Question Analysis
On a Windows endpoint, commands are no longer being logged to PowerShell history, suggesting PSReadLine settings were altered. Using process execution logs, determine the exact command that was run to set the history save style to 'SaveNothing'.
2f898b81-3e97-4abb-bc3f-a95138988370
Question ID
14/16
Models Correct
1
Valid Answer
88%
Success Rate
Reference Answer
Human-validated correct answer for this question
Set-PSReadlineOption -HistorySaveStyle SaveNothing
Model Performance Comparison
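See how different AI models performed on this question. Status appears to grade the Answer column rather than the query: o1-high and o1-low use the same command-line filter (o1-high only adds a FileName filter) and differ in the answer they reported. Every query below filters on process command-line fields in DeviceProcessEvents, so it finds the change only when the cmdlet was passed on a PowerShell command line, as in the logged `powershell.exe & {Set-PSReadlineOption -HistorySaveStyle SaveNothing}` invocation; the same setting typed into an interactive session or applied from a profile script creates no such process event and would need PowerShell script block logging to detect.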
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | Set-PSReadlineOption -HistorySaveStyle SaveNothing | DeviceProcessEvents
| where FileName in ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "Set-PSReadLineOption"
| where ProcessCommandLine has "HistorySaveStyle"
| where ProcessCommandLine has "SaveNothing"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp desc | Correct | 1 | 8.44s | 0.0032 |
gpt-35-turbo | Set-PSReadlineOption -HistorySaveStyle SaveNothing | DeviceProcessEvents
| where ProcessCommandLine has 'Set-PSReadLineOption -HistorySaveStyle SaveNothing' | Correct | 1 | 3.08s | 0.0030 |
gpt-4-turbo-2024-04-09 | Set-PSReadlineOption -HistorySaveStyle SaveNothing | DeviceProcessEvents
| where ProcessCommandLine contains 'Set-PSReadLineOption' and ProcessCommandLine contains 'SaveNothing'
| project DeviceName, AccountName, ProcessCommandLine, ProcessCreationTime | Correct | 1 | 10.06s | 0.0518 |
gpt-4.1 | Set-PSReadlineOption -HistorySaveStyle SaveNothing | DeviceProcessEvents
| where (FileName =~ "powershell.exe" or FileName =~ "pwsh.exe")
| where ProcessCommandLine has "Set-PSReadLineOption" and ProcessCommandLine has "-HistorySaveStyle" and ProcessCommandLine has "SaveNothing"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FileName, FolderPath
| sort by TimeGenerated desc | Correct | 1 | 7.34s | 0.0112 |
gpt-4.1-finetuned | powershell.exe & {Set-PSReadlineOption -HistorySaveStyle SaveNothing} | DeviceProcessEvents
| where ProcessCommandLine contains "Set-PSReadlineOption"
| where ProcessCommandLine contains "HistorySaveStyle"
| where ProcessCommandLine contains "SaveNothing"
| sort by Timestamp desc
| project-reorder Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, InitiatingProcessParentFileName, FileName, InitiatingProcessId, ProcessId
| Correct | 1 | 7.70s | 0.0130 |
gpt-4.1-mini | Set-PSReadlineOption -HistorySaveStyle SaveNothing | DeviceProcessEvents
| where ProcessCommandLine contains "HistorySaveStyle" and ProcessCommandLine contains "SaveNothing"
| project TimeGenerated, DeviceName, AccountDomain, AccountName, InitiatingProcessFileName, ProcessName = FileName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 2 | 5.03s | 0.0041 |
gpt-4.1-nano | Set-PSReadlineOption -HistorySaveStyle SaveNothing | DeviceProcessEvents
| where TimeGenerated >= ago(7d)
| where FileName in ('powershell.exe', 'pwsh.exe')
| extend CommandLineLower = tolower(ProcessCommandLine)
| where CommandLineLower contains 'set-psreadlineoption' and CommandLineLower contains 'historysavestyle' and CommandLineLower contains 'savenothing'
| project TimeGenerated, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId | Correct | 3 | 23.00s | 0.0012 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0468 |
grok-3-beta | SaveNothing | DeviceProcessEvents
| where ProcessCommandLine contains "Set-PSReadLineOption" and ProcessCommandLine contains "-HistorySaveStyle SaveNothing"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc | Correct | 1 | 8.53s | 0.0200 |
grok-3-mini-beta | "powershell.exe" & {Set-PSReadlineOption -HistorySaveStyle SaveNothing} | DeviceProcessEvents
| where ProcessCommandLine contains "Set-PSReadLineOption -HistorySaveStyle SaveNothing"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 14.41s | 0.0016 |
o1-high | Set-PSReadlineOption | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where ProcessCommandLine has_all ("Set-PSReadLineOption", "SaveNothing")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | Incorrect | 1 | 32.82s | 0.2576 |
o1-low | Set-PSReadLineOption -HistorySaveStyle SaveNothing | DeviceProcessEvents
| where ProcessCommandLine has_all ("Set-PSReadLineOption", "SaveNothing")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 50.22s | 0.3668 |
o3-mini-high | SaveNothing | DeviceProcessEvents
| where (ProcessCommandLine has "SaveNothing" or InitiatingProcessCommandLine has "SaveNothing")
and (ProcessCommandLine has "Set-PSReadlineOption" or InitiatingProcessCommandLine has "Set-PSReadlineOption")
| project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 2 | 30.21s | 0.0233 |
o3-mini-low | SaveNothing | DeviceProcessEvents
| where ProcessCommandLine contains "SaveNothing" or InitiatingProcessCommandLine contains "SaveNothing"
| project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 17.00s | 0.0115 |
o4-mini-high | Set-PSReadlineOption -HistorySaveStyle SaveNothing | DeviceProcessEvents
// Look for PowerShell or PowerShell Core processes
| where FileName in~ ("powershell.exe", "pwsh.exe")
// Identify invocations that disable PSReadLine history logging
| where ProcessCommandLine has "-HistorySaveStyle" and ProcessCommandLine has "SaveNothing"
// Show relevant details
| project TimeGenerated, DeviceName, User = InitiatingProcessAccountName, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 38.63s | 0.0141 |
o4-mini-low | Set-PSReadlineOption -HistorySaveStyle SaveNothing | DeviceProcessEvents
| where TimeGenerated between (startofday(ago(7d)) .. now()) // adjust time filter as needed or rely on external time picker
| where FileName in ("powershell.exe", "pwsh.exe") // include Windows PowerShell and PowerShell Core
| where ProcessCommandLine has "Set-PSReadLineOption" and ProcessCommandLine has "SaveNothing"
| project TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, ProcessCommandLine | Correct | 1 | 20.80s | 0.0094 |