Question Analysis
A Windows endpoint shows an Active Setup entry under Internet Explorer Core Fonts being altered with a StubPath value. Investigate the registry events and identify the payload that was set.
39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a
Question ID
5/16
Models Correct
1
Valid Answer
31%
Success Rate
Reference Answer
Human-validated correct answer for this question
calc.exe
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0269 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0117 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2381 |
| gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0390 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0543 |
| gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0065 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0011 |
| gpt-4o | C:\Windows\System32\calc.exe | DeviceRegistryEvents
| where RegistryKey has_any("Active Setup", "Internet Explorer Core Fonts")
| where RegistryValueName == "StubPath"
| project TimeGenerated, DeviceName, DeviceId, ActionType, RegistryKey, RegistryValueName, RegistryValueData
| where ActionType has "RegistryValueSet" | Correct | 4 | 32.05s | 0.0358 |
| grok-3-beta | calc.exe | DeviceRegistryEvents
| where RegistryKey contains "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Active Setup\\Installed Components"
| where RegistryValueName == "StubPath"
| project DeviceName, Timestamp, RegistryKey, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc | Correct | 2 | 18.37s | 0.0391 |
| grok-3-mini-beta | C:\Windows\System32\calc.exe | DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey contains "SOFTWARE\\Microsoft\\Active Setup\\Installed Components"
| where RegistryValueName == 'StubPath'
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine
| order by TimeGenerated desc
| limit 100 | Correct | 4 | 48.09s | 0.0060 |
| o1-high | C:\Windows\System32\calc.exe | DeviceRegistryEvents
| where ActionType in ("SetValue","ModifyValue","RegistryValueSet","RegistryValueModified")
| where RegistryKey has "Active Setup"
| where RegistryValueName =~ "StubPath"
| project TimeGenerated,
DeviceName,
ActionType,
RegistryKey,
RegistryValueName,
PreviousRegistryValueData,
RegistryValueData,
InitiatingProcessAccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 3 | 74.16s | 0.5745 |
| o1-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.8245 |
| o3-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0370 |
| o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0419 |
| o4-mini-high | calc.exe | DeviceRegistryEvents
| where RegistryValueName == "StubPath"
| where RegistryKey has "Software\\Microsoft\\Active Setup\\Installed Components"
| project TimeGenerated, DeviceName, ActionType, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey, RegistryValueData
| sort by TimeGenerated desc | Correct | 2 | 57.66s | 0.0222 |
| o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0426 |