Question Analysis
A Windows host logs a change to the Terminal Server registry key disabling single-session per user. Which command-line utility executed this registry modification?
35727d9e-7a7f-4d0c-a259-dc3906d6e8b9
Question ID
9/16
Models Correct
1
Valid Answer
56%
Success Rate
Reference Answer
Human-validated correct answer for this question
reg
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0170 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0115 |
| gpt-4-turbo-2024-04-09 | reg | DeviceRegistryEvents
| where RegistryKey contains "Terminal Server" and RegistryValueData == "0"
| summarize by InitiatingProcessCommandLine
| distinct InitiatingProcessCommandLine | Correct | 1 | 11.71s | 0.0504 |
| gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0476 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0543 |
| gpt-4.1-mini | reg | DeviceRegistryEvents
| where RegistryKey contains "Terminal Server" and RegistryValueName == "fSingleSessionPerUser"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 3.07s | 0.0021 |
| gpt-4.1-nano | reg.exe | DeviceRegistryEvents
| where RegistryKey has 'Terminal Server' and PreviousRegistryValueName == 'fSingleSessionPerUser' and RegistryValueData =~ '0'
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueData | Correct | 2 | 20.60s | 0.0007 |
| gpt-4o | reg | DeviceRegistryEvents
| where RegistryKey contains "Terminal Server" and RegistryValueName == "fSingleSessionPerUser" and RegistryValueData == "0"
| project DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, TimeGenerated | Correct | 2 | 23.82s | 0.0272 |
| grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0856 |
| grok-3-mini-beta | reg.exe | DeviceRegistryEvents
| where RegistryKey contains "Terminal Server"
| where RegistryValueData == "0" // Assuming '0' indicates the disabling of single-session per user
| project DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine, InitiatingProcessFileName, Timestamp
| summarize arg_max(Timestamp, *) by InitiatingProcessCommandLine // Get the most recent event per unique command line
| order by Timestamp desc | Correct | 1 | 15.10s | 0.0016 |
| o1-high | reg.exe | DeviceRegistryEvents
| where RegistryKey has "Control\\Terminal Server"
| where RegistryValueName =~ "fSingleSessionPerUser"
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain | Correct | 1 | 19.51s | 0.1611 |
| o1-low | reg.exe | DeviceRegistryEvents
| where RegistryKey has "\\Control\\Terminal Server"
| where RegistryValueName == "fSingleSessionPerUser"
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueData
| order by TimeGenerated desc | Correct | 1 | 19.30s | 0.1544 |
| o3-mini-high | reg.exe | DeviceRegistryEvents
| where RegistryKey contains "Terminal Server"
and RegistryValueName == "fSingleSessionPerUser"
and RegistryValueData =~ "0"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
| sort by TimeGenerated desc
| limit 10 | Correct | 1 | 17.46s | 0.0098 |
| o3-mini-low | reg.exe | DeviceRegistryEvents
| where RegistryKey contains "Terminal Server"
| where RegistryValueName == "fSingleSessionPerUser" and RegistryValueData == "0"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
| take 20
| Correct | 1 | 43.90s | 0.0114 |
| o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0487 |
| o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0330 |