Question Analysis
A Windows host shows evidence of a driver being installed using a built-in utility. Investigate process creation events to find the INF filename that was specified in the add-driver invocation.
cb01b3da-b0e7-4e24-bf6d-de5223526785
Question ID
14/23
Models Correct
1
Valid Answer
61%
Success Rate
Reference Answer
Human-validated correct answer for this question
usbstor.inf
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | acpipmi.inf | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName == "pnputil.exe"
| where ProcessCommandLine contains "-a"
| project Timestamp, DeviceName, ProcessCommandLine | Incorrect | 1 | 7.10s | 0.0028 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0109 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2392 |
| gpt-4.1 | C:\Windows\INF\usbstor.inf | DeviceProcessEvents
| where FileName in~ ("pnputil.exe", "rundll32.exe")
| where ProcessCommandLine has_any ("/add-driver", "add-driver", ".inf")
| extend InfFile=extract(@"([\w\:\\.-]+\.inf)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InfFile, AccountName, InitiatingProcessAccountName | Correct | 1 | 5.85s | 0.0128 |
| gpt-4.1-finetuned | C:\Windows\INF\usbstor.inf (also C:\Windows\INF\acpipmi.inf – either is correct depending on the event of interest) | DeviceProcessEvents
| where InitiatingProcessCommandLine has "inf" | Correct | 3 | 26.89s | 0.0342 |
| gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0082 |
| gpt-4.1-nano | usbstor.inf | DeviceProcessEvents
| where ProcessCommandLine contains "pnputil" or ProcessCommandLine contains "dism"
| where ProcessCommandLine contains "/add-driver" or ProcessCommandLine contains "/install-driver"
| extend INFFileName = extract(@"\\([^\\]+\.inf)", 1, ProcessCommandLine)
| project ProcessCreationTime, ProcessId, DeviceName, ProcessCommandLine, INFFileName
| where isnotempty(INFFileName) | Correct | 3 | 6.63s | 0.0013 |
| gpt-4o | C:\Windows\INF\usbstor.inf | DeviceProcessEvents
| where InitiatingProcessCommandLine contains "add-driver"
| extend INF_FileName = extract(@"[^\s]*\.inf", 0, InitiatingProcessCommandLine)
| project DeviceName, DeviceId, InitiatingProcessCommandLine, INF_FileName, ProcessCreationTime | Correct | 3 | 27.85s | 0.0407 |
| gpt-5-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.3063 |
| gpt-5-mini-high | usbstor.inf | // Find .inf filenames referenced by pnputil/devcon/rundll32 driver-install invocations
union isfuzzy=true
DeviceProcessEvents,
DeviceEvents
| where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine)
| extend Cmdline = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
// Look for known installer utilities or InstallHinfSection calls
| where Cmdline has_cs "pnputil" or Cmdline has_cs "rundll32" or Cmdline has_cs "devcon" or Cmdline contains_cs "InstallHinfSection"
// Split the command line into tokens and normalize
| mv-expand token = split(Cmdline, ' ')
| extend token = trim('\"''', tostring(token))
// Tokens that end with .inf (case-insensitive)
| where tolower(token) endswith ".inf"
| extend inf = token
| project TimeGenerated, DeviceName, DeviceId, ReportId, ProcessId = coalesce(ProcessId, InitiatingProcessId), ProcessFileName = coalesce(FileName, InitiatingProcessFileName), InitiatingProcessId, InitiatingProcessCommandLine, Cmdline, inf
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Count = count(), Cmdlines = make_set(Cmdline, 5), Initiators = make_set(ProcessFileName, 5) by DeviceName, DeviceId, ReportId, ProcessId, inf
| order by FirstSeen desc
| limit 200 | Correct | 4 | 48.69s | 0.0150 |
| gpt-5-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0126 |
| gpt-5-mini-medium | acpipmi.inf | DeviceProcessEvents
| where TimeGenerated between (startofday(ago(7d)) .. now())
// Focus on common Windows utilities used to install drivers
| where tolower(ProcessCommandLine) contains "pnputil"
or tolower(ProcessCommandLine) contains "devcon"
or tolower(ProcessCommandLine) contains "rundll32 setupapi"
or tolower(ProcessCommandLine) contains "setupapi.dll,InstallHinfSection"
or tolower(ProcessCommandLine) contains "install-hinfsection"
// Extract potential .inf filenames from the command line
| extend Cmd = tostring(ProcessCommandLine)
| extend INF = extract(@"([\w:\\\.\-\s]+?\.inf)", 1, Cmd)
