Question Analysis
A Windows host shows a registry write, recorded in DeviceRegistryEvents, to the System policy path. Investigate the entries whose value data is set to ‘0’ and determine which registry value was modified to turn off UAC consent prompts.
a768aaa2-2442-475c-8990-69cf33af0f4e
Question ID
18/23
Models Correct
1
Valid Answer
78%
Success Rate
Reference Answer
Human-validated correct answer for this question
ConsentPromptBehaviorAdmin
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
| where ActionType startswith "RegistryValueSet"
| where RegistryKey contains "Policies\\System"
| where RegistryValueData == "0"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by Timestamp | Correct | 1 | 11.83s | 0.0042 |
gpt-35-turbo | ConsentPromptBehaviorAdmin | DeviceRegistryEvents | where RegistryValueData == '0' and RegistryKey contains 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' | Correct | 1 | 4.20s | 0.0045 |
gpt-4-turbo-2024-04-09 | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey has 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' and RegistryValueData == '0'
| project DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, TimeGenerated | Correct | 5 | 34.89s | 0.2432 |
gpt-4.1 | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where RegistryValueData == "0"
| where RegistryValueName in ("ConsentPromptBehaviorAdmin", "EnableLUA", "PromptOnSecureDesktop", "ConsentPromptBehaviorUser")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName | Correct | 1 | 4.89s | 0.0128 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0427 |
gpt-4.1-mini | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
| where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 2 | 25.32s | 0.0035 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0016 |
gpt-4o | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
| where RegistryKey contains "System" and RegistryValueData == "0"
| project DeviceId, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, TimeGenerated, InitiatingProcessAccountName, InitiatingProcessCommandLine | Correct | 1 | 2.32s | 0.0201 |
gpt-5-high | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
// System policy path
| where RegistryKey has_cs "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
// Normalize and match data set to 0 (covers common DWORD renderings)
| extend RegData = trim(@"\s", tostring(RegistryValueData))
| extend RegDataLower = tolower(RegData)
| where RegDataLower in ("0", "00000000", "0x00000000")
// Classify UAC-related impact
| extend UACSetting = case(
RegistryValueName =~ "EnableLUA", "EnableLUA=0 disables UAC entirely (no consent prompts; reboot required)",
RegistryValueName =~ "ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorAdmin=0 elevates without prompting (no UAC consent prompts for admins)",
RegistryValueName =~ "ConsentPromptBehaviorUser", "ConsentPromptBehaviorUser=0 automatically denies elevation (no prompts shown to standard users)",
RegistryValueName =~ "PromptOnSecureDesktop", "PromptOnSecureDesktop=0 shows prompts on normal desktop (not secure)",
"Other"
)
| extend TurnsOffUACConsentPrompts = iif(RegistryValueName in~ ("EnableLUA", "ConsentPromptBehaviorAdmin"), true, false)
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData,
PreviousRegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountDomain, InitiatingProcessAccountName, UACSetting, TurnsOffUACConsentPrompts
| order by TimeGenerated desc | Correct | 1 | 63.03s | 0.0510 |
gpt-5-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0124 |
gpt-5-mini-low | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
| where isnotempty(RegistryKey)
| extend key_lc = tolower(RegistryKey)
// Match policy/System paths controlling UAC/Consent prompts (use contains to avoid escaping issues)
| where key_lc contains "policies" and key_lc contains "system"
// Filter for write actions - common ActionType values vary by connector/version
| where tolower(ActionType) contains "set" or tolower(ActionType) contains "create" or tolower(ActionType) contains "modify" or tolower(ActionType) contains "write"
// Normalize RegistryValueData and match 0 (string or common hex forms)
| extend rvdata = trim(" ", tostring(RegistryValueData))
| where rvdata in ("0", "0x00000000", "0x0", "0x00000000;", "0;")
// Normalize RegistryValueName
| extend rvn_lc = tolower(tostring(RegistryValueName))
// Known UAC-related value names and keywords
| where rvn_lc in ("consentpromptbehavioradmin","consentpromptbehavioruser","consentpromptbehaviordesktopuser","consentpromptbehaviorsecuredesktop","enablelua","enablesecureuacmode","filteradministratorstoken","localaccounttokenfilterpolicy","promptonsecuredesktop","behaviorinadmininstall")
or rvn_lc contains "consent" or rvn_lc contains "uac" or rvn_lc contains "prompt" or rvn_lc contains "secure" or rvn_lc contains "filter" or rvn_lc contains "enable"
// Only show actual change where previous value differs (optional)
| where coalesce(tostring(PreviousRegistryValueData), "") != rvdata
| project TimeGenerated, DeviceName, DeviceId, ReportId, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, ActionType, RegistryKey, RegistryValueName, RegistryValueType, RegistryValueData, PreviousRegistryValueData, PreviousRegistryKey
| order by TimeGenerated desc
| limit 200 | Correct | 5 | 65.52s | 0.0159 |
gpt-5-mini-medium | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
| where tolower(ActionType) has_any ("setvalue","writevalue","valueset","registryvalueset","modify","set")
// Normalize fields
