Question Analysis
On a Windows endpoint, someone may have disabled the secure desktop for elevation prompts by modifying a registry setting. Review the registry event logs to identify which registry value name was changed to 0.
85f3a526-4cfa-4fe7-98c1-dea99be025c7
Question ID
12/16
Models Correct
1
Valid Answer
75%
Success Rate
Reference Answer
Human-validated correct answer for this question
PromptOnSecureDesktop
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | PromptOnSecureDesktop | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey == "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where RegistryValueName == "PromptOnSecureDesktop"
| where RegistryValueData == "0"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName | Correct | 2 | 13.62s | 0.0076 |
| gpt-35-turbo | PromptOnSecureDesktop | DeviceRegistryEvents | where RegistryValueData == '0' | summarize count() by RegistryValueName | Correct | 2 | 7.47s | 0.0048 |
| gpt-4-turbo-2024-04-09 | PromptOnSecureDesktop | DeviceRegistryEvents | where ActionType == 'RegistryValueSet' and RegistryValueData == '0' and RegistryKey contains 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' | project DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RegistryKey, RegistryValueName, RegistryValueData, TimeGenerated | Correct | 1 | 11.18s | 0.0582 |
| gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0509 |
| gpt-4.1-finetuned | PromptOnSecureDesktop | DeviceRegistryEvents
| where RegistryValueData =~ "0"
| distinct RegistryValueName
| order by RegistryValueName asc
| Correct | 1 | 8.37s | 0.0104 |
| gpt-4.1-mini | PromptOnSecureDesktop | DeviceRegistryEvents
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 7.75s | 0.0038 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0011 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0462 |
| grok-3-beta | PromptOnSecureDesktop | DeviceRegistryEvents
| where RegistryKey contains 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
| where RegistryValueName == 'PromptOnSecureDesktop'
| where RegistryValueData == '0' or PreviousRegistryValueData == '0'
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData
| order by Timestamp desc | Correct | 2 | 15.48s | 0.0391 |
| grok-3-mini-beta | PromptOnSecureDesktop | DeviceRegistryEvents
| where RegistryValueData == '0'
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| order by TimeGenerated desc | Correct | 1 | 11.04s | 0.0020 |
| o1-high | PromptOnSecureDesktop | DeviceRegistryEvents
| where ActionType in ("ModifyValue", "RegistryValueSet", "RegistryValueModified")
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessAccountDomain
| order by TimeGenerated desc | Correct | 1 | 30.23s | 0.2497 |
| o1-low | PromptOnSecureDesktop | DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryValueModified")
| where RegistryValueData == "0"
| project TimeGenerated, DeviceId, DeviceName, RegistryKey, RegistryValueName, RegistryValueData,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 18.89s | 0.2179 |
| o3-mini-high | PromptOnSecureDesktop | DeviceRegistryEvents
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, ActionType
| order by TimeGenerated desc | Correct | 1 | 10.59s | 0.0091 |
| o3-mini-low | PromptOnSecureDesktop | DeviceRegistryEvents
| where RegistryValueData == "0"
// Optionally filter for the specific registry key related to secure desktop elevation prompt
| where RegistryKey has "Policies\\System"
| where RegistryValueName == "PromptOnSecureDesktop"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 17.05s | 0.0104 |
| o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0414 |
| o4-mini-low | PromptOnSecureDesktop | DeviceRegistryEvents
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System"
| where ActionType == "RegistryValueSet"
| where RegistryValueData == "0"
| project TimeGenerated,
DeviceName,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
RegistryKey,
RegistryValueName,
RegistryValueType,
RegistryValueData,
PreviousRegistryValueData,
InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 2 | 84.17s | 0.0218 |