// question

On a Windows endpoint, review the registry write events to spot when the WDigest key is altered to permit plaintext credential storage. What registry value name was changed?

Reference KQL answer and model-by-model comparison.

c0413fb5-33e2-40b7-9b6f-60b29f4a7a18
question id
14/23
models correct
1
valid answer
61%
success rate
// reference answer

Human-validated correct answer for this question.

UseLogonCredential
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
no answer
no query generatedfail50.00s0.0186
gpt-35-turbo
no answer
no query generatedfail50.00s0.0112
gpt-4-turbo-2024-04-09
UseLogonCredential
DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey has 'WDigest'
| project DeviceName, TimeGenerated, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
pass19.60s0.0554
gpt-4.1
UseLogonCredential
DeviceRegistryEvents
| where tostring(ActionType) in~ ("RegistryValueSet", "RegistryValueAdd", "RegistryKeyCreated")
| where tolower(RegistryKey) contains "wdigest" or tolower(PreviousRegistryKey) contains "wdigest"
| where tolower(RegistryValueName) == "uselogoncredential" or tolower(PreviousRegistryValueName) == "uselogoncredential"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, PreviousRegistryValueName, RegistryValueData, PreviousRegistryValueData, ActionType
| order by TimeGenerated desc
pass314.36s0.0331
gpt-4.1-finetuned
UseLogonCredential
DeviceRegistryEvents
| where RegistryKey has "SecurityProviders\\WDigest"
| summarize count() by  RegistryValueName
pass315.19s0.0290
gpt-4.1-mini
UseLogonCredential
DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryValueUpdate")
| where RegistryKey has "Wdigest"
| project TimeGenerated, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName
| order by TimeGenerated desc
pass13.61s0.0023
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0012
gpt-4o
no answer
no query generatedfail50.00s0.0516
gpt-5-high
UseLogonCredential
let wdigestPathRegex = @"\\system\\(currentcontrolset|controlset\d+)\\control\\securityproviders\\wdigest";
DeviceRegistryEvents
| where ActionType in~ ("RegistryValueSet","RegistryValueCreated","RegistryValueModified")
| where tolower(RegistryKey) matches regex wdigestPathRegex
| extend NewVal = tostring(RegistryValueData), OldVal = tostring(PreviousRegistryValueData)
// Enablement occurs when UseLogonCredential is set to 1 (from 0/blank)
| where RegistryValueName =~ "UseLogonCredential" and NewVal in~ ("1","0x00000001") and OldVal !in~ ("1","0x00000001")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, ActionType,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass1129.56s0.0614
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0146
gpt-5-mini-low
UseLogonCredential
DeviceRegistryEvents
| where ActionType has_any ("SetValue", "RegSetValue", "SetValueKey", "Modify", "Updated", "Create")
// Filter for registry keys containing "wdigest" (case-insensitive)
| where tolower(RegistryKey) contains "wdigest"
// Look for the specific value name UseLogonCredential (current or previous)
| where tostring(RegistryValueName) == "UseLogonCredential" or tostring(PreviousRegistryValueName) == "UseLogonCredential"
// Also include partial matches like "uselogon" for broader detection
| union (
    DeviceRegistryEvents
    | where tolower(RegistryKey) contains "wdigest"
    | where tolower(tostring(RegistryValueName)) contains "uselogon" or tolower(tostring(PreviousRegistryValueName)) contains "uselogon"
)
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, ActionType, RegistryKey, RegistryValueName, RegistryValueType, RegistryValueData, PreviousRegistryValueName, PreviousRegistryValueData
| sort by TimeGenerated desc
| limit 200
pass215.95s0.0040
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0080
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0072
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0061
grok-3-beta
UseLogonCredential
DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey has 'WDigest'
| where RegistryValueName == 'UseLogonCredential'
| where RegistryValueData contains '1'
| project Timestamp, DeviceId, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain
| order by Timestamp desc
pass431.62s0.0741
grok-3-mini-beta
UseLogonCredential
DeviceRegistryEvents
| where RegistryKey has "WDigest"
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "UseLogonCredential" and RegistryValueData == "1"
| project RegistryValueName, TimeGenerated, DeviceName
pass226.44s0.0030
o1-high
UseLogonCredential
DeviceRegistryEvents
| where RegistryKey has "WDigest"
| where ActionType in ("RegistryValueSet", "RegistryValueModified", "RegistryValueCreated")
| project TimeGenerated, DeviceName, ActionType, RegistryKey, PreviousRegistryValueName, PreviousRegistryValueData,
          RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass114.97s0.1530
o1-low
UseLogonCredential
DeviceRegistryEvents
| where RegistryKey has "WDigest"
| where ActionType in~ ("RegistryValueSet", "RegistryValueModified", "RegistryValueWrite")
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName
| order by TimeGenerated desc
pass118.82s0.1659
o3-high
no answer
no query generatedfail50.00s0.0690
o3-mini-high
UseLogonCredential
DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where ActionType contains "Value"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueName
| sort by TimeGenerated asc

// If you're only interested in unique registry value names that were changed, use the following:
// | summarize ChangedValues = make_set(RegistryValueName)
pass219.09s0.0148
o3-mini-low
UseLogonCredential
DeviceRegistryEvents
| where RegistryKey has "WDigest"
| where ActionType in ("RegistryValueSet", "RegistryValueModified")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, ActionType
| order by TimeGenerated desc
pass110.78s0.0074
o4-mini-high
UseLogonCredential
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has "\\Control\\SecurityProviders\\WDigest"
| where PreviousRegistryValueData == "0" and RegistryValueData == "1"
| distinct RegistryValueName
pass243.94s0.0190
o4-mini-low
UseLogonCredential
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where tolower(RegistryKey) has "\\control\\securityproviders\\wdigest"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, RegistryKey, PreviousRegistryValueName, RegistryValueName, PreviousRegistryValueData, RegistryValueData
| sort by TimeGenerated desc
pass124.26s0.0069