Question Analysis
On a Windows endpoint, review the registry write events to spot when the WDigest key is altered to permit plaintext credential storage. What registry value name was changed?
Question ID: c0413fb5-33e2-40b7-9b6f-60b29f4a7a18
Models Correct: 14/23
Valid Answer: 1
Success Rate: 61%
Reference Answer
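Human-validated correct answer for this question: the name of the registry value under the WDigest key that, when set to 1, permits plaintext credential storage.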
UseLogonCredential
Model Performance Comparison
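See how different AI models performed on this question. The queries vary in strictness: some return every value write under a registry key containing "WDigest", while others also filter on the value name UseLogonCredential and on its data being 1, which separates enabling plaintext storage from resetting the value to 0.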
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0186 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0112 |
gpt-4-turbo-2024-04-09 | UseLogonCredential | DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey has 'WDigest'
| project DeviceName, TimeGenerated, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | Correct | 1 | 9.60s | 0.0554 |
gpt-4.1 | UseLogonCredential | DeviceRegistryEvents
| where tostring(ActionType) in~ ("RegistryValueSet", "RegistryValueAdd", "RegistryKeyCreated")
| where tolower(RegistryKey) contains "wdigest" or tolower(PreviousRegistryKey) contains "wdigest"
| where tolower(RegistryValueName) == "uselogoncredential" or tolower(PreviousRegistryValueName) == "uselogoncredential"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, PreviousRegistryValueName, RegistryValueData, PreviousRegistryValueData, ActionType
| order by TimeGenerated desc | Correct | 3 | 14.36s | 0.0331 |
gpt-4.1-finetuned | UseLogonCredential | DeviceRegistryEvents
| where RegistryKey has "SecurityProviders\\WDigest"
| summarize count() by RegistryValueName | Correct | 3 | 15.19s | 0.0290 |
gpt-4.1-mini | UseLogonCredential | DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryValueUpdate")
| where RegistryKey has "Wdigest"
| project TimeGenerated, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 3.61s | 0.0023 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0012 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0516 |
gpt-5-high | UseLogonCredential | let wdigestPathRegex = @"\\system\\(currentcontrolset|controlset\d+)\\control\\securityproviders\\wdigest";
DeviceRegistryEvents
| where ActionType in~ ("RegistryValueSet","RegistryValueCreated","RegistryValueModified")
| where tolower(RegistryKey) matches regex wdigestPathRegex
| extend NewVal = tostring(RegistryValueData), OldVal = tostring(PreviousRegistryValueData)
// Enablement occurs when UseLogonCredential is set to 1 (from 0/blank)
| where RegistryValueName =~ "UseLogonCredential" and NewVal in~ ("1","0x00000001") and OldVal !in~ ("1","0x00000001")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, ActionType,
InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 129.56s | 0.0614 |
gpt-5-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0146 |
gpt-5-mini-low | UseLogonCredential | DeviceRegistryEvents
| where ActionType has_any ("SetValue", "RegSetValue", "SetValueKey", "Modify", "Updated", "Create")
// Filter for registry keys containing "wdigest" (case-insensitive)
| where tolower(RegistryKey) contains "wdigest"
// Look for the specific value name UseLogonCredential (current or previous)
| where tostring(RegistryValueName) == "UseLogonCredential" or tostring(PreviousRegistryValueName) == "UseLogonCredential"
// Also include partial matches like "uselogon" for broader detection
| union (
DeviceRegistryEvents
| where tolower(RegistryKey) contains "wdigest"
| where tolower(tostring(RegistryValueName)) contains "uselogon" or tolower(tostring(PreviousRegistryValueName)) contains "uselogon"
)
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, ActionType, RegistryKey, RegistryValueName, RegistryValueType, RegistryValueData, PreviousRegistryValueName, PreviousRegistryValueData
| sort by TimeGenerated desc
| limit 200
| Correct | 2 | 15.95s | 0.0040 |
gpt-5-mini-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0080 |
gpt-5-nano-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0072 |
gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0061 |
grok-3-beta | UseLogonCredential | DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey has 'WDigest'
| where RegistryValueName == 'UseLogonCredential'
| where RegistryValueData contains '1'
| project Timestamp, DeviceId, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain
| order by Timestamp desc | Correct | 4 | 31.62s | 0.0741 |
grok-3-mini-beta | UseLogonCredential | DeviceRegistryEvents
| where RegistryKey has "WDigest"
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "UseLogonCredential" and RegistryValueData == "1"
| project RegistryValueName, TimeGenerated, DeviceName | Correct | 2 | 26.44s | 0.0030 |
o1-high | UseLogonCredential | DeviceRegistryEvents
| where RegistryKey has "WDigest"
| where ActionType in ("RegistryValueSet", "RegistryValueModified", "RegistryValueCreated")
| project TimeGenerated, DeviceName, ActionType, RegistryKey, PreviousRegistryValueName, PreviousRegistryValueData,
RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 14.97s | 0.1530 |
o1-low | UseLogonCredential | DeviceRegistryEvents
| where RegistryKey has "WDigest"
| where ActionType in~ ("RegistryValueSet", "RegistryValueModified", "RegistryValueWrite")
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 18.82s | 0.1659 |
o3-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0690 |
o3-mini-high | UseLogonCredential | DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where ActionType contains "Value"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueName
| sort by TimeGenerated asc
// If you're only interested in unique registry value names that were changed, use the following:
// | summarize ChangedValues = make_set(RegistryValueName) | Correct | 2 | 19.09s | 0.0148 |
o3-mini-low | UseLogonCredential | DeviceRegistryEvents
| where RegistryKey has "WDigest"
| where ActionType in ("RegistryValueSet", "RegistryValueModified")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, ActionType
| order by TimeGenerated desc | Correct | 1 | 10.78s | 0.0074 |
o4-mini-high | UseLogonCredential | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has "\\Control\\SecurityProviders\\WDigest"
| where PreviousRegistryValueData == "0" and RegistryValueData == "1"
| distinct RegistryValueName | Correct | 2 | 43.94s | 0.0190 |
o4-mini-low | UseLogonCredential | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where tolower(RegistryKey) has "\\control\\securityproviders\\wdigest"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, RegistryKey, PreviousRegistryValueName, RegistryValueName, PreviousRegistryValueData, RegistryValueData
| sort by TimeGenerated desc | Correct | 1 | 24.26s | 0.0069 |