// question
On a Windows endpoint, someone may have disabled the secure desktop for elevation prompts by modifying a registry setting. Review the registry event logs to identify which registry value name was changed to 0.
Reference KQL answer and model-by-model comparison.
85f3a526-4cfa-4fe7-98c1-dea99be025c7
question id
17/23
models correct
1
valid answer
74%
success rate
// reference answer
Human-validated correct answer for this question.
PromptOnSecureDesktop
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | PromptOnSecureDesktop | DeviceRegistryEvents | where ActionType == "RegistryValueSet" | where RegistryKey == "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" | where RegistryValueName == "PromptOnSecureDesktop" | where RegistryValueData == "0" | project Timestamp, DeviceName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName | pass | 2 | 13.62s | 0.0076 |
| gpt-35-turbo | PromptOnSecureDesktop | DeviceRegistryEvents | where RegistryValueData == '0' | summarize count() by RegistryValueName | pass | 2 | 7.47s | 0.0048 |
| gpt-4-turbo-2024-04-09 | PromptOnSecureDesktop | DeviceRegistryEvents | where ActionType == 'RegistryValueSet' and RegistryValueData == '0' and RegistryKey contains 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' | project DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RegistryKey, RegistryValueName, RegistryValueData, TimeGenerated | pass | 1 | 11.18s | 0.0582 |
| gpt-4.1 | no answer | no query generated | fail | 5 | 0.00s | 0.0509 |
| gpt-4.1-finetuned | PromptOnSecureDesktop | DeviceRegistryEvents | where RegistryValueData =~ "0" | distinct RegistryValueName | order by RegistryValueName asc | pass | 1 | 8.37s | 0.0104 |
| gpt-4.1-mini | PromptOnSecureDesktop | DeviceRegistryEvents | where RegistryValueData == "0" | project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine | sort by TimeGenerated desc | pass | 1 | 7.75s | 0.0038 |
| gpt-4.1-nano | no answer | no query generated | fail | 5 | 0.00s | 0.0011 |
| gpt-4o | no answer | no query generated | fail | 5 | 0.00s | 0.0462 |
| gpt-5-high | PromptOnSecureDesktop | let zeroRegex = @"(?i)^\s*(0|0x0+)\s*(\(\s*0\s*\))?\s*$";
DeviceRegistryEvents
| where ActionType in~ ("RegistryValueSet", "RegistryValueCreated")
// UAC policy path where PromptOnSecureDesktop resides
| where RegistryKey has @"\Microsoft\Windows\CurrentVersion\Policies\System"
and RegistryKey has_any ("HKLM\\", "HKEY_LOCAL_MACHINE\\")
| extend IsZeroNow = tostring(RegistryValueData) matches regex zeroRegex,
WasZeroBefore = iff(isnotempty(PreviousRegistryValueData) and tostring(PreviousRegistryValueData) matches regex zeroRegex, true, false)
| where IsZeroNow and (isempty(PreviousRegistryValueData) or WasZeroBefore == false)
// Optional: uncomment to focus strictly on the secure desktop setting
// | where RegistryValueName =~ "PromptOnSecureDesktop"
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueType,
PreviousRegistryValueData, RegistryValueData,
InitiatingProcessAccountDomain, InitiatingProcessAccountName,
InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | pass | 2 | 132.91s | 0.0914 |
| gpt-5-mini-high | PromptOnSecureDesktop | DeviceRegistryEvents
| where RegistryKey has_cs "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where RegistryValueName in ("PromptOnSecureDesktop", "ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser") or RegistryValueName has "PromptOnSecure"
| where tostring(RegistryValueData) has "0"
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessCommandLine, InitiatingProcessFileName, RegistryKey, RegistryValueName, RegistryValueType, RegistryValueData, PreviousRegistryValueName, PreviousRegistryValueData, InitiatingProcessId, ReportId
| order by TimeGenerated desc | pass | 1 | 11.22s | 0.0030 |
| gpt-5-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0087 |
| gpt-5-mini-medium | PromptOnSecureDesktop | DeviceRegistryEvents
| where TimeGenerated between (startofday(now(-30d)) .. now())
// Accept multiple representations of 0: plain "0", hex "0x0", or numeric 0
| where RegistryValueData in ("0", "0x0") or toint(RegistryValueData) == 0
// Registry path filters: HKLM (Machine) or HKCU (User) policies System key
| where RegistryKey has_cs "Microsoft\\Windows\\CurrentVersion\\Policies\\System" or RegistryKey has_cs "CurrentVersion\\Policies\\System"
// Value name filters: known UAC related values and common substrings
| where RegistryValueName in ("PromptOnSecureDesktop", "ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser", "EnableLUA", "EnableVirtualization")
or RegistryValueName has_cs "Consent"
or RegistryValueName has_cs "Prompt"
or RegistryValueName has_cs "Secure"
