Question Analysis
On Windows systems, disabling RDP via the registry generates registry write events. Investigate registry event logs for modifications under the Terminal Server configuration path. What is the name of the registry value that was changed to disable Remote Desktop Protocol?
5f8e36de-37ca-455e-b054-a2584f043c06
Question ID
10/23
Models Correct
1
Valid Answer
43%
Success Rate
Reference Answer
Human-validated correct answer for this question
fDenyTSConnections
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0329 |
| gpt-35-turbo | fDenyTSConnections | DeviceRegistryEvents
| where RegistryKey has "Terminal Server"
| where ActionType == "RegistryValueSet"
| where RegistryValueData == "0"
| project RegistryValueName | Correct | 1 | 1.83s | 0.0024 |
| gpt-4-turbo-2024-04-09 | fDenyTSConnections | DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey contains 'Terminal Server'
| project TimeGenerated, DeviceName, InitiatingProcessFileName, RegistryKey, RegistryValueName, RegistryValueData | Correct | 1 | 12.60s | 0.0570 |
| gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0499 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0436 |
| gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0071 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0012 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0469 |
| gpt-5-high | fDenyTSConnections | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
// Terminal Server config path (handles CurrentControlSet/ControlSet00x) and policy path
| where tolower(RegistryKey) has @"\control\terminal server"
or tolower(RegistryKey) has @"\software\policies\microsoft\windows nt\terminal services"
| extend NewValue = tostring(RegistryValueData), OldValue = tostring(PreviousRegistryValueData)
| extend NewValueNorm = trim(' ', tolower(NewValue))
// Either the specific value name or any write that clearly set it to disabled (1)
| where tolower(RegistryValueName) == "fdenytsconnections"
or NewValueNorm in ("1","0x1","0x00000001","dword:00000001")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, OldValue, NewValue,
InitiatingProcessAccountDomain, InitiatingProcessAccountName,
InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 4 | 353.61s | 0.1738 |
| gpt-5-mini-high | fdenytsconnections | DeviceRegistryEvents
| where TimeGenerated between (startofday(ago(30d)) .. now())
| where tolower(RegistryKey) has_any ("terminal server", "currentcontrolset\\control\\terminal server", "winstations", "rdp-tcp", "termsrv")
| where ActionType has_any ("set", "setvalue", "write", "modify", "registryvalueset", "registryvaluechanged")
| extend ChangedValueName = tolower(coalesce(RegistryValueName, PreviousRegistryValueName))
| extend NewValue = tostring(RegistryValueData), OldValue = tostring(PreviousRegistryValueData)
| where isnotempty(ChangedValueName)
| where ChangedValueName in ("fdenytsconnections", "userauthentication", "fallowtogethelp") or ChangedValueName contains "deny" or ChangedValueName contains "allow" or ChangedValueName contains "auth"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, ActionType, RegistryKey, ChangedValueName, OldValue, NewValue
| order by TimeGenerated desc
| take 100 | Correct | 5 | 77.74s | 0.0178 |
| gpt-5-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0080 |
| gpt-5-mini-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0116 |
| gpt-5-nano-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0077 |
| gpt-5-nano-medium | fDenyTSConnections | let TerminalServerKey = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server";
DeviceRegistryEvents
| where TimeGenerated >= ago(7d)
| where RegistryKey has (TerminalServerKey) or RegistryKey has "CurrentControlSet\\Control\\Terminal Server" or RegistryKey has "Terminal Server"
| where RegistryValueName in ("fDenyTSConnections", "fDisableRDP")
| where ActionType in ("RegistryValueSet", "RegistryValueModified", "RegistryValueWrite", "RegistryValueCreated")
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryKey, PreviousRegistryValueName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by TimeGenerated desc | Correct | 2 | 40.11s | 0.0032 |
| grok-3-beta | fDenyTSConnections | DeviceRegistryEvents
| where Timestamp > ago(30d)
| where ActionType == 'RegistryValueSet'
| where RegistryKey contains 'Terminal Server'
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData
| order by Timestamp desc | Correct | 1 | 9.63s | 0.0221 |
| grok-3-mini-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0073 |
| o1-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.6471 |
| o1-low | fDenyTSConnections | DeviceRegistryEvents
| where RegistryKey has "\\Control\\Terminal Server"
| where ActionType in ("RegistryValueSet", "RegistryValueModified", "RegistryValueUpdate")
| where RegistryValueName == "fDenyTSConnections"
| project TimeGenerated, DeviceName, ActionType, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey
| order by TimeGenerated desc | Correct | 1 | 20.28s | 0.1795 |
| o3-high | fDenyTSConnections | // --- RDP disabled via registry investigation
DeviceRegistryEvents
| where RegistryKey has "\\Control\\Terminal Server" // Terminal Server branch
| where ActionType in ("SetValue", // MDE normalised action types
"RegistryValueSet",
"RegistryValueModified",
"CreateValue")
// timerange placeholder will be injected by the calling function
// | where TimeGenerated between (datetime_start .. datetime_end)
| project TimeGenerated,
DeviceName,
ActionType,
RegistryKey,
RegistryValueName,
PreviousRegistryValueData,
RegistryValueData,
InitiatingProcessAccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| extend DisabledRDP = iff(RegistryValueName == "fDenyTSConnections" and RegistryValueData == "1", "Yes", "No")
| summarize FirstSeen=min(TimeGenerated),
LastSeen=max(TimeGenerated),
EventCount=count()
by DeviceName, RegistryValueName, DisabledRDP, RegistryKey
| order by LastSeen desc | Correct | 1 | 25.60s | 0.0192 |
| o3-mini-high | fDenyTSConnections | DeviceRegistryEvents
| where RegistryKey has "Terminal Server"
| where ActionType =~ "RegistryValueSet"
| summarize EventCount=count() by RegistryValueName
| order by EventCount desc | Correct | 1 | 7.69s | 0.0067 |
| o3-mini-low | fDenyTSConnections | DeviceRegistryEvents
| where RegistryKey has "Control\\Terminal Server"
| where ActionType has "RegistryValueSet" // Adjust this filter if needed to capture modification events
| summarize count() by RegistryValueName
| order by count_ desc
| project RegistryValueName, Count = count_
| Correct | 1 | 8.21s | 0.0067 |
| o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0392 |
| o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0326 |