// question

On Windows systems, identify any user account that was hidden by setting its value to 0 under the SpecialAccounts\\UserList registry key. What was the name of the hidden account?

Reference KQL answer and model-by-model comparison.

173126b7-afe4-45eb-8680-fa9f6400431c
question id
15/23
models correct
1
valid answer
65%
success rate
// reference answer

Human-validated correct answer for this question.

AtomicOperator$
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
no answer
no query generatedfail50.00s0.0249
gpt-35-turbo
no answer
no query generatedfail50.00s0.0116
gpt-4-turbo-2024-04-09
AtomicOperator$
DeviceRegistryEvents
| where RegistryKey endswith 'SpecialAccounts\\UserList'
| where RegistryValueData == '0'
| project HiddenAccountName = RegistryValueName, TimeGenerated, DeviceName
pass19.92s0.0501
gpt-4.1
AtomicOperator$
DeviceRegistryEvents
| where RegistryKey has "SpecialAccounts\\UserList"
    and RegistryValueData == "0"
    and (RegistryKey has "Winlogon" and RegistryKey has "Microsoft")
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass15.17s0.0111
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0318
gpt-4.1-mini
AtomicOperator$
DeviceRegistryEvents
| where RegistryKey endswith "\\SpecialAccounts\\UserList"
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, AccountDomain = InitiatingProcessAccountDomain, HiddenUserAccount = RegistryValueName
| distinct TimeGenerated, DeviceName, AccountDomain, HiddenUserAccount
| order by TimeGenerated desc
pass13.51s0.0021
gpt-4.1-nano
AtomicOperator$
DeviceRegistryEvents
| where RegistryKey has "SpecialAccounts\\UserList"
| where RegistryValueData == '0'
| project Timestamp, DeviceName, RegistryValueName, RegistryValueData, DeviceId
pass28.56s0.0007
gpt-4o
wipro
DeviceRegistryEvents
| where RegistryKey contains "SpecialAccounts\\UserList" and RegistryValueData == "0"
| project InitiatingProcessAccountName, RegistryKey, RegistryValueData
fail29.45s0.0202
gpt-5-high
AtomicOperator$
let HiddenUserChanges =
DeviceRegistryEvents
| where RegistryKey contains @"\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated", "RegistryValueModified")
| extend ValueDataStr = tostring(RegistryValueData)
| extend IsZero = iif(tolong(ValueDataStr) == 0 or ValueDataStr matches regex @"(?i)^\s*(?:0x)?0+\s*(?:\((?:0x)?0+\))?\s*$", true, false)
| where IsZero
| project TimeGenerated, DeviceName, DeviceId, HiddenAccount=RegistryValueName, RegistryKey, RegistryValueData, PreviousRegistryValueData, ActionType,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessSHA256;
// Detailed events (latest first)
HiddenUserChanges
| order by TimeGenerated desc
pass192.78s0.0526
gpt-5-mini-high
AtomicOperator$
DeviceRegistryEvents
| where isnotempty(RegistryKey)
// Match both the direct SpecialAccounts path and under Policies\Explorer
| where RegistryKey has "SpecialAccounts\\UserList" or RegistryKey has "Policies\\Explorer\\SpecialAccounts\\UserList"
// Only care about entries where a named value (the account name) was written
| where isnotempty(RegistryValueName)
// Normalize RegistryValueData: trim, lowercase
| extend RVD = tolower(tostring(RegistryValueData))
// Recognize common zero representations: "0", "0x0", "dword:00000000" etc.
| where RVD in ("0", "0x0") or RVD has "dword:00000000" or toint(RVD) == 0
| extend HiddenAccount = RegistryValueName
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, ActionType, HiddenAccount
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Count=count(), Devices=make_set(DeviceName), InitiatingAccounts=make_set(InitiatingProcessAccountName), RegistryKeys=make_set(RegistryKey), ActionTypes=make_set(ActionType) by HiddenAccount
| order by FirstSeen asc
pass211.73s0.0043
gpt-5-mini-low
AtomicOperator$
let events = DeviceRegistryEvents
| where RegistryKey has "SpecialAccounts\\UserList"
| where isnotempty(RegistryValueName)
| extend rv = tostring(RegistryValueData)
// Match common zero representations: "0", "0x0", "dword:0..."
| where rv matches regex @"(?i)^\s*(?:0|0x0+|dword:0+)\s*$"
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData = rv, ActionType, InitiatingProcessAccountName, InitiatingProcessCommandLine, ReportId;
// Show recent matching events
events
| order by TimeGenerated desc
| take 200

