// question
On Windows hosts, look through recent PowerShell execution records to find any elevated session where remote management was turned on. What exact command was run to enable PSRemoting?
Reference KQL answer and model-by-model comparison.
9059e8de-3d7d-4954-a322-46161880b9cf
question id
5/23
models correct
1
valid answer
22%
success rate
// reference answer
Human-validated correct answer for this question.
Enable-PSRemoting -Force
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | no answer | no query generated | fail | 5 | 0.00s | 0.0206 |
| gpt-35-turbo | Enable-PSRemoting -Force | DeviceProcessEvents | where ProcessCommandLine contains 'Enable-PSRemoting -Force' | pass | 1 | 1.97s | 0.0032 |
| gpt-4-turbo-2024-04-09 | no answer | no query generated | fail | 5 | 0.00s | 0.2305 |
| gpt-4.1 | no answer | no query generated | fail | 5 | 0.00s | 0.0415 |
| gpt-4.1-finetuned | Enable-PSRemoting -Force | DeviceProcessEvents
| where ProcessCommandLine has_all ("powershell", "enable-psremoting")
| project Timestamp, ProcessCommandLine, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessParentFileName
| order by Timestamp desc | pass | 3 | 46.20s | 0.0170 |
| gpt-4.1-mini | no answer | no query generated | fail | 5 | 0.00s | 0.0083 |
| gpt-4.1-nano | no answer | no query generated | fail | 5 | 0.00s | 0.0016 |
| gpt-4o | Enable-PSRemoting -Force | DeviceProcessEvents
| where FileName endswith "powershell.exe"
and ProcessTokenElevation != ""
and ProcessTokenElevation !in ("Default")
and (isnotempty(IsInitiatingProcessRemoteSession) or isnotempty(IsProcessRemoteSession))
| where ProcessCommandLine contains "Enable-PSRemoting" or ProcessCommandLine contains "winrm quickconfig" or ProcessCommandLine contains "Set-WSManQuickConfig"
| project DeviceName, InitiatingProcessAccountName, ProcessCommandLine, TimeGenerated | pass | 5 | 29.47s | 0.0516 |
| gpt-5-high | no answer | no query generated | fail | 5 | 0.00s | 0.2888 |
| gpt-5-mini-high | Enable-PSRemoting -Force | union isfuzzy=true DeviceProcessEvents, DeviceEvents
| where (tolower(FileName) contains "powershell" or tolower(FileName) contains "pwsh" or tolower(ProcessCommandLine) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh")
// Look for common PSRemoting enabling commands
| where (
tolower(ProcessCommandLine) contains "enable-psremoting"
or tolower(ProcessCommandLine) contains "winrm quickconfig"
or tolower(ProcessCommandLine) contains "set-item wsman"
or tolower(ProcessCommandLine) contains "enable-wsmancredssp"
or tolower(ProcessCommandLine) contains "enable-pssessionconfiguration"
)
// Restrict to elevated sessions (token elevation or high integrity)
| where (
tolower(ProcessTokenElevation) contains "elev"
or tolower(InitiatingProcessTokenElevation) contains "elev"
or tolower(ProcessIntegrityLevel) contains "high"
or tolower(InitiatingProcessIntegrityLevel) contains "high"
)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, ProcessId, InitiatingProcessId, ProcessCommandLine, InitiatingProcessCommandLine, ProcessTokenElevation, InitiatingProcessTokenElevation, ReportId, _ResourceId
| sort by TimeGenerated desc
| take 100 | pass | 1 | 28.00s | 0.0065 |
| gpt-5-mini-low | Enable-PSRemoting -Force | // Find PowerShell executions that enabled PSRemoting or related WSMan settings
let RemotingPatterns = dynamic(["Enable-PSRemoting","Enable-WSManCredSSP","Enable-PsRemoting","winrm quickconfig","winrm qc","Set-Item -Path WSMan:","Set-WSManQuickConfig","Enable-WSMan","Configure-SMRemoting"]);
let pwshNames = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]);
