Question Analysis
On a Windows device, examine registry event logs for modifications under the System policies path. Determine which registry value name was altered to disable the shutdown button at login.
6e0d1131-2d7e-4905-8ca5-d6172f05d03d
Question ID
9/23
Models Correct
1
Valid Answer
39%
Success Rate
Reference Answer
Human-validated correct answer for this question
shutdownwithoutlogon
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | shutdownwithoutlogon | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains @"Policies\System"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, ActionType | Correct | 3 | 23.70s | 0.0100 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0114 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2317 |
| gpt-4.1 | shutdownwithoutlogon | DeviceRegistryEvents
| where tolower(RegistryKey) has @"policies\system"
| where ActionType in ("SetValue", "ModifyValue", "ValueModified", "RegistryValueSet")
| where tolower(RegistryValueName) == "shutdownwithoutlogon"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, ActionType | Correct | 2 | 8.73s | 0.0215 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0428 |
| gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0077 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0017 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0477 |
| gpt-5-high | shutdownwithoutlogon | DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryValueModified")
// System policies locations
| where RegistryKey has_any ("\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "\\Policies\\Microsoft\\Windows\\System")
// Value that controls the shutdown button on the logon screen
| where RegistryValueName =~ "ShutdownWithoutLogon"
// Detect it being set to 0 (disabled)
| extend NewValDec = tolong(extract(@"\d+", 0, tostring(RegistryValueData))),
OldValDec = tolong(extract(@"\d+", 0, tostring(PreviousRegistryValueData)))
| where NewValDec == 0 or RegistryValueData has "0x00000000"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData,
InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessSHA256
| order by TimeGenerated desc | Correct | 1 | 116.03s | 0.0508 |
| gpt-5-mini-high | shutdownwithoutlogon | DeviceRegistryEvents
| where (tolower(RegistryKey) contains "\\policies\\system" or tolower(PreviousRegistryKey) contains "\\policies\\system")
| where isnotempty(RegistryValueName) or isnotempty(PreviousRegistryValueName)
| extend ChangedValue = tostring(coalesce(RegistryValueName, PreviousRegistryValueName))
| extend ChangedValueLower = tolower(ChangedValue)
| where ChangedValueLower matches regex @".*(shutdown|shutdownwithoutlogon|noclose|hide|power|close|remove).*"
| project Timestamp, DeviceName, RegistryKey, PreviousRegistryKey, RegistryValueName, PreviousRegistryValueName, RegistryValueData, PreviousRegistryValueData, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
| take 200 | Correct | 1 | 22.48s | 0.0061 |
| gpt-5-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0221 |
| gpt-5-mini-medium | shutdownwithoutlogon | DeviceRegistryEvents
| where RegistryKey contains "\\Policies\\System" or RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where ActionType in ("SetValue", "Modify", "Create", "Write", "Delete") or isnotempty(RegistryValueName) or isnotempty(RegistryValueData)
| where tolower(RegistryValueName) in ("shutdownwithoutlogon","shutdownwithoutlogonui","noclose","shutdownwithoutlogon") or RegistryValueName has_cs "Shutdown" or RegistryValueName has_cs "NoClose"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, RegistryKey, RegistryValueName, RegistryValueType, PreviousRegistryValueData, RegistryValueData
| order by TimeGenerated desc
| summarize Changes = count(), PrevValues = make_set(PreviousRegistryValueData), NewValues = make_set(RegistryValueData), LatestEvent = max(TimeGenerated) by RegistryValueName, DeviceName
| order by LatestEvent desc
| take 50 | Correct | 2 | 31.33s | 0.0075 |
| gpt-5-nano-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0079 |
| gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0064 |
| grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0889 |
| grok-3-mini-beta | shutdownwithoutlogon | DeviceRegistryEvents
| where RegistryKey contains 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\System' or RegistryKey contains 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
| where ActionType has_any ('Set', 'RegistryValueSet')
| where RegistryValueName in~ ('NoClose', 'ShutdownWithoutLogon', 'DisableShutdown')
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData
| order by Timestamp desc | Correct | 3 | 32.63s | 0.0044 |
| o1-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.7958 |
| o1-low | shutdownwithoutlogon | DeviceRegistryEvents
| where Timestamp >= ago(30d)
| where RegistryKey has "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where ActionType in ("RegistryValueSet", "RegistryValueModified", "SetValue", "ModifyValue")
| where RegistryValueName in~ ("DisableShutdownButton", "ShutdownWithoutLogon", "HideShutdownButton")
| project TimeGenerated,
DeviceName,
ActionType,
RegistryKey,
RegistryValueName,
PreviousRegistryValueData,
RegistryValueData,
InitiatingProcessAccountName,
InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 2 | 46.08s | 0.3536 |
| o3-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0752 |
| o3-mini-high | shutdownwithoutlogon | DeviceRegistryEvents
| where RegistryKey has "Policies\\System"
| where RegistryValueData == "0"
| summarize EventCount = count() by RegistryValueName, DeviceName
| order by EventCount desc | Correct | 1 | 11.92s | 0.0123 |
| o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0417 |
| o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0348 |
| o4-mini-low | shutdownwithoutlogon | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey startswith "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| summarize arg_max(TimeGenerated, *) by RegistryValueName
| project TimeGenerated, DeviceName, RegistryValueName, PreviousRegistryValueData, RegistryValueData
| sort by TimeGenerated desc | Correct | 4 | 125.10s | 0.0380 |