// question
On Windows systems, disabling RDP via the registry generates registry write events. Investigate registry event logs for modifications under the Terminal Server configuration path. What is the name of the registry value that was changed to disable Remote Desktop Protocol?
Reference KQL answer and model-by-model comparison.
5f8e36de-37ca-455e-b054-a2584f043c06
question id
10/23
models correct
1
valid answer
43%
success rate
// reference answer
Human-validated correct answer for this question.
fDenyTSConnections
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | no answer | no query generated | fail | 5 | 0.00s | 0.0329 |
| gpt-35-turbo | fDenyTSConnections | DeviceRegistryEvents | where RegistryKey has "Terminal Server" | where ActionType == "RegistryValueSet" | where RegistryValueData == "0" | project RegistryValueName | pass | 1 | 1.83s | 0.0024 |
| gpt-4-turbo-2024-04-09 | fDenyTSConnections | DeviceRegistryEvents | where ActionType == 'RegistryValueSet' | where RegistryKey contains 'Terminal Server' | project TimeGenerated, DeviceName, InitiatingProcessFileName, RegistryKey, RegistryValueName, RegistryValueData | pass | 1 | 12.60s | 0.0570 |
| gpt-4.1 | no answer | no query generated | fail | 5 | 0.00s | 0.0499 |
| gpt-4.1-finetuned | no answer | no query generated | fail | 5 | 0.00s | 0.0436 |
| gpt-4.1-mini | no answer | no query generated | fail | 5 | 0.00s | 0.0071 |
| gpt-4.1-nano | no answer | no query generated | fail | 5 | 0.00s | 0.0012 |
| gpt-4o | no answer | no query generated | fail | 5 | 0.00s | 0.0469 |
| gpt-5-high | fDenyTSConnections | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
// Terminal Server config path (handles CurrentControlSet/ControlSet00x) and policy path
| where tolower(RegistryKey) has @"\control\terminal server"
or tolower(RegistryKey) has @"\software\policies\microsoft\windows nt\terminal services"
| extend NewValue = tostring(RegistryValueData), OldValue = tostring(PreviousRegistryValueData)
| extend NewValueNorm = trim(' ', tolower(NewValue))
// Either the specific value name or any write that clearly set it to disabled (1)
| where tolower(RegistryValueName) == "fdenytsconnections"
or NewValueNorm in ("1","0x1","0x00000001","dword:00000001")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, OldValue, NewValue,
InitiatingProcessAccountDomain, InitiatingProcessAccountName,
InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | pass | 4 | 353.61s | 0.1738 |
| gpt-5-mini-high | fdenytsconnections | DeviceRegistryEvents
| where TimeGenerated between (startofday(ago(30d)) .. now())
| where tolower(RegistryKey) has_any ("terminal server", "currentcontrolset\\control\\terminal server", "winstations", "rdp-tcp", "termsrv")
| where ActionType has_any ("set", "setvalue", "write", "modify", "registryvalueset", "registryvaluechanged")
| extend ChangedValueName = tolower(coalesce(RegistryValueName, PreviousRegistryValueName))
| extend NewValue = tostring(RegistryValueData), OldValue = tostring(PreviousRegistryValueData)
| where isnotempty(ChangedValueName)
| where ChangedValueName in ("fdenytsconnections", "userauthentication", "fallowtogethelp") or ChangedValueName contains "deny" or ChangedValueName contains "allow" or ChangedValueName contains "auth"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, ActionType, RegistryKey, ChangedValueName, OldValue, NewValue
| order by TimeGenerated desc
| take 100 | pass | 5 | 77.74s | 0.0178 |
| gpt-5-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0080 |
| gpt-5-mini-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0116 |
| gpt-5-nano-high | no answer | no query generated | fail | 5 | 0.00s | 0.0077 |
| gpt-5-nano-medium | fDenyTSConnections | let TerminalServerKey = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server";
DeviceRegistryEvents
| where TimeGenerated >= ago(7d)
| where RegistryKey has (TerminalServerKey) or RegistryKey has "CurrentControlSet\\Control\\Terminal Server" or RegistryKey has "Terminal Server"
| where RegistryValueName in ("fDenyTSConnections", "fDisableRDP")
| where ActionType in ("RegistryValueSet", "RegistryValueModified", "RegistryValueWrite", "RegistryValueCreated")
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryKey, PreviousRegistryValueName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by TimeGenerated desc | pass | 2 | 40.11s | 0.0032 |
| grok-3-beta | fDenyTSConnections | DeviceRegistryEvents | where Timestamp > ago(30d) | where ActionType == 'RegistryValueSet' | where RegistryKey contains 'Terminal Server' | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData | order by Timestamp desc | pass | 1 | 9.63s | 0.0221 |
| grok-3-mini-beta | no answer | no query generated | fail | 5 | 0.00s | 0.0073 |
| o1-high | no answer | no query generated | fail | 5 | 0.00s | 0.6471 |
| o1-low | fDenyTSConnections | DeviceRegistryEvents
| where RegistryKey has "\\Control\\Terminal Server"
| where ActionType in ("RegistryValueSet", "RegistryValueModified", "RegistryValueUpdate")
| where RegistryValueName == "fDenyTSConnections"
| project TimeGenerated, DeviceName, ActionType, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey
| order by TimeGenerated desc | pass | 1 | 20.28s | 0.1795 |
| o3-high | fDenyTSConnections | // --- RDP disabled via registry investigation
DeviceRegistryEvents
| where RegistryKey has "\\Control\\Terminal Server" // Terminal Server branch
| where ActionType in ("SetValue", // MDE normalised action types
"RegistryValueSet",
"RegistryValueModified",
"CreateValue")
// timerange placeholder will be injected by the calling function
// | where TimeGenerated between (datetime_start .. datetime_end)
| project TimeGenerated,
DeviceName,
ActionType,
RegistryKey,
RegistryValueName,
PreviousRegistryValueData,
RegistryValueData,
InitiatingProcessAccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| extend DisabledRDP = iff(RegistryValueName == "fDenyTSConnections" and RegistryValueData == "1", "Yes", "No")
| summarize FirstSeen=min(TimeGenerated),
LastSeen=max(TimeGenerated),
EventCount=count()
by DeviceName, RegistryValueName, DisabledRDP, RegistryKey
| order by LastSeen desc | pass | 1 | 25.60s | 0.0192 |
| o3-mini-high | fDenyTSConnections | DeviceRegistryEvents | where RegistryKey has "Terminal Server" | where ActionType =~ "RegistryValueSet" | summarize EventCount=count() by RegistryValueName | order by EventCount desc | pass | 1 | 7.69s | 0.0067 |
| o3-mini-low | fDenyTSConnections | DeviceRegistryEvents | where RegistryKey has "Control\\Terminal Server" | where ActionType has "RegistryValueSet" // Adjust this filter if needed to capture modification events | summarize count() by RegistryValueName | order by count_ desc | project RegistryValueName, Count = count_ | pass | 1 | 8.21s | 0.0067 |
| o4-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0392 |
| o4-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0326 |