5 min read
Saved February 14, 2026
Do you care about this?
This article introduces Swarmer, a tool for modifying the Windows Registry of a low-privilege user without triggering the registry-API monitoring that endpoint detection products rely on. It combines two legacy Windows features, mandatory user profiles and the Offline Registry API, so that attacker-controlled registry content (for example a Run-key entry) is applied on every logon without a single write to the live registry. The authors share lessons from using it in engagements over the past year.
If you do, here's more
Swarmer is a new tool for stealthy modification of the Windows Registry from the context of a low-privilege user. The traditional route to user-level registry persistence, writing a value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, has become much less effective because Endpoint Detection and Response (EDR) products now hook or receive telemetry for the live registry API calls (RegSetValueEx and friends) that such a write goes through. Instead of touching the live registry at all, Swarmer uses the legacy Offline Registry Library (Offreg.dll) to build and edit a registry hive file on disk, so the modification never appears as a registry-API call that an EDR would alert on; from the operating system's point of view it is an ordinary file write.
The tool turns the user's own profile into a mandatory profile by producing a modified NTUSER.DAT. The workflow is: export the user's current HKCU state, make the desired changes (such as adding a Run-key entry), and convert the result into a binary hive file named NTUSER.MAN. The user drops that file into their own profile directory; Windows treats a profile directory that contains NTUSER.MAN as a mandatory profile, loads the file as the user's HKCU on every logon, and discards any changes made during the session at logoff. The attacker-controlled hive is therefore re-applied at each logon, which is what gives the technique its persistence. The implementation has its quirks; for instance, the Offreg.dll API alone won't produce a file that Windows accepts as a valid NTUSER.MAN, so an initial empty hive must first be created with RegLoadAppKeyW and then populated.
Swarmer has worked reliably across Windows 10 and 11, but the approach has clear limitations. Once NTUSER.MAN is in place the profile is mandatory, so nothing the user changes during a session (settings, application state, further registry writes) survives logoff. The tool works per user and affects only HKCU, not HKLM, and the planted hive only takes effect after the user logs out and back in. The technique avoids the registry-API telemetry that EDR products watch, but it is not invisible: the sudden appearance of an NTUSER.MAN in a profile directory, a user-mode process loading Offreg.dll, and the profile's mandatory state itself are all signals a defender can hunt for. The authors share the technique so that defenders better understand this corner of Windows profile handling and its security implications.
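As an added example that is not part of the original article or of the Swarmer tool, the following PowerShell script is the host-side check a defender would run for the indicators just described: it walks the ProfileList, reports any profile whose directory contains an NTUSER.MAN or whose State value carries the mandatory bit, compares the hive's creation time against the profile directory's to surface a freshly planted file, and lists the Run-key entries stored inside each such hive. The temporary mount name NtuserManHunt, inspecting a copy of the hive rather than the original, and reading State bit 0x1 as PROFILE_MANDATORY are this example's assumptions; run it from an elevated prompt.

```powershell
# Added example, not code from Swarmer or the article it summarizes.
# Hunts for NTUSER.MAN-backed mandatory profiles on the local host and lists
# the Run-key entries baked into each such hive. Run from an elevated prompt.
# Assumes the standard ProfileList layout under HKLM and reg.exe on PATH.

$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$RunSubKey   = 'Software\Microsoft\Windows\CurrentVersion\Run'
$MountName   = 'NtuserManHunt'   # assumed temporary name under HKEY_USERS

function Get-MandatoryProfileCandidates {
    # One object per profile that either has an NTUSER.MAN on disk or has the
    # PROFILE_MANDATORY bit (0x1, assumed) set in its ProfileList State value.
    foreach ($key in Get-ChildItem -Path $ProfileList) {
        $props = Get-ItemProperty -Path $key.PSPath
        if (-not $props.ProfileImagePath) { continue }
        $dir     = [Environment]::ExpandEnvironmentVariables($props.ProfileImagePath)
        $man     = Join-Path -Path $dir -ChildPath 'NTUSER.MAN'
        $onDisk  = Test-Path -LiteralPath $man
        $flagged = (([int]$props.State) -band 1) -ne 0
        if (-not ($onDisk -or $flagged)) { continue }

        # A freshly planted hive has a CreationTime far newer than the profile
        # directory itself; that "sudden appearance" is the tell to look for.
        $manCreated     = $null
        $profileCreated = $null
        if ($onDisk) { $manCreated = (Get-Item -LiteralPath $man).CreationTime }
        if (Test-Path -LiteralPath $dir) { $profileCreated = (Get-Item -LiteralPath $dir).CreationTime }

        [pscustomobject]@{
            Sid            = $key.PSChildName
            ProfilePath    = $dir
            NtuserMan      = $man
            ManOnDisk      = $onDisk
            StateMandatory = $flagged
            ManCreated     = $manCreated
            ProfileCreated = $profileCreated
        }
    }
}

function Get-HiveRunEntries {
    param([Parameter(Mandatory)][string]$HivePath)
    # Load a COPY of the hive so the original is never modified. NTUSER.MAN is
    # locked while its user is logged on, so the copy can fail for live sessions.
    $copy = Join-Path -Path $env:TEMP -ChildPath ("hunt_{0}.hiv" -f [guid]::NewGuid())
    try {
        Copy-Item -LiteralPath $HivePath -Destination $copy -ErrorAction Stop
    } catch {
        Write-Warning "Cannot copy $HivePath (hive probably in use): $_"
        return
    }
    try {
        & reg.exe load "HKU\$MountName" $copy 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe load failed for $copy"; return }
        $runPath = "Registry::HKEY_USERS\$MountName\$RunSubKey"
        if (Test-Path -Path $runPath) {
            $run = Get-ItemProperty -Path $runPath
            foreach ($p in $run.PSObject.Properties) {
                # Skip the PS* metadata properties that Get-ItemProperty adds.
                if ($p.Name -notlike 'PS*') {
                    [pscustomobject]@{ Hive = $HivePath; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    } finally {
        & reg.exe unload "HKU\$MountName" 2>&1 | Out-Null
        Remove-Item -LiteralPath $copy -Force -ErrorAction SilentlyContinue
    }
}

$candidates = @(Get-MandatoryProfileCandidates)
if (-not $candidates) { 'No NTUSER.MAN-backed or mandatory-flagged profiles found.' }
$candidates | Format-Table Sid, ProfilePath, ManOnDisk, StateMandatory, ManCreated, ProfileCreated -AutoSize
$candidates | Where-Object ManOnDisk | ForEach-Object { Get-HiveRunEntries -HivePath $_.NtuserMan } | Format-Table -AutoSize
```

A legitimately provisioned mandatory profile will show up here too, so treat a hit as a lead rather than a verdict: an NTUSER.MAN created long after the profile directory, on a host where the organization does not use mandatory profiles, with Run-key entries pointing outside Program Files, is the combination worth escalating.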