// question
On Windows devices, identify the full command used when the built-in credential manager utility was invoked to list stored credentials. What was the exact command?
Reference KQL answer and model-by-model comparison.
56506854-89d6-46a3-9804-b7fde90791f9
question id
22/23
models correct
1
valid answer
96%
success rate
// reference answer
Human-validated correct answer for this question.
cmdkey /list
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | cmdkey.exe /list | DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName == "cmdkey.exe" | where ProcessCommandLine has "/list" | project Timestamp, DeviceName, AccountName, ProcessCommandLine | pass | 1 | 14.20s | 0.0054 |
| gpt-35-turbo | no answer | no query generated | fail | 5 | 0.00s | 0.0108 |
| gpt-4-turbo-2024-04-09 | cmdkey.exe /list | DeviceProcessEvents
| where FileName in ('cmd.exe', 'powershell.exe')
| where ProcessCommandLine has 'cmdkey'
| project DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, TimeGenerated | pass | 1 | 12.23s | 0.0532 |
| gpt-4.1 | cmdkey.exe /list | DeviceProcessEvents | where FileName =~ "cmdkey.exe" | where ProcessCommandLine contains "/list" | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine | order by TimeGenerated desc | pass | 1 | 5.45s | 0.0111 |
| gpt-4.1-finetuned | cmdkey.exe /list | DeviceProcessEvents | where ProcessCommandLine has "cmdkey.exe" and ProcessCommandLine has "list" | summarize ProcessCommandLineSet = makeset(ProcessCommandLine) by DeviceId, DeviceName | extend HostName = tostring(split(DeviceName, '.') [0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.')) | project-away DeviceName, DeviceId | extend HostName = tolower(HostName) | extend DnsDomain = tolower(DnsDomain) | pass | 1 | 7.25s | 0.0036 |
| gpt-4.1-mini | cmdkey.exe /list | DeviceProcessEvents | where InitiatingProcessCommandLine contains "cmdkey" and InitiatingProcessCommandLine contains "/list" | project TimeGenerated, DeviceName, InitiatingProcessCommandLine | order by TimeGenerated desc | pass | 2 | 21.17s | 0.0031 |
| gpt-4.1-nano | cmdkey.exe /list | DeviceProcessEvents | where ProcessCommandLine contains 'cmd.exe' or ProcessCommandLine contains 'powershell.exe' or ProcessCommandLine contains 'rundll32.exe' | where ProcessCommandLine contains 'CredentialManager' or ProcessCommandLine contains '/list' or ProcessCommandLine contains 'credman' or ProcessCommandLine contains 'cmdkey' | project Timestamp, DeviceName, ProcessCommandLine | order by Timestamp desc | take 10 | pass | 5 | 27.42s | 0.0017 |
| gpt-4o | cmdkey.exe /list | DeviceProcessEvents | where ProcessCommandLine contains "cmdkey.exe" and ProcessCommandLine has "list" | project DeviceId, DeviceName, ProcessCommandLine | pass | 3 | 28.58s | 0.0343 |
| gpt-5-high | cmdkey.exe /list | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ ("cmdkey.exe", "vaultcmd.exe")
| where isnotempty(ProcessCommandLine) and (
ProcessCommandLine contains "/list" or // cmdkey /list (or -list)
ProcessCommandLine contains " /l" or // cmdkey /l (short form)
ProcessCommandLine contains "-list" or // alternate switch form
ProcessCommandLine contains "/listcreds" // vaultcmd listing creds
)
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ExactCommand = ProcessCommandLine
| order by TimeGenerated desc | pass | 1 | 107.59s | 0.0675 |
| gpt-5-mini-high | cmdkey.exe /list | union withsource=SourceTable
DeviceProcessEvents,
DeviceEvents,
DeviceFileEvents,
DeviceImageLoadEvents,
DeviceRegistryEvents,
DeviceNetworkEvents,
DeviceLogonEvents
| extend CommandLine = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessCommandLine, ProcessCommandLine))
| where isnotempty(CommandLine)
// Normalize whitespace for matching
