Question Analysis
On a Windows endpoint, review process execution logs to see if any PowerShell sessions were wiped clean. Which command was executed to clear the PowerShell history?
22c779cd-9445-4d3e-a136-f75adbf0315f
Question ID
14/16
Models Correct
1
Valid Answer
88%
Success Rate
Reference Answer
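Human-validated correct answer for this question. Note that `Clear-History` removes entries only from the current session's in-memory command history; it does not clear the PSReadLine history file (`ConsoleHost_history.txt`, at the path returned by `(Get-PSReadLineOption).HistorySavePath`). That is why several of the queries below also look for `Remove-Item` against that file.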
Clear-History
Model Performance Comparison
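See how different AI models performed on this question. Judging by the rows below, the Status column appears to grade the extracted answer against the reference answer, not the quality of the query as a detection. The queries differ in case sensitivity (`contains_cs` versus `has`/`contains`) and in whether `pwsh.exe` is covered alongside `powershell.exe`. A few also mix `or` and `and` without parentheses, and because KQL binds `and` more tightly than `or`, they may match more or less than intended. Review a query before reusing it as a hunting rule.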
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | Clear-History | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "powershell.exe"
| where ProcessCommandLine contains_cs "Clear-History"
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine | Correct | 1 | 16.25s | 0.0080 |
gpt-35-turbo | Clear-History | DeviceProcessEvents | where ProcessCommandLine has 'powershell' and ProcessCommandLine has 'Clear-History' | project DeviceName, ProcessId, ProcessCreationTime, ProcessCommandLine | Correct | 1 | 1.83s | 0.0024 |
gpt-4-turbo-2024-04-09 | Clear-History | DeviceProcessEvents
| where FileName == 'powershell.exe' or FileName == 'pwsh.exe'
| where ProcessCommandLine contains 'Clear-History' or ProcessCommandLine contains 'Remove-Item' and ProcessCommandLine contains '-Path' and ProcessCommandLine contains 'ConsoleHost_history.txt'
| project DeviceName, AccountName, ProcessCommandLine, TimeGenerated | Correct | 1 | 10.46s | 0.0505 |
gpt-4.1 | Clear-History | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Remove-Item", "Clear-History", "del", "Erase")
and (ProcessCommandLine has "(Get-PSReadlineOption).HistorySavePath" or ProcessCommandLine has "ConsoleHost_history.txt" or ProcessCommandLine has "Clear-History")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, InitiatingProcessCommandLine | Correct | 1 | 7.61s | 0.0121 |
gpt-4.1-finetuned | powershell.exe & {Clear-History} | DeviceProcessEvents
| where ProcessCommandLine has_any ("Clear-History", "cls", "Clear-Host")
| where InitiatingProcessFileName =~ "powershell.exe"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by DeviceName, InitiatingProcessAccountSid, SHA1, ProcessCommandLine
| extend Name = tostring(split(InitiatingProcessAccountSid,'-')[-1])
| extend NTDomain = tostring(split(InitiatingProcessAccountSid,'-')[-2])
| extend Account = strcat(NTDomain, '\\', Name)
| project-away Name, NTDomain
| order by StartTime asc, EndTime desc | Correct | 2 | 28.46s | 0.0143 |
gpt-4.1-mini | Clear-History | DeviceProcessEvents
| where FileName in ('powershell.exe', 'pwsh.exe')
// Look for commands related to clearing history
| where ProcessCommandLine has "Clear-History" or ProcessCommandLine has "Remove-Item" or ProcessCommandLine has "-Path" and (ProcessCommandLine contains "ConsoleHost_history.txt" or ProcessCommandLine contains "PSReadline")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ProcessCreationTime
| order by TimeGenerated desc | Correct | 2 | 26.93s | 0.0055 |
gpt-4.1-nano | remove-item | DeviceProcessEvents
| where FileName contains "powershell" or InitiatingProcessFileName contains "powershell.exe"
| where InitiatingProcessCommandLine contains "Clear-History" or InitiatingProcessCommandLine contains "Remove-Item" or InitiatingProcessCommandLine contains "Get-PSReadLineOption"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated desc | Incorrect | 2 | 20.74s | 0.0010 |
gpt-4o | Clear-History | DeviceProcessEvents
| where ProcessCommandLine has "Clear-History"
| project DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, ProcessCreationTime, InitiatingProcessCreationTime | Correct | 1 | 3.09s | 0.0140 |
grok-3-beta | Clear-History | DeviceProcessEvents
| where FileName in ('powershell.exe', 'pwsh.exe')
| where ProcessCommandLine has_any ('clear-history', 'delete history', 'remove history', 'clear history')
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| order by Timestamp desc | Correct | 1 | 8.10s | 0.0197 |
grok-3-mini-beta | Clear-History | DeviceProcessEvents
| where FileName =~ 'powershell.exe'
| where ProcessCommandLine contains 'Clear-History'
| project TimeGenerated, DeviceName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 10.83s | 0.0015 |
o1-high | Clear-History | DeviceProcessEvents
| where FileName in ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Clear-History", "Remove-History", "Remove-Item", "HistorySavePath")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 38.78s | 0.3039 |
o1-low | Remove-Item | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where isnotempty(ProcessCommandLine)
| where ProcessCommandLine has_any ("Remove-Item", "Clear-History")
and ProcessCommandLine has_any ("Get-PSReadLineOption", "HistorySavePath")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCreationTime, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Incorrect | 1 | 21.32s | 0.1785 |
o3-mini-high | Clear-History | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "Clear-History"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 11.64s | 0.0087 |
o3-mini-low | Clear-History | DeviceProcessEvents
| where FileName has "powershell.exe"
| where ProcessCommandLine has "Clear-History"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | Correct | 1 | 16.46s | 0.0093 |
o4-mini-high | Clear-History | DeviceProcessEvents
| where ProcessCommandLine has "powershell.exe" or ProcessCommandLine has "pwsh.exe"
| where
(ProcessCommandLine has "Clear-History")
or (ProcessCommandLine has "ClearHistory(")
or (ProcessCommandLine has "PSConsoleReadLine::ClearHistory")
or (ProcessCommandLine has "Remove-Item" and ProcessCommandLine has "ConsoleHost_history.txt")
or (ProcessCommandLine has "Set-PSReadLineOption" and ProcessCommandLine has "HistorySaveStyle SaveNothing")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 3 | 55.35s | 0.0238 |
o4-mini-low | Clear-History | DeviceProcessEvents
| where FileName endswith "powershell.exe"
| where tolower(ProcessCommandLine) matches regex @"(?i)(clear(-| )history|remove-item\s+.*ConsoleHost_history\.txt)"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 23.51s | 0.0099 |