Question Analysis
Review process creation logs for an instance where a built-in Windows utility was used to enumerate installed device drivers with verbose list output. What is the name of that tool?
235b30a2-e5b1-441f-9705-be6231c88ddd
Question ID
22/23
Models Correct
1
Valid Answer
96%
Success Rate
Reference Answer
Human-validated correct answer for this question
driverquery
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | driverquery.exe | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has "driverquery" and ProcessCommandLine has "/v"
| summarize count() by FileName | Correct | 1 | 6.59s | 0.0023 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0111 |
gpt-4-turbo-2024-04-09 | driverquery | DeviceProcessEvents
| where ProcessCommandLine contains 'driverquery.exe' and ProcessCommandLine contains '/v'
| project DeviceName, ProcessCommandLine, ProcessCreationTime, FileName, FolderPath, InitiatingProcessCommandLine, InitiatingProcessFileName | Correct | 1 | 10.52s | 0.0516 |
gpt-4.1 | driverquery.exe | DeviceProcessEvents
| where FileName =~ "driverquery.exe"
| where ProcessCommandLine has_any("/v", "/verbose")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine
| limit 100 | Correct | 2 | 6.40s | 0.0145 |
gpt-4.1-finetuned | driverquery.exe | DeviceProcessEvents
| where ProcessCommandLine has_any ("/v ", "/verbose")
| where AccountName !~ "ANONYMOUS"
| where FileName in~ ("driverquery.exe", "dism.exe", "pnputil.exe", "sigverif.exe") // known native driver-querying commands
| summarize FirstObserved = min(TimeGenerated), LastObserved = max(TimeGenerated), count() by AccountName, AccountDomain, InitiatingProcessLogonId, ProcessCommandLine, FileName, DeviceId, DeviceName
| extend Tactics = "Collection", Techniques = "T1005"
| extend Name = tostring(split(AccountName, "@", 0)[0]), UPNSuffix = tostring(split(AccountName, "@", 1)[0])
| extend Account_0_Name = Name
| extend Account_0_UPNSuffix = UPNSuffix
| extend Device_0_Name = DeviceName
| extend Host_0_Id = DeviceId
| extend Host_0_Name = DeviceName | Correct | 2 | 35.20s | 0.0237 |
gpt-4.1-mini | driverquery.exe | DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| where tolower(ProcessCommandLine) contains "driverquery" or (tolower(ProcessCommandLine) contains "pnputil" and (tolower(ProcessCommandLine) contains "/enum" or tolower(ProcessCommandLine) contains "/verbose"))
| summarize count() by InitiatingProcessFileName, ProcessCommandLine
| order by count_ desc
| project InitiatingProcessFileName, ProcessCommandLine, count_ | Correct | 5 | 30.69s | 0.0077 |
gpt-4.1-nano | driverquery.exe | DeviceProcessEvents
| where FileName in ('driverquery.exe', 'driverquery')
| where ProcessCommandLine contains '/v'
| project ProcessCommandLine, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, TimeGenerated
| order by TimeGenerated desc | Correct | 3 | 3.77s | 0.0012 |
gpt-4o | driverquery.exe | DeviceProcessEvents
| where FileName == 'driverquery.exe' and (ProcessCommandLine contains '/V' or ProcessCommandLine contains '/FO')
| project FileName, ProcessCommandLine, DeviceName, TimeGenerated | Correct | 2 | 4.66s | 0.0270 |
gpt-5-high | driverquery.exe | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| extend cmd = tolower(coalesce(ProcessCommandLine, ""))
| where cmd contains "driverquery" and cmd contains "/v" and cmd contains "/fo list"
| extend ToolName = tolower(FileName)
| summarize Events=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), ExampleCommand=any(ProcessCommandLine) by ToolName, DeviceName
| order by LastSeen desc | Correct | 1 | 48.44s | 0.0338 |
gpt-5-mini-high | driverquery | // Look for built-in Windows utilities used to enumerate installed drivers with verbose output
let candidates = dynamic(["driverquery","pnputil","wmic","sc"]);
let procEvents = DeviceProcessEvents
| where isnotempty(ProcessCommandLine) or isnotempty(FileName)
