One Day Sec

How can security defenders detect or prevent the TelemetryController backdoor?

Defenders should regularly check the registry key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController` for unauthorized `Command` values. The default `Command` under the `Appraiser` subkey should be `%windir%\system32\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun`. Any deviation, especially a command pointing to an executable like `cmd.exe` or a script, indicates compromise. Additionally, monitor for unusual child processes of `CompatTelRunner.exe` and consider disabling the **Microsoft Compatibility Appraiser** scheduled task if not needed. This technique bypasses many autoruns scanners, so proactive registry auditing is essential.
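The registry audit described above, written as a PowerShell check (an added example, not code from the original Q&A). It assumes it runs locally with rights to read HKLM, and treats the `Appraiser` default quoted above as the only known-good `Command`; every other `Command` is reported for review.

```powershell
# Added example: audit the TelemetryController key and flag Command values
# that do not match the expected CompatTelRunner.exe default.
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController'
$ExpectedAppraiser = '%windir%\system32\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun'

function Test-TelemetryControllerKey {
    param([string]$Path = $BasePath)

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ SubKey = '-'; Status = 'KEY MISSING'; Command = $Path }
    }

    # Get-ItemProperty expands REG_EXPAND_SZ values, so accept the raw and the expanded default.
    $knownGood = @(
        $ExpectedAppraiser,
        [Environment]::ExpandEnvironmentVariables($ExpectedAppraiser)
    )

    foreach ($subKey in Get-ChildItem -Path $Path) {
        $name    = $subKey.PSChildName
        $command = (Get-ItemProperty -Path $subKey.PSPath -ErrorAction SilentlyContinue).Command
        if ($null -eq $command) { continue }   # subkeys without a Command value are not of interest here

        $status = 'REVIEW'   # any Command outside the known default deserves a look
        if ($name -eq 'Appraiser' -and $knownGood -contains $command) {
            $status = 'OK'
        }
        # Red flags named in the answer: a shell or script in place of CompatTelRunner.exe
        if ($command -match '(?i)cmd\.exe|powershell|wscript|cscript|\.(bat|cmd|ps1|vbs|js)\b') {
            $status = 'SUSPICIOUS'
        }
        [pscustomobject]@{ SubKey = $name; Status = $status; Command = $command }
    }
}

Test-TelemetryControllerKey | Format-Table -AutoSize
```

Run it on a known-clean build first to learn which subkeys normally carry a `Command` on that image, then alert on any row that is not `OK`.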
Tags: detection, prevention, registry audit, scheduled task, child process monitoring, Autoruns bypass
