Question Analysis
On a Windows endpoint, review the registry write events to spot when the WDigest key is altered to permit plaintext credential storage. What registry value name was changed?
Question ID: c0413fb5-33e2-40b7-9b6f-60b29f4a7a18
Models Correct: 12/16
Valid Answer: 1
Success Rate: 75%
Reference Answer (human-validated correct answer for this question): UseLogonCredential
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0186 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0112 |
gpt-4-turbo-2024-04-09 | UseLogonCredential | DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey has 'WDigest'
| project DeviceName, TimeGenerated, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | Correct | 1 | 9.60s | 0.0554 |
gpt-4.1 | UseLogonCredential | DeviceRegistryEvents
| where tostring(ActionType) in~ ("RegistryValueSet", "RegistryValueAdd", "RegistryKeyCreated")
| where tolower(RegistryKey) contains "wdigest" or tolower(PreviousRegistryKey) contains "wdigest"
| where tolower(RegistryValueName) == "uselogoncredential" or tolower(PreviousRegistryValueName) == "uselogoncredential"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, PreviousRegistryValueName, RegistryValueData, PreviousRegistryValueData, ActionType
| order by TimeGenerated desc | Correct | 3 | 14.36s | 0.0331 |
gpt-4.1-finetuned | UseLogonCredential | DeviceRegistryEvents
| where RegistryKey has "SecurityProviders\\WDigest"
| summarize count() by RegistryValueName | Correct | 3 | 15.19s | 0.0290 |
gpt-4.1-mini | UseLogonCredential | DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryValueUpdate")
| where RegistryKey has "Wdigest"
| project TimeGenerated, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 3.61s | 0.0023 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0012 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0516 |
grok-3-beta | UseLogonCredential | DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey has 'WDigest'
| where RegistryValueName == 'UseLogonCredential'
| where RegistryValueData contains '1'
| project Timestamp, DeviceId, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain
| order by Timestamp desc | Correct | 4 | 31.62s | 0.0741 |
grok-3-mini-beta | UseLogonCredential | DeviceRegistryEvents
| where RegistryKey has "WDigest"
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "UseLogonCredential" and RegistryValueData == "1"
| project RegistryValueName, TimeGenerated, DeviceName | Correct | 2 | 26.44s | 0.0030 |
o1-high | UseLogonCredential | DeviceRegistryEvents
| where RegistryKey has "WDigest"
| where ActionType in ("RegistryValueSet", "RegistryValueModified", "RegistryValueCreated")
| project TimeGenerated, DeviceName, ActionType, RegistryKey, PreviousRegistryValueName, PreviousRegistryValueData,
RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 14.97s | 0.1530 |
o1-low | UseLogonCredential | DeviceRegistryEvents
| where RegistryKey has "WDigest"
| where ActionType in~ ("RegistryValueSet", "RegistryValueModified", "RegistryValueWrite")
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 18.82s | 0.1659 |
o3-mini-high | UseLogonCredential | DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where ActionType contains "Value"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueName
| sort by TimeGenerated asc
// If you're only interested in unique registry value names that were changed, use the following:
// | summarize ChangedValues = make_set(RegistryValueName) | Correct | 2 | 19.09s | 0.0148 |
o3-mini-low | UseLogonCredential | DeviceRegistryEvents
| where RegistryKey has "WDigest"
| where ActionType in ("RegistryValueSet", "RegistryValueModified")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, ActionType
| order by TimeGenerated desc | Correct | 1 | 10.78s | 0.0074 |
o4-mini-high | UseLogonCredential | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has "\\Control\\SecurityProviders\\WDigest"
| where PreviousRegistryValueData == "0" and RegistryValueData == "1"
| distinct RegistryValueName | Correct | 2 | 43.94s | 0.0190 |
o4-mini-low | UseLogonCredential | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where tolower(RegistryKey) has "\\control\\securityproviders\\wdigest"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, RegistryKey, PreviousRegistryValueName, RegistryValueName, PreviousRegistryValueData, RegistryValueData
| sort by TimeGenerated desc | Correct | 1 | 24.26s | 0.0069 |