Question Analysis
On Windows systems, identify any user account that was hidden by setting its value to 0 under the SpecialAccounts\UserList registry key. What was the name of the hidden account?
173126b7-afe4-45eb-8680-fa9f6400431c
Question ID
15/23
Models Correct
1
Valid Answer
65%
Success Rate
Reference Answer
Human-validated correct answer for this question
AtomicOperator$
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0249 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0116 |
gpt-4-turbo-2024-04-09 | AtomicOperator$ | DeviceRegistryEvents
| where RegistryKey endswith 'SpecialAccounts\\UserList'
| where RegistryValueData == '0'
| project HiddenAccountName = RegistryValueName, TimeGenerated, DeviceName | Correct | 1 | 9.92s | 0.0501 |
gpt-4.1 | AtomicOperator$ | DeviceRegistryEvents
| where RegistryKey has "SpecialAccounts\\UserList"
and RegistryValueData == "0"
and (RegistryKey has "Winlogon" and RegistryKey has "Microsoft")
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 5.17s | 0.0111 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0318 |
gpt-4.1-mini | AtomicOperator$ | DeviceRegistryEvents
| where RegistryKey endswith "\\SpecialAccounts\\UserList"
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, AccountDomain = InitiatingProcessAccountDomain, HiddenUserAccount = RegistryValueName
| distinct TimeGenerated, DeviceName, AccountDomain, HiddenUserAccount
| order by TimeGenerated desc | Correct | 1 | 3.51s | 0.0021 |
gpt-4.1-nano | AtomicOperator$ | DeviceRegistryEvents
| where RegistryKey has "SpecialAccounts\\UserList"
| where RegistryValueData == '0'
| project Timestamp, DeviceName, RegistryValueName, RegistryValueData, DeviceId | Correct | 2 | 8.56s | 0.0007 |
gpt-4o | wipro | DeviceRegistryEvents
| where RegistryKey contains "SpecialAccounts\\UserList" and RegistryValueData == "0"
| project InitiatingProcessAccountName, RegistryKey, RegistryValueData | Incorrect | 2 | 9.45s | 0.0202 |
gpt-5-high | AtomicOperator$ | let HiddenUserChanges =
DeviceRegistryEvents
| where RegistryKey contains @"\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated", "RegistryValueModified")
| extend ValueDataStr = tostring(RegistryValueData)
| extend IsZero = iif(tolong(ValueDataStr) == 0 or ValueDataStr matches regex @"(?i)^\s*(?:0x)?0+\s*(?:\((?:0x)?0+\))?\s*$", true, false)
| where IsZero
| project TimeGenerated, DeviceName, DeviceId, HiddenAccount=RegistryValueName, RegistryKey, RegistryValueData, PreviousRegistryValueData, ActionType,
InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessSHA256;
// Detailed events (latest first)
HiddenUserChanges
| order by TimeGenerated desc | Correct | 1 | 92.78s | 0.0526 |
gpt-5-mini-high | AtomicOperator$ | DeviceRegistryEvents
| where isnotempty(RegistryKey)
// Match both the direct SpecialAccounts path and under Policies\Explorer
| where RegistryKey has "SpecialAccounts\\UserList" or RegistryKey has "Policies\\Explorer\\SpecialAccounts\\UserList"
// Only care about entries where a named value (the account name) was written
| where isnotempty(RegistryValueName)
// Normalize RegistryValueData: trim, lowercase
| extend RVD = tolower(tostring(RegistryValueData))
// Recognize common zero representations: "0", "0x0", "dword:00000000" etc.
| where RVD in ("0", "0x0") or RVD has "dword:00000000" or toint(RVD) == 0
| extend HiddenAccount = RegistryValueName
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, ActionType, HiddenAccount
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Count=count(), Devices=make_set(DeviceName), InitiatingAccounts=make_set(InitiatingProcessAccountName), RegistryKeys=make_set(RegistryKey), ActionTypes=make_set(ActionType) by HiddenAccount
| order by FirstSeen asc | Correct | 2 | 11.73s | 0.0043 |
gpt-5-mini-low | AtomicOperator$ | let events = DeviceRegistryEvents
| where RegistryKey has "SpecialAccounts\\UserList"
| where isnotempty(RegistryValueName)
| extend rv = tostring(RegistryValueData)
// Match common zero representations: "0", "0x0", "dword:0..."
