// question

A Windows host shows a registry write under DeviceRegistryEvents affecting the System policy path. Investigate entries where the data is set to ‘0’ and determine which registry value was modified to turn off UAC consent prompts.

Reference KQL answer and model-by-model comparison.

a768aaa2-2442-475c-8990-69cf33af0f4e
question id
18/23
models correct
1
valid answer
78%
success rate
// reference answer

Human-validated correct answer for this question.

ConsentPromptBehaviorAdmin
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
| where ActionType startswith "RegistryValueSet"
| where RegistryKey contains "Policies\\System"
| where RegistryValueData == "0"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by Timestamp
pass111.83s0.0042
gpt-35-turbo
ConsentPromptBehaviorAdmin
DeviceRegistryEvents | where RegistryValueData == '0' and RegistryKey contains 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
pass14.20s0.0045
gpt-4-turbo-2024-04-09
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey has 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' and RegistryValueData == '0'
| project DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, TimeGenerated
pass534.89s0.2432
gpt-4.1
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where RegistryValueData == "0"
| where RegistryValueName in ("ConsentPromptBehaviorAdmin", "EnableLUA", "PromptOnSecureDesktop", "ConsentPromptBehaviorUser")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
pass14.89s0.0128
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0427
gpt-4.1-mini
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
| where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass225.32s0.0035
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0016
gpt-4o
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
| where RegistryKey contains "System" and RegistryValueData == "0"
| project DeviceId, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, TimeGenerated, InitiatingProcessAccountName, InitiatingProcessCommandLine
pass12.32s0.0201
gpt-5-high
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
// System policy path
| where RegistryKey has_cs "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
// Normalize and match data set to 0 (covers common DWORD renderings)
| extend RegData = trim(@"\s", tostring(RegistryValueData))
| extend RegDataLower = tolower(RegData)
| where RegDataLower in ("0", "00000000", "0x00000000")
// Classify UAC-related impact
| extend UACSetting = case(
        RegistryValueName =~ "EnableLUA", "EnableLUA=0 disables UAC entirely (no consent prompts; reboot required)",
        RegistryValueName =~ "ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorAdmin=0 elevates without prompting (no UAC consent prompts for admins)",
        RegistryValueName =~ "ConsentPromptBehaviorUser", "ConsentPromptBehaviorUser=0 automatically denies elevation (no prompts shown to standard users)",
        RegistryValueName =~ "PromptOnSecureDesktop", "PromptOnSecureDesktop=0 shows prompts on normal desktop (not secure)",
        "Other"
    )
| extend TurnsOffUACConsentPrompts = iif(RegistryValueName in~ ("EnableLUA", "ConsentPromptBehaviorAdmin"), true, false)
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData,
          PreviousRegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName, UACSetting, TurnsOffUACConsentPrompts
| order by TimeGenerated desc
pass163.03s0.0510
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0124
gpt-5-mini-low
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
| where isnotempty(RegistryKey)
| extend key_lc = tolower(RegistryKey)
// Match policy/System paths controlling UAC/Consent prompts (use contains to avoid escaping issues)
| where key_lc contains "policies" and key_lc contains "system"
// Filter for write actions - common ActionType values vary by connector/version
| where tolower(ActionType) contains "set" or tolower(ActionType) contains "create" or tolower(ActionType) contains "modify" or tolower(ActionType) contains "write"
// Normalize RegistryValueData and match 0 (string or common hex forms)
| extend rvdata = trim(" ", tostring(RegistryValueData))
| where rvdata in ("0", "0x00000000", "0x0", "0x00000000;", "0;")
// Normalize RegistryValueName
| extend rvn_lc = tolower(tostring(RegistryValueName))
// Known UAC-related value names and keywords
| where rvn_lc in ("consentpromptbehavioradmin","consentpromptbehavioruser","consentpromptbehaviordesktopuser","consentpromptbehaviorsecuredesktop","enablelua","enablesecureuacmode","filteradministratorstoken","localaccounttokenfilterpolicy","promptonsecuredesktop","behaviorinadmininstall")
    or rvn_lc contains "consent" or rvn_lc contains "uac" or rvn_lc contains "prompt" or rvn_lc contains "secure" or rvn_lc contains "filter" or rvn_lc contains "enable"
// Only show actual change where previous value differs (optional)
| where coalesce(tostring(PreviousRegistryValueData), "") != rvdata
| project TimeGenerated, DeviceName, DeviceId, ReportId, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, ActionType, RegistryKey, RegistryValueName, RegistryValueType, RegistryValueData, PreviousRegistryValueData, PreviousRegistryKey
| order by TimeGenerated desc
| limit 200
pass565.52s0.0159
gpt-5-mini-medium
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
| where tolower(ActionType) has_any ("setvalue","writevalue","valueset","registryvalueset","modify","set")
// Normalize fields
| extend RK = tolower(tostring(RegistryKey)), RVN = tolower(tostring(RegistryValueName)), RVD = tostring(RegistryValueData)
