// question

On Windows devices, identify the full command used when the built-in credential manager utility was invoked to list stored credentials. What was the exact command?

Reference KQL answer and model-by-model comparison.

56506854-89d6-46a3-9804-b7fde90791f9
question id
22/23
models correct
1
valid answer
96%
success rate
// reference answer

Human-validated correct answer for this question.

cmdkey /list
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
cmdkey.exe /list
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName == "cmdkey.exe"
| where ProcessCommandLine has "/list"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
pass114.20s0.0054
gpt-35-turbo
no answer
no query generatedfail50.00s0.0108
gpt-4-turbo-2024-04-09
cmdkey.exe /list
DeviceProcessEvents
| where FileName in ('cmd.exe', 'powershell.exe')
| where ProcessCommandLine has 'cmdkey'
| project DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, TimeGenerated
pass112.23s0.0532
gpt-4.1
cmdkey.exe /list
DeviceProcessEvents
| where FileName =~ "cmdkey.exe"
| where ProcessCommandLine contains "/list"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine
| order by TimeGenerated desc
pass15.45s0.0111
gpt-4.1-finetuned
cmdkey.exe /list
DeviceProcessEvents
| where ProcessCommandLine has "cmdkey.exe" and ProcessCommandLine has "list"
| summarize ProcessCommandLineSet = makeset(ProcessCommandLine) by DeviceId, DeviceName
| extend HostName = tostring(split(DeviceName, '.') [0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))
| project-away DeviceName, DeviceId
| extend HostName = tolower(HostName)
| extend DnsDomain = tolower(DnsDomain)
pass17.25s0.0036
gpt-4.1-mini
cmdkey.exe /list
DeviceProcessEvents
| where InitiatingProcessCommandLine contains "cmdkey" and InitiatingProcessCommandLine contains "/list"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass221.17s0.0031
gpt-4.1-nano
cmdkey.exe /list
DeviceProcessEvents
| where ProcessCommandLine contains 'cmd.exe' or ProcessCommandLine contains 'powershell.exe' or ProcessCommandLine contains 'rundll32.exe'
| where ProcessCommandLine contains 'CredentialManager' or ProcessCommandLine contains '/list' or ProcessCommandLine contains 'credman' or ProcessCommandLine contains 'cmdkey'
| project Timestamp, DeviceName, ProcessCommandLine
| order by Timestamp desc
| take 10
pass527.42s0.0017
gpt-4o
cmdkey.exe /list
DeviceProcessEvents
| where ProcessCommandLine contains "cmdkey.exe" and ProcessCommandLine has "list"
| project DeviceId, DeviceName, ProcessCommandLine
pass328.58s0.0343
gpt-5-high
cmdkey.exe /list
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ ("cmdkey.exe", "vaultcmd.exe")
| where isnotempty(ProcessCommandLine) and (
    ProcessCommandLine contains "/list" or   // cmdkey /list (or -list)
    ProcessCommandLine contains " /l" or      // cmdkey /l (short form)
    ProcessCommandLine contains "-list" or    // alternate switch form
    ProcessCommandLine contains "/listcreds" // vaultcmd listing creds
)
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ExactCommand = ProcessCommandLine
| order by TimeGenerated desc
pass1107.59s0.0675
gpt-5-mini-high
cmdkey.exe /list
union withsource=SourceTable
    DeviceProcessEvents,
    DeviceEvents,
    DeviceFileEvents,
    DeviceImageLoadEvents,
    DeviceRegistryEvents,
    DeviceNetworkEvents,
    DeviceLogonEvents
| extend CommandLine = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessCommandLine, ProcessCommandLine))
| where isnotempty(CommandLine)
// Normalize whitespace for matching
| where CommandLine matches regex @"(?i)\bcmdkey(?:\.exe)?\b.*\b(?:/|-)list\b|\bcmdkey(?:\.exe)?\b.*\blist\b"
| project TimeGenerated, SourceTable, DeviceName, AccountName, InitiatingProcessAccountName, FileName = coalesce(FileName, InitiatingProcessFileName), ProcessId, InitiatingProcessId, CommandLine
| summarize Count = count(), LatestTime = max(TimeGenerated), Devices = make_set(DeviceName, 100), Users = make_set(AccountName, 100), SourceTables = make_set(SourceTable) by CommandLine
| order by LatestTime desc
| project ExactCommand = CommandLine, Count, LatestTime, Devices, Users, SourceTables
pass346.09s0.0118
gpt-5-mini-low
cmdkey.exe /list
// Search for invocations of Credential Manager utilities that list stored credentials
// Common ways: cmdkey.exe /list, rundll32.exe keymgr.dll, or rundll32.exe with arguments to show saved credentials
let cmdnames = dynamic(["cmdkey.exe","rundll32.exe","keymgr.dll","control.exe","credwiz.exe"]);

