// question

On Windows systems, disabling RDP via the registry generates registry write events. Investigate registry event logs for modifications under the Terminal Server configuration path. What is the name of the registry value that was changed to disable Remote Desktop Protocol?

Reference KQL answer and model-by-model comparison.

5f8e36de-37ca-455e-b054-a2584f043c06
question id
10/23
models correct
1
valid answer
43%
success rate
// reference answer

Human-validated correct answer for this question.

fDenyTSConnections
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
no answer
no query generatedfail50.00s0.0329
gpt-35-turbo
fDenyTSConnections
DeviceRegistryEvents
| where RegistryKey has "Terminal Server"
| where ActionType == "RegistryValueSet"
| where RegistryValueData == "0"
| project RegistryValueName
pass11.83s0.0024
gpt-4-turbo-2024-04-09
fDenyTSConnections
DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey contains 'Terminal Server'
| project TimeGenerated, DeviceName, InitiatingProcessFileName, RegistryKey, RegistryValueName, RegistryValueData
pass112.60s0.0570
gpt-4.1
no answer
no query generatedfail50.00s0.0499
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0436
gpt-4.1-mini
no answer
no query generatedfail50.00s0.0071
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0012
gpt-4o
no answer
no query generatedfail50.00s0.0469
gpt-5-high
fDenyTSConnections
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
// Terminal Server config path (handles CurrentControlSet/ControlSet00x) and policy path
| where tolower(RegistryKey) has @"\control\terminal server"
   or tolower(RegistryKey) has @"\software\policies\microsoft\windows nt\terminal services"
| extend NewValue = tostring(RegistryValueData), OldValue = tostring(PreviousRegistryValueData)
| extend NewValueNorm = trim(' ', tolower(NewValue))
// Either the specific value name or any write that clearly set it to disabled (1)
| where tolower(RegistryValueName) == "fdenytsconnections"
   or NewValueNorm in ("1","0x1","0x00000001","dword:00000001")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, OldValue, NewValue,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass4353.61s0.1738
gpt-5-mini-high
fdenytsconnections
DeviceRegistryEvents
| where TimeGenerated between (startofday(ago(30d)) .. now())
| where tolower(RegistryKey) has_any ("terminal server", "currentcontrolset\\control\\terminal server", "winstations", "rdp-tcp", "termsrv")
| where ActionType has_any ("set", "setvalue", "write", "modify", "registryvalueset", "registryvaluechanged")
| extend ChangedValueName = tolower(coalesce(RegistryValueName, PreviousRegistryValueName))
| extend NewValue = tostring(RegistryValueData), OldValue = tostring(PreviousRegistryValueData)
| where isnotempty(ChangedValueName)
| where ChangedValueName in ("fdenytsconnections", "userauthentication", "fallowtogethelp") or ChangedValueName contains "deny" or ChangedValueName contains "allow" or ChangedValueName contains "auth"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, ActionType, RegistryKey, ChangedValueName, OldValue, NewValue
| order by TimeGenerated desc
| take 100
pass577.74s0.0178
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0080
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0116
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0077
gpt-5-nano-medium
fDenyTSConnections
let TerminalServerKey = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server";
DeviceRegistryEvents
| where TimeGenerated >= ago(7d)
| where RegistryKey has (TerminalServerKey) or RegistryKey has "CurrentControlSet\\Control\\Terminal Server" or RegistryKey has "Terminal Server"
| where RegistryValueName in ("fDenyTSConnections", "fDisableRDP")
| where ActionType in ("RegistryValueSet", "RegistryValueModified", "RegistryValueWrite", "RegistryValueCreated")
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryKey, PreviousRegistryValueName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by TimeGenerated desc
pass240.11s0.0032
grok-3-beta
fDenyTSConnections
DeviceRegistryEvents
| where Timestamp > ago(30d)
| where ActionType == 'RegistryValueSet'
| where RegistryKey contains 'Terminal Server'
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData
| order by Timestamp desc
pass19.63s0.0221
grok-3-mini-beta
no answer
no query generatedfail50.00s0.0073
o1-high
no answer
no query generatedfail50.00s0.6471
o1-low
fDenyTSConnections
DeviceRegistryEvents
| where RegistryKey has "\\Control\\Terminal Server"
| where ActionType in ("RegistryValueSet", "RegistryValueModified", "RegistryValueUpdate")
| where RegistryValueName == "fDenyTSConnections"
| project TimeGenerated, DeviceName, ActionType, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey
| order by TimeGenerated desc
pass120.28s0.1795
o3-high
fDenyTSConnections
// --- RDP disabled via registry investigation
DeviceRegistryEvents
| where RegistryKey has "\\Control\\Terminal Server"          // Terminal Server branch
| where ActionType in ("SetValue",               // MDE normalised action types
                       "RegistryValueSet",
                       "RegistryValueModified",
                       "CreateValue")
// timerange placeholder will be injected by the calling function
// | where TimeGenerated between (datetime_start .. datetime_end)
| project TimeGenerated,
          DeviceName,
          ActionType,
          RegistryKey,
          RegistryValueName,
          PreviousRegistryValueData,
          RegistryValueData,
          InitiatingProcessAccountName,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine
| extend DisabledRDP = iff(RegistryValueName == "fDenyTSConnections" and RegistryValueData == "1", "Yes", "No")
| summarize FirstSeen=min(TimeGenerated),
            LastSeen=max(TimeGenerated),
            EventCount=count() 
          by DeviceName, RegistryValueName, DisabledRDP, RegistryKey
| order by LastSeen desc
pass125.60s0.0192
o3-mini-high
fDenyTSConnections
DeviceRegistryEvents
| where RegistryKey has "Terminal Server"
| where ActionType =~ "RegistryValueSet"
| summarize EventCount=count() by RegistryValueName
| order by EventCount desc
pass17.69s0.0067
o3-mini-low
fDenyTSConnections
DeviceRegistryEvents
| where RegistryKey has "Control\\Terminal Server"
| where ActionType has "RegistryValueSet"  // Adjust this filter if needed to capture modification events
| summarize count() by RegistryValueName
| order by count_ desc
| project RegistryValueName, Count = count_
pass18.21s0.0067
o4-mini-high
no answer
no query generatedfail50.00s0.0392
o4-mini-low
no answer
no query generatedfail50.00s0.0326