// question
On Windows systems, identify any user account that was hidden by setting its value to 0 under the SpecialAccounts\\UserList registry key. What was the name of the hidden account?
Reference KQL answer and model-by-model comparison.
173126b7-afe4-45eb-8680-fa9f6400431c
question id
15/23
models correct
1
valid answer
65%
success rate
// reference answer
Human-validated correct answer for this question.
AtomicOperator$
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | no answer | no query generated | fail | 5 | 0.00s | 0.0249 |
| gpt-35-turbo | no answer | no query generated | fail | 5 | 0.00s | 0.0116 |
| gpt-4-turbo-2024-04-09 | AtomicOperator$ | DeviceRegistryEvents | where RegistryKey endswith 'SpecialAccounts\\UserList' | where RegistryValueData == '0' | project HiddenAccountName = RegistryValueName, TimeGenerated, DeviceName | pass | 1 | 9.92s | 0.0501 |
| gpt-4.1 | AtomicOperator$ | DeviceRegistryEvents
| where RegistryKey has "SpecialAccounts\\UserList"
and RegistryValueData == "0"
and (RegistryKey has "Winlogon" and RegistryKey has "Microsoft")
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc | pass | 1 | 5.17s | 0.0111 |
| gpt-4.1-finetuned | no answer | no query generated | fail | 5 | 0.00s | 0.0318 |
| gpt-4.1-mini | AtomicOperator$ | DeviceRegistryEvents | where RegistryKey endswith "\\SpecialAccounts\\UserList" | where RegistryValueData == "0" | project TimeGenerated, DeviceName, AccountDomain = InitiatingProcessAccountDomain, HiddenUserAccount = RegistryValueName | distinct TimeGenerated, DeviceName, AccountDomain, HiddenUserAccount | order by TimeGenerated desc | pass | 1 | 3.51s | 0.0021 |
| gpt-4.1-nano | AtomicOperator$ | DeviceRegistryEvents | where RegistryKey has "SpecialAccounts\\UserList" | where RegistryValueData == '0' | project Timestamp, DeviceName, RegistryValueName, RegistryValueData, DeviceId | pass | 2 | 8.56s | 0.0007 |
| gpt-4o | wipro | DeviceRegistryEvents | where RegistryKey contains "SpecialAccounts\\UserList" and RegistryValueData == "0" | project InitiatingProcessAccountName, RegistryKey, RegistryValueData | fail | 2 | 9.45s | 0.0202 |
| gpt-5-high | AtomicOperator$ | let HiddenUserChanges =
DeviceRegistryEvents
| where RegistryKey contains @"\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated", "RegistryValueModified")
| extend ValueDataStr = tostring(RegistryValueData)
| extend IsZero = iif(tolong(ValueDataStr) == 0 or ValueDataStr matches regex @"(?i)^\s*(?:0x)?0+\s*(?:\((?:0x)?0+\))?\s*$", true, false)
| where IsZero
| project TimeGenerated, DeviceName, DeviceId, HiddenAccount=RegistryValueName, RegistryKey, RegistryValueData, PreviousRegistryValueData, ActionType,
InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessSHA256;
// Detailed events (latest first)
HiddenUserChanges
| order by TimeGenerated desc | pass | 1 | 92.78s | 0.0526 |
| gpt-5-mini-high | AtomicOperator$ | DeviceRegistryEvents
| where isnotempty(RegistryKey)
// Match both the direct SpecialAccounts path and under Policies\Explorer
| where RegistryKey has "SpecialAccounts\\UserList" or RegistryKey has "Policies\\Explorer\\SpecialAccounts\\UserList"
// Only care about entries where a named value (the account name) was written
| where isnotempty(RegistryValueName)
// Normalize RegistryValueData: trim, lowercase
| extend RVD = tolower(tostring(RegistryValueData))
// Recognize common zero representations: "0", "0x0", "dword:00000000" etc.
| where RVD in ("0", "0x0") or RVD has "dword:00000000" or toint(RVD) == 0
| extend HiddenAccount = RegistryValueName
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, ActionType, HiddenAccount
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Count=count(), Devices=make_set(DeviceName), InitiatingAccounts=make_set(InitiatingProcessAccountName), RegistryKeys=make_set(RegistryKey), ActionTypes=make_set(ActionType) by HiddenAccount
| order by FirstSeen asc | pass | 2 | 11.73s | 0.0043 |
| gpt-5-mini-low | AtomicOperator$ | let events = DeviceRegistryEvents
| where RegistryKey has "SpecialAccounts\\UserList"
| where isnotempty(RegistryValueName)
| extend rv = tostring(RegistryValueData)
// Match common zero representations: "0", "0x0", "dword:0..."