| where rv matches regex @"(?i)^\s*(?:0|0x0+|dword:0+)\s*$"
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData = rv, ActionType, InitiatingProcessAccountName, InitiatingProcessCommandLine, ReportId;
// Show recent matching events
events
| order by TimeGenerated desc
| take 200
// Also show a summary of hidden account names
| union (
events
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Occurrences = count() by RegistryValueName, RegistryKey
| order by Occurrences desc
) | Correct | 2 | 40.09s | 0.0069 |
gpt-5-mini-medium | AtomicOperator$ | DeviceRegistryEvents
| where isnotempty(RegistryKey)
// Match common path variations case-insensitive
| where tolower(RegistryKey) matches regex ".*\\\b(winlogon)\\\b.*\\\b(specialaccounts)\\\b.*\\\b(userlist)\\\b.*" or tolower(RegistryKey) contains "specialaccounts" and tolower(RegistryKey) contains "userlist"
| where RegistryValueName != "" and RegistryValueName != "(Default)"
// Normalize RegistryValueData to string (trim quotes) and integer
| extend RVD_str = trim('"', tostring(RegistryValueData))
| extend RVD_int = toint(RVD_str)
// If original type is numeric, also try converting direct value
| where RVD_str == "0" or (isnotnull(RVD_int) and RVD_int == 0)
| extend HiddenAccount = RegistryValueName
| project TimeGenerated, DeviceName, DeviceId, HiddenAccount, RegistryKey, RegistryValueName, RegistryValueData, RegistryValueType, ActionType, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), EventsCount=count(), Any_InitiatingProcessFileName=any(InitiatingProcessFileName), Any_InitiatingProcessAccount=any(InitiatingProcessAccountName) by DeviceName, DeviceId, HiddenAccount, RegistryKey
| order by LastSeen desc | Correct | 5 | 110.03s | 0.0271 |
gpt-5-nano-high | AtomicOperator$ | DeviceRegistryEvents
| where tolower(RegistryKey) contains "winlogon" and tolower(RegistryKey) contains "specialaccounts" and tolower(RegistryKey) contains "userlist"
| extend ValueInt = toint(RegistryValueData)
| where isnotnull(ValueInt) and ValueInt == 0
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, HiddenAccount = RegistryValueName, RegistryValueData
| sort by TimeGenerated desc | Correct | 2 | 51.43s | 0.0033 |
gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0064 |
grok-3-beta | AtomicOperator$ | DeviceRegistryEvents
| where RegistryKey contains 'SpecialAccounts\\UserList'
| where RegistryValueData == '0'
| project DeviceName, Timestamp, RegistryKey, RegistryValueName, RegistryValueData
| order by Timestamp desc | Correct | 1 | 8.10s | 0.0205 |
grok-3-mini-beta | AtomicOperator$ | DeviceRegistryEvents
| where RegistryKey has 'SpecialAccounts\\UserList' and RegistryValueData == '0'
| project HiddenAccount = RegistryValueName, Timestamp, DeviceName
| summarize HiddenAccounts = make_set(HiddenAccount) by DeviceName | Correct | 1 | 14.66s | 0.0015 |
o1-high | AtomicOperator$ | DeviceRegistryEvents
| where ActionType in ("RegistryValueSet","RegistryValueModified","RegistryValueCreated") // capture the creation or update of the registry value
| where RegistryKey has "\\SpecialAccounts\\UserList" // only look at that specific registry location
| where tolower(RegistryValueData) == "0" // hidden account when its value is set to 0
| project TimeGenerated, DeviceName, HiddenAccount = RegistryValueName, RegistryValueData, InitiatingProcessAccountName, ActionType | Correct | 1 | 28.90s | 0.1772 |
o1-low | AtomicOperator$ | DeviceRegistryEvents
| where ActionType in ("ModifyValue", "SetValue", "RegistryValueSet")
| where RegistryKey has "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, HiddenAccount = RegistryValueName, InitiatingProcessAccountName | Correct | 1 | 29.37s | 0.1464 |
o3-high | AtomicOperator$ | // Hidden local user accounts – registry value set to 0 under SpecialAccounts\UserList
DeviceRegistryEvents
| where RegistryKey has "\\SpecialAccounts\\UserList"
| where ActionType in ("RegistryValueSet","RegistryValueModified","RegistryValueCreated","RegistryKeyValueWritten")
| where RegistryValueData == "0" or RegistryValueData == 0
| project TimeGenerated,
DeviceName,
HiddenAccount = RegistryValueName,
RegistryKey,
RegistryValueData,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by DeviceName, HiddenAccount, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName
| order by LastSeen desc | Correct | 1 | 20.64s | 0.0188 |
o3-mini-high | AtomicOperator$ | DeviceRegistryEvents
| where RegistryKey contains "SpecialAccounts\\UserList"
| where RegistryValueData == "0"
| distinct RegistryValueName | Correct | 1 | 7.43s | 0.0065 |
o3-mini-low | HiddenAccount | DeviceRegistryEvents
| where RegistryKey has "SpecialAccounts\\UserList"
| where RegistryValueData == "0"
| distinct RegistryValueName
| project HiddenAccount=RegistryValueName | Incorrect | 1 | 10.74s | 0.0077 |
o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0334 |
o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0391 |