| where tolower(FileName) has_any (candidates) or tolower(ProcessCommandLine) has_any (candidates)
| extend file_lower = tolower(FileName), cmd_lower = tolower(ProcessCommandLine)
| extend tool = case(
file_lower contains "driverquery" or cmd_lower contains "driverquery", "driverquery",
file_lower contains "pnputil" or cmd_lower contains "pnputil", "pnputil",
file_lower contains "wmic" or cmd_lower contains "wmic", "wmic",
file_lower contains "sc" or cmd_lower contains "sc", "sc",
"other")
| where tool != "other"
| extend verbose_flag = iff(cmd_lower contains " /v" or cmd_lower contains "/v" or cmd_lower contains " -v", true, false)
| project TimeGenerated, DeviceName, DeviceId, ProcessId, ProcessCreationTime, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, tool, verbose_flag
;
let deviceEvents = DeviceEvents
| where isnotempty(ProcessCommandLine) or isnotempty(FileName)
| where tolower(FileName) has_any (candidates) or tolower(ProcessCommandLine) has_any (candidates)
| extend file_lower = tolower(FileName), cmd_lower = tolower(ProcessCommandLine)
| extend tool = case(
file_lower contains "driverquery" or cmd_lower contains "driverquery", "driverquery",
file_lower contains "pnputil" or cmd_lower contains "pnputil", "pnputil",
file_lower contains "wmic" or cmd_lower contains "wmic", "wmic",
file_lower contains "sc" or cmd_lower contains "sc", "sc",
"other")
| where tool != "other"
| extend verbose_flag = iff(cmd_lower contains " /v" or cmd_lower contains "/v" or cmd_lower contains " -v", true, false)
| project TimeGenerated, DeviceName, DeviceId, ProcessId = InitiatingProcessId, ProcessCreationTime = InitiatingProcessCreationTime, FileName = InitiatingProcessFileName, ProcessCommandLine = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, tool, verbose_flag
;
union procEvents, deviceEvents
| where verbose_flag == true or tool == "driverquery" // driverquery commonly used for verbose listing
| summarize first_Time = min(TimeGenerated), any_FileName = any(FileName), any_ProcessCommandLine = any(ProcessCommandLine), any_InitiatingProcessFileName = any(InitiatingProcessFileName), any_InitiatingProcessCommandLine = any(InitiatingProcessCommandLine), any_InitiatingProcessId = any(InitiatingProcessId), any_InitiatingProcessAccountName = any(InitiatingProcessAccountName) by DeviceId, DeviceName, tool
| order by first_Time asc
| project first_Time, DeviceName, DeviceId, tool, any_FileName, any_ProcessCommandLine, any_InitiatingProcessFileName, any_InitiatingProcessCommandLine, any_InitiatingProcessId, any_InitiatingProcessAccountName
| Correct | 1 | 16.99s | 0.0044 |
gpt-5-mini-low | driverquery | let keywords = dynamic(["driverquery","driverquery.exe","sc query","sc.exe query","wmic sysdriver list","flipped" ]);
DeviceProcessEvents
| where ProcessCommandLine has_any ("driverquery","/v","/verbose","sc query","type= driver","wmic sysdriver","list","drivers")
| extend matched = case(ProcessCommandLine has "driverquery", "driverquery", ProcessCommandLine has "sc query", "sc query", ProcessCommandLine has "wmic sysdriver", "wmic sysdriver", "other")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, FileName, ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, matched
| sort by TimeGenerated desc
| distinct ProcessCommandLine, FileName, DeviceName, ProcessId, matched, TimeGenerated
// Also check DeviceEvents and DeviceFileEvents for any occurrences
| union (
DeviceEvents
| where ProcessCommandLine has_any ("driverquery","/v","/verbose","sc query","type= driver","wmic sysdriver","list","drivers")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, FileName, ProcessId = tostring(ProcessId), InitiatingProcessFileName, InitiatingProcessCommandLine
), (
DeviceFileEvents