| where CommandLine matches regex @"(?i)\bcmdkey(?:\.exe)?\b.*\b(?:/|-)list\b|\bcmdkey(?:\.exe)?\b.*\blist\b"
| project TimeGenerated, SourceTable, DeviceName, AccountName, InitiatingProcessAccountName, FileName = coalesce(FileName, InitiatingProcessFileName), ProcessId, InitiatingProcessId, CommandLine
| summarize Count = count(), LatestTime = max(TimeGenerated), Devices = make_set(DeviceName, 100), Users = make_set(AccountName, 100), SourceTables = make_set(SourceTable) by CommandLine
| order by LatestTime desc
| project ExactCommand = CommandLine, Count, LatestTime, Devices, Users, SourceTables | pass | 3 | 46.09s | 0.0118 |
| gpt-5-mini-low | cmdkey.exe /list | // Search for invocations of Credential Manager utilities that list stored credentials
// Common ways: cmdkey.exe /list, rundll32.exe keymgr.dll, or rundll32.exe with arguments to show saved credentials
let cmdnames = dynamic(["cmdkey.exe","rundll32.exe","keymgr.dll","control.exe","credwiz.exe"]);
DeviceProcessEvents
| where FileName in ("cmdkey.exe","rundll32.exe","control.exe","credwiz.exe")
// also include rundll32 with keymgr.dll in command line
| where ProcessCommandLine has_any ("/list", "cmdkey /list", "keymgr.dll", "credwiz", "Credentials")
| extend Cmd = strcat(FileName, " ", ProcessCommandLine)
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, Cmd
| union (
DeviceEvents
| where FileName in ("cmdkey.exe","rundll32.exe","control.exe","credwiz.exe")
| where ProcessCommandLine has_any ("/list", "cmdkey /list", "keymgr.dll", "credwiz", "Credentials")
| extend Cmd = strcat(FileName, " ", ProcessCommandLine)
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, Cmd
)
| order by TimeGenerated desc
| distinct Cmd, DeviceName, DeviceId, TimeGenerated, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
| top 50 by TimeGenerated
| pass | 1 | 28.73s | 0.0027 |
| gpt-5-mini-medium | cmdkey.exe /list | // Identify usage of Windows Credential Manager listing commands (cmdkey /list or KRShowKeyMgr via rundll32)
let cmd_names = dynamic(["cmdkey.exe","cmdkey","rundll32.exe","rundll32"]);
// Search process events where the commanded process is cmdkey or rundll32 calling keymgr.dll
union isfuzzy=true
(DeviceProcessEvents
| where tostring(ProcessCommandLine) has_any ("cmdkey","/list","/list:")
or (FileName has_cs "cmdkey" and ProcessCommandLine!="")
| extend CmdLine = tostring(ProcessCommandLine), EventSource = "DeviceProcessEvents", ProcFile = FileName, ProcInitiatingCmd = InitiatingProcessCommandLine
),
(DeviceEvents
| where isnotempty(ProcessCommandLine) and (tolower(ProcessCommandLine) has "cmdkey" or tolower(ProcessCommandLine) has "krshowkeymgr" or (tolower(ProcessCommandLine) has "rundll32" and tolower(ProcessCommandLine) has "keymgr"))
| extend CmdLine = tostring(ProcessCommandLine), EventSource = "DeviceEvents", ProcFile = FileName, ProcInitiatingCmd = InitiatingProcessCommandLine
)
| where CmdLine has_any ("cmdkey","/list","krshowkeymgr","keymgr")
| where CmdLine !has "cmdkey /delete" // exclude deletes to focus on listing
| extend CmdLineClean = trim(' ', CmdLine)
| project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountName, AccountDomain, FileName=ProcFile, CmdLineClean, InitiatingProcessCommandLine=ProcInitiatingCmd, ProcessId
| summarize count(), AnyTime = min(TimeGenerated) by CmdLineClean, DeviceName, DeviceId, FileName
| order by AnyTime desc
| take 100 | pass | 1 | 31.62s | 0.0041 |
| gpt-5-nano-high | cmdkey.exe /list | let credMgrInvocations = (
DeviceProcessEvents
| where (isnotempty(InitiatingProcessCommandLine) or isnotempty(ProcessCommandLine))
| extend CmdLine = tostring(coalesce(InitiatingProcessCommandLine, ProcessCommandLine, ""))
| extend CmdLower = tolower(CmdLine)
| where (CmdLower contains "rundll32.exe" and CmdLower contains "keymgr.dll" and CmdLower contains "krshowkeymgr")
