On a Windows endpoint, review the registry write events to spot when the WDigest key is altered to permit plaintext credential storage. What registry value name was changed?
KQL answer reference and model-by-model benchmark comparison
c0413fb5-33e2-40b7-9b6f-60b29f4a7a18
Question ID
14/23
Models Correct
1
Valid Answer
61%
Success Rate
Reference Answer
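Human-validated correct answer for this question. This is the value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest; when it is set to 1, WDigest keeps logon passwords in cleartext in LSASS memory, which is why a write to it is worth alerting on.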
UseLogonCredential
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0186 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0112 |
| gpt-4-turbo-2024-04-09 | UseLogonCredential | DeviceRegistryEvents
// Lists every registry value write under a key whose path has the term WDigest; the changed value name is read from the RegistryValueName column of the result.
// NOTE(review): nothing here filters on the value name or its data, so as a scheduled alert this would fire on any value write under the key. Narrow on RegistryValueName and RegistryValueData before using it for detection.
| where ActionType == 'RegistryValueSet'
| where RegistryKey has 'WDigest'
| project DeviceName, TimeGenerated, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | Correct | 1 | 9.60s | 0.0554 |
| gpt-4.1 | UseLogonCredential | DeviceRegistryEvents
// Returns WDigest registry events whose current or previous value name is UseLogonCredential, newest first, with old and new data side by side.
// NOTE(review): "RegistryValueAdd" is not an ActionType I can confirm for DeviceRegistryEvents; verify against the table schema, it may simply never match.
// NOTE(review): the value-name filter presupposes the answer, and there is no filter on RegistryValueData, so writes that set the value back to 0 are returned alongside enablement.
| where tostring(ActionType) in~ ("RegistryValueSet", "RegistryValueAdd", "RegistryKeyCreated")
| where tolower(RegistryKey) contains "wdigest" or tolower(PreviousRegistryKey) contains "wdigest"
| where tolower(RegistryValueName) == "uselogoncredential" or tolower(PreviousRegistryValueName) == "uselogoncredential"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, PreviousRegistryValueName, RegistryValueData, PreviousRegistryValueData, ActionType
| order by TimeGenerated desc | Correct | 3 | 14.36s | 0.0331 |
| gpt-4.1-finetuned | UseLogonCredential | DeviceRegistryEvents
// Counts events per value name under the SecurityProviders\WDigest key; useful as a first look at which values were touched.
// NOTE(review): there is no ActionType filter, so the counts include every event type recorded for the key, not only writes. The output also carries no time, device or initiating process, so a follow-up query is needed to investigate a hit.
| where RegistryKey has "SecurityProviders\\WDigest"
| summarize count() by RegistryValueName | Correct | 3 | 15.19s | 0.0290 |
| gpt-4.1-mini | UseLogonCredential | DeviceRegistryEvents
// Lists value writes under keys containing the term Wdigest, newest first, with the account that made the change.
// NOTE(review): "RegistryValueUpdate" is not an ActionType I can confirm for DeviceRegistryEvents; verify against the table schema.
// NOTE(review): DeviceName and the initiating process file name or command line are not projected, so the result does not say which host was changed or by what tool.
| where ActionType in ("RegistryValueSet", "RegistryValueUpdate")
| where RegistryKey has "Wdigest"
| project TimeGenerated, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 3.61s | 0.0023 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0012 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0516 |
| gpt-5-high | UseLogonCredential | let wdigestPathRegex = @"\\system\\(currentcontrolset|controlset\d+)\\control\\securityproviders\\wdigest";
// Keeps only writes that turn UseLogonCredential on: the key path is anchored to the SYSTEM control sets by regex, the new data must be 1 and the previous data must not already be 1.
// The regex is lower-case and is matched against tolower(RegistryKey), so key casing does not matter.
// NOTE(review): "RegistryValueCreated" and "RegistryValueModified" are not ActionType values I can confirm for DeviceRegistryEvents; verify against the table schema.
DeviceRegistryEvents
| where ActionType in~ ("RegistryValueSet","RegistryValueCreated","RegistryValueModified")
| where tolower(RegistryKey) matches regex wdigestPathRegex
| extend NewVal = tostring(RegistryValueData), OldVal = tostring(PreviousRegistryValueData)
// Enablement occurs when UseLogonCredential is set to 1 (from 0/blank)
// An empty previous value is not in the ("1","0x00000001") set, so first-time creation of the value is kept by the OldVal test below.
| where RegistryValueName =~ "UseLogonCredential" and NewVal in~ ("1","0x00000001") and OldVal !in~ ("1","0x00000001")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, ActionType,
InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 129.56s | 0.0614 |
| gpt-5-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0146 |
| gpt-5-mini-low | UseLogonCredential | DeviceRegistryEvents
// Two branches are unioned: an ActionType-filtered exact match on UseLogonCredential, and an unfiltered partial match on "uselogon"; the newest 200 rows are returned.
// NOTE(review): has_any matches whole terms, and none of the strings below is an ActionType I can confirm for DeviceRegistryEvents. As far as I can tell a value such as RegistryValueSet would not match "SetValue", so the first branch may return nothing and all rows may come from the union branch. Verify.
| where ActionType has_any ("SetValue", "RegSetValue", "SetValueKey", "Modify", "Updated", "Create")
// Filter for registry keys containing "wdigest" (case-insensitive)
| where tolower(RegistryKey) contains "wdigest"
// Look for the specific value name UseLogonCredential (current or previous)
| where tostring(RegistryValueName) == "UseLogonCredential" or tostring(PreviousRegistryValueName) == "UseLogonCredential"
// Also include partial matches like "uselogon" for broader detection
// NOTE(review): this branch has no ActionType filter, so it returns every event type for the value, including ones that are not writes.
| union (
DeviceRegistryEvents
| where tolower(RegistryKey) contains "wdigest"
| where tolower(tostring(RegistryValueName)) contains "uselogon" or tolower(tostring(PreviousRegistryValueName)) contains "uselogon"
)
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, ActionType, RegistryKey, RegistryValueName, RegistryValueType, RegistryValueData, PreviousRegistryValueName, PreviousRegistryValueData
| sort by TimeGenerated desc
| limit 200
| Correct | 2 | 15.95s | 0.0040 |
| gpt-5-mini-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0080 |
| gpt-5-nano-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0072 |
| gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0061 |
| grok-3-beta | UseLogonCredential | DeviceRegistryEvents
// Returns writes of UseLogonCredential under a WDigest key whose data contains the character 1, newest first, with the initiating process and account.
// NOTE(review): this query uses Timestamp where the other queries on this page use TimeGenerated. Which column exists depends on where the table is queried, so confirm for your workspace.
| where ActionType == 'RegistryValueSet'
| where RegistryKey has 'WDigest'
| where RegistryValueName == 'UseLogonCredential'
// NOTE(review): contains is a substring test, so data such as "10" also matches; compare against the exact enabled value if precision matters.
| where RegistryValueData contains '1'
| project Timestamp, DeviceId, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain
| order by Timestamp desc | Correct | 4 | 31.62s | 0.0741 |
| grok-3-mini-beta | UseLogonCredential | DeviceRegistryEvents
// Returns the time and device for each write that sets UseLogonCredential to exactly "1" under a WDigest key.
// NOTE(review): the data comparison is an exact string match, so a write recorded in another form (for example hex) would be missed; confirm how RegistryValueData is rendered for DWORD values in your data.
// NOTE(review): only three columns are projected; the initiating process and account needed for triage are dropped.
| where RegistryKey has "WDigest"
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "UseLogonCredential" and RegistryValueData == "1"
| project RegistryValueName, TimeGenerated, DeviceName | Correct | 2 | 26.44s | 0.0030 |
| o1-high | UseLogonCredential | DeviceRegistryEvents
// Lists value-change events under WDigest keys, newest first, with previous and current name and data so the transition is visible in one row.
// NOTE(review): "RegistryValueModified" and "RegistryValueCreated" are not ActionType values I can confirm for DeviceRegistryEvents; verify against the table schema.
// NOTE(review): there is no filter on value name or data, so this is a hunting view rather than an alert condition.
| where RegistryKey has "WDigest"
| where ActionType in ("RegistryValueSet", "RegistryValueModified", "RegistryValueCreated")
| project TimeGenerated, DeviceName, ActionType, RegistryKey, PreviousRegistryValueName, PreviousRegistryValueData,
RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 14.97s | 0.1530 |
| o1-low | UseLogonCredential | DeviceRegistryEvents
// Lists value-change events under WDigest keys, newest first, with previous and current data and the initiating process file and account.
// NOTE(review): "RegistryValueModified" and "RegistryValueWrite" are not ActionType values I can confirm for DeviceRegistryEvents; verify against the table schema.
// NOTE(review): InitiatingProcessCommandLine is not projected, so the exact command that made the change is not visible in the result.
| where RegistryKey has "WDigest"
| where ActionType in~ ("RegistryValueSet", "RegistryValueModified", "RegistryValueWrite")
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 18.82s | 0.0030 |
| o3-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0690 |
| o3-mini-high | UseLogonCredential | DeviceRegistryEvents
// Lists events under WDigest keys whose ActionType contains "Value", oldest first, so the earliest change appears at the top.
| where RegistryKey contains "WDigest"
// NOTE(review): this substring test keeps every value-related action, which presumably includes value deletions as well as writes; filter on the write action explicitly if only changes that set data are wanted.
| where ActionType contains "Value"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueName
| sort by TimeGenerated asc
// If you're only interested in unique registry value names that were changed, use the following:
// | summarize ChangedValues = make_set(RegistryValueName) | Correct | 2 | 19.09s | 0.0148 |
| o3-mini-low | UseLogonCredential | DeviceRegistryEvents
// Lists value writes under WDigest keys, newest first, with the value name and data.
// NOTE(review): "RegistryValueModified" is not an ActionType I can confirm for DeviceRegistryEvents; verify against the table schema.
// NOTE(review): no initiating process or account column is projected, so the result identifies what changed but not who or what changed it.
| where RegistryKey has "WDigest"
| where ActionType in ("RegistryValueSet", "RegistryValueModified")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, ActionType
| order by TimeGenerated desc | Correct | 1 | 10.78s | 0.0074 |
| o4-mini-high | UseLogonCredential | DeviceRegistryEvents
// Returns the distinct value names under the WDigest key that were written with data going from "0" to "1".
| where ActionType == "RegistryValueSet"
| where RegistryKey has "\\Control\\SecurityProviders\\WDigest"
// NOTE(review): requiring the previous data to be "0" skips the case where the value did not exist before and was created already set to 1. Presumably PreviousRegistryValueData is empty in that case; confirm, and allow an empty previous value if this is used for detection.
| where PreviousRegistryValueData == "0" and RegistryValueData == "1"
| distinct RegistryValueName | Correct | 2 | 43.94s | 0.0190 |
| o4-mini-low | UseLogonCredential | DeviceRegistryEvents
// Lists value writes under the Control\SecurityProviders\WDigest key, newest first, with previous and current name and data.
// The key is lower-cased before the comparison, so the lower-case path literal matches regardless of how the key is cased in the event.
// NOTE(review): there is no filter on value name or data, and the initiating process file and command line are not projected; add both before using this as an alert.
| where ActionType == "RegistryValueSet"
| where tolower(RegistryKey) has "\\control\\securityproviders\\wdigest"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, RegistryKey, PreviousRegistryValueName, RegistryValueName, PreviousRegistryValueData, RegistryValueData
| sort by TimeGenerated desc | Correct | 1 | 24.26s | 0.0069 |