Question Analysis
On a Windows host, registry events reveal that PowerShell modified a value under the WDigest provider. Identify the exact command line that performed this registry change.
68254a85-aa42-4312-a695-38b7276307f8
Question ID
12/16
Models Correct
2
Valid Answers
75%
Success Rate
Reference Answers
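Human-validated correct answers for this question. Two command lines are accepted; they differ only in the value written to UseLogonCredential ('1' makes WDigest keep plaintext logon credentials in LSASS memory, '0' disables that behaviour).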
Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore
Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName =~ "powershell.exe"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | Correct | 1 | 13.61s | 0.0056 |
gpt-35-turbo | Set-ItemProperty | DeviceRegistryEvents
| where RegistryKey contains 'WDigest'
| project InitiatingProcessCommandLine | Incorrect | 1 | 2.25s | 0.0025 |
gpt-4-turbo-2024-04-09 | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey contains 'WDigest'
| where InitiatingProcessFileName contains 'powershell'
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine | Correct | 2 | 17.04s | 0.1016 |
gpt-4.1 | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore} | DeviceRegistryEvents
| where ActionType contains "Set" or ActionType contains "Modif"
| where RegistryKey has_any ("WDigest", "wdigest", "securityproviders\\wdigest", "SecurityProviders\\WDigest")
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain | Correct | 2 | 32.87s | 0.0234 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0557 |
gpt-4.1-mini | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName has "powershell" or InitiatingProcessFileName has "pwsh"
| project DeviceName, TimeGenerated, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 6.64s | 0.0024 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0016 |
gpt-4o | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where RegistryKey contains "WDigest" and InitiatingProcessFileName has "powershell.exe"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine | Correct | 2 | 21.70s | 0.0283 |
grok-3-beta | powershell.exe & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName in ("powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | Correct | 1 | 8.88s | 0.0229 |
grok-3-mini-beta | The exact command lines are: "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} and "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore} | DeviceRegistryEvents
| where RegistryKey has 'WDigest'
| where InitiatingProcessFileName has 'powershell.exe'
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, InitiatingProcessCommandLine
| order by Timestamp desc | Correct | 1 | 14.44s | 0.0017 |
o1-high | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryValueModified")
| where RegistryKey has "WDigest"
| where InitiatingProcessFileName =~ "powershell.exe"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
| order by TimeGenerated desc | Correct | 1 | 53.75s | 0.4048 |
o1-low | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore} and "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where tolower(RegistryKey) contains "wdigest"
| where tolower(InitiatingProcessFileName) contains "powershell"
| where ActionType in~ ("ModifiedValue", "SetValue", "RegistryValueSet", "RegistryValueModified")
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine
| order by TimeGenerated asc | Correct | 2 | 64.45s | 0.4811 |
o3-mini-high | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName =~ "powershell.exe"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 29.23s | 0.0137 |
o3-mini-low | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where RegistryKey contains "WDigest"
| where InitiatingProcessFileName contains "powershell"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, CommandLine=InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 19.98s | 0.0151 |
o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0504 |
o4-mini-low | "powershell.exe" & {Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore} | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "WDigest"
| where tolower(InitiatingProcessFileName) == "powershell.exe"
| project TimeGenerated,
DeviceName,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
RegistryKey,
RegistryValueName,
RegistryValueData
| sort by TimeGenerated desc | Correct | 2 | 48.93s | 0.0131 |