False alert for ACC for Suspicious reg.exe process detectedIssue You may see a alert for "Suspicious reg.exe process detected" on a Windows computer that has Agent Client Collector installed on it, for a reg.exe process running as the service's "servicenow" user. This is a false alert. You may want to report this to the vendor of the monitoring tool. reg.exe is a command line tool, that is included as part of Windows, for reading and editing the registry. In the example below, the full command was: reg query "HKLM\SOFTWARE\INTEL\EmaAgent" /s This is being run deliberately by the intel_ema.rb ruby script, that's part of the Windows version of the acc-visibility-modules ACC Plugin, documented here.:Using push-based Discovery and Intel Endpoint Management Assistant (EMA) together That script is run by endpoint_discovery.rb, as part of the "Enhanced Discovery" check: endpoint_discovery.rb --compact --select=data_collection,enhanced_inventory,file_systems,network_adapters,tcp_connections,storage_devices,running_processes,local_users,intel_ema,memory_modules