// Show previous values if present to see what changed
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData, RegistryValueType, PreviousRegistryValueName, PreviousRegistryValueData, ReportId
| order by TimeGenerated desc
| take 500 | pass | 2 | 18.76s | 0.0054 |
| gpt-5-nano-high | PromptOnSecureDesktop | DeviceRegistryEvents
| where TimeGenerated >= ago(1d)
| where ActionType in ("RegistryValueSet","RegistryValueUpdated","ValueSet","ValueChanged","SetValue")
| extend RegValInt = todouble(RegistryValueData)
| where isnotempty(RegistryValueName) and (isnotnull(RegValInt) and RegValInt == 0)
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueName, InitiatingProcessFileName, InitiatingProcessCreationTime
| sort by TimeGenerated desc | pass | 1 | 35.94s | 0.0027 |
| gpt-5-nano-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0077 |
| grok-3-beta | PromptOnSecureDesktop | DeviceRegistryEvents | where RegistryKey contains 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' | where RegistryValueName == 'PromptOnSecureDesktop' | where RegistryValueData == '0' or PreviousRegistryValueData == '0' | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData | order by Timestamp desc | pass | 2 | 15.48s | 0.0391 |
| grok-3-mini-beta | PromptOnSecureDesktop | DeviceRegistryEvents | where RegistryValueData == '0' | project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName | order by TimeGenerated desc | pass | 1 | 11.04s | 0.0020 |
| o1-high | PromptOnSecureDesktop | DeviceRegistryEvents
| where ActionType in ("ModifyValue", "RegistryValueSet", "RegistryValueModified")
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessAccountDomain
| order by TimeGenerated desc | pass | 1 | 30.23s | 0.2497 |
| o1-low | PromptOnSecureDesktop | DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryValueModified")
| where RegistryValueData == "0"
| project TimeGenerated, DeviceId, DeviceName, RegistryKey, RegistryValueName, RegistryValueData,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc | pass | 1 | 18.89s | 0.2179 |
| o3-high | PromptOnSecureDesktop | DeviceRegistryEvents
// --- The secure-desktop policy lives here ---
| where RegistryKey has "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
// Focus on write operations
| where ActionType in~ ("SetValue", "RegistryValueSet", "ModifyValue", "Modification", "UpdatedValue")
// We care about values that were set TO 0
| where RegistryValueData == "0"
// If we have the previous value and it was already 0 we can ignore – we want real changes
| where isnull(PreviousRegistryValueData) or PreviousRegistryValueData !in ("0", "0x0")
// Limit to numeric types typically used for this policy (DWORD/QWORD) when the info is present
| where isnull(RegistryValueType) or RegistryValueType in~ ("REG_DWORD", "REG_QWORD", "dword", "qword")
// Add a friendly user column
| extend InitiatingUser = iif(isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, "\\", InitiatingProcessAccountName))
// Surface the interesting information
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData,
InitiatingUser, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, ReportId
// Summarise to answer the core question – which value names were set to 0 and where/when
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Devices=make_set(DeviceName, 10),
Users=make_set(InitiatingUser, 10), ExampleProcesses=make_set(InitiatingProcessFileName, 10)
by RegistryKey, RegistryValueName
| order by LastSeen desc | pass | 2 | 54.61s | 0.0437 |
| o3-mini-high | PromptOnSecureDesktop | DeviceRegistryEvents | where RegistryValueData == "0" | project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, ActionType | order by TimeGenerated desc | pass | 1 | 10.59s | 0.0091 |
| o3-mini-low | PromptOnSecureDesktop | DeviceRegistryEvents | where RegistryValueData == "0" // Optionally filter for the specific registry key related to secure desktop elevation prompt | where RegistryKey has "Policies\\System" | where RegistryValueName == "PromptOnSecureDesktop" | project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine | order by TimeGenerated desc | pass | 1 | 17.05s | 0.0104 |
| o4-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0414 |
| o4-mini-low | PromptOnSecureDesktop | DeviceRegistryEvents
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System"
| where ActionType == "RegistryValueSet"
| where RegistryValueData == "0"
| project TimeGenerated,
DeviceName,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
RegistryKey,
RegistryValueName,
RegistryValueType,
RegistryValueData,
PreviousRegistryValueData,
InitiatingProcessCommandLine
| order by TimeGenerated desc | pass | 2 | 84.17s | 0.0218 |