// question

A Windows user’s registry was altered via a command-line tool to disable the lock workstation feature by adding a DWORD entry under the current user Policies\System key. Which registry value name was modified in this operation?

Reference KQL answer and model-by-model comparison.

3dacb0d2-46ee-4c27-ac1b-f9886bf91a56
question id
7/23
models correct
1
valid answer
30%
success rate
// reference answer

Human-validated correct answer for this question.

DisableLockWorkstation
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
no answer
no query generatedfail50.00s0.0258
gpt-35-turbo
no answer
no query generatedfail50.00s0.0113
gpt-4-turbo-2024-04-09
PromptOnSecureDesktop
DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey has 'Policies\\System' and (InitiatingProcessCommandLine has 'cmd.exe' or InitiatingProcessCommandLine has 'powershell.exe')
| project DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, InitiatingProcessCommandLine, TimeGenerated
fail436.59s0.2441
gpt-4.1
DisableLockWorkstation
DeviceRegistryEvents
| where RegistryKey endswith @"\Software\Microsoft\Windows\CurrentVersion\Policies\System"
      or RegistryKey endswith @"\Policies\System"
| where (tolower(RegistryValueName) == "disablelockworkstation")
      and tolower(RegistryValueType) == "dword"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueType, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
pass110.54s0.0121
gpt-4.1-finetuned
DisableLockWorkstation
DeviceRegistryEvents
| where RegistryKey has "CurrentVersion\\Policies\\System"
| summarize by RegistryValueName
pass428.72s0.0311
gpt-4.1-mini
no answer
no query generatedfail50.00s0.0052
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0015
gpt-4o
no answer
no query generatedfail50.00s0.0522
gpt-5-high
DisableLockWorkstation
let cmdline_tools = dynamic(["reg.exe","cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe"]);
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where tolower(RegistryKey) has "\\software\\microsoft\\windows\\currentversion\\policies\\system"
| where RegistryKey startswith "HKEY_USERS" or RegistryKey startswith "HKEY_CURRENT_USER" or RegistryKey startswith "HKU" or RegistryKey startswith "HKCU"
| where tostring(RegistryValueType) contains "DWORD"
| where tolower(InitiatingProcessFileName) in (cmdline_tools) or InitiatingProcessCommandLine has_any ("reg add","Set-ItemProperty","New-ItemProperty")
| summarize LastSeen=max(TimeGenerated) by DeviceId, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by LastSeen desc
| project RegistryValueName
| distinct RegistryValueName
pass2134.79s0.0731
gpt-5-mini-high
DisableLockWorkstation
DeviceRegistryEvents
| where RegistryKey has 'Policies\\System' or RegistryKey has 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
| where tolower(RegistryValueType) contains 'dword'
| where (
    InitiatingProcessCommandLine has 'reg ' or
    InitiatingProcessCommandLine has 'reg.exe' or
    InitiatingProcessCommandLine has 'reg add' or
    InitiatingProcessCommandLine has 'New-ItemProperty' or
    InitiatingProcessCommandLine has 'Set-ItemProperty' or
    InitiatingProcessFileName in~ ("reg.exe", "powershell.exe", "cmd.exe")
)
| summarize Count = count(), LastSeen = max(TimeGenerated) by RegistryValueName, RegistryValueData
| sort by LastSeen desc
| project RegistryValueName, RegistryValueData, Count, LastSeen
pass126.04s0.0069
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0163
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0138
gpt-5-nano-high
PromptOnSecureDesktop
DeviceRegistryEvents
| where RegistryKey contains "Policies\\System"
| where InitiatingProcessCommandLine has_any ("cmd.exe", "powershell", "reg.exe")
| where isnotempty(RegistryValueName)
| summarize Count = count() by RegistryValueName, RegistryKey
| order by Count desc
| take 1
| project RegistryValueName, RegistryKey, Count
fail379.02s0.0047
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0063
grok-3-beta
no answer
no query generatedfail50.00s0.0876
grok-3-mini-beta
ModifiedValues
DeviceRegistryEvents
| where RegistryKey contains 'HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System'
| where RegistryValueType == 'REG_DWORD'
| where ActionType == 'RegistryValueSet'
| distinct RegistryValueName
| summarize ModifiedValues = make_set(RegistryValueName)
fail343.67s0.0047
o1-high
no answer
no query generatedfail50.00s0.7382
o1-low
no answer
no query generatedfail50.00s0.7519
o3-high
DisableLockWorkstation
// Registry value added / modified to disable the “Lock Workstation” option
let TargetPath = @"\Software\Microsoft\Windows\CurrentVersion\Policies\System";
DeviceRegistryEvents
| where ActionType in ("RegistryValueSet","RegistryValueModified","RegistryKeyValueSet")
// HKCU path only (current user)
| where RegistryKey startswith_cs "HKEY_CURRENT_USER" or RegistryKey startswith_cs "HKCU"
| where RegistryKey has_cs TargetPath
// Evidence that change came from a script / CLI tool
| where InitiatingProcessFileName in~ ("reg.exe","powershell.exe","cmd.exe","regini.exe","regedit.exe")
        or InitiatingProcessCommandLine has_any ("reg add","New-ItemProperty","Set-ItemProperty")
// Answer: which value name(s) were changed?
| summarize LastWrite = arg_max(TimeGenerated, RegistryValueData, InitiatingProcessFileName,
                                InitiatingProcessCommandLine, InitiatingProcessAccountName,
                                RegistryKey) by RegistryValueName, DeviceName
| project LastWrite, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
| order by LastWrite desc
pass5104.43s0.0845
o3-mini-high
no answer
no query generatedfail50.00s0.0324
o3-mini-low
DisableLockWorkstation
DeviceRegistryEvents
| where RegistryKey has "Policies\\System"
| where RegistryValueType has "DWORD"
| where isnotempty(InitiatingProcessCommandLine)
| distinct RegistryValueName
pass121.69s0.0100
o4-mini-high
DisableLockWorkstation
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
// Only DWORD-type value changes
| where RegistryValueType has "DWORD"
// Target the current user Policies\System key (where DisableLockWorkstation is stored)
| where RegistryKey has @"\Software\Microsoft\Windows\CurrentVersion\Policies\System"
// Detect use of reg.exe (reg add) for the modification
| where InitiatingProcessFileName has_cs "reg.exe" or InitiatingProcessCommandLine has_cs "reg add"
// Return the registry value name and related context
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
| order by TimeGenerated desc
pass2101.59s0.0241
o4-mini-low
no answer
no query generatedfail50.00s0.0390