| where InitiatingProcessCommandLine has_any ("driverquery","/v","/verbose","sc query","type= driver","wmic sysdriver","list","drivers")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine = InitiatingProcessCommandLine, FileName = InitiatingProcessFileName, ProcessId = tostring(InitiatingProcessId), InitiatingProcessFileName
)
| sort by TimeGenerated desc
| take 50 | Correct | 1 | 15.14s | 0.0051 |
gpt-5-mini-medium | driverquery | // Detect usage of built-in Windows utilities enumerating installed device drivers with verbose/list output
let tools_pattern = dynamic(["driverquery","pnputil","driverquery.exe","pnputil.exe"]);
let verbose_flags = dynamic(["/v","-v","/verbose","/fo list","/fo:list","/fo=list","/enum-drivers","/e","/all"]);
// Helper: check whether any term in arr appears in text (has_any is term-based and case-insensitive)
let any_contains = (text:string, arr:dynamic){
tobool(array_length(arr) > 0 and text has_any(arr))
};
// Normalize and search DeviceProcessEvents
let dpe = DeviceProcessEvents
| where isnotempty(ProcessCommandLine) or isnotempty(FileName)
| extend cmd = tostring(ProcessCommandLine), fname = tostring(FileName), icmd = tostring(InitiatingProcessCommandLine)
| extend lcmd = tolower(cmd), lfname = tolower(fname), licmd = tolower(icmd)
| where (
// contains a known tool name in command or file name
lcmd contains "driverquery" or lfname contains "driverquery" or licmd contains "driverquery"
or lcmd contains "pnputil" or lfname contains "pnputil" or licmd contains "pnputil"
)
| where (
// and has one of the verbose/list flags in the command line
lcmd contains "/v" or lcmd contains "-v" or lcmd contains "/verbose" or lcmd contains "/fo" or lcmd contains "enum-drivers" or lcmd contains "/e" or lcmd contains "/all"
or licmd contains "/v" or licmd contains "-v" or licmd contains "/verbose" or licmd contains "/fo" or licmd contains "enum-drivers" or licmd contains "/e" or licmd contains "/all"
)
| extend DetectedTool = case(
lcmd contains "driverquery" or lfname contains "driverquery" or licmd contains "driverquery", "driverquery",
lcmd contains "pnputil" or lfname contains "pnputil" or licmd contains "pnputil", "pnputil",
"unknown"
)
| where DetectedTool != "unknown"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime, ReportId, DetectedTool;
// Normalize and search DeviceEvents
let de = DeviceEvents
| where isnotempty(ProcessCommandLine) or isnotempty(FileName)
| extend cmd = tostring(ProcessCommandLine), fname = tostring(FileName), icmd = tostring(InitiatingProcessCommandLine)
| extend lcmd = tolower(cmd), lfname = tolower(fname), licmd = tolower(icmd)
| where (
lcmd contains "driverquery" or lfname contains "driverquery" or licmd contains "driverquery"
or lcmd contains "pnputil" or lfname contains "pnputil" or licmd contains "pnputil"
)
| where (
lcmd contains "/v" or lcmd contains "-v" or lcmd contains "/verbose" or lcmd contains "/fo" or lcmd contains "enum-drivers" or lcmd contains "/e" or lcmd contains "/all"
or licmd contains "/v" or licmd contains "-v" or licmd contains "/verbose" or licmd contains "/fo" or licmd contains "enum-drivers" or licmd contains "/e" or licmd contains "/all"
)
| extend DetectedTool = case(
lcmd contains "driverquery" or lfname contains "driverquery" or licmd contains "driverquery", "driverquery",
lcmd contains "pnputil" or lfname contains "pnputil" or licmd contains "pnputil", "pnputil",
"unknown"
)
| where DetectedTool != "unknown"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessId, ProcessCreationTime=InitiatingProcessCreationTime, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, ReportId, DetectedTool;
// Combine results and summarize
(dpe
| union de)
| sort by TimeGenerated desc
| take 500
| summarize Count = count(), AnyCommand = any(ProcessCommandLine), AnyInitiatingCommand = any(InitiatingProcessCommandLine), SampleFileNames = makeset(FileName, 10) by DetectedTool, DeviceName, AccountName, ReportId
| order by Count desc
| Correct | 4 | 51.88s | 0.0161 |
