Question Analysis
A Windows endpoint shows an Active Setup entry under Internet Explorer Core Fonts being altered with a StubPath value. Investigate the registry events and identify the payload that was set.
39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a
Question ID
8/23
Models Correct
1
Valid Answer
35%
Success Rate
Reference Answer
Human-validated correct answer for this question
calc.exe
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0269 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0117 |
gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2381 |
gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0390 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0543 |
gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0065 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0011 |
gpt-4o | C:\Windows\System32\calc.exe | DeviceRegistryEvents
// Hunts for writes to an Active Setup StubPath value. StubPath holds the command Active Setup
// runs at user logon (MITRE ATT&CK T1547.014), so the data written is the persistence payload.
// has_any matches a key containing either phrase, so every Active Setup key qualifies,
// not only the Internet Explorer Core Fonts component.
| where RegistryKey has_any("Active Setup", "Internet Explorer Core Fonts")
// == is case-sensitive: the value name must be exactly "StubPath".
| where RegistryValueName == "StubPath"
// RegistryValueData carries the payload. No InitiatingProcess* or PreviousRegistryValueData
// column is kept, so the result shows what was written but not which process wrote it
// or what the value was before.
| project TimeGenerated, DeviceName, DeviceId, ActionType, RegistryKey, RegistryValueName, RegistryValueData
// ActionType survives the project above, so this late filter still applies; it keeps value-set events only.
| where ActionType has "RegistryValueSet" | Correct | 4 | 32.05s | 0.0358 |
gpt-5-high | C:\Windows\System32\calc.exe | // Active Setup StubPath modifications and their payloads
// name_values: for each device and Installed Components key, collect up to 10 distinct
// name-like values so a component GUID key can be tied back to a readable component name.
let name_values =
DeviceRegistryEvents
| where RegistryKey has @"Active Setup\Installed Components"
| where RegistryValueName in~ ("DisplayName","LocalizedName","FriendlyName","ComponentID")
| where isnotempty(RegistryValueData)
| summarize ComponentNameCandidates = make_set(RegistryValueData, 10) by DeviceId, DeviceName, RegistryKey;
// stub_changes: every StubPath write under Active Setup, with the new and previous data
// and the initiating process details needed to attribute the change.
let stub_changes =
DeviceRegistryEvents
| where RegistryKey has @"Active Setup\Installed Components" // covers HKLM/HKU and WOW6432Node
| where RegistryValueName =~ "StubPath"
// NOTE(review): "RegistryValueSet" is the value every other filtered query on this page uses;
// "RegistryValueCreate" looks like a guessed action type - confirm it against the table schema.
| where ActionType in ("RegistryValueSet","RegistryValueCreate")
| project TimeGenerated, DeviceId, DeviceName, RegistryKey, ActionType,
Payload = RegistryValueData, PreviousPayload = PreviousRegistryValueData,
InitiatingProcessAccountDomain, InitiatingProcessAccountName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessSHA1, InitiatingProcessSHA256,
InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessCreationTime;
stub_changes
// leftouter keeps StubPath changes even when no name value was ever logged for that key;
// name_values has one row per join key, so the join does not multiply rows.
| join kind=leftouter name_values on DeviceId, DeviceName, RegistryKey
| extend ComponentNameCandidates = coalesce(ComponentNameCandidates, dynamic([]))
| extend LowerNames = tolower(strcat_array(ComponentNameCandidates, "|")), LowerKey = tolower(RegistryKey)
// ContainsCoreFonts is a ranking flag, not a filter: it is only used in the final order by,
// so all Active Setup StubPath changes are returned with the Core Fonts matches listed first.
// The "core fonts" tests already cover the longer "internet explorer core fonts" phrase.
| extend ContainsCoreFonts = iff(LowerNames has "internet explorer core fonts" or LowerNames has "core fonts" or LowerKey has "internet explorer core fonts" or LowerKey has "core fonts", true, false)
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, ActionType,
ContainsCoreFonts, ComponentNameCandidates,
Payload, PreviousPayload,
InitiatingProcessAccountDomain, InitiatingProcessAccountName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessSHA1, InitiatingProcessSHA256,
InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessCreationTime
| order by ContainsCoreFonts desc, TimeGenerated desc | Correct | 4 | 318.49s | 0.1994 |
gpt-5-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0203 |
gpt-5-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0211 |
gpt-5-mini-medium | C:\Windows\System32\calc.exe | let targetKeyPatterns = dynamic(["\\Software\\Microsoft\\Internet Explorer\\Core Fonts\\Active Setup","\\Software\\Microsoft\\Internet Explorer\\Core Fonts\\Active Setup\\%","\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Core Fonts\\Active Setup","%Active Setup%Core Fonts%"]);
// targetKeyPatterns is declared but never referenced below, so it has no effect on the result.
// NOTE(review): its entries use SQL-style % wildcards and paths that differ from the
// "Active Setup\Installed Components" layout used by the other queries on this page.