// DeviceProcessEvents: has elevation fields
let dpe = DeviceProcessEvents
| where TimeGenerated >= ago(30d)
| where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or FileName has_any(pwshNames)
| where ProcessCommandLine has_any(RemotingPatterns) or InitiatingProcessCommandLine has_any(RemotingPatterns) or FileName has_any(pwshNames)
| extend FullCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| project TimeGenerated, SourceTable = "DeviceProcessEvents", DeviceName, DeviceId, AccountDomain, AccountName, FullCommandLine, InitiatingCommandLine = InitiatingProcessCommandLine, InitiatingFile = InitiatingProcessFileName, ProcessTokenElevation, InitiatingProcessTokenElevation, InitiatingSession = InitiatingProcessSessionId, ReportId, FileName
| extend ElevationConcat = tolower(coalesce(ProcessTokenElevation, InitiatingProcessTokenElevation, ""))
| extend IsElevated = case(ElevationConcat contains "high" or ElevationConcat contains "elevat" or ElevationConcat contains "%%16895", "Yes", ElevationConcat == "" or ElevationConcat == "unknown", "Unknown", "No");
// DeviceEvents: may not have token elevation reliably
let de = DeviceEvents
| where TimeGenerated >= ago(30d)
| where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or FileName has_any(pwshNames)
| where ProcessCommandLine has_any(RemotingPatterns) or InitiatingProcessCommandLine has_any(RemotingPatterns) or FileName has_any(pwshNames)
| extend FullCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| project TimeGenerated, SourceTable = "DeviceEvents", DeviceName, DeviceId, AccountDomain, AccountName, FullCommandLine, InitiatingCommandLine = InitiatingProcessCommandLine, InitiatingFile = InitiatingProcessFileName, InitiatingSession = InitiatingProcessSessionId, ReportId, FileName
| extend IsElevated = "Unknown";
union dpe, de
| extend DetectedCommand = extract(@"(?i)((Enable-PSRemoting|Enable-WSManCredSSP|Enable-PsRemoting|winrm\s+quickconfig|winrm\s+qc|Set-Item\s+-Path\s+WSMan:|Set-WSManQuickConfig|Enable-WSMan)[^\r\n;]{0,400})", 1, FullCommandLine)
| where isnotempty(DetectedCommand)
| where IsElevated == "Yes" or IsElevated == "Unknown"
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Count = count(), AnyAccount = any(AccountName), AnyInitiatingFile = any(InitiatingFile), AnyInitiatingSession = any(InitiatingSession), AnyFileName = any(FileName), AnyReportId = any(ReportId) by DeviceId, DeviceName, IsElevated, DetectedCommand, FullCommandLine, SourceTable
| order by LastSeen desc
| project FirstSeen, LastSeen, Count, DeviceName, DeviceId, IsElevated, DetectedCommand, FullCommandLine, SourceTable, AnyAccount, AnyInitiatingFile, AnyInitiatingSession, AnyFileName, AnyReportId | pass | 4 | 375.33s | 0.0730 |
| gpt-5-mini-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0177 |
| gpt-5-nano-high | no answer | no query generated | fail | 5 | 0.00s | 0.0075 |
| gpt-5-nano-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0061 |
| grok-3-beta | no answer | no query generated | fail | 5 | 0.00s | 0.0908 |
| grok-3-mini-beta | no answer | no query generated | fail | 5 | 0.00s | 0.0070 |
| o1-high | no answer | no query generated | fail | 5 | 0.00s | 0.7783 |
| o1-low | no answer | no query generated | fail | 5 | 0.00s | 0.8859 |
| o3-high | no answer | no query generated | fail | 5 | 0.00s | 0.1136 |
| o3-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0423 |
| o3-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0470 |
| o4-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0477 |
| o4-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0397 |