Question Analysis
On a Windows system, a registry event shows that the EnableLUA value under the System policies key was set to 0, effectively disabling UAC. Which utility carried out this change?
9e8af564-53ec-407e-aaa8-3cb20c3af7f9
Question ID
19/23
Models Correct
1
Valid Answer
83%
Success Rate
Reference Answer
Human-validated correct answer for this question
reg.exe
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | reg.exe | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains @"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
| where RegistryValueName == "EnableLUA"
| where RegistryValueData == "0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, RegistryKey, RegistryValueName, RegistryValueData | Correct | 2 | 174.58s | 0.0079 |
gpt-35-turbo | reg.exe | DeviceRegistryEvents
| where RegistryKey == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' and RegistryValueName == 'EnableLUA' and RegistryValueData == '0'
| project DeviceName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine | Correct | 1 | 2.65s | 0.0024 |
gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2213 |
gpt-4.1 | reg.exe | DeviceRegistryEvents
| where RegistryKey has "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
and RegistryValueName == "EnableLUA"
and RegistryValueData == "0"
and (ActionType == "RegistryValueSet" or ActionType == "RegistryKeyValueUpdated")
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessParentFileName, InitiatingProcessParentId
| order by TimeGenerated desc | Correct | 2 | 8.00s | 0.0223 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0428 |
gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0052 |
gpt-4.1-nano | reg.exe | DeviceRegistryEvents
| where RegistryKey == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
| where RegistryValueName == 'EnableLUA'
| where RegistryValueData == '0'
| project TimeGenerated, DeviceName, InitiatingProcessFileName, RegistryKey, RegistryValueName, RegistryValueData
| order by TimeGenerated desc | Correct | 3 | 7.93s | 0.0012 |
gpt-4o | reg.exe | DeviceRegistryEvents
| where RegistryKey endswith "\\Policies\\System" and RegistryValueName == "EnableLUA" and RegistryValueData == "0"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName | Correct | 2 | 4.60s | 0.0271 |
gpt-5-high | reg.exe | let UacPolicyKeySuffix = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System";
DeviceRegistryEvents
| where ActionType in~ ("RegistryValueSet", "RegistryValueCreate")
| where RegistryKey contains UacPolicyKeySuffix
| where RegistryValueName =~ "EnableLUA"
// match 0 in decimal/hex/dword formats: 0, 00000000, 0x00000000, dword:00000000
| where tostring(RegistryValueData) matches regex "^(?i)(dword:)?(0x)?0+$"
| extend ChangerUtility = coalesce(InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName)
| project TimeGenerated, DeviceId, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData,
ChangerUtility,
InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine,
InitiatingProcessAccountDomain, InitiatingProcessAccountName,
InitiatingProcessSHA1, InitiatingProcessSHA256,
InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription,
InitiatingProcessParentFileName, InitiatingProcessParentId
| order by TimeGenerated desc | Correct | 3 | 229.55s | 0.1384 |
gpt-5-mini-high | reg.exe | // Find registry events that set EnableLUA to 0 under the Policies\System key
DeviceRegistryEvents
| where RegistryKey has_cs "Policies\\System" and RegistryValueName == "EnableLUA" and RegistryValueData == "0"
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCreationTime
// Lookup more details about the initiating process from DeviceProcessEvents
| join kind=leftouter (
DeviceProcessEvents
| project ProcessId = InitiatingProcessId, ProcessFileName = InitiatingProcessFileName, ProcessCommandLine = InitiatingProcessCommandLine, ProcessCreationTime = InitiatingProcessCreationTime, InitiatingProcessAccountName, InitiatingProcessAccountDomain, DeviceId, TimeGenerated
) on $left.DeviceId == $right.DeviceId and $left.InitiatingProcessId == $right.ProcessId
| project TimeGenerated = coalesce(TimeGenerated, TimeGenerated1), DeviceId, DeviceName, InitiatingProcessId, InitiatingProcessFileName = coalesce(InitiatingProcessFileName, ProcessFileName), InitiatingProcessCommandLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine), InitiatingProcessCreationTime = coalesce(InitiatingProcessCreationTime, ProcessCreationTime), InitiatingProcessAccountName = coalesce(InitiatingProcessAccountName, InitiatingProcessAccountName1), InitiatingProcessAccountDomain = coalesce(InitiatingProcessAccountDomain, InitiatingProcessAccountDomain1), RegistryKey, RegistryValueName, RegistryValueData
