// question

On a Windows host, registry events reveal that PowerShell modified a value under the WDigest provider. Identify the exact command line that performed this registry change.

Reference KQL answer and model-by-model comparison.

68254a85-aa42-4312-a695-38b7276307f8
question id
17/23
models correct
2
valid answers
74%
success rate
// reference answers

Human-validated correct answers for this question.

Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction IgnoreSet-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
"powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore}
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName =~ "powershell.exe"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
pass113.61s0.0056
gpt-35-turbo
Set-ItemProperty
DeviceRegistryEvents
| where RegistryKey contains 'WDigest'
| project InitiatingProcessCommandLine
fail12.25s0.0025
gpt-4-turbo-2024-04-09
"powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore}
DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey contains 'WDigest'
| where InitiatingProcessFileName contains 'powershell'
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine
pass217.04s0.1016
gpt-4.1
"powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore}
DeviceRegistryEvents
| where ActionType contains "Set" or ActionType contains "Modif"
| where RegistryKey has_any ("WDigest", "wdigest", "securityproviders\\wdigest", "SecurityProviders\\WDigest")
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain
pass232.87s0.0234
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0557
gpt-4.1-mini
"powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore}
DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName has "powershell" or InitiatingProcessFileName has "pwsh"
| project DeviceName, TimeGenerated, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass16.64s0.0024
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0016
gpt-4o
"powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore}
DeviceRegistryEvents
| where RegistryKey contains "WDigest" and InitiatingProcessFileName has "powershell.exe"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine
pass221.70s0.0283
gpt-5-high
"powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore}
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has "SecurityProviders" and RegistryKey has "WDigest"
// | where RegistryValueName =~ "UseLogonCredential"  // optional: focus on the typical WDigest abuse
| where InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe")
    or InitiatingProcessParentFileName in~ ("powershell.exe","pwsh.exe")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime,
          InitiatingProcessParentFileName, InitiatingProcessParentId,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName
| order by TimeGenerated desc
pass1114.55s0.0550
gpt-5-mini-high
"powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore}
DeviceRegistryEvents
| where Timestamp >= ago(30d)
| where tolower(RegistryKey) contains "wdigest" or tolower(RegistryValueName) contains "wdigest" or tolower(RegistryValueData) contains "wdigest"
| where ActionType in ("SetValue", "Create", "Modify", "Set") or RegistryValueName has_any ("UseLogonCredential", "wdigest")
| where tolower(InitiatingProcessFileName) contains "powershell" or tolower(InitiatingProcessCommandLine) contains "powershell"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData, ActionType
| order by Timestamp desc
pass116.36s0.0041
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0186
gpt-5-mini-medium
"powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore}
DeviceRegistryEvents
| where tolower(tostring(RegistryKey)) contains "wdigest"
// look for PowerShell as the initiating process or parent process
| where (
    tolower(tostring(InitiatingProcessFileName)) contains "powershell"
    or tolower(tostring(InitiatingProcessCommandLine)) contains "powershell"
    or tolower(tostring(InitiatingProcessParentFileName)) contains "powershell"
)
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessAccountName, InitiatingProcessAccountDomain
| order by TimeGenerated desc
| take 50
pass235.52s0.0098
gpt-5-nano-high
"powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore}
DeviceRegistryEvents
| where isnotempty(RegistryKey)
| where tolower(RegistryKey) contains "wdigest"
| where tolower(RegistryValueName) contains "uselogoncredential"
| where tolower(InitiatingProcessFileName) contains "powershell"
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCreationTime
| sort by TimeGenerated desc
| take 100
pass140.85s0.0026
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0073
grok-3-beta
powershell.exe & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore}
DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName in ("powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
pass18.88s0.0229
grok-3-mini-beta
The exact command lines are: "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} and "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore}
DeviceRegistryEvents
| where RegistryKey has 'WDigest'
| where InitiatingProcessFileName has 'powershell.exe'
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, InitiatingProcessCommandLine
| order by Timestamp desc
pass114.44s0.0017
o1-high
"powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore}
DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryValueModified")
| where RegistryKey has "WDigest"
| where InitiatingProcessFileName =~ "powershell.exe"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
| order by TimeGenerated desc
pass153.75s0.4048
o1-low
"powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore} and "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore}
DeviceRegistryEvents
| where tolower(RegistryKey) contains "wdigest"
| where tolower(InitiatingProcessFileName) contains "powershell"
| where ActionType in~ ("ModifiedValue", "SetValue", "RegistryValueSet", "RegistryValueModified")
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine
| order by TimeGenerated asc
pass264.45s0.4811
o3-high
"powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore}
// 1. Identify registry events that change a value (RegistryValueSet)
// 2. Focus on the WDigest provider key under the SecurityProviders hive
// 3. Keep only modifications performed by PowerShell (powershell.exe or pwsh.exe)
// 4. Surface the full command line that carried out the change

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"  // value alterations only
| where RegistryKey has "SecurityProviders" and RegistryKey has "WDigest"  // WDigest provider key
| where tolower(InitiatingProcessFileName) in ("powershell.exe", "pwsh.exe")
// -- Output investigation details
| project TimeGenerated,
          DeviceName,
          RegistryKey,
          RegistryValueName,
          RegistryValueData,
          InitiatingProcessAccountDomain,
          InitiatingProcessAccountName,
          InitiatingProcessCommandLine,
          InitiatingProcessId,
          InitiatingProcessSHA256
| order by TimeGenerated desc
pass141.83s0.0260
o3-mini-high
"powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore}
DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName =~ "powershell.exe"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine
| sort by TimeGenerated desc
pass129.23s0.0137
o3-mini-low
"powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore}
DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName contains "powershell"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, CommandLine=InitiatingProcessCommandLine
| order by TimeGenerated desc
pass119.98s0.0151
o4-mini-high
no answer
no query generatedfail50.00s0.0504
o4-mini-low
"powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore}
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "WDigest"
| where tolower(InitiatingProcessFileName) == "powershell.exe"
| project TimeGenerated,
          DeviceName,
          InitiatingProcessAccountDomain,
          InitiatingProcessAccountName,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine,
          RegistryKey,
          RegistryValueName,
          RegistryValueData
| sort by TimeGenerated desc
pass248.93s0.0131