gpt-5-nano-high | driverquery | DeviceProcessEvents
| where (FileName endswith "driverquery.exe" or InitiatingProcessFileName endswith "driverquery.exe" or ProcessCommandLine contains "driverquery" or InitiatingProcessCommandLine contains "driverquery")
| where ProcessCommandLine contains "/v" and ProcessCommandLine contains "/fo" and ProcessCommandLine contains "list"
| extend ToolUsed = "driverquery"
| project TimeGenerated, ToolUsed, FileName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine | Correct | 1 | 35.74s | 0.0022 |
gpt-5-nano-medium | driverquery | DeviceProcessEvents
| where (InitiatingProcessFileName has "driverquery" or InitiatingProcessCommandLine has "driverquery")
| where (InitiatingProcessCommandLine has "/v" or InitiatingProcessCommandLine has "/fo" or InitiatingProcessCommandLine has "/FO")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine
| distinct TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 31.89s | 0.0017 |
grok-3-beta | driverquery | DeviceProcessEvents
| where FileName == 'driverquery.exe'
| where ProcessCommandLine contains '/v'
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 7.09s | 0.0194 |
grok-3-mini-beta | driverquery | DeviceProcessEvents
| where ProcessCommandLine has "driverquery" and ProcessCommandLine has "/v"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine
| order by TimeGenerated desc
| limit 10 | Correct | 1 | 12.62s | 0.0016 |
o1-high | driverquery.exe | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "driverquery.exe" or (FileName endswith ".exe" and ProcessCommandLine contains "driverquery")
| where ProcessCommandLine has "/v" or ProcessCommandLine has "/fo list"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 17.57s | 0.1473 |
o1-low | driverquery | DeviceProcessEvents
| where TimeGenerated >= ago(30d)
| where ActionType == "CreateProcess" or ActionType == "ProcessCreated"
| where tolower(FileName) has "driverquery" or tolower(ProcessCommandLine) contains "driverquery"
| where tolower(ProcessCommandLine) contains " /v"
| project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessCommandLine | Correct | 4 | 76.08s | 0.5825 |
o3-high | driverquery.exe | // Process creation events for driver enumeration done with verbose list output
DeviceProcessEvents
| where FileName =~ "driverquery.exe" // built-in driver enumeration tool
| where ProcessCommandLine has "/v" // verbose switch
| where ProcessCommandLine matches regex @"/fo\s+list" // list-formatted output
// Return useful context
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, LogonId, ReportId | Correct | 1 | 26.08s | 0.0168 |
o3-mini-high | driverquery.exe | union DeviceProcessEvents, DeviceEvents
| where ((InitiatingProcessFileName has "driverquery" or FileName has "driverquery")
and (InitiatingProcessCommandLine has "/v" or ProcessCommandLine has "/v"))
| project TimeGenerated, FileName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 2 | 18.90s | 0.0192 |
o3-mini-low | driverquery.exe | DeviceProcessEvents
| where tolower(FileName) contains "driverquery"
| where tolower(ProcessCommandLine) contains "/v"
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, ProcessId, InitiatingProcessId | Correct | 3 | 32.62s | 0.0230 |
o4-mini-high | driverquery | DeviceProcessEvents
// Time range is applied externally; match the driverquery binary or a command line that names it
| where FileName == "driverquery.exe" or ProcessCommandLine has "driverquery"
// Look for verbose output switches
| where ProcessCommandLine has_any ("/v", "-v", "/verbose")
// Show relevant details
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, ProcessId
| sort by TimeGenerated desc | Correct | 1 | 21.08s | 0.0096 |
o4-mini-low | driverquery.exe | DeviceProcessEvents
| where FileName == "driverquery.exe"
| where ProcessCommandLine contains "/v"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 16.68s | 0.0052 |