// question

An attacker has attempted to sideload code by invoking regsvr32.exe in a Windows host against a file that does not use the standard .dll extension. Investigate the process event logs to determine the name of the file that was registered.

Reference KQL answer and model-by-model comparison.

1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421
question id
10/23
models correct
1
valid answer
43%
success rate
// reference answer

Human-validated correct answer for this question.

shell32.jpg
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
shell32.jpg
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName == "regsvr32.exe"
| extend match = extract_all(@'regsvr32.*? (?:"(.*?)"|(\S+))', ProcessCommandLine)
| where array_length(match) > 0
| extend RegisteredFileName = coalesce(match[0][0], match[0][1])
| where isnotempty(RegisteredFileName)
| where not(RegisteredFileName endswith ".dll") and not(RegisteredFileName endswith ".ocx")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, RegisteredFileName, ReportId
pass130.24s0.0189
gpt-35-turbo
regsvr32.exe
DeviceProcessEvents | where FileName !endswith '.dll' | extend index = strcat(ProcessId, AccountName) | where ProcessCommandLine has 'regsvr32.exe' | summarize max(TimeGenerated) by index, FileName
fail25.37s0.0048
gpt-4-turbo-2024-04-09
shell32.jpg
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'regsvr32.exe' or InitiatingProcessCommandLine has 'regsvr32.exe'
| extend fileExtension = tostring(split(FileName, '.')[1])
| where FileName !endswith '.dll'
| project DeviceName, FileName, InitiatingProcessCommandLine, TimeGenerated
pass215.87s0.0979
gpt-4.1
shell32.jpg
DeviceProcessEvents
| where FileName =~ "regsvr32.exe"
| where not(ProcessCommandLine has ".dll")
| extend SideloadedFile = extract(@"regsvr32\.exe\s+([^\s]+)", 1, ProcessCommandLine)
| where isnotempty(SideloadedFile) and not(SideloadedFile endswith ".dll")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, SideloadedFile
pass319.47s0.0214
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0514
gpt-4.1-mini
no answer
no query generatedfail50.00s0.0078
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0018
gpt-4o
no answer
no query generatedfail50.00s0.0645
gpt-5-high
no answer
no query generatedfail50.00s0.3539
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0251
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0162
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0192
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0107
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0110
grok-3-beta
no answer
no query generatedfail50.00s0.0862
grok-3-mini-beta
shell32.jpg
DeviceProcessEvents
| where FileName == 'regsvr32.exe'
| extend filePart = extract(@'[^\\]+$', 0, ProcessCommandLine)  // Extract the last part of the command line, assuming it's the file name
| extend extension = tolower(extract(@'\.([^\.]+)$', 1, filePart))  // Extract and lowercase the file extension
| where extension != 'dll' and isnotnull(extension)  // Filter for files not ending with .dll
| project FileName, ProcessCommandLine, filePart  // Project relevant fields to show the file name
pass116.73s0.0016
o1-high
shell32.jpg
DeviceProcessEvents
| where FileName =~ "regsvr32.exe"
| where isnotempty(ProcessCommandLine)
| where not(ProcessCommandLine has ".dll")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
pass129.92s0.2244
o1-low
shell32.jpg
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "regsvr32.exe"
| where not(tolower(ProcessCommandLine) has ".dll")
| project TimeGenerated, DeviceName, ProcessCommandLine, FolderPath, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass128.36s0.2249
o3-high
no answer
no query generatedfail50.00s0.0989
o3-mini-high
shell32.jpg
DeviceProcessEvents
| where tolower(ProcessCommandLine) has "regsvr32.exe"
| where not(tolower(ProcessCommandLine) has ".dll")
| extend RegisteredFile = extract("regsvr32\\.exe\\s+(?:/[^\\s]+\\s+)*([^\\s]+)", 1, ProcessCommandLine)
| where isnotempty(RegisteredFile)
| project TimeGenerated, DeviceName, ProcessCommandLine, RegisteredFile
pass341.48s0.0297
o3-mini-low
shell32.jpg
DeviceProcessEvents
| where ProcessCommandLine contains "regsvr32.exe"
| extend SideloadedFile = extract("regsvr32\\.exe\\s+['\"]?([^'\"]+)", 1, ProcessCommandLine)
| where isnotempty(SideloadedFile) and tolower(SideloadedFile) !endswith ".dll"
| project TimeGenerated, DeviceName, ProcessCommandLine, SideloadedFile
pass223.69s0.0217
o4-mini-high
shell32.jpg
DeviceProcessEvents
| where tolower(FileName) == "regsvr32.exe"
| where isnotempty(ProcessCommandLine)
// Extract the arguments string after 'regsvr32.exe'
| parse ProcessCommandLine with * "regsvr32.exe" rest:string
// Split on spaces and take the first token as the target file
| extend args = split(rest, " ")
| extend RegisteredFile = trim('"', tostring(args[0]))
// Filter out switches (starting with '/') and standard .dll targets
| where RegisteredFile !startswith "/"
| where tolower(RegisteredFile) !endswith ".dll"
| project TimeGenerated, DeviceName, AccountName, RegisteredFile, ProcessCommandLine
| sort by TimeGenerated desc
pass5157.74s0.0433
o4-mini-low
shell32.jpg
DeviceProcessEvents
| where FileName == "regsvr32.exe"
// Extract the first non-switch argument (the target file)
| extend TargetFile = extract(@"(?:regsvr32(?:\.exe)?)(?:\s+/\w+)*\s+([^\s]+)", 1, ProcessCommandLine)
// Only include files that don’t end in .dll
| where isnotempty(TargetFile) and tolower(TargetFile) !endswith ".dll"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, ProcessCommandLine, TargetFile
| sort by TimeGenerated desc
pass134.24s0.0084