// Focus on common system policy locations that hold UAC settings
| where RK has "\\policies\\system" or RK has "\\system\\currentcontrolset\\policies\\system" or RK has "\\microsoft\\windows\\currentversion\\policies\\system" or RK has "\\system\\currentcontrolset\\control\\lsa" or RK has "software\\microsoft\\windows\\currentversion\\policies\\system"
// Match value data that represents 0 (decimal 0, hex 0, or dword:00000000 style)
| where RVD matches regex @"(?i)^\s*(?:0|0x0|dword:0+)\s*$"
// UAC-related registry value names (normalized to lower-case)
| where RVN in ("consentpromptbehavioradmin","consentpromptbehavioruser","enablelua","promptonsecuredesktop","filteradministratortoken","enableinstallerdetection")
// Keep relevant context fields (use initiating process account/name fields that exist on DeviceRegistryEvents)
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData, ActionType, ReportId
// Summarize for easier triage
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Count=count(), AnyProcess=any(InitiatingProcessFileName), AnyCmdLine=any(InitiatingProcessCommandLine), InitiatingAccounts=make_set(InitiatingProcessAccountName) by DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData
| order by FirstSeen desc
pass235.42s0.0089
gpt-5-nano-high
ConsentPromptBehaviorAdmin
let defaultWindow = 24h; // default to last 24 hours; the caller may override this via timerange
DeviceRegistryEvents
| where TimeGenerated >= ago(defaultWindow)
| where RegistryKey contains "\\Policies\\System" or RegistryKey contains "Policies\\System"
| where RegistryValueData == "0"
| where RegistryValueName in ("ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser")
| project TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessCreationTime
| sort by TimeGenerated desc
pass487.57s0.0059
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0068
grok-3-beta
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
| where RegistryKey contains 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
| where RegistryValueName == 'ConsentPromptBehaviorAdmin'
| where RegistryValueData == '0'
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass19.26s0.0227
grok-3-mini-beta
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'  // Filter for registry write actions
| where RegistryKey contains 'Policies\\System'  // Target the System policy path
| where RegistryValueData == '0'  // Match entries where the data is set to '0'
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine  // Project relevant fields for analysis
| order by Timestamp desc  // Order by timestamp for chronological review
pass113.96s0.0018
o1-high
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has "\\Policies\\System"
| where RegistryValueData == "0"
| project TimeGenerated,
          DeviceName,
          RegistryKey,
          RegistryValueName,
          RegistryValueData,
          InitiatingProcessAccountName,
          InitiatingProcessCommandLine,
          InitiatingProcessId,
          InitiatingProcessParentFileName
| order by TimeGenerated desc
pass143.78s0.3240
o1-low
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
| where RegistryKey has "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where isnotempty(RegistryValueData)
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine
pass143.89s0.3273
o3-high
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
// ‑-- Time range is supplied by the hunting/alert rule, no hard-coded range here ‑--
| where ActionType == "RegistryValueSet"   // only consider actual value writes
| where RegistryKey has "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"  // UAC policy hive
| where RegistryValueData == "0"            // DWORD value set to 0
// Focus on the two knobs used to disable UAC prompts.
| where RegistryValueName in ("EnableLUA", "ConsentPromptBehaviorAdmin")
| project TimeGenerated,
          DeviceName,
          DeviceId,
          RegistryKey,
          RegistryValueName,
          RegistryValueData,
          PreviousRegistryValueData,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine,
          InitiatingProcessAccountDomain,
          InitiatingProcessAccountName,
          InitiatingProcessSHA256,
          ReportId
| order by TimeGenerated desc
pass139.89s0.0228
o3-mini-high
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
| where RegistryKey has "Policies\\System"
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc
pass129.36s0.0101
o3-mini-low
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
| where RegistryKey contains "Policies\\System"
| where RegistryValueData == "0"
| summarize EventCount=count() by RegistryValueName, RegistryKey, RegistryValueData
| project RegistryValueName, RegistryKey, RegistryValueData, EventCount
pass150.82s0.0186
o4-mini-high
no answer
no query generatedfail50.00s0.0482
o4-mini-low
ConsentPromptBehaviorAdmin
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
// Only look in the System policy path where UAC settings are stored
| where RegistryKey has_cs "Policies\\System"
// Filter to known UAC-related values
| where RegistryValueName in ("EnableLUA", "ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser", "PromptOnSecureDesktop")
// Match plain '0' or hex–encoded zeros (e.g. '0x00000000')
| where RegistryValueData matches regex "^(0|0x0+|0+)$"
// Return relevant context
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, RegistryKey, RegistryValueName, RegistryValueData
| sort by TimeGenerated desc
pass380.94s0.0289