Question Analysis
On Windows systems, identify any user account that was hidden by setting its value to 0 under the SpecialAccounts\\UserList registry key. What was the name of the hidden account?
173126b7-afe4-45eb-8680-fa9f6400431c
Question ID
9/16
Models Correct
1
Valid Answer
56%
Success Rate
Reference Answer
Human-validated correct answer for this question
AtomicOperator$
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0249 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0116 |
| gpt-4-turbo-2024-04-09 | AtomicOperator$ | DeviceRegistryEvents
| where RegistryKey endswith 'SpecialAccounts\\UserList'
| where RegistryValueData == '0'
| project HiddenAccountName = RegistryValueName, TimeGenerated, DeviceName | Correct | 1 | 9.92s | 0.0501 |
| gpt-4.1 | AtomicOperator$ | DeviceRegistryEvents
| where RegistryKey has "SpecialAccounts\\UserList"
and RegistryValueData == "0"
and (RegistryKey has "Winlogon" and RegistryKey has "Microsoft")
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 5.17s | 0.0111 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0318 |
| gpt-4.1-mini | AtomicOperator$ | DeviceRegistryEvents
| where RegistryKey endswith "\\SpecialAccounts\\UserList"
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, AccountDomain = InitiatingProcessAccountDomain, HiddenUserAccount = RegistryValueName
| distinct TimeGenerated, DeviceName, AccountDomain, HiddenUserAccount
| order by TimeGenerated desc | Correct | 1 | 3.51s | 0.0021 |
| gpt-4.1-nano | AtomicOperator$ | DeviceRegistryEvents
| where RegistryKey has "SpecialAccounts\\UserList"
| where RegistryValueData == '0'
| project Timestamp, DeviceName, RegistryValueName, RegistryValueData, DeviceId | Correct | 2 | 8.56s | 0.0007 |
| gpt-4o | wipro | DeviceRegistryEvents
| where RegistryKey contains "SpecialAccounts\\UserList" and RegistryValueData == "0"
| project InitiatingProcessAccountName, RegistryKey, RegistryValueData | Incorrect | 2 | 9.45s | 0.0202 |
| grok-3-beta | AtomicOperator$ | DeviceRegistryEvents
| where RegistryKey contains 'SpecialAccounts\\UserList'
| where RegistryValueData == '0'
| project DeviceName, Timestamp, RegistryKey, RegistryValueName, RegistryValueData
| order by Timestamp desc | Correct | 1 | 8.10s | 0.0205 |
| grok-3-mini-beta | AtomicOperator$ | DeviceRegistryEvents
| where RegistryKey has 'SpecialAccounts\\UserList' and RegistryValueData == '0'
| project HiddenAccount = RegistryValueName, Timestamp, DeviceName
| summarize HiddenAccounts = make_set(HiddenAccount) by DeviceName | Correct | 1 | 14.66s | 0.0015 |
| o1-high | AtomicOperator$ | DeviceRegistryEvents
| where ActionType in ("RegistryValueSet","RegistryValueModified","RegistryValueCreated") // capture the creation or update of the registry value
| where RegistryKey has "\\SpecialAccounts\\UserList" // only look at that specific registry location
| where tolower(RegistryValueData) == "0" // hidden account when its value is set to 0
| project TimeGenerated, DeviceName, HiddenAccount = RegistryValueName, RegistryValueData, InitiatingProcessAccountName, ActionType | Correct | 1 | 28.90s | 0.1772 |
| o1-low | AtomicOperator$ | DeviceRegistryEvents
| where ActionType in ("ModifyValue", "SetValue", "RegistryValueSet")
| where RegistryKey has "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, HiddenAccount = RegistryValueName, InitiatingProcessAccountName | Correct | 1 | 29.37s | 0.1464 |
| o3-mini-high | AtomicOperator$ | DeviceRegistryEvents
| where RegistryKey contains "SpecialAccounts\\UserList"
| where RegistryValueData == "0"
| distinct RegistryValueName | Correct | 1 | 7.43s | 0.0065 |
| o3-mini-low | HiddenAccount | DeviceRegistryEvents
| where RegistryKey has "SpecialAccounts\\UserList"
| where RegistryValueData == "0"
| distinct RegistryValueName
| project HiddenAccount=RegistryValueName | Incorrect | 1 | 10.74s | 0.0077 |
| o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0334 |
| o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0391 |