// question

On Windows hosts, look through recent PowerShell execution records to find any elevated session where remote management was turned on. What exact command was run to enable PSRemoting?

Reference KQL answer and model-by-model comparison.

9059e8de-3d7d-4954-a322-46161880b9cf
question id
5/23
models correct
1
valid answer
22%
success rate
// reference answer

Human-validated correct answer for this question.

Enable-PSRemoting -Force
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
no answer
no query generatedfail50.00s0.0206
gpt-35-turbo
Enable-PSRemoting -Force
DeviceProcessEvents
| where ProcessCommandLine contains 'Enable-PSRemoting -Force'
pass11.97s0.0032
gpt-4-turbo-2024-04-09
no answer
no query generatedfail50.00s0.2305
gpt-4.1
no answer
no query generatedfail50.00s0.0415
gpt-4.1-finetuned
Enable-PSRemoting -Force
DeviceProcessEvents 
| where ProcessCommandLine has_all ("powershell", "enable-psremoting")
| project Timestamp, ProcessCommandLine, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessParentFileName
| order by Timestamp desc
pass346.20s0.0170
gpt-4.1-mini
no answer
no query generatedfail50.00s0.0083
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0016
gpt-4o
Enable-PSRemoting -Force
DeviceProcessEvents
| where FileName endswith "powershell.exe"
      and ProcessTokenElevation != "" 
      and ProcessTokenElevation !in ("Default")
      and (isnotempty(IsInitiatingProcessRemoteSession) or isnotempty(IsProcessRemoteSession))
| where ProcessCommandLine contains "Enable-PSRemoting" or ProcessCommandLine contains "winrm quickconfig" or ProcessCommandLine contains "Set-WSManQuickConfig"
| project DeviceName, InitiatingProcessAccountName, ProcessCommandLine, TimeGenerated
pass529.47s0.0516
gpt-5-high
no answer
no query generatedfail50.00s0.2888
gpt-5-mini-high
Enable-PSRemoting -Force
union isfuzzy=true DeviceProcessEvents, DeviceEvents
| where (tolower(FileName) contains "powershell" or tolower(FileName) contains "pwsh" or tolower(ProcessCommandLine) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh")
// Look for common PSRemoting enabling commands
| where (
    tolower(ProcessCommandLine) contains "enable-psremoting" 
    or tolower(ProcessCommandLine) contains "winrm quickconfig"
    or tolower(ProcessCommandLine) contains "set-item wsman"
    or tolower(ProcessCommandLine) contains "enable-wsmancredssp"
    or tolower(ProcessCommandLine) contains "enable-pssessionconfiguration"
)
// Restrict to elevated sessions (token elevation or high integrity)
| where (
    tolower(ProcessTokenElevation) contains "elev" 
    or tolower(InitiatingProcessTokenElevation) contains "elev"
    or tolower(ProcessIntegrityLevel) contains "high"
    or tolower(InitiatingProcessIntegrityLevel) contains "high"
)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, ProcessId, InitiatingProcessId, ProcessCommandLine, InitiatingProcessCommandLine, ProcessTokenElevation, InitiatingProcessTokenElevation, ReportId, _ResourceId
| sort by TimeGenerated desc
| take 100
pass128.00s0.0065
gpt-5-mini-low
Enable-PSRemoting -Force
// Find PowerShell executions that enabled PSRemoting or related WSMan settings
let RemotingPatterns = dynamic(["Enable-PSRemoting","Enable-WSManCredSSP","Enable-PsRemoting","winrm quickconfig","winrm qc","Set-Item -Path WSMan:","Set-WSManQuickConfig","Enable-WSMan","Configure-SMRemoting"]);
let pwshNames = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]);

// DeviceProcessEvents: has elevation fields
let dpe = DeviceProcessEvents
| where TimeGenerated >= ago(30d)
| where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or FileName has_any(pwshNames)
| where ProcessCommandLine has_any(RemotingPatterns) or InitiatingProcessCommandLine has_any(RemotingPatterns) or FileName has_any(pwshNames)
| extend FullCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| project TimeGenerated, SourceTable = "DeviceProcessEvents", DeviceName, DeviceId, AccountDomain, AccountName, FullCommandLine, InitiatingCommandLine = InitiatingProcessCommandLine, InitiatingFile = InitiatingProcessFileName, ProcessTokenElevation, InitiatingProcessTokenElevation, InitiatingSession = InitiatingProcessSessionId, ReportId, FileName
| extend ElevationConcat = tolower(coalesce(ProcessTokenElevation, InitiatingProcessTokenElevation, ""))
| extend IsElevated = case(ElevationConcat contains "high" or ElevationConcat contains "elevat" or ElevationConcat contains "%%16895", "Yes", ElevationConcat == "" or ElevationConcat == "unknown", "Unknown", "No");

// DeviceEvents: may not have token elevation reliably
let de = DeviceEvents
| where TimeGenerated >= ago(30d)
| where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or FileName has_any(pwshNames)
| where ProcessCommandLine has_any(RemotingPatterns) or InitiatingProcessCommandLine has_any(RemotingPatterns) or FileName has_any(pwshNames)
| extend FullCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| project TimeGenerated, SourceTable = "DeviceEvents", DeviceName, DeviceId, AccountDomain, AccountName, FullCommandLine, InitiatingCommandLine = InitiatingProcessCommandLine, InitiatingFile = InitiatingProcessFileName, InitiatingSession = InitiatingProcessSessionId, ReportId, FileName
| extend IsElevated = "Unknown";

union dpe, de
| extend DetectedCommand = extract(@"(?i)((Enable-PSRemoting|Enable-WSManCredSSP|Enable-PsRemoting|winrm\s+quickconfig|winrm\s+qc|Set-Item\s+-Path\s+WSMan:|Set-WSManQuickConfig|Enable-WSMan)[^\r\n;]{0,400})", 1, FullCommandLine)
| where isnotempty(DetectedCommand)
| where IsElevated == "Yes" or IsElevated == "Unknown"
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Count = count(), AnyAccount = any(AccountName), AnyInitiatingFile = any(InitiatingFile), AnyInitiatingSession = any(InitiatingSession), AnyFileName = any(FileName), AnyReportId = any(ReportId) by DeviceId, DeviceName, IsElevated, DetectedCommand, FullCommandLine, SourceTable
| order by LastSeen desc
| project FirstSeen, LastSeen, Count, DeviceName, DeviceId, IsElevated, DetectedCommand, FullCommandLine, SourceTable, AnyAccount, AnyInitiatingFile, AnyInitiatingSession, AnyFileName, AnyReportId
pass4375.33s0.0730
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0177
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0075
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0061
grok-3-beta
no answer
no query generatedfail50.00s0.0908
grok-3-mini-beta
no answer
no query generatedfail50.00s0.0070
o1-high
no answer
no query generatedfail50.00s0.7783
o1-low
no answer
no query generatedfail50.00s0.8859
o3-high
no answer
no query generatedfail50.00s0.1136
o3-mini-high
no answer
no query generatedfail50.00s0.0423
o3-mini-low
no answer
no query generatedfail50.00s0.0470
o4-mini-high
no answer
no query generatedfail50.00s0.0477
o4-mini-low
no answer
no query generatedfail50.00s0.0397