Question Analysis
A Windows host shows evidence of a driver being installed using a built-in utility. Investigate process creation events to find the INF filename that was specified in the add-driver invocation.
Question ID: cb01b3da-b0e7-4e24-bf6d-de5223526785
Models Correct: 12/16
Valid Answer: 1
Success Rate: 75%
Reference Answer
Human-validated correct answer for this question
usbstor.inf
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | acpipmi.inf | `DeviceProcessEvents \| where ActionType == "ProcessCreated" \| where FileName == "pnputil.exe" \| where ProcessCommandLine contains "-a" \| project Timestamp, DeviceName, ProcessCommandLine` | Incorrect | 1 | 7.10s | 0.0028 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0109 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2392 |
| gpt-4.1 | C:\Windows\INF\usbstor.inf | `DeviceProcessEvents \| where FileName in~ ("pnputil.exe", "rundll32.exe") \| where ProcessCommandLine has_any ("/add-driver", "add-driver", ".inf") \| extend InfFile=extract(@"([\w\:\\.-]+\.inf)", 1, ProcessCommandLine) \| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InfFile, AccountName, InitiatingProcessAccountName` | Correct | 1 | 5.85s | 0.0128 |
| gpt-4.1-finetuned | C:\Windows\INF\usbstor.inf (also C:\Windows\INF\acpipmi.inf – either is correct depending on the event of interest) | `DeviceProcessEvents \| where InitiatingProcessCommandLine has "inf"` | Correct | 3 | 26.89s | 0.0342 |
| gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0082 |
| gpt-4.1-nano | usbstor.inf | `DeviceProcessEvents \| where ProcessCommandLine contains "pnputil" or ProcessCommandLine contains "dism" \| where ProcessCommandLine contains "/add-driver" or ProcessCommandLine contains "/install-driver" \| extend INFFileName = extract(@"\\([^\\]+\.inf)", 1, ProcessCommandLine) \| project ProcessCreationTime, ProcessId, DeviceName, ProcessCommandLine, INFFileName \| where isnotempty(INFFileName)` | Correct | 3 | 6.63s | 0.0013 |
| gpt-4o | C:\Windows\INF\usbstor.inf | `DeviceProcessEvents \| where InitiatingProcessCommandLine contains "add-driver" \| extend INF_FileName = extract(@"[^\s]*\.inf", 0, InitiatingProcessCommandLine) \| project DeviceName, DeviceId, InitiatingProcessCommandLine, INF_FileName, ProcessCreationTime` | Correct | 3 | 27.85s | 0.0407 |
| grok-3-beta | usbstor.inf | `DeviceProcessEvents \| where ProcessCommandLine contains "pnputil.exe" and ProcessCommandLine contains "add-driver" \| extend InfFileName = extract("add-driver\\s+([^\\s]+)", 1, ProcessCommandLine) \| project Timestamp, DeviceName, ProcessCommandLine, InfFileName \| order by Timestamp desc` | Correct | 1 | 12.64s | 0.0208 |
| grok-3-mini-beta | C:\Windows\INF\usbstor.inf | `DeviceProcessEvents \| where ProcessCommandLine contains 'pnputil' and ProcessCommandLine contains '/add-driver' \| extend INF_File = extract(@'/add-driver\s+([^\s]+\.inf)', 1, ProcessCommandLine) \| project TimeGenerated, DeviceName, ProcessCommandLine, INF_File \| order by TimeGenerated desc` | Correct | 1 | 11.58s | 0.0016 |
| o1-high | C:\Windows\INF\usbstor.inf | `DeviceProcessEvents \| where ActionType in ("Create", "ProcessCreated") \| where ProcessCommandLine has "add-driver" \| where ProcessCommandLine has_any ("dism", "pnputil") \| extend INFFile = extract(@'([A-Za-z]?:\\[^\s]+\.inf)', 0, ProcessCommandLine) \| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, INFFile \| order by TimeGenerated desc` | Correct | 2 | 45.76s | 0.3658 |
| o1-low | usbstor.inf | `DeviceProcessEvents \| where ActionType == "ProcessCreated" \| where tolower(ProcessCommandLine) has "add-driver" and tolower(ProcessCommandLine) has ".inf" \| extend InfFile = extract(@"(\\S+\\.inf)", 1, tolower(ProcessCommandLine)) \| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InfFile` | Correct | 1 | 27.49s | 0.1971 |
| o3-mini-high | usbstor.inf | `DeviceProcessEvents \| where InitiatingProcessCommandLine has "add-driver" \| extend INFFile = extract("(?i)/add-driver\\s+([^\\s]+\\.inf)", 1, InitiatingProcessCommandLine) \| where isnotempty(INFFile) \| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, INFFile \| order by TimeGenerated desc` | Correct | 2 | 31.74s | 0.0149 |
| o3-mini-low | usbstor.inf | `DeviceProcessEvents \| where ProcessCommandLine contains "add-driver" and ProcessCommandLine contains ".inf" \| extend INFFile = extract(@"(\S+\.inf)", 1, ProcessCommandLine) \| project TimeGenerated, DeviceName, ProcessCommandLine, INFFile \| order by TimeGenerated desc` | Correct | 1 | 17.83s | 0.0088 |
| o4-mini-high | usbstor.inf | `DeviceProcessEvents \| where ActionType == "ProcessCreated" \| where FileName has_any ("pnputil.exe", "dism.exe", "devcon.exe") \| where ProcessCommandLine contains ".inf" \| extend InfFile = extract(@"(?i)([^\s]+\.inf)", 1, ProcessCommandLine) \| where isnotempty(InfFile) \| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, ProcessCommandLine, InfFile` | Correct | 3 | 99.02s | 0.0378 |
| o4-mini-low | usbstor.inf | `DeviceProcessEvents \| where FileName in ("pnputil.exe", "dism.exe") and (ProcessCommandLine has "add-driver" or ProcessCommandLine has "/add-driver") \| extend InfFile = extract(@"(?i)(?:add-driver\|/add-driver)\s+""?([^""\s]+\.inf)""?", 1, ProcessCommandLine) \| where isnotempty(InfFile) \| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, InfFile` | Correct | 3 | 82.38s | 0.0309 |