// question

On a Windows system, a process has introduced a new shim database into the default apppatch directory. Investigate file creation logs to reveal the database filename that appeared under C:\Windows\apppatch\Custom.

Reference KQL answer and model-by-model comparison.

aefd6866-d753-431f-a7a4-215ca7e3f13d
question id
16/23
models correct
1
valid answer
70%
success rate
// reference answer

Human-validated correct answer for this question.

T1546.011CompatDatabase.sdb
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
no answer
no query generatedfail50.00s0.0225
gpt-35-turbo
no answer
no query generatedfail50.00s0.0109
gpt-4-turbo-2024-04-09
no answer
no query generatedfail50.00s0.2293
gpt-4.1
T1546.011CompatDatabase.sdb
DeviceFileEvents
| where ActionType == 'FileCreated'
| where FolderPath has @'C:\Windows\apppatch\Custom'
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
pass14.89s0.0116
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0433
gpt-4.1-mini
T1546.011CompatDatabase.sdb
DeviceFileEvents
| where FolderPath startswith @"C:\Windows\apppatch\Custom"
| where ActionType == "FileCreated" or ActionType == "Created"
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId
| order by TimeGenerated desc
pass118.00s0.0024
gpt-4.1-nano
T1546.011CompatDatabase.sdb
DeviceFileEvents
| where FolderPath has_cs ("\\Windows\\apppatch\\Custom") and ActionType == 'FileCreated'
| project TimeGenerated, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessCreationTime, DeviceName
pass25.13s0.0007
gpt-4o
T1546.011CompatDatabase.sdb
DeviceFileEvents
| where ActionType == "FileCreated" and FolderPath contains "C:\\Windows\\apppatch\\Custom"
| project TimeGenerated, FileName, FolderPath, DeviceName, DeviceId
pass14.08s0.0148
gpt-5-high
T1546.011CompatDatabase.sdb
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath startswith @"C:\Windows\AppPatch\Custom"
| where FileName endswith ".sdb"
| extend FullPath = strcat(FolderPath, "\\", FileName)
| project TimeGenerated, DeviceName, FileName, FullPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName,
          InitiatingProcessId, InitiatingProcessSHA256
| order by TimeGenerated desc
pass162.86s0.0371
gpt-5-mini-high
T1546.011CompatDatabase.sdb
let targetFolder = "c:\\windows\\apppatch\\custom";
let extensions = dynamic([".sdb", ".dat", ".mdb", ".txt"]);

// helper to check if filename ends with any of the extensions
let hasExt = (fname:string) {
    tolower(fname)
    | extend _fname = tostring(fnamE)
};

// Query DeviceFileEvents
DeviceFileEvents
| where isnotempty(FolderPath)
| extend FolderPathLower = tolower(tostring(FolderPath))
| where FolderPathLower contains targetFolder
| where isnotempty(FileName)
| extend FileNameLower = tolower(tostring(FileName))
| where FileNameLower endswith ".sdb" or FileNameLower endswith ".dat" or FileNameLower endswith ".mdb" or FileNameLower endswith ".txt"
| where ActionType in ("Created","FileCreated","Create","Write","WriteFile","CreatedFile","Added","Modify") or tolower(ActionType) contains "create" or tolower(ActionType) contains "write"
| extend FullPath = strcat(FolderPath, "\\", FileName)
| project TimeGenerated, DeviceName, DeviceId, AccountName=InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, FileName, FullPath, FileSize, ActionType

