Question Analysis
On a Windows system, a process has introduced a new shim database into the default apppatch directory. Investigate file creation logs to reveal the database filename that appeared under C:\Windows\apppatch\Custom.
aefd6866-d753-431f-a7a4-215ca7e3f13d
Question ID
12/16
Models Correct
1
Valid Answer
75%
Success Rate
Reference Answer
Human-validated correct answer for this question
T1546.011CompatDatabase.sdb
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0225 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0109 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2293 |
| gpt-4.1 | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where ActionType == 'FileCreated'
| where FolderPath has @'C:\Windows\apppatch\Custom'
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName | Correct | 1 | 4.89s | 0.0116 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0433 |
| gpt-4.1-mini | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where FolderPath startswith @"C:\Windows\apppatch\Custom"
| where ActionType == "FileCreated" or ActionType == "Created"
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId
| order by TimeGenerated desc | Correct | 1 | 18.00s | 0.0024 |
| gpt-4.1-nano | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where FolderPath has_cs ("\\Windows\\apppatch\\Custom") and ActionType == 'FileCreated'
| project TimeGenerated, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessCreationTime, DeviceName | Correct | 2 | 5.13s | 0.0007 |
| gpt-4o | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where ActionType == "FileCreated" and FolderPath contains "C:\\Windows\\apppatch\\Custom"
| project TimeGenerated, FileName, FolderPath, DeviceName, DeviceId | Correct | 1 | 4.08s | 0.0148 |
| grok-3-beta | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where FolderPath startswith 'C:\\Windows\\apppatch\\Custom'
| where ActionType == 'FileCreated'
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by Timestamp desc | Correct | 1 | 10.28s | 0.0215 |
| grok-3-mini-beta | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where FolderPath startswith 'C:\\Windows\\apppatch\\Custom'
| where ActionType == 'FileCreated' or ActionType contains 'Create'
| where FileName endswith '.sdb'
| project FileName, FolderPath, Timestamp
| sort by Timestamp desc
| limit 10 | Correct | 3 | 34.07s | 0.0043 |
| o1-high | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath has "C:\\Windows\\apppatch\\Custom"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName, SHA256
| order by TimeGenerated desc | Correct | 2 | 54.65s | 0.3303 |
| o1-low | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where ActionType == "FileCreated"
| where tolower(FolderPath) contains "c:\\windows\\apppatch\\custom"
| project TimeGenerated, DeviceName, ActionType, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 3 | 48.51s | 0.3971 |
| o3-mini-high | T1546.011CompatDatabase.sdb | union DeviceFileEvents, DeviceEvents
| where FolderPath contains "C:\\Windows\\apppatch\\Custom"
| where tolower(ActionType) == "filecreated"
| project TimeGenerated, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by TimeGenerated desc | Correct | 2 | 26.89s | 0.0151 |
| o3-mini-low | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where FolderPath has "C:\\Windows\\apppatch\\Custom"
| where ActionType == "FileCreated"
| project TimeGenerated, FileName, FolderPath | Correct | 1 | 34.03s | 0.0081 |
| o4-mini-high | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where ActionType == "FileCreated"
and FolderPath has "\\Windows\\apppatch\\Custom"
and FileName endswith ".sdb"
| project TimeGenerated, DeviceName, FolderPath, FileName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName
| sort by TimeGenerated desc | Correct | 2 | 57.43s | 0.0193 |
| o4-mini-low | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where ActionType == "FileCreated"
// Look for the Custom folder under C:\Windows\AppPatch
| where tolower(FolderPath) contains "\\windows\\apppatch\\custom"
// Shim databases have .sdb extension
| where FileName endswith ".sdb"
| project TimeGenerated, DeviceName, FullFilePath = strcat(FolderPath, "\\", FileName), InitiatingProcessFileName, InitiatingProcessCommandLine | Correct | 2 | 42.31s | 0.0200 |