Question Analysis
On a Windows system, a process has introduced a new shim database into the default apppatch directory. Investigate file creation logs to reveal the database filename that appeared under C:\Windows\apppatch\Custom.
aefd6866-d753-431f-a7a4-215ca7e3f13d
Question ID
16/23
Models Correct
1
Valid Answer
70%
Success Rate
Reference Answer
Human-validated correct answer for this question
T1546.011CompatDatabase.sdb
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0225 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0109 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2293 |
| gpt-4.1 | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where ActionType == 'FileCreated'
| where FolderPath has @'C:\Windows\apppatch\Custom'
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName | Correct | 1 | 4.89s | 0.0116 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0433 |
| gpt-4.1-mini | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where FolderPath startswith @"C:\Windows\apppatch\Custom"
| where ActionType == "FileCreated" or ActionType == "Created"
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId
| order by TimeGenerated desc | Correct | 1 | 18.00s | 0.0024 |
| gpt-4.1-nano | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where FolderPath has_cs ("\\Windows\\apppatch\\Custom") and ActionType == 'FileCreated'
| project TimeGenerated, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessCreationTime, DeviceName | Correct | 2 | 5.13s | 0.0007 |
| gpt-4o | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where ActionType == "FileCreated" and FolderPath contains "C:\\Windows\\apppatch\\Custom"
| project TimeGenerated, FileName, FolderPath, DeviceName, DeviceId | Correct | 1 | 4.08s | 0.0148 |
| gpt-5-high | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath startswith @"C:\Windows\AppPatch\Custom"
| where FileName endswith ".sdb"
| extend FullPath = strcat(FolderPath, "\\", FileName)
| project TimeGenerated, DeviceName, FileName, FullPath,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountDomain, InitiatingProcessAccountName,
InitiatingProcessId, InitiatingProcessSHA256
| order by TimeGenerated desc | Correct | 1 | 62.86s | 0.0371 |
| gpt-5-mini-high | T1546.011CompatDatabase.sdb | let targetFolder = "c:\\windows\\apppatch\\custom";
let extensions = dynamic([".sdb", ".dat", ".mdb", ".txt"]);
// helper to check if filename ends with any of the extensions
let hasExt = (fname:string) {
tolower(fname)
| extend _fname = tostring(fnamE)
};
// Query DeviceFileEvents
DeviceFileEvents
| where isnotempty(FolderPath)
| extend FolderPathLower = tolower(tostring(FolderPath))
| where FolderPathLower contains targetFolder
| where isnotempty(FileName)
| extend FileNameLower = tolower(tostring(FileName))
| where FileNameLower endswith ".sdb" or FileNameLower endswith ".dat" or FileNameLower endswith ".mdb" or FileNameLower endswith ".txt"
| where ActionType in ("Created","FileCreated","Create","Write","WriteFile","CreatedFile","Added","Modify") or tolower(ActionType) contains "create" or tolower(ActionType) contains "write"
| extend FullPath = strcat(FolderPath, "\\", FileName)
| project TimeGenerated, DeviceName, DeviceId, AccountName=InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, FileName, FullPath, FileSize, ActionType
| union (
DeviceEvents
| where isnotempty(FolderPath)
| extend FolderPathLower = tolower(tostring(FolderPath))
| where FolderPathLower contains targetFolder
| where isnotempty(FileName)
| extend FileNameLower = tolower(tostring(FileName))
| where FileNameLower endswith ".sdb" or FileNameLower endswith ".dat" or FileNameLower endswith ".mdb" or FileNameLower endswith ".txt"
| where ActionType in ("Created","FileCreated","Create","Write","WriteFile","CreatedFile","Added","Modify") or tolower(ActionType) contains "create" or tolower(ActionType) contains "write"
| extend FullPath = strcat(FolderPath, "\\", FileName)
| project TimeGenerated, DeviceName, DeviceId, AccountName=InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, FileName, FullPath, FileSize, ActionType
)
| summarize LatestTime = max(TimeGenerated) by DeviceId, DeviceName, FileName, FullPath, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, ActionType
| order by LatestTime desc
| limit 100 | Correct | 3 | 32.78s | 0.0090 |
| gpt-5-mini-low | T1546.011CompatDatabase.sdb | // Search for files created under C:\Windows\apppatch\Custom
(
DeviceFileEvents
| where ActionType in ("FileCreated", "Created", "CreatedFile", "Create", "Added")
