I've ran scans using multiple tools and cannot find anything irregular. I've also reviewed all firewall rules for the offending machines and don't see anything unusual. These machines have no outside internet so its easy to review.
Is it normal for these registry values to change? Are they false alarms in OSSEC? I cant seem to find much information about them.