// Also show a summary of hidden account names
| union (
    events
    | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Occurrences = count() by RegistryValueName, RegistryKey
    | order by Occurrences desc
)
pass240.09s0.0069
gpt-5-mini-medium
AtomicOperator$
DeviceRegistryEvents
| where isnotempty(RegistryKey)
// Match common path variations case-insensitive
| where tolower(RegistryKey) matches regex ".*\\\b(winlogon)\\\b.*\\\b(specialaccounts)\\\b.*\\\b(userlist)\\\b.*" or tolower(RegistryKey) contains "specialaccounts" and tolower(RegistryKey) contains "userlist"
| where RegistryValueName != "" and RegistryValueName != "(Default)"
// Normalize RegistryValueData to string (trim quotes) and integer
| extend RVD_str = trim('"', tostring(RegistryValueData))
| extend RVD_int = toint(RVD_str)
// If original type is numeric, also try converting direct value
| where RVD_str == "0" or (isnotnull(RVD_int) and RVD_int == 0)
| extend HiddenAccount = RegistryValueName
| project TimeGenerated, DeviceName, DeviceId, HiddenAccount, RegistryKey, RegistryValueName, RegistryValueData, RegistryValueType, ActionType, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), EventsCount=count(), Any_InitiatingProcessFileName=any(InitiatingProcessFileName), Any_InitiatingProcessAccount=any(InitiatingProcessAccountName) by DeviceName, DeviceId, HiddenAccount, RegistryKey
| order by LastSeen desc
pass5110.03s0.0271
gpt-5-nano-high
AtomicOperator$
DeviceRegistryEvents
| where tolower(RegistryKey) contains "winlogon" and tolower(RegistryKey) contains "specialaccounts" and tolower(RegistryKey) contains "userlist"
| extend ValueInt = toint(RegistryValueData)
| where isnotnull(ValueInt) and ValueInt == 0
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, HiddenAccount = RegistryValueName, RegistryValueData
| sort by TimeGenerated desc
pass251.43s0.0033
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0064
grok-3-beta
AtomicOperator$
DeviceRegistryEvents
| where RegistryKey contains 'SpecialAccounts\\UserList'
| where RegistryValueData == '0'
| project DeviceName, Timestamp, RegistryKey, RegistryValueName, RegistryValueData
| order by Timestamp desc
pass18.10s0.0205
grok-3-mini-beta
AtomicOperator$
DeviceRegistryEvents
| where RegistryKey has 'SpecialAccounts\\UserList' and RegistryValueData == '0'
| project HiddenAccount = RegistryValueName, Timestamp, DeviceName
| summarize HiddenAccounts = make_set(HiddenAccount) by DeviceName
pass114.66s0.0015
o1-high
AtomicOperator$
DeviceRegistryEvents
| where ActionType in ("RegistryValueSet","RegistryValueModified","RegistryValueCreated")  // capture the creation or update of the registry value
| where RegistryKey has "\\SpecialAccounts\\UserList"  // only look at that specific registry location
| where tolower(RegistryValueData) == "0"  // hidden account when its value is set to 0
| project TimeGenerated, DeviceName, HiddenAccount = RegistryValueName, RegistryValueData, InitiatingProcessAccountName, ActionType
pass128.90s0.1772
o1-low
AtomicOperator$
DeviceRegistryEvents
| where ActionType in ("ModifyValue", "SetValue", "RegistryValueSet")
| where RegistryKey has "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
| where RegistryValueData == "0"
| project TimeGenerated, DeviceName, HiddenAccount = RegistryValueName, InitiatingProcessAccountName
pass129.37s0.1464
o3-high
AtomicOperator$
// Hidden local user accounts – registry value set to 0 under SpecialAccounts\UserList
DeviceRegistryEvents
| where RegistryKey has "\\SpecialAccounts\\UserList" 
| where ActionType in ("RegistryValueSet","RegistryValueModified","RegistryValueCreated","RegistryKeyValueWritten")
| where RegistryValueData == "0" or RegistryValueData == 0
| project TimeGenerated,
          DeviceName,
          HiddenAccount = RegistryValueName,
          RegistryKey,
          RegistryValueData,
          InitiatingProcessAccountDomain,
          InitiatingProcessAccountName,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by DeviceName, HiddenAccount, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName
| order by LastSeen desc
pass120.64s0.0188
o3-mini-high
AtomicOperator$
DeviceRegistryEvents
| where RegistryKey contains "SpecialAccounts\\UserList"
| where RegistryValueData == "0"
| distinct RegistryValueName
pass17.43s0.0065
o3-mini-low
HiddenAccount
DeviceRegistryEvents
| where RegistryKey has "SpecialAccounts\\UserList"
| where RegistryValueData == "0"
| distinct RegistryValueName
| project HiddenAccount=RegistryValueName
fail110.74s0.0077
o4-mini-high
no answer
no query generatedfail50.00s0.0334
o4-mini-low
no answer
no query generatedfail50.00s0.0391