| extend RK = tolower(tostring(RegistryKey)), RVN = tolower(tostring(RegistryValueName)), RVD = tostring(RegistryValueData)
// Focus on common system policy locations that hold UAC settings
| where RK has "\\policies\\system" or RK has "\\system\\currentcontrolset\\policies\\system" or RK has "\\microsoft\\windows\\currentversion\\policies\\system" or RK has "\\system\\currentcontrolset\\control\\lsa" or RK has "software\\microsoft\\windows\\currentversion\\policies\\system"
// Match value data that represents 0 (decimal 0, hex 0, or dword:00000000 style)
| where RVD matches regex @"(?i)^\s*(?:0|0x0|dword:0+)\s*$"
// UAC-related registry value names (normalized to lower-case)
| where RVN in ("consentpromptbehavioradmin","consentpromptbehavioruser","enablelua","promptonsecuredesktop","filteradministratortoken","enableinstallerdetection")
// Keep relevant context fields (use initiating process account/name fields that exist on DeviceRegistryEvents)
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData, ActionType, ReportId
// Summarize for easier triage
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Count=count(), AnyProcess=any(InitiatingProcessFileName), AnyCmdLine=any(InitiatingProcessCommandLine), InitiatingAccounts=make_set(InitiatingProcessAccountName) by DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData
| order by FirstSeen desc | Correct | 2 | 35.42s | 0.0089 |
gpt-5-nano-high | ConsentPromptBehaviorAdmin | let defaultWindow = 24h; // default to last 24 hours; the caller may override this via timerange
DeviceRegistryEvents
| where TimeGenerated >= ago(defaultWindow)
| where RegistryKey contains "\\Policies\\System" or RegistryKey contains "Policies\\System"
| where RegistryValueData == "0"
| where RegistryValueName in ("ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser")
| project TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessCreationTime
| sort by TimeGenerated desc | Correct | 4 | 87.57s | 0.0059 |
gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0068 |
grok-3-beta | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
| where RegistryKey contains 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
| where RegistryValueName == 'ConsentPromptBehaviorAdmin'
| where RegistryValueData == '0'
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 9.26s | 0.0227 |
grok-3-mini-beta | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
| where ActionType == 'RegistryValueSet' // Filter for registry write actions
| where RegistryKey contains 'Policies\\System' // Target the System policy path
| where RegistryValueData == '0' // Match entries where the data is set to '0'
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine // Project relevant fields for analysis
| order by Timestamp desc // Order by timestamp for chronological review
| Correct | 1 | 13.96s | 0.0018 |
o1-high | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has "\\Policies\\System"
| where RegistryValueData == "0"
| project TimeGenerated,
DeviceName,
RegistryKey,
RegistryValueName,
RegistryValueData,
InitiatingProcessAccountName,
InitiatingProcessCommandLine,
InitiatingProcessId,
InitiatingProcessParentFileName
| order by TimeGenerated desc | Correct | 1 | 43.78s | 0.3240 |
o1-low | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
| where RegistryKey has "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where isnotempty(RegistryValueData)
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData,
InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine | Correct | 1 | 43.89s | 0.3273 |
o3-high | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
// ‑-- Time range is supplied by the hunting/alert rule, no hard-coded range here ‑--
| where ActionType == "RegistryValueSet" // only consider actual value writes
| where RegistryKey has "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" // UAC policy hive
| where RegistryValueData == "0" // DWORD value set to 0
// Focus on the two knobs used to disable UAC prompts.
| where RegistryValueName in ("EnableLUA", "ConsentPromptBehaviorAdmin")
| project TimeGenerated,
DeviceName,
DeviceId,
RegistryKey,
RegistryValueName,
RegistryValueData,
PreviousRegistryValueData,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
InitiatingProcessSHA256,
ReportId
| order by TimeGenerated desc | Correct | 1 | 39.89s | 0.0228 |
o3-mini-high | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
| where RegistryKey has "Policies\\System"
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 29.36s | 0.0101 |
o3-mini-low | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
| where RegistryKey contains "Policies\\System"
| where RegistryValueData == "0"
| summarize EventCount=count() by RegistryValueName, RegistryKey, RegistryValueData
| project RegistryValueName, RegistryKey, RegistryValueData, EventCount | Correct | 1 | 50.82s | 0.0186 |
o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0482 |
o4-mini-low | ConsentPromptBehaviorAdmin | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
// Only look in the System policy path where UAC settings are stored
| where RegistryKey has_cs "Policies\\System"
// Filter to known UAC-related values
| where RegistryValueName in ("EnableLUA", "ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser", "PromptOnSecureDesktop")
// Match plain '0' or hex–encoded zeros (e.g. '0x00000000')
| where RegistryValueData matches regex "^(0|0x0+|0+)$"
// Return relevant context
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, RegistryKey, RegistryValueName, RegistryValueData
| sort by TimeGenerated desc | Correct | 3 | 80.94s | 0.0289 |