| sort by TimeGenerated desc
| take 50 | Correct | 1 | 16.39s | 0.0039 |
gpt-5-mini-low | reg.exe | let targetPaths = dynamic(["system\\currentcontrolset\\policies\\system","hklm\\system\\currentcontrolset\\policies\\system","hkml\\system\\currentcontrolset\\policies\\system","software\\microsoft\\windows\\currentversion\\policies\\system"]);
DeviceRegistryEvents
| where tolower(RegistryKey) has_any (targetPaths)
| where tolower(RegistryValueName) == "enablelua"
| where tostring(RegistryValueData) == "0" or tolong(RegistryValueData) == 0
// Keep the most recent change per device/report/key/value
| summarize arg_max(TimeGenerated, *) by ReportId, RegistryKey, RegistryValueName
| project RegTime=TimeGenerated,
DeviceId,
RegDeviceName=DeviceName,
ReportId,
RegistryKey,
RegistryValueName,
RegistryValueData=tostring(RegistryValueData),
PreviousRegistryValueData=tostring(PreviousRegistryValueData),
ActionType,
InitiatingProcessId,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessAccountName,
InitiatingProcessAccountDomain,
InitiatingProcessAccountSid,
InitiatingProcessCreationTime,
InitiatingProcessParentId,
InitiatingProcessParentFileName
| join kind=leftouter (
DeviceProcessEvents
| project ProcReportId=ReportId,
ProcId=ProcessId,
ProcFileName=FileName,
ProcCommandLine=ProcessCommandLine,
ProcCreationTime=ProcessCreationTime,
ProcAccountName=AccountName,
ProcAccountDomain=AccountDomain,
ProcParentFileName=InitiatingProcessParentFileName
) on $left.ReportId == $right.ProcReportId and $left.InitiatingProcessId == $right.ProcId
| join kind=leftouter (
DeviceFileEvents
| project FileReportId=ReportId,
FileName,
FolderPath,
FileInitiatingProcessId=InitiatingProcessId,
FileInitiatingProcessFileName=InitiatingProcessFileName
) on $left.ReportId == $right.FileReportId and $left.InitiatingProcessId == $right.FileInitiatingProcessId
| extend InitiatingProcessFileName = coalesce(InitiatingProcessFileName, ProcFileName, FileName),
InitiatingProcessCommandLine = coalesce(InitiatingProcessCommandLine, ProcCommandLine),
InitiatingProcessAccountName = coalesce(InitiatingProcessAccountName, ProcAccountName),
InitiatingProcessAccountDomain = coalesce(InitiatingProcessAccountDomain, ProcAccountDomain),
InitiatingProcessCreationTime = coalesce(InitiatingProcessCreationTime, ProcCreationTime),
InitiatingProcessParentFileName = coalesce(InitiatingProcessParentFileName, ProcParentFileName)
| project RegTime, DeviceId, RegDeviceName, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData, ActionType,
InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountSid, InitiatingProcessCreationTime, InitiatingProcessParentId, InitiatingProcessParentFileName
| order by RegTime desc
| take 50 | Correct | 5 | 79.79s | 0.0135 |
gpt-5-mini-medium | reg.exe | // Find registry events setting EnableLUA to 0 under Policies\System and show the initiating utility
DeviceRegistryEvents
| where RegistryValueName has_cs "EnableLUA"
// Normalize key path comparisons: Windows registry paths can be logged with or without leading backslashes
| where RegistryKey has_cs "Policies\\System" or RegistryKey has_cs "\\Policies\\System" or RegistryKey has_cs "System" and RegistryKey has_cs "Policies"
// RegistryValueData may be string or numeric; coalesce both
| where tostring(RegistryValueData) == "0" or toint(RegistryValueData) == 0
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData
| order by TimeGenerated desc
| extend EventTime = TimeGenerated
// Enrich with process details by matching initiating process id and device within a short time window
| join kind=leftouter (
DeviceProcessEvents
| project ProcessTime = TimeGenerated, DeviceId, ProcessId = InitiatingProcessId, ProcessFileName = FileName, ProcessCommandLine, ProcessCreationTime, ProcessSHA256 = SHA256, ProcessParentId = InitiatingProcessParentId
) on DeviceId, $left.InitiatingProcessId == $right.ProcessId
| where isnull(ProcessTime) or abs(todatetime(EventTime) - todatetime(ProcessTime)) < 1m
| project EventTime, DeviceName, DeviceId, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFileName = coalesce(ProcessFileName, InitiatingProcessFileName), InitiatingProcessId, InitiatingProcessCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine), ProcessCreationTime = coalesce(ProcessCreationTime, InitiatingProcessCreationTime), ProcessSHA256, ProcessParentId, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData
| order by EventTime desc | Correct | 2 | 16.78s | 0.0044 |
