Question Analysis
On a Windows host, registry events reveal that PowerShell modified a value under the WDigest provider. Identify the exact command line that performed this registry change.
68254a85-aa42-4312-a695-38b7276307f8
Question ID
17/23
Models Correct
2
Valid Answers
74%
Success Rate
Reference Answers
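Human-validated correct answers for this question. The two accepted command lines differ only in -Value: '1' turns on the WDigest UseLogonCredential setting, which makes Windows keep logon credentials in cleartext in LSASS memory, and '0' turns it back off.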
Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore
Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName =~ "powershell.exe"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | Correct | 1 | 13.61s | 0.0056 |
gpt-35-turbo | Set-ItemProperty | DeviceRegistryEvents
| where RegistryKey contains 'WDigest'
| project InitiatingProcessCommandLine | Incorrect | 1 | 2.25s | 0.0025 |
gpt-4-turbo-2024-04-09 | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey contains 'WDigest'
| where InitiatingProcessFileName contains 'powershell'
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine | Correct | 2 | 17.04s | 0.1016 |
gpt-4.1 | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore} | DeviceRegistryEvents
| where ActionType contains "Set" or ActionType contains "Modif"
| where RegistryKey has_any ("WDigest", "wdigest", "securityproviders\\wdigest", "SecurityProviders\\WDigest")
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain | Correct | 2 | 32.87s | 0.0234 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0557 |
gpt-4.1-mini | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName has "powershell" or InitiatingProcessFileName has "pwsh"
| project DeviceName, TimeGenerated, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 6.64s | 0.0024 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0016 |
gpt-4o | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where RegistryKey contains "WDigest" and InitiatingProcessFileName has "powershell.exe"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine | Correct | 2 | 21.70s | 0.0283 |
gpt-5-high | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore} | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has "SecurityProviders" and RegistryKey has "WDigest"
// | where RegistryValueName =~ "UseLogonCredential" // optional: focus on the typical WDigest abuse
| where InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe")
or InitiatingProcessParentFileName in~ ("powershell.exe","pwsh.exe")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime,
InitiatingProcessParentFileName, InitiatingProcessParentId,
InitiatingProcessAccountDomain, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 114.55s | 0.0550 |
gpt-5-mini-high | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where Timestamp >= ago(30d)
| where tolower(RegistryKey) contains "wdigest" or tolower(RegistryValueName) contains "wdigest" or tolower(RegistryValueData) contains "wdigest"
| where ActionType in ("SetValue", "Create", "Modify", "Set") or RegistryValueName has_any ("UseLogonCredential", "wdigest")
| where tolower(InitiatingProcessFileName) contains "powershell" or tolower(InitiatingProcessCommandLine) contains "powershell"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData, ActionType
| order by Timestamp desc | Correct | 1 | 16.36s | 0.0041 |
gpt-5-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0186 |
gpt-5-mini-medium | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where tolower(tostring(RegistryKey)) contains "wdigest"
// look for PowerShell as the initiating process or parent process
| where (
tolower(tostring(InitiatingProcessFileName)) contains "powershell"
or tolower(tostring(InitiatingProcessCommandLine)) contains "powershell"
or tolower(tostring(InitiatingProcessParentFileName)) contains "powershell"
)
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessAccountName, InitiatingProcessAccountDomain
| order by TimeGenerated desc
| take 50 | Correct | 2 | 35.52s | 0.0098 |
gpt-5-nano-high | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where isnotempty(RegistryKey)
| where tolower(RegistryKey) contains "wdigest"
| where tolower(RegistryValueName) contains "uselogoncredential"
| where tolower(InitiatingProcessFileName) contains "powershell"
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCreationTime
| sort by TimeGenerated desc
| take 100 | Correct | 1 | 40.85s | 0.0026 |
gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0073 |
grok-3-beta | powershell.exe & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName in ("powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | Correct | 1 | 8.88s | 0.0229 |
grok-3-mini-beta | The exact command lines are: "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} and "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore} | DeviceRegistryEvents
| where RegistryKey has 'WDigest'
| where InitiatingProcessFileName has 'powershell.exe'
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, InitiatingProcessCommandLine
| order by Timestamp desc | Correct | 1 | 14.44s | 0.0017 |
o1-high | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryValueModified")
| where RegistryKey has "WDigest"
| where InitiatingProcessFileName =~ "powershell.exe"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
| order by TimeGenerated desc | Correct | 1 | 53.75s | 0.4048 |
o1-low | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore} and "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where tolower(RegistryKey) contains "wdigest"
| where tolower(InitiatingProcessFileName) contains "powershell"
| where ActionType in~ ("ModifiedValue", "SetValue", "RegistryValueSet", "RegistryValueModified")
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine
| order by TimeGenerated asc | Correct | 2 | 64.45s | 0.4811 |
o3-high | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore} | // 1. Identify registry events that change a value (RegistryValueSet)
// 2. Focus on the WDigest provider key under the SecurityProviders hive
// 3. Keep only modifications performed by PowerShell (powershell.exe or pwsh.exe)
// 4. Surface the full command line that carried out the change
DeviceRegistryEvents
| where ActionType == "RegistryValueSet" // value alterations only
| where RegistryKey has "SecurityProviders" and RegistryKey has "WDigest" // WDigest provider key
| where tolower(InitiatingProcessFileName) in ("powershell.exe", "pwsh.exe")
// -- Output investigation details
| project TimeGenerated,
DeviceName,
RegistryKey,
RegistryValueName,
RegistryValueData,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
InitiatingProcessCommandLine,
InitiatingProcessId,
InitiatingProcessSHA256
| order by TimeGenerated desc | Correct | 1 | 41.83s | 0.0260 |
o3-mini-high | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName =~ "powershell.exe"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 29.23s | 0.0137 |
o3-mini-low | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName contains "powershell"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, CommandLine=InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 19.98s | 0.0151 |
o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0504 |
o4-mini-low | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "WDigest"
| where tolower(InitiatingProcessFileName) == "powershell.exe"
| project TimeGenerated,
DeviceName,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
RegistryKey,
RegistryValueName,
RegistryValueData
| sort by TimeGenerated desc | Correct | 2 | 48.93s | 0.0131 |