or (CmdLower contains "cmdkey.exe" and CmdLower contains "/list")
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, CmdLine
);
credMgrInvocations
| sort by TimeGenerated desc
| take 100 | pass | 5 | 115.31s | 0.0089 |
| gpt-5-nano-medium | cmdkey.exe /list | let WindowsDevices = DeviceInfo | where OSPlatform contains "Windows" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (WindowsDevices) | where (InitiatingProcessFileName contains "cmdkey" or ProcessCommandLine contains "cmdkey" or InitiatingProcessCommandLine contains "cmdkey") | where (InitiatingProcessCommandLine contains "/list" or ProcessCommandLine contains "/list" or InitiatingProcessCommandLine contains "-list" or ProcessCommandLine contains "-list") | extend FullCommand = coalesce(InitiatingProcessCommandLine, ProcessCommandLine) | project TimeGenerated, DeviceName, DeviceId, FullCommand, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessAccountName, InitiatingProcessAccountDomain | pass | 1 | 67.43s | 0.0024 |
| grok-3-beta | cmdkey.exe /list | DeviceProcessEvents | where FileName == 'cmdkey.exe' and ProcessCommandLine contains '/list' | project DeviceName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine | order by ProcessCreationTime desc | pass | 1 | 9.70s | 0.0215 |
| grok-3-mini-beta | cmdkey.exe /list | DeviceProcessEvents | where FileName == 'cmdkey.exe' | where ProcessCommandLine contains '/list' | project TimeGenerated, DeviceName, ProcessCommandLine, AccountName | pass | 1 | 11.63s | 0.0015 |
| o1-high | cmdkey.exe /list | DeviceProcessEvents | where FileName =~ "cmdkey.exe" | where ProcessCommandLine has "/list" | project TimeGenerated, DeviceId, DeviceName, AccountDomain, AccountName, ProcessCommandLine | order by TimeGenerated desc | pass | 1 | 41.01s | 0.2296 |
| o1-low | cmdkey.exe /list | DeviceProcessEvents | where FileName =~ "cmdkey.exe" or FileName =~ "vaultcmd.exe" | where ProcessCommandLine contains "list" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FolderPath | order by TimeGenerated desc | pass | 1 | 89.57s | 0.4932 |
| o3-high | cmdkey.exe /list | DeviceProcessEvents
| where FileName =~ "cmdkey.exe" // built-in credential manager CLI
| where ProcessCommandLine has_any("/list", "/l") // listing stored credentials
| project TimeGenerated,
DeviceName,
AccountSid,
AccountName,
ProcessCommandLine
| summarize Executions=count() by ProcessCommandLine
| order by Executions desc | pass | 1 | 24.85s | 0.0171 |
| o3-mini-high | cmdkey.exe /list | union (DeviceProcessEvents | where FileName == "cmdkey.exe" and ProcessCommandLine has "/list" | project TimeGenerated, DeviceName, FullCommand = ProcessCommandLine), (DeviceProcessEvents | where FileName == "rundll32.exe" and ProcessCommandLine has "keymgr.dll,KRShowKeyMgr" | project TimeGenerated, DeviceName, FullCommand = ProcessCommandLine) | sort by TimeGenerated desc | pass | 1 | 16.29s | 0.0113 |
| o3-mini-low | cmdkey.exe /list | DeviceProcessEvents | where tolower(FileName) == "cmdkey.exe" | where ProcessCommandLine contains "/list" | project TimeGenerated, DeviceName, ProcessCommandLine | order by TimeGenerated desc | pass | 1 | 34.17s | 0.0109 |
| o4-mini-high | cmdkey.exe /list | DeviceProcessEvents | where ProcessCommandLine has_cs "cmdkey" and ProcessCommandLine has_cs "/list" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | distinct TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | order by TimeGenerated desc | pass | 1 | 40.44s | 0.0150 |
| o4-mini-low | cmdkey.exe /list | DeviceProcessEvents | where FileName =~ "cmdkey.exe" | where ProcessCommandLine has "/list" | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountName, ProcessCommandLine | order by TimeGenerated desc | pass | 3 | 116.97s | 0.0298 |