gpt-5-nano-high | reg.exe | DeviceRegistryEvents
| where RegistryKey contains "Policies" and RegistryKey contains "System"
| where RegistryValueName == "EnableLUA" and RegistryValueData == "0"
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
| extend RegUtility = iif(InitiatingProcessFileName contains "reg.exe", "reg.exe",
iif(InitiatingProcessFileName contains "regedit.exe", "regedit.exe",
iif(InitiatingProcessCommandLine contains "reg add", "Command: reg add", "Other")))
| sort by TimeGenerated desc
| take 100 | Correct | 1 | 27.36s | 0.0019 |
gpt-5-nano-medium | reg.exe | DeviceRegistryEvents
| where RegistryKey endswith "\\Policies\\System" and RegistryValueName == "EnableLUA"
| where toint(RegistryValueData) == 0
| project TimeGenerated, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessCreationTime
| summarize ChangeCount = count() by InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by ChangeCount desc | Correct | 1 | 33.90s | 0.0016 |
grok-3-beta | reg.exe | DeviceRegistryEvents
| where RegistryKey contains 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
| where RegistryValueName == 'EnableLUA' and RegistryValueData == '0'
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
| order by Timestamp desc | Correct | 1 | 9.51s | 0.0222 |
grok-3-mini-beta | reg.exe | DeviceRegistryEvents
| where RegistryValueName == 'EnableLUA' and RegistryValueData == '0' and RegistryKey contains 'Policies' and RegistryKey contains 'System'
| project Timestamp, DeviceName, InitiatingProcessFileName, RegistryKey, RegistryValueData
| order by Timestamp desc
| summarize Utility=make_set(InitiatingProcessFileName) by DeviceName | Correct | 1 | 10.69s | 0.0015 |
o1-high | reg.exe | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey =~ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where RegistryValueName =~ "EnableLUA"
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoFileDescription
| order by TimeGenerated desc | Correct | 1 | 18.66s | 0.1511 |
o1-low | reg.exe | DeviceRegistryEvents
| where ActionType in ("ModifyValue", "RegistryValueSet", "SetValue")
| where RegistryKey has "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| where RegistryValueName == "EnableLUA"
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoOriginalFileName
| order by TimeGenerated desc | Correct | 1 | 18.00s | 0.1540 |
o3-high | reg.exe | DeviceRegistryEvents
// 1. Registry write operations that could modify a value
| where ActionType in ("RegistryValueSet", "RegistryKeyValueSet", "SetValue", "Modify")
// 2. Target the UAC switch-off location: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
| where RegistryKey has "\\Windows\\CurrentVersion\\Policies\\System"
| where RegistryValueName =~ "EnableLUA"
| where tolower(tostring(RegistryValueData)) in ("0", "0x00000000")
// 3. Bring back the columns that reveal the changing utility
| project TimeGenerated,
DeviceName,
RegistryKey,
RegistryValueData,
InitiatingProcessFileName,
InitiatingProcessFolderPath,
InitiatingProcessCommandLine,
InitiatingProcessSHA256,
InitiatingProcessVersionInfoCompanyName,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName
// 4. Summarise so we can quickly see which tool did it (and how often)
| summarize FirstSeen=min(TimeGenerated),
LastSeen=max(TimeGenerated),
EventCount=count(),
AffectedDevices=dcount(DeviceName)
by InitiatingProcessFileName,
InitiatingProcessFolderPath,
InitiatingProcessCommandLine,
InitiatingProcessSHA256,
InitiatingProcessVersionInfoCompanyName
| order by EventCount desc, LastSeen desc | Correct | 4 | 106.80s | 0.0682 |
o3-mini-high | reg.exe | DeviceRegistryEvents
| where RegistryKey has "Policies\\System"
and RegistryValueName == "EnableLUA"
and RegistryValueData == "0"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| sort by TimeGenerated desc | Correct | 1 | 8.93s | 0.0072 |
o3-mini-low | reg.exe | DeviceRegistryEvents
| where RegistryValueName == "EnableLUA"
| where RegistryValueData == "0"
| where RegistryKey has "Policies" and RegistryKey has "System"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId
| sort by TimeGenerated desc | Correct | 1 | 17.35s | 0.0102 |
o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0451 |
o4-mini-low | reg.exe | DeviceRegistryEvents
| where tolower(RegistryKey) startswith "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\policies\\system"
and RegistryValueName == "EnableLUA"
and RegistryValueData == "0"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by TimeGenerated asc | Correct | 1 | 19.45s | 0.0101 |