Question Analysis
On Windows systems, disabling RDP via the registry generates registry write events. Investigate registry event logs for modifications under the Terminal Server configuration path. What is the name of the registry value that was changed to disable Remote Desktop Protocol?
5f8e36de-37ca-455e-b054-a2584f043c06
Question ID
6/16
Models Correct
1
Valid Answer
38%
Success Rate
Reference Answer
Human-validated correct answer for this question
fDenyTSConnections
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0329 |
| gpt-35-turbo | fDenyTSConnections | DeviceRegistryEvents
| where RegistryKey has "Terminal Server"
| where ActionType == "RegistryValueSet"
| where RegistryValueData == "0"
| project RegistryValueName | Correct | 1 | 1.83s | 0.0024 |
| gpt-4-turbo-2024-04-09 | fDenyTSConnections | DeviceRegistryEvents
| where ActionType == 'RegistryValueSet'
| where RegistryKey contains 'Terminal Server'
| project TimeGenerated, DeviceName, InitiatingProcessFileName, RegistryKey, RegistryValueName, RegistryValueData | Correct | 1 | 12.60s | 0.0570 |
| gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0499 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0436 |
| gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0071 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0012 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0469 |
| grok-3-beta | fDenyTSConnections | DeviceRegistryEvents
| where Timestamp > ago(30d)
| where ActionType == 'RegistryValueSet'
| where RegistryKey contains 'Terminal Server'
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData
| order by Timestamp desc | Correct | 1 | 9.63s | 0.0221 |
| grok-3-mini-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0073 |
| o1-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.6471 |
| o1-low | fDenyTSConnections | DeviceRegistryEvents
| where RegistryKey has "\\Control\\Terminal Server"
| where ActionType in ("RegistryValueSet", "RegistryValueModified", "RegistryValueUpdate")
| where RegistryValueName == "fDenyTSConnections"
| project TimeGenerated, DeviceName, ActionType, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey
| order by TimeGenerated desc | Correct | 1 | 20.28s | 0.1795 |
| o3-mini-high | fDenyTSConnections | DeviceRegistryEvents
| where RegistryKey has "Terminal Server"
| where ActionType =~ "RegistryValueSet"
| summarize EventCount=count() by RegistryValueName
| order by EventCount desc | Correct | 1 | 7.69s | 0.0067 |
| o3-mini-low | fDenyTSConnections | DeviceRegistryEvents
| where RegistryKey has "Control\\Terminal Server"
| where ActionType has "RegistryValueSet" // Adjust this filter if needed to capture modification events
| summarize count() by RegistryValueName
| order by count_ desc
| project RegistryValueName, Count = count_
| Correct | 1 | 8.21s | 0.0067 |
| o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0392 |
| o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0326 |