| where FolderPath has_cs "C:\\Windows\\apppatch\\Custom" or tolower(FolderPath) startswith "c:\\windows\\apppatch\\custom"
| extend FullPath = strcat(FolderPath, "\\", FileName)
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, FileName, FolderPath, FullPath, FileSize, SHA256
)
| union (
DeviceEvents
| where ActionType in ("FileCreated", "Created", "CreatedFile", "Create", "Added")
| where FolderPath has_cs "C:\\Windows\\apppatch\\Custom" or tolower(FolderPath) startswith "c:\\windows\\apppatch\\custom"
| extend FullPath = strcat(FolderPath, "\\", FileName)
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, FileName, FolderPath, FullPath, FileSize, SHA256
)
| order by TimeGenerated desc
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Devices = make_set(DeviceName), InitiatingProcesses = make_set(InitiatingProcessFileName), SampleCmd = any(InitiatingProcessCommandLine) by FileName, FolderPath, FullPath, SHA256
| project FileName, FullPath, FolderPath, SHA256, FirstSeen, LastSeen, Devices, InitiatingProcesses, SampleCmd
| sort by FirstSeen desc
| take 100 | Correct | 1 | 13.55s | 0.0035 |
| gpt-5-mini-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0197 |
| gpt-5-nano-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0069 |
| gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0084 |
| grok-3-beta | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where FolderPath startswith 'C:\\Windows\\apppatch\\Custom'
| where ActionType == 'FileCreated'
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by Timestamp desc | Correct | 1 | 10.28s | 0.0215 |
| grok-3-mini-beta | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where FolderPath startswith 'C:\\Windows\\apppatch\\Custom'
| where ActionType == 'FileCreated' or ActionType contains 'Create'
| where FileName endswith '.sdb'
| project FileName, FolderPath, Timestamp
| sort by Timestamp desc
| limit 10 | Correct | 3 | 34.07s | 0.0043 |
| o1-high | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath has "C:\\Windows\\apppatch\\Custom"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName, SHA256
| order by TimeGenerated desc | Correct | 2 | 54.65s | 0.3303 |
| o1-low | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where ActionType == "FileCreated"
| where tolower(FolderPath) contains "c:\\windows\\apppatch\\custom"
| project TimeGenerated, DeviceName, ActionType, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 3 | 48.51s | 0.3971 |
| o3-high | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where ActionType in ("FileCreated", "FileCreate", "Created", "Create")
| where tolower(FolderPath) startswith "c:\\windows\\apppatch\\custom"
| where tolower(FileName) endswith ".sdb"
// Build the full on-disk path
| extend ShimDatabasePath = strcat(FolderPath, "\\", FileName)
| project TimeGenerated,
DeviceName,
ShimDatabasePath,
FileSize,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
InitiatingProcessSHA256
| summarize FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
EventCount = count()
by DeviceName, ShimDatabasePath, FileSize,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
InitiatingProcessSHA256
| order by LastSeen desc | Correct | 3 | 78.98s | 0.0544 |
| o3-mini-high | T1546.011CompatDatabase.sdb | union DeviceFileEvents, DeviceEvents
| where FolderPath contains "C:\\Windows\\apppatch\\Custom"
| where tolower(ActionType) == "filecreated"
| project TimeGenerated, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by TimeGenerated desc | Correct | 2 | 26.89s | 0.0151 |
| o3-mini-low | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where FolderPath has "C:\\Windows\\apppatch\\Custom"
| where ActionType == "FileCreated"
| project TimeGenerated, FileName, FolderPath | Correct | 1 | 34.03s | 0.0081 |
| o4-mini-high | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where ActionType == "FileCreated"
and FolderPath has "\\Windows\\apppatch\\Custom"
and FileName endswith ".sdb"
| project TimeGenerated, DeviceName, FolderPath, FileName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName
| sort by TimeGenerated desc | Correct | 2 | 57.43s | 0.0193 |
| o4-mini-low | T1546.011CompatDatabase.sdb | DeviceFileEvents
| where ActionType == "FileCreated"
// Look for the Custom folder under C:\Windows\AppPatch
| where tolower(FolderPath) contains "\\windows\\apppatch\\custom"
// Shim databases have .sdb extension
| where FileName endswith ".sdb"
| project TimeGenerated, DeviceName, FullFilePath = strcat(FolderPath, "\\", FileName), InitiatingProcessFileName, InitiatingProcessCommandLine | Correct | 2 | 42.31s | 0.0200 |