// question

On a Windows host, sift through registry modification events targeting HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin. What new value was written to disable the admin consent prompt?

Reference KQL answer and model-by-model comparison.

251c5936-569f-42f4-9ac2-87a173b9e9b8
question id
9/23
models correct
1
valid answer
39%
success rate
// reference answer

Human-validated correct answer for this question.

0
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
no answer
no query generatedfail50.00s0.0260
gpt-35-turbo
no answer
no query generatedfail50.00s0.0112
gpt-4-turbo-2024-04-09
no answer
no query generatedfail50.00s0.2282
gpt-4.1
0
DeviceRegistryEvents
| where RegistryKey has "CurrentVersion\\Policies\\System"
| where RegistryValueName =~ "ConsentPromptBehaviorAdmin"
| where ActionType == "RegistryValueSet"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
| where RegistryValueData == "0"
| sort by TimeGenerated desc
pass27.68s0.0162
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0467
gpt-4.1-mini
no answer
no query generatedfail50.00s0.0076
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0015
gpt-4o
no answer
no query generatedfail50.00s0.0473
gpt-5-high
0
let targetPath = @"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System";
DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryValueModified")
| where RegistryValueName =~ "ConsentPromptBehaviorAdmin"
| where RegistryKey has targetPath
| extend NewValueRaw = tostring(RegistryValueData)
| extend NewValueLc = tolower(trim(" ", NewValueRaw))
| where NewValueLc in ("0", "dword:0", "dword:00000000")
    or NewValueLc matches regex "^0x0+$"
    or NewValueLc has "(0)"
| project TimeGenerated,
          DeviceName,
          InitiatingProcessAccountDomain,
          InitiatingProcessAccountName,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine,
          RegistryKey,
          RegistryValueName,
          PreviousValue = PreviousRegistryValueData,
          NewValue = NewValueRaw,
          RegistryValueType
| order by TimeGenerated desc
pass2146.69s0.0938
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0155
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0216
gpt-5-mini-medium
0
let matches = DeviceRegistryEvents
| where tolower(RegistryKey) contains "currentversion\\policies\\system"
| where tolower(RegistryValueName) == "consentpromptbehavioradmin"
| where ActionType has_any ("Set","Write","Create","Modify","RegistryValueSet","Update","Add")
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, RegistryKey, RegistryValueName, RegistryValueData, RegistryValueType, PreviousRegistryValueData;

matches
| summarize Count = count(), LastSeen = max(TimeGenerated), SampleEvents = make_list(pack('TimeGenerated', TimeGenerated, 'DeviceName', DeviceName, 'Account', InitiatingProcessAccountName, 'Process', InitiatingProcessFileName, 'Cmd', InitiatingProcessCommandLine, 'Action', ActionType), 5), PreviousValues = make_set(iff(isnull(PreviousRegistryValueData) or PreviousRegistryValueData == "", "<empty>", PreviousRegistryValueData)) by NewValue = coalesce(tostring(trim(" ", RegistryValueData)), "<empty>")
| order by LastSeen desc
pass240.19s0.0095
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0060
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0068
grok-3-beta
no answer
no query generatedfail50.00s0.0883
grok-3-mini-beta
no answer
no query generatedfail50.00s0.0071
o1-high
0
union DeviceRegistryEvents, DeviceEvents
| where isnotempty(RegistryKey)
| where tolower(RegistryKey) has "software\\microsoft\\windows\\currentversion\\policies\\system"
| where tolower(RegistryValueName) == "consentpromptbehavioradmin"
| where ActionType in ("RegistryValueSet", "RegistryValueModified", "RegistryValueAdded", "RegistryValueNameSet", "RegistryKeyValueSet", "RegistryKeyCreate", "RegistryKeyModified")
| extend NewValue = tostring(RegistryValueData)
| extend IsDisabled = case(
    NewValue matches regex "^(0x0+|0|00000000)$", 1,
    0
)
| where IsDisabled == 1
| project TimeGenerated,
          DeviceName,
          ActionType,
          RegistryKey,
          RegistryValueName,
          PreviousRegistryValueData,
          NewValue,
          InitiatingProcessAccountDomain,
          InitiatingProcessAccountName,
          InitiatingProcessCommandLine
| order by TimeGenerated desc
pass5116.50s0.8599
o1-low
0
DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryValueModified")
| where RegistryKey has_all ("Software", "Policies", "System")
| where RegistryValueName =~ "ConsentPromptBehaviorAdmin"
| where RegistryValueData in~ ("0", "0x0", "0x00000000 (0)", "0x00000000", "00000000")
| project TimeGenerated, DeviceName, ActionType, PreviousRegistryValueData, RegistryValueData,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountUpn,
          InitiatingProcessCommandLine
| order by TimeGenerated desc
pass252.91s0.3821
o3-high
0
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"            // registry value modifications
| where tolower(RegistryKey) has "software\\microsoft\\windows\\currentversion\\policies\\system"  // target path
| where RegistryValueName == "ConsentPromptBehaviorAdmin"             // target value name
// optional: uncomment next line if you only care about the disabling value (DWORD 0)
// | where RegistryValueData == "0"
| summarize arg_max(TimeGenerated, RegistryKey, RegistryValueData, PreviousRegistryValueData,
                    InitiatingProcessAccountDomain, InitiatingProcessAccountName,
                    InitiatingProcessFileName, InitiatingProcessCommandLine) 
            by DeviceId, DeviceName
| project TimeGenerated,
          DeviceName,
          DeviceId,
          NewValue   = RegistryValueData,
          OldValue   = PreviousRegistryValueData,
          ChangedBy  = strcat(InitiatingProcessAccountDomain, "\\", InitiatingProcessAccountName),
          InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by TimeGenerated desc
pass234.50s0.0269
o3-mini-high
no answer
no query generatedfail50.00s0.0362
o3-mini-low
0
DeviceRegistryEvents
| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where RegistryValueName == "ConsentPromptBehaviorAdmin"
| where ActionType contains "Set"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass221.94s0.0186
o4-mini-high
0
DeviceRegistryEvents
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
      and RegistryValueName == "ConsentPromptBehaviorAdmin"
      and ActionType in~ ("RegistryValueSet","SetValue","ValueSet")
| extend NewValue = toint(RegistryValueData), OldValue = toint(PreviousRegistryValueData)
| where NewValue == 0
| project TimeGenerated, DeviceName, InitiatingUser = InitiatingProcessAccountName, InitiatingProcess = InitiatingProcessFileName, ActionType, OldValue, NewValue
| order by TimeGenerated desc
pass4119.08s0.0430
o4-mini-low
0
DeviceRegistryEvents
| where RegistryKey startswith "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where RegistryValueName == "ConsentPromptBehaviorAdmin"
| where ActionType == "RegistryValueSet"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RegistryValueData
| distinct RegistryValueData
pass122.52s0.0090