DeviceProcessEvents
| where FileName in ("cmdkey.exe","rundll32.exe","control.exe","credwiz.exe")
// also include rundll32 with keymgr.dll in command line
| where ProcessCommandLine has_any ("/list", "cmdkey /list", "keymgr.dll", "credwiz", "Credentials")
| extend Cmd = strcat(FileName, " ", ProcessCommandLine)
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, Cmd
| union (
    DeviceEvents
    | where FileName in ("cmdkey.exe","rundll32.exe","control.exe","credwiz.exe")
    | where ProcessCommandLine has_any ("/list", "cmdkey /list", "keymgr.dll", "credwiz", "Credentials")
    | extend Cmd = strcat(FileName, " ", ProcessCommandLine)
    | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, Cmd
)
| order by TimeGenerated desc
| distinct Cmd, DeviceName, DeviceId, TimeGenerated, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
| top 50 by TimeGenerated
pass128.73s0.0027
gpt-5-mini-medium
cmdkey.exe /list
// Identify usage of Windows Credential Manager listing commands (cmdkey /list or KRShowKeyMgr via rundll32)
let cmd_names = dynamic(["cmdkey.exe","cmdkey","rundll32.exe","rundll32"]);

// Search process events where the commanded process is cmdkey or rundll32 calling keymgr.dll
union isfuzzy=true
    (DeviceProcessEvents
        | where tostring(ProcessCommandLine) has_any ("cmdkey","/list","/list:")
              or (FileName has_cs "cmdkey" and ProcessCommandLine!="")
        | extend CmdLine = tostring(ProcessCommandLine), EventSource = "DeviceProcessEvents", ProcFile = FileName, ProcInitiatingCmd = InitiatingProcessCommandLine
    ),
    (DeviceEvents
        | where isnotempty(ProcessCommandLine) and (tolower(ProcessCommandLine) has "cmdkey" or tolower(ProcessCommandLine) has "krshowkeymgr" or (tolower(ProcessCommandLine) has "rundll32" and tolower(ProcessCommandLine) has "keymgr"))
        | extend CmdLine = tostring(ProcessCommandLine), EventSource = "DeviceEvents", ProcFile = FileName, ProcInitiatingCmd = InitiatingProcessCommandLine
    )
| where CmdLine has_any ("cmdkey","/list","krshowkeymgr","keymgr")
| where CmdLine !has "cmdkey /delete" // exclude deletes to focus on listing
| extend CmdLineClean = trim(' ', CmdLine)
| project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountName, AccountDomain, FileName=ProcFile, CmdLineClean, InitiatingProcessCommandLine=ProcInitiatingCmd, ProcessId
| summarize count(), AnyTime = min(TimeGenerated) by CmdLineClean, DeviceName, DeviceId, FileName
| order by AnyTime desc
| take 100
pass131.62s0.0041
gpt-5-nano-high
cmdkey.exe /list
let credMgrInvocations = (
  DeviceProcessEvents
  | where (isnotempty(InitiatingProcessCommandLine) or isnotempty(ProcessCommandLine))
  | extend CmdLine = tostring(coalesce(InitiatingProcessCommandLine, ProcessCommandLine, ""))
  | extend CmdLower = tolower(CmdLine)
  | where (CmdLower contains "rundll32.exe" and CmdLower contains "keymgr.dll" and CmdLower contains "krshowkeymgr")
     or (CmdLower contains "cmdkey.exe" and CmdLower contains "/list")
  | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, CmdLine
);
credMgrInvocations
| sort by TimeGenerated desc
| take 100
pass5115.31s0.0089
gpt-5-nano-medium
cmdkey.exe /list
let WindowsDevices = DeviceInfo
| where OSPlatform contains "Windows"
| distinct DeviceId;