| where rv matches regex @"(?i)^\s*(?:0|0x0+|dword:0+)\s*$"
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData = rv, ActionType, InitiatingProcessAccountName, InitiatingProcessCommandLine, ReportId;
// Show recent matching events
events
| order by TimeGenerated desc
| take 200
// Also show a summary of hidden account names
| union (
events
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Occurrences = count() by RegistryValueName, RegistryKey
| order by Occurrences desc
) | pass | 2 | 40.09s | 0.0069 |
| gpt-5-mini-medium | AtomicOperator$ | DeviceRegistryEvents
| where isnotempty(RegistryKey)
// Match common path variations case-insensitive
| where tolower(RegistryKey) matches regex ".*\\\b(winlogon)\\\b.*\\\b(specialaccounts)\\\b.*\\\b(userlist)\\\b.*" or tolower(RegistryKey) contains "specialaccounts" and tolower(RegistryKey) contains "userlist"
| where RegistryValueName != "" and RegistryValueName != "(Default)"
// Normalize RegistryValueData to string (trim quotes) and integer
| extend RVD_str = trim('"', tostring(RegistryValueData))
| extend RVD_int = toint(RVD_str)
// If original type is numeric, also try converting direct value
| where RVD_str == "0" or (isnotnull(RVD_int) and RVD_int == 0)
| extend HiddenAccount = RegistryValueName
| project TimeGenerated, DeviceName, DeviceId, HiddenAccount, RegistryKey, RegistryValueName, RegistryValueData, RegistryValueType, ActionType, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), EventsCount=count(), Any_InitiatingProcessFileName=any(InitiatingProcessFileName), Any_InitiatingProcessAccount=any(InitiatingProcessAccountName) by DeviceName, DeviceId, HiddenAccount, RegistryKey
| order by LastSeen desc | pass | 5 | 110.03s | 0.0271 |
| gpt-5-nano-high | AtomicOperator$ | DeviceRegistryEvents | where tolower(RegistryKey) contains "winlogon" and tolower(RegistryKey) contains "specialaccounts" and tolower(RegistryKey) contains "userlist" | extend ValueInt = toint(RegistryValueData) | where isnotnull(ValueInt) and ValueInt == 0 | project TimeGenerated, DeviceName, DeviceId, RegistryKey, HiddenAccount = RegistryValueName, RegistryValueData | sort by TimeGenerated desc | pass | 2 | 51.43s | 0.0033 |
| gpt-5-nano-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0064 |
| grok-3-beta | AtomicOperator$ | DeviceRegistryEvents | where RegistryKey contains 'SpecialAccounts\\UserList' | where RegistryValueData == '0' | project DeviceName, Timestamp, RegistryKey, RegistryValueName, RegistryValueData | order by Timestamp desc | pass | 1 | 8.10s | 0.0205 |
| grok-3-mini-beta | AtomicOperator$ | DeviceRegistryEvents | where RegistryKey has 'SpecialAccounts\\UserList' and RegistryValueData == '0' | project HiddenAccount = RegistryValueName, Timestamp, DeviceName | summarize HiddenAccounts = make_set(HiddenAccount) by DeviceName | pass | 1 | 14.66s | 0.0015 |
| o1-high | AtomicOperator$ | DeviceRegistryEvents
| where ActionType in ("RegistryValueSet","RegistryValueModified","RegistryValueCreated") // capture the creation or update of the registry value
| where RegistryKey has "\\SpecialAccounts\\UserList" // only look at that specific registry location
| where tolower(RegistryValueData) == "0" // hidden account when its value is set to 0
| project TimeGenerated, DeviceName, HiddenAccount = RegistryValueName, RegistryValueData, InitiatingProcessAccountName, ActionType | pass | 1 | 28.90s | 0.1772 |
| o1-low | AtomicOperator$ | DeviceRegistryEvents
| where ActionType in ("ModifyValue", "SetValue", "RegistryValueSet")
| where RegistryKey has "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, HiddenAccount = RegistryValueName, InitiatingProcessAccountName | pass | 1 | 29.37s | 0.1464 |
| o3-high | AtomicOperator$ | // Hidden local user accounts – registry value set to 0 under SpecialAccounts\UserList
DeviceRegistryEvents
| where RegistryKey has "\\SpecialAccounts\\UserList"
| where ActionType in ("RegistryValueSet","RegistryValueModified","RegistryValueCreated","RegistryKeyValueWritten")
| where RegistryValueData == "0" or RegistryValueData == 0
| project TimeGenerated,
DeviceName,
HiddenAccount = RegistryValueName,
RegistryKey,
RegistryValueData,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by DeviceName, HiddenAccount, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName
| order by LastSeen desc | pass | 1 | 20.64s | 0.0188 |
| o3-mini-high | AtomicOperator$ | DeviceRegistryEvents | where RegistryKey contains "SpecialAccounts\\UserList" | where RegistryValueData == "0" | distinct RegistryValueName | pass | 1 | 7.43s | 0.0065 |
| o3-mini-low | HiddenAccount | DeviceRegistryEvents | where RegistryKey has "SpecialAccounts\\UserList" | where RegistryValueData == "0" | distinct RegistryValueName | project HiddenAccount=RegistryValueName | fail | 1 | 10.74s | 0.0077 |
| o4-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0334 |
| o4-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0391 |