Question Analysis
A Windows host shows registry modifications in its Boot Configuration Data (BCD) store that enable test signing mode. Investigate which process made this change and identify the exact command it ran to turn test signing on.
bb6b51e1-ab92-45b5-aeea-e410d06405f8
Question ID
4/16
Models Correct
1
Valid Answer
25%
Success Rate
Reference Answer
Human-validated correct answer for this question
bcdedit /set testsigning on
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | bcdedit /set testsigning on | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine contains "bcdedit" and ProcessCommandLine contains "testsigning" and ProcessCommandLine contains "on"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc | Correct | 4 | 48.39s | 0.0244 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0118 |
gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2336 |
gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0598 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0660 |
gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0097 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0017 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0414 |
grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0946 |
grok-3-mini-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0071 |
o1-high | bcdedit.exe | DeviceProcessEvents
| where FileName =~ "bcdedit.exe" or ProcessCommandLine has "bcdedit"
| where ProcessCommandLine has_any ("testsigning", "TestSigning", "TESTSIGNING")
| order by TimeGenerated desc
| project TimeGenerated,
DeviceName,
FileName,
ProcessCommandLine,
FolderPath,
AccountDomain,
AccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
InitiatingProcessTokenElevation
| Correct | 2 | 74.74s | 0.4691 |
o1-low | cmd.exe bcdedit /set testsigning on | // Combine registry events for BCD store changes and processes that ran bcdedit
// to see who or what turned on test signing mode
union
(
DeviceRegistryEvents
| where ActionType in ("SetValue", "ModifyValue", "CreateValue")
// Look for references to the BCD store or test signing in the registry
| where RegistryKey has "BCD" or RegistryValueData has "testsigning"
| project TimeGenerated, DeviceId, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountDomain, InitiatingProcessAccountName
),
(
DeviceProcessEvents
// Look for a process that actually ran bcdedit with a test signing parameter
| where FileName =~ "bcdedit.exe" or ProcessCommandLine has "bcdedit"
| where ProcessCommandLine has "testsigning" // Focus on enabling test signing
| project TimeGenerated, DeviceId, DeviceName, ActionType, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountDomain, InitiatingProcessAccountName
)
| order by TimeGenerated desc | Correct | 2 | 97.97s | 0.5971 |
o3-mini-high | cmd.exe | let RegistryEvents = DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where (tolower(RegistryKey) contains "boot" or tolower(RegistryKey) contains "bcd")
| where (tolower(RegistryValueName) contains "testsign" or tolower(RegistryValueData) contains "on")
| where isnotempty(InitiatingProcessCommandLine)
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine;
let ProcessEvents = DeviceProcessEvents
| where tolower(ProcessCommandLine) contains "bcdedit"
| where tolower(ProcessCommandLine) contains "testsign"
| project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine;
RegistryEvents
| union ProcessEvents
| order by TimeGenerated desc | Incorrect | 4 | 77.16s | 0.0522 |
o3-mini-low | cmd.exe | union withsource = TableName DeviceRegistryEvents, DeviceProcessEvents
| where ((InitiatingProcessCommandLine contains "bcdedit" or InitiatingProcessCommandLine contains "testsign")
or (ProcessCommandLine contains "bcdedit" and ProcessCommandLine contains "testsign"))
| extend CommandLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine)
| project TimeGenerated, DeviceName, TableName, CommandLine, InitiatingProcessId, ProcessId, RegistryKey, RegistryValueName, RegistryValueData
| sort by TimeGenerated desc | Incorrect | 3 | 78.54s | 0.0556 |
o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0588 |
o4-mini-low | bcdedit.exe | let regEvents = DeviceRegistryEvents
| where ActionType == "SetValue"
and RegistryKey contains "BCD00000000"
and tolower(RegistryValueName) contains "testsign"
| project TimeGenerated,
DeviceName,
InitiatingProcessAccountName,
InitiatingProcessAccountDomain,
InitiatingProcessFileName,
InitiatingProcessId,
InitiatingProcessCommandLine,
RegistryKey,
RegistryValueName,
RegistryValueData;
let procEvents = DeviceProcessEvents
| where tolower(FileName) endswith "bcdedit.exe"
and tolower(ProcessCommandLine) contains "testsign"
| project TimeGenerated,
DeviceName,
InitiatingProcessAccountName,
InitiatingProcessAccountDomain,
InitiatingProcessFileName = FileName,
InitiatingProcessId = ProcessId,
InitiatingProcessCommandLine = ProcessCommandLine,
RegistryKey = "(n/a)",
RegistryValueName = "(n/a)",
RegistryValueData = "(n/a)";
regEvents
| union procEvents
| sort by TimeGenerated desc | Correct | 2 | 69.20s | 0.0161 |