DeviceRegistryEvents
| where isnotempty(RegistryKey)
// has_cs is case-sensitive, and the three terms are OR-ed: any key mentioning Internet Explorer,
// Core Fonts or Active Setup passes, which is far wider than the one component in question.
| where RegistryKey has_cs "Internet Explorer" or RegistryKey has_cs "Core Fonts" or RegistryKey has_cs "Active Setup"
// Also admits default/unnamed values, not only StubPath. There is no ActionType filter,
// so ActionType has to be read from the output to tell value-set events from the rest.
| where RegistryValueName == "StubPath" or RegistryValueName == "(Default)" or RegistryValueName == ""
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueName, PreviousRegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, InitiatingProcessAccountDomain, ActionType
| order by TimeGenerated desc
// Only the 50 newest rows are returned; with a filter this broad an older StubPath change
// can fall outside the cut.
| take 50 | Correct | 1 | 13.69s | 0.0038 |
gpt-5-nano-high | C:\Windows\System32\calc.exe | DeviceRegistryEvents
// Lists StubPath registry events and exposes the written data as Payload.
// == is case-sensitive: only a value named exactly "StubPath" matches.
| where RegistryValueName == "StubPath"
// "Active Setup" alone satisfies has_any, so this returns StubPath events for every
// Active Setup component; the other two terms only add keys that lack that phrase.
| where RegistryKey has_any ("Internet Explorer Core Fonts", "IECoreFonts", "Active Setup")
| extend Payload = RegistryValueData
// ActionType is neither filtered nor projected, so the output cannot distinguish a value
// being set from any other event type logged for the same value.
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, Payload, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessCreationTime
| sort by TimeGenerated desc
// Newest 100 rows only.
| take 100 | Correct | 1 | 38.31s | 0.0019 |
gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0076 |
grok-3-beta | calc.exe | DeviceRegistryEvents
// Lists StubPath events under the machine-wide Active Setup component list.
// contains is a case-insensitive substring match, but the literal pins the HKEY_LOCAL_MACHINE
// hive and the native Software\Microsoft path: keys under WOW6432Node or a per-user hive
// do not contain this string and are not returned.
| where RegistryKey contains "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Active Setup\\Installed Components"
| where RegistryValueName == "StubPath"
// RegistryValueData is the payload. This query uses Timestamp where the others on this page
// use TimeGenerated - NOTE(review): confirm which time column the target workspace exposes.
// ActionType is not filtered or projected, so the event type is not visible in the output.
| project DeviceName, Timestamp, RegistryKey, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc | Correct | 2 | 18.37s | 0.0391 |
grok-3-mini-beta | C:\Windows\System32\calc.exe | DeviceRegistryEvents
// Returns value-set events for StubPath under Active Setup\Installed Components.
| where ActionType == 'RegistryValueSet'
// Case-insensitive substring match with no hive prefix, so any hive can match; a
// SOFTWARE\WOW6432Node\Microsoft\... key does not contain this exact substring and is missed.
| where RegistryKey contains "SOFTWARE\\Microsoft\\Active Setup\\Installed Components"
| where RegistryValueName == 'StubPath'
// RegistryValueData is the payload; InitiatingProcessCommandLine is the only attribution
// column kept (no process name, account or previous value).
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine
| order by TimeGenerated desc
// Newest 100 rows only.
| limit 100 | Correct | 4 | 48.09s | 0.0060 |
o1-high | C:\Windows\System32\calc.exe | DeviceRegistryEvents
// Returns StubPath changes under any Active Setup key, with old and new data side by side.
// NOTE(review): of these four names only "RegistryValueSet" is used by the other queries on
// this page; "SetValue", "ModifyValue" and "RegistryValueModified" look like guesses -
// confirm against the table schema. They are harmless to the result if never emitted.
| where ActionType in ("SetValue","ModifyValue","RegistryValueSet","RegistryValueModified")
| where RegistryKey has "Active Setup"
// =~ is a case-insensitive equality test on the value name.
| where RegistryValueName =~ "StubPath"
// PreviousRegistryValueData next to RegistryValueData shows what the StubPath was replaced with;
// the account, process name and command line attribute the write.
| project TimeGenerated,
DeviceName,
ActionType,
RegistryKey,
RegistryValueName,
PreviousRegistryValueData,
RegistryValueData,
InitiatingProcessAccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 3 | 74.16s | 0.5745 |
o1-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.8245 |
o3-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.1044 |
o3-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0370 |
o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0419 |
o4-mini-high | calc.exe | DeviceRegistryEvents
// Lists StubPath events under Active Setup\Installed Components, newest first.
| where RegistryValueName == "StubPath"
// No hive prefix, so any hive can match; the path is the native Software\Microsoft one,
// so a key under Software\WOW6432Node\Microsoft\... is not matched by this phrase.
| where RegistryKey has "Software\\Microsoft\\Active Setup\\Installed Components"
// ActionType is projected but not filtered: read it in the output to separate value-set
// events from other event types. RegistryValueData is the payload.
| project TimeGenerated, DeviceName, ActionType, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey, RegistryValueData
| sort by TimeGenerated desc | Correct | 2 | 57.66s | 0.0222 |
o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0426 |