| union (
    DeviceEvents
    | where isnotempty(FolderPath)
    | extend FolderPathLower = tolower(tostring(FolderPath))
    | where FolderPathLower contains targetFolder
    | where isnotempty(FileName)
    | extend FileNameLower = tolower(tostring(FileName))
    | where FileNameLower endswith ".sdb" or FileNameLower endswith ".dat" or FileNameLower endswith ".mdb" or FileNameLower endswith ".txt"
    | where ActionType in ("Created","FileCreated","Create","Write","WriteFile","CreatedFile","Added","Modify") or tolower(ActionType) contains "create" or tolower(ActionType) contains "write"
    | extend FullPath = strcat(FolderPath, "\\", FileName)
    | project TimeGenerated, DeviceName, DeviceId, AccountName=InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, FileName, FullPath, FileSize, ActionType
)
| summarize LatestTime = max(TimeGenerated) by DeviceId, DeviceName, FileName, FullPath, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, ActionType
| order by LatestTime desc
| limit 100
pass332.78s0.0090
gpt-5-mini-low
T1546.011CompatDatabase.sdb
// Search for files created under C:\Windows\apppatch\Custom
(
    DeviceFileEvents
    | where ActionType in ("FileCreated", "Created", "CreatedFile", "Create", "Added")
    | where FolderPath has_cs "C:\\Windows\\apppatch\\Custom" or tolower(FolderPath) startswith "c:\\windows\\apppatch\\custom"
    | extend FullPath = strcat(FolderPath, "\\", FileName)
    | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, FileName, FolderPath, FullPath, FileSize, SHA256
)
| union (
    DeviceEvents
    | where ActionType in ("FileCreated", "Created", "CreatedFile", "Create", "Added")
    | where FolderPath has_cs "C:\\Windows\\apppatch\\Custom" or tolower(FolderPath) startswith "c:\\windows\\apppatch\\custom"
    | extend FullPath = strcat(FolderPath, "\\", FileName)
    | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, FileName, FolderPath, FullPath, FileSize, SHA256
)
| order by TimeGenerated desc
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Devices = make_set(DeviceName), InitiatingProcesses = make_set(InitiatingProcessFileName), SampleCmd = any(InitiatingProcessCommandLine) by FileName, FolderPath, FullPath, SHA256
| project FileName, FullPath, FolderPath, SHA256, FirstSeen, LastSeen, Devices, InitiatingProcesses, SampleCmd
| sort by FirstSeen desc
| take 100
pass113.55s0.0035
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0197
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0069
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0084
grok-3-beta
T1546.011CompatDatabase.sdb
DeviceFileEvents
| where FolderPath startswith 'C:\\Windows\\apppatch\\Custom'
| where ActionType == 'FileCreated'
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by Timestamp desc
pass110.28s0.0215
grok-3-mini-beta
T1546.011CompatDatabase.sdb
DeviceFileEvents
| where FolderPath startswith 'C:\\Windows\\apppatch\\Custom'
| where ActionType == 'FileCreated' or ActionType contains 'Create'
| where FileName endswith '.sdb'
| project FileName, FolderPath, Timestamp
| sort by Timestamp desc
| limit 10
pass334.07s0.0043
o1-high
T1546.011CompatDatabase.sdb
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath has "C:\\Windows\\apppatch\\Custom"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName, SHA256
| order by TimeGenerated desc
pass254.65s0.3303
o1-low
T1546.011CompatDatabase.sdb
DeviceFileEvents
| where ActionType == "FileCreated"
| where tolower(FolderPath) contains "c:\\windows\\apppatch\\custom"
| project TimeGenerated, DeviceName, ActionType, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass348.51s0.3971
o3-high
T1546.011CompatDatabase.sdb
DeviceFileEvents
| where ActionType in ("FileCreated", "FileCreate", "Created", "Create")
| where tolower(FolderPath) startswith "c:\\windows\\apppatch\\custom"
| where tolower(FileName) endswith ".sdb"
// Build the full on-disk path
| extend ShimDatabasePath = strcat(FolderPath, "\\", FileName)
| project TimeGenerated,
          DeviceName,
          ShimDatabasePath,
          FileSize,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine,
          InitiatingProcessAccountDomain,
          InitiatingProcessAccountName,
          InitiatingProcessSHA256
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            EventCount = count()
            by DeviceName, ShimDatabasePath, FileSize,
               InitiatingProcessFileName,
               InitiatingProcessCommandLine,
               InitiatingProcessAccountDomain,
               InitiatingProcessAccountName,
               InitiatingProcessSHA256
| order by LastSeen desc
pass378.98s0.0544
o3-mini-high
T1546.011CompatDatabase.sdb
union DeviceFileEvents, DeviceEvents
| where FolderPath contains "C:\\Windows\\apppatch\\Custom"
| where tolower(ActionType) == "filecreated"
| project TimeGenerated, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by TimeGenerated desc
pass226.89s0.0151
o3-mini-low
T1546.011CompatDatabase.sdb
DeviceFileEvents
| where FolderPath has "C:\\Windows\\apppatch\\Custom"
| where ActionType == "FileCreated"
| project TimeGenerated, FileName, FolderPath
pass134.03s0.0081
o4-mini-high
T1546.011CompatDatabase.sdb
DeviceFileEvents
| where ActionType == "FileCreated"
      and FolderPath has "\\Windows\\apppatch\\Custom"
      and FileName endswith ".sdb"
| project TimeGenerated, DeviceName, FolderPath, FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName
| sort by TimeGenerated desc
pass257.43s0.0193
o4-mini-low
T1546.011CompatDatabase.sdb
DeviceFileEvents
| where ActionType == "FileCreated"
// Look for the Custom folder under C:\Windows\AppPatch
| where tolower(FolderPath) contains "\\windows\\apppatch\\custom"
// Shim databases have .sdb extension
| where FileName endswith ".sdb"
| project TimeGenerated, DeviceName, FullFilePath = strcat(FolderPath, "\\", FileName), InitiatingProcessFileName, InitiatingProcessCommandLine
pass242.31s0.0200