// question
On a Windows host, registry events reveal that PowerShell modified a value under the WDigest provider. Identify the exact command line that performed this registry change.
Reference KQL answer and model-by-model comparison.
68254a85-aa42-4312-a695-38b7276307f8
question id
17/23
models correct
2
valid answers
74%
success rate
// reference answers
Human-validated correct answers for this question.
Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction IgnoreSet-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents | where ActionType == "RegistryValueSet" | where RegistryKey contains "WDigest" | where InitiatingProcessFileName =~ "powershell.exe" | project Timestamp, DeviceName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | pass | 1 | 13.61s | 0.0056 |
| gpt-35-turbo | Set-ItemProperty | DeviceRegistryEvents | where RegistryKey contains 'WDigest' | project InitiatingProcessCommandLine | fail | 1 | 2.25s | 0.0025 |
| gpt-4-turbo-2024-04-09 | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents | where ActionType == 'RegistryValueSet' | where RegistryKey contains 'WDigest' | where InitiatingProcessFileName contains 'powershell' | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine | pass | 2 | 17.04s | 0.1016 |
| gpt-4.1 | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore} | DeviceRegistryEvents
| where ActionType contains "Set" or ActionType contains "Modif"
| where RegistryKey has_any ("WDigest", "wdigest", "securityproviders\\wdigest", "SecurityProviders\\WDigest")
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain | pass | 2 | 32.87s | 0.0234 |
| gpt-4.1-finetuned | no answer | no query generated | fail | 5 | 0.00s | 0.0557 |
| gpt-4.1-mini | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents | where RegistryKey contains "WDigest" | where InitiatingProcessFileName has "powershell" or InitiatingProcessFileName has "pwsh" | project DeviceName, TimeGenerated, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc | pass | 1 | 6.64s | 0.0024 |
| gpt-4.1-nano | no answer | no query generated | fail | 5 | 0.00s | 0.0016 |
| gpt-4o | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents | where RegistryKey contains "WDigest" and InitiatingProcessFileName has "powershell.exe" | project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine | pass | 2 | 21.70s | 0.0283 |
| gpt-5-high | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore} | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has "SecurityProviders" and RegistryKey has "WDigest"
// | where RegistryValueName =~ "UseLogonCredential" // optional: focus on the typical WDigest abuse
| where InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe")
or InitiatingProcessParentFileName in~ ("powershell.exe","pwsh.exe")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime,
InitiatingProcessParentFileName, InitiatingProcessParentId,
InitiatingProcessAccountDomain, InitiatingProcessAccountName
| order by TimeGenerated desc | pass | 1 | 114.55s | 0.0550 |
| gpt-5-mini-high | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where Timestamp >= ago(30d)
| where tolower(RegistryKey) contains "wdigest" or tolower(RegistryValueName) contains "wdigest" or tolower(RegistryValueData) contains "wdigest"
| where ActionType in ("SetValue", "Create", "Modify", "Set") or RegistryValueName has_any ("UseLogonCredential", "wdigest")
| where tolower(InitiatingProcessFileName) contains "powershell" or tolower(InitiatingProcessCommandLine) contains "powershell"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData, ActionType
| order by Timestamp desc | pass | 1 | 16.36s | 0.0041 |
| gpt-5-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0186 |
| gpt-5-mini-medium | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where tolower(tostring(RegistryKey)) contains "wdigest"
// look for PowerShell as the initiating process or parent process
| where (
tolower(tostring(InitiatingProcessFileName)) contains "powershell"
or tolower(tostring(InitiatingProcessCommandLine)) contains "powershell"
or tolower(tostring(InitiatingProcessParentFileName)) contains "powershell"
)
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessAccountName, InitiatingProcessAccountDomain
| order by TimeGenerated desc
| take 50 | pass | 2 | 35.52s | 0.0098 |
| gpt-5-nano-high | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents | where isnotempty(RegistryKey) | where tolower(RegistryKey) contains "wdigest" | where tolower(RegistryValueName) contains "uselogoncredential" | where tolower(InitiatingProcessFileName) contains "powershell" | project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCreationTime | sort by TimeGenerated desc | take 100 | pass | 1 | 40.85s | 0.0026 |
| gpt-5-nano-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0073 |
| grok-3-beta | powershell.exe & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName in ("powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | pass | 1 | 8.88s | 0.0229 |
| grok-3-mini-beta | The exact command lines are: "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} and "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore} | DeviceRegistryEvents | where RegistryKey has 'WDigest' | where InitiatingProcessFileName has 'powershell.exe' | project Timestamp, DeviceName, RegistryKey, RegistryValueName, InitiatingProcessCommandLine | order by Timestamp desc | pass | 1 | 14.44s | 0.0017 |
| o1-high | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryValueModified")
| where RegistryKey has "WDigest"
| where InitiatingProcessFileName =~ "powershell.exe"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
| order by TimeGenerated desc | pass | 1 | 53.75s | 0.4048 |
| o1-low | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore} and "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where tolower(RegistryKey) contains "wdigest"
| where tolower(InitiatingProcessFileName) contains "powershell"
| where ActionType in~ ("ModifiedValue", "SetValue", "RegistryValueSet", "RegistryValueModified")
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine
| order by TimeGenerated asc | pass | 2 | 64.45s | 0.4811 |
| o3-high | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore} | // 1. Identify registry events that change a value (RegistryValueSet)
// 2. Focus on the WDigest provider key under the SecurityProviders hive
// 3. Keep only modifications performed by PowerShell (powershell.exe or pwsh.exe)
// 4. Surface the full command line that carried out the change
DeviceRegistryEvents
| where ActionType == "RegistryValueSet" // value alterations only
| where RegistryKey has "SecurityProviders" and RegistryKey has "WDigest" // WDigest provider key
| where tolower(InitiatingProcessFileName) in ("powershell.exe", "pwsh.exe")
// -- Output investigation details
| project TimeGenerated,
DeviceName,
RegistryKey,
RegistryValueName,
RegistryValueData,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
InitiatingProcessCommandLine,
InitiatingProcessId,
InitiatingProcessSHA256
| order by TimeGenerated desc | pass | 1 | 41.83s | 0.0260 |
| o3-mini-high | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents | where RegistryKey contains "WDigest" | where InitiatingProcessFileName =~ "powershell.exe" | project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine | sort by TimeGenerated desc | pass | 1 | 29.23s | 0.0137 |
| o3-mini-low | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents | where RegistryKey contains "WDigest" | where InitiatingProcessFileName contains "powershell" | project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, CommandLine=InitiatingProcessCommandLine | order by TimeGenerated desc | pass | 1 | 19.98s | 0.0151 |
| o4-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0504 |
| o4-mini-low | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "WDigest"
| where tolower(InitiatingProcessFileName) == "powershell.exe"
| project TimeGenerated,
DeviceName,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
RegistryKey,
RegistryValueName,
RegistryValueData
| sort by TimeGenerated desc | pass | 2 | 48.93s | 0.0131 |