Question Analysis
A Windows user’s registry was altered via a command-line tool to disable the lock workstation feature by adding a DWORD entry under the current user Policies\System key. Which registry value name was modified in this operation?
3dacb0d2-46ee-4c27-ac1b-f9886bf91a56
Question ID
4/16
Models Correct
1
Valid Answer
25%
Success Rate
Reference Answer
Human-validated correct answer for this question
DisableLockWorkstation
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0258 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0113 |
| gpt-4-turbo-2024-04-09 | PromptOnSecureDesktop | DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey has 'Policies\\System' and (InitiatingProcessCommandLine has 'cmd.exe' or InitiatingProcessCommandLine has 'powershell.exe')
| project DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, InitiatingProcessCommandLine, TimeGenerated | Incorrect | 4 | 36.59s | 0.2441 |
| gpt-4.1 | DisableLockWorkstation | DeviceRegistryEvents
| where RegistryKey endswith @"\Software\Microsoft\Windows\CurrentVersion\Policies\System"
or RegistryKey endswith @"\Policies\System"
| where (tolower(RegistryValueName) == "disablelockworkstation")
and tolower(RegistryValueType) == "dword"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueType, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine | Correct | 1 | 10.54s | 0.0121 |
| gpt-4.1-finetuned | DisableLockWorkstation | DeviceRegistryEvents
| where RegistryKey has "CurrentVersion\\Policies\\System"
| summarize by RegistryValueName
| Correct | 4 | 28.72s | 0.0311 |
| gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0052 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0015 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0522 |
| grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0876 |
| grok-3-mini-beta | ModifiedValues | DeviceRegistryEvents
| where RegistryKey contains 'HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System'
| where RegistryValueType == 'REG_DWORD'
| where ActionType == 'RegistryValueSet'
| distinct RegistryValueName
| summarize ModifiedValues = make_set(RegistryValueName) | Incorrect | 3 | 43.67s | 0.0047 |
| o1-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.7382 |
| o1-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.7519 |
| o3-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0324 |
| o3-mini-low | DisableLockWorkstation | DeviceRegistryEvents
| where RegistryKey has "Policies\\System"
| where RegistryValueType has "DWORD"
| where isnotempty(InitiatingProcessCommandLine)
| distinct RegistryValueName | Correct | 1 | 21.69s | 0.0100 |
| o4-mini-high | DisableLockWorkstation | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
// Only DWORD-type value changes
| where RegistryValueType has "DWORD"
// Target the current user Policies\System key (where DisableLockWorkstation is stored)
| where RegistryKey has @"\Software\Microsoft\Windows\CurrentVersion\Policies\System"
// Detect use of reg.exe (reg add) for the modification
| where InitiatingProcessFileName has_cs "reg.exe" or InitiatingProcessCommandLine has_cs "reg add"
// Return the registry value name and related context
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
| order by TimeGenerated desc | Correct | 2 | 101.59s | 0.0241 |
| o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0390 |