// question

On Windows, an elevated SecEdit.exe process was observed exporting the local security policy. Review the process execution records to identify the name of the text file where the policy was saved.

Reference KQL answer and model-by-model comparison.

510cc97f-56ac-4cd3-a198-d3218c23d889
question id
3/23
models correct
1
valid answer
13%
success rate
// reference answer

Human-validated correct answer for this question.

output_mysecpol.txt
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
no answer
no query generatedfail50.00s0.0296
gpt-35-turbo
no answer
no query generatedfail50.00s0.0111
gpt-4-turbo-2024-04-09
no answer
no query generatedfail50.00s0.2345
gpt-4.1
no answer
no query generatedfail50.00s0.0545
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0373
gpt-4.1-mini
no answer
no query generatedfail50.00s0.0082
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0019
gpt-4o
no answer
no query generatedfail50.00s0.0419
gpt-5-high
output_mysecpol.txt
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where tolower(FileName) == "secedit.exe"
// Must be an export action
| where ProcessCommandLine matches regex @'(?i)(?:^|\s)[/-]export(?:\s|$)'
// Elevated token (either explicit elevation flag or high/system integrity)
| where ProcessTokenElevation =~ "Elevated" or ProcessIntegrityLevel in~ ("High", "System")
// Extract the policy output path after /cfg (handles quotes and no quotes)
| extend SavedPolicyPath = coalesce(
        extract(@'(?i)(?:^|\s)[/-]cfg\s+"([^"]+)"', 1, ProcessCommandLine),
        extract(@'(?i)(?:^|\s)[/-]cfg\s+(\S+)', 1, ProcessCommandLine)
    )
| extend SavedPolicyFileName = tostring(extract(@'([^\\/:*?"<>|]+)$', 1, SavedPolicyPath))
// Optional: also capture /log file if present
| extend LogFilePath = coalesce(
        extract(@'(?i)(?:^|\s)[/-]log\s+"([^"]+)"', 1, ProcessCommandLine),
        extract(@'(?i)(?:^|\s)[/-]log\s+(\S+)', 1, ProcessCommandLine)
    )
| extend LogFileName = tostring(extract(@'([^\\/:*?"<>|]+)$', 1, LogFilePath))
| where isnotempty(SavedPolicyFileName)
| project TimeGenerated, DeviceName, AccountDomain, AccountName, ProcessTokenElevation, ProcessIntegrityLevel, ProcessCommandLine, SavedPolicyPath, SavedPolicyFileName, LogFilePath, LogFileName
| order by TimeGenerated desc
pass2166.64s0.0949
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0209
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0182
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0246
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0104
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0104
grok-3-beta
no answer
no query generatedfail50.00s0.0900
grok-3-mini-beta
no answer
no query generatedfail50.00s0.0075
o1-high
no answer
no query generatedfail50.00s0.7866
o1-low
no answer
no query generatedfail50.00s0.7574
o3-high
output_mysecpol.txt
// 1. Filter for SecEdit executions
// 2. Keep only runs that performed an export of the Local Security Policy
// 3. Make sure the process was running elevated (token elevation or high integrity)
// 4. Parse the value that follows the “/cfg” switch – this is the path where the policy is written
// 5. Split the path to obtain the file name only
// 6. Summarise so we get a single (latest) record per device / user / output file
DeviceProcessEvents
| where FileName =~ "secedit.exe"
| where ProcessCommandLine has_any ("/export", " /export", "/EXPORT")
| where ProcessTokenElevation =~ "Elevated" or ProcessIntegrityLevel in ("High", "System")
// try to capture something like  /cfg C:\Temp\policydump.txt  (quotes optional)
| extend ExportedPolicyPath = extract("/cfg\\s+\"?([^\\s\"]+\\.txt)", 1, ProcessCommandLine)
| where isnotempty(ExportedPolicyPath)
| extend ExportedPolicyFileName = tostring(split(ExportedPolicyPath, "\\")[-1])
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ExportedPolicyPath, ExportedPolicyFileName
| summarize LatestExportTime = max(TimeGenerated)                
          by DeviceName, AccountName, ExportedPolicyPath, ExportedPolicyFileName
| order by LatestExportTime desc
pass270.60s0.0392
o3-mini-high
no answer
no query generatedfail50.00s0.0348
o3-mini-low
output_mysecpol.txt
DeviceProcessEvents
| where FileName =~ "SecEdit.exe"
| where ProcessCommandLine contains "/export"
// Optionally, ensure the process was elevated
// | where ProcessTokenElevation has "Elevated"
| extend ExportedFile = extract("(?i)/cfg\\s+(\\S+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, ProcessCommandLine, ExportedFile
pass217.92s0.0151
o4-mini-high
no answer
no query generatedfail50.00s0.0471
o4-mini-low
no answer
no query generatedfail50.00s0.0366