DeviceProcessEvents
| where DeviceId in (WindowsDevices)
| where (InitiatingProcessFileName contains "cmdkey" or ProcessCommandLine contains "cmdkey" or InitiatingProcessCommandLine contains "cmdkey")
| where (InitiatingProcessCommandLine contains "/list" or ProcessCommandLine contains "/list" or InitiatingProcessCommandLine contains "-list" or ProcessCommandLine contains "-list")
| extend FullCommand = coalesce(InitiatingProcessCommandLine, ProcessCommandLine)
| project TimeGenerated, DeviceName, DeviceId, FullCommand, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessAccountName, InitiatingProcessAccountDomain
pass167.43s0.0024
grok-3-beta
cmdkey.exe /list
DeviceProcessEvents
| where FileName == 'cmdkey.exe' and ProcessCommandLine contains '/list'
| project DeviceName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by ProcessCreationTime desc
pass19.70s0.0215
grok-3-mini-beta
cmdkey.exe /list
DeviceProcessEvents
| where FileName == 'cmdkey.exe'
| where ProcessCommandLine contains '/list'
| project TimeGenerated, DeviceName, ProcessCommandLine, AccountName
pass111.63s0.0015
o1-high
cmdkey.exe /list
DeviceProcessEvents
| where FileName =~ "cmdkey.exe"
| where ProcessCommandLine has "/list"
| project TimeGenerated, DeviceId, DeviceName, AccountDomain, AccountName, ProcessCommandLine
| order by TimeGenerated desc
pass141.01s0.2296
o1-low
cmdkey.exe /list
DeviceProcessEvents
| where FileName =~ "cmdkey.exe" or FileName =~ "vaultcmd.exe"
| where ProcessCommandLine contains "list"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FolderPath
| order by TimeGenerated desc
pass189.57s0.4932
o3-high
cmdkey.exe /list
DeviceProcessEvents
| where FileName =~ "cmdkey.exe"         // built-in credential manager CLI
| where ProcessCommandLine has_any("/list", "/l")   // listing stored credentials
| project TimeGenerated,
          DeviceName,
          AccountSid,
          AccountName,
          ProcessCommandLine
| summarize Executions=count() by ProcessCommandLine
| order by Executions desc
pass124.85s0.0171
o3-mini-high
cmdkey.exe /list
union
  (DeviceProcessEvents
  | where FileName == "cmdkey.exe" and ProcessCommandLine has "/list"
  | project TimeGenerated, DeviceName, FullCommand = ProcessCommandLine), 
  (DeviceProcessEvents
  | where FileName == "rundll32.exe" and ProcessCommandLine has "keymgr.dll,KRShowKeyMgr"
  | project TimeGenerated, DeviceName, FullCommand = ProcessCommandLine)
| sort by TimeGenerated desc
pass116.29s0.0113
o3-mini-low
cmdkey.exe /list
DeviceProcessEvents
| where tolower(FileName) == "cmdkey.exe"
| where ProcessCommandLine contains "/list"
| project TimeGenerated, DeviceName, ProcessCommandLine
| order by TimeGenerated desc
pass134.17s0.0109
o4-mini-high
cmdkey.exe /list
DeviceProcessEvents
| where ProcessCommandLine has_cs "cmdkey" and ProcessCommandLine has_cs "/list"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| distinct TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| order by TimeGenerated desc
pass140.44s0.0150
o4-mini-low
cmdkey.exe /list
DeviceProcessEvents
| where FileName =~ "cmdkey.exe"
| where ProcessCommandLine has "/list"
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountName, ProcessCommandLine
| order by TimeGenerated desc
pass3116.97s0.0298