| extend INF = trim('\"', INF)
| where isnotempty(INF)
| project TimeGenerated, DeviceName, ProcessId, FileName = ProcessVersionInfoOriginalFileName, ProcessFileName = ProcessVersionInfoOriginalFileName, InitiatingProcessFileName, InitiatingProcessId, AccountName, AccountDomain, ProcessCommandLine = Cmd, INF
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Count = count() by DeviceName, INF, InitiatingProcessFileName, InitiatingProcessId, AccountDomain, AccountName
| order by LastSeen desc
| limit 50 | Incorrect | 1 | 12.78s | 0.0036 |
| gpt-5-nano-high | usbstor.inf | DeviceProcessEvents
| where (InitiatingProcessFileName in ('pnputil.exe','pnputil') or tolower(coalesce(InitiatingProcessCommandLine, ProcessCommandLine)) contains 'add-driver')
| extend CmdLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine)
| extend InfPath = extract(@"(?i)([A-Za-z]:\\.*?\.inf)", 1, CmdLine)
| extend InfPath = iff(isempty(InfPath), "", InfPath)
| extend InfFileName = extract(@"([^\\]+\.inf)$", 1, InfPath)
| project TimeGenerated, DeviceName, InitiatingProcessId, InitiatingProcessFileName, CmdLine, InfPath, InfFileName | Correct | 2 | 70.26s | 0.0050 |
| gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0086 |
| grok-3-beta | usbstor.inf | DeviceProcessEvents
| where ProcessCommandLine contains "pnputil.exe" and ProcessCommandLine contains "add-driver"
| extend InfFileName = extract("add-driver\\s+([^\\s]+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, ProcessCommandLine, InfFileName
| order by Timestamp desc | Correct | 1 | 12.64s | 0.0208 |
| grok-3-mini-beta | C:\Windows\INF\usbstor.inf | DeviceProcessEvents
| where ProcessCommandLine contains 'pnputil' and ProcessCommandLine contains '/add-driver'
| extend INF_File = extract(@'/add-driver\s+([^\s]+\.inf)', 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, ProcessCommandLine, INF_File
| order by TimeGenerated desc | Correct | 1 | 11.58s | 0.0016 |
| o1-high | C:\Windows\INF\usbstor.inf | DeviceProcessEvents
| where ActionType in ("Create", "ProcessCreated")
| where ProcessCommandLine has "add-driver"
| where ProcessCommandLine has_any ("dism", "pnputil")
| extend INFFile = extract(@'([A-Za-z]?:\\[^\s]+\.inf)', 0, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, INFFile
| order by TimeGenerated desc | Correct | 2 | 45.76s | 0.3658 |
| o1-low | usbstor.inf | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where tolower(ProcessCommandLine) has "add-driver" and tolower(ProcessCommandLine) has ".inf"
| extend InfFile = extract(@"(\\S+\\.inf)", 1, tolower(ProcessCommandLine))
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InfFile | Correct | 1 | 27.49s | 0.1971 |
| o3-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.1058 |
| o3-mini-high | usbstor.inf | DeviceProcessEvents
| where InitiatingProcessCommandLine has "add-driver"
| extend INFFile = extract("(?i)/add-driver\\s+([^\\s]+\\.inf)", 1, InitiatingProcessCommandLine)
| where isnotempty(INFFile)
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, INFFile
| order by TimeGenerated desc | Correct | 2 | 31.74s | 0.0149 |
| o3-mini-low | usbstor.inf | DeviceProcessEvents
| where ProcessCommandLine contains "add-driver" and ProcessCommandLine contains ".inf"
| extend INFFile = extract(@"(\S+\.inf)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, ProcessCommandLine, INFFile
| order by TimeGenerated desc | Correct | 1 | 17.83s | 0.0088 |
| o4-mini-high | usbstor.inf | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName has_any ("pnputil.exe", "dism.exe", "devcon.exe")
| where ProcessCommandLine contains ".inf"
| extend InfFile = extract(@"(?i)([^\s]+\.inf)", 1, ProcessCommandLine)
| where isnotempty(InfFile)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, ProcessCommandLine, InfFile | Correct | 3 | 99.02s | 0.0378 |
| o4-mini-low | usbstor.inf | DeviceProcessEvents
| where FileName in ("pnputil.exe", "dism.exe")
and (ProcessCommandLine has "add-driver" or ProcessCommandLine has "/add-driver")
| extend InfFile = extract(@"(?i)(?:add-driver|/add-driver)\s+""?([^""\s]+\.inf)""?", 1, ProcessCommandLine)
| where isnotempty(InfFile)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, InfFile | Correct | 3 | 82.38s | 0.0309 |