Question Analysis
On a Windows host, sift through registry modification events targeting HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin. What new value was written to disable the admin consent prompt?
251c5936-569f-42f4-9ac2-87a173b9e9b8
Question ID
6/16
Models Correct
1
Valid Answer
38%
Success Rate
Reference Answer
Human-validated correct answer for this question
0
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0260 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0112 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2282 |
| gpt-4.1 | 0 | DeviceRegistryEvents
| where RegistryKey has "CurrentVersion\\Policies\\System"
| where RegistryValueName =~ "ConsentPromptBehaviorAdmin"
| where ActionType == "RegistryValueSet"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
| where RegistryValueData == "0"
| sort by TimeGenerated desc | Correct | 2 | 7.68s | 0.0162 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0467 |
| gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0076 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0015 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0473 |
| grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0883 |
| grok-3-mini-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0071 |
| o1-high | 0 | union DeviceRegistryEvents, DeviceEvents
| where isnotempty(RegistryKey)
| where tolower(RegistryKey) has "software\\microsoft\\windows\\currentversion\\policies\\system"
| where tolower(RegistryValueName) == "consentpromptbehavioradmin"
| where ActionType in ("RegistryValueSet", "RegistryValueModified", "RegistryValueAdded", "RegistryValueNameSet", "RegistryKeyValueSet", "RegistryKeyCreate", "RegistryKeyModified")
| extend NewValue = tostring(RegistryValueData)
| extend IsDisabled = case(
NewValue matches regex "^(0x0+|0|00000000)$", 1,
0
)
| where IsDisabled == 1
| project TimeGenerated,
DeviceName,
ActionType,
RegistryKey,
RegistryValueName,
PreviousRegistryValueData,
NewValue,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 5 | 116.50s | 0.8599 |
| o1-low | 0 | DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryValueModified")
| where RegistryKey has_all ("Software", "Policies", "System")
| where RegistryValueName =~ "ConsentPromptBehaviorAdmin"
| where RegistryValueData in~ ("0", "0x0", "0x00000000 (0)", "0x00000000", "00000000")
| project TimeGenerated, DeviceName, ActionType, PreviousRegistryValueData, RegistryValueData,
InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountUpn,
InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 2 | 52.91s | 0.3821 |
| o3-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0362 |
| o3-mini-low | 0 | DeviceRegistryEvents
| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where RegistryValueName == "ConsentPromptBehaviorAdmin"
| where ActionType contains "Set"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 2 | 21.94s | 0.0186 |
| o4-mini-high | 0 | DeviceRegistryEvents
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
and RegistryValueName == "ConsentPromptBehaviorAdmin"
and ActionType in~ ("RegistryValueSet","SetValue","ValueSet")
| extend NewValue = toint(RegistryValueData), OldValue = toint(PreviousRegistryValueData)
| where NewValue == 0
| project TimeGenerated, DeviceName, InitiatingUser = InitiatingProcessAccountName, InitiatingProcess = InitiatingProcessFileName, ActionType, OldValue, NewValue
| order by TimeGenerated desc | Correct | 4 | 119.08s | 0.0430 |
| o4-mini-low | 0 | DeviceRegistryEvents
| where RegistryKey startswith "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where RegistryValueName == "ConsentPromptBehaviorAdmin"
| where ActionType == "RegistryValueSet"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RegistryValueData
| distinct RegistryValueData | Correct | 1 | 22.52s | 0.0090 |