Question Analysis
Review process creation logs for an instance where a built-in Windows utility was used to enumerate installed device drivers with verbose list output. What is the name of that tool?
235b30a2-e5b1-441f-9705-be6231c88ddd
Question ID
15/16
Models Correct
1
Valid Answer
94%
Success Rate
Reference Answer
Human-validated correct answer for this question
driverquery
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | driverquery.exe | DeviceProcessEvents
| where ActionType == "ProcessCreated"
// NOTE(review): `has` is term-based, so "driverquery" also matches a wrapper command line such as `cmd /c driverquery /v`;
// whether `has "/v"` matches a bare `/v` switch depends on KQL term tokenisation of the "/" separator — confirm against a known event.
| where ProcessCommandLine has "driverquery" and ProcessCommandLine has "/v"
// Grouping by FileName yields the binary name directly, which is what the question asks for.
| summarize count() by FileName | Correct | 1 | 6.59s | 0.0023 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0111 |
gpt-4-turbo-2024-04-09 | driverquery | DeviceProcessEvents
// NOTE(review): requiring the literal "driverquery.exe" in the command line misses an invocation typed without the
// extension (`driverquery /v`); `contains` is a case-insensitive substring match, so '/v' also hits any other switch beginning with /v.
| where ProcessCommandLine contains 'driverquery.exe' and ProcessCommandLine contains '/v'
| project DeviceName, ProcessCommandLine, ProcessCreationTime, FileName, FolderPath, InitiatingProcessCommandLine, InitiatingProcessFileName | Correct | 1 | 10.52s | 0.0516 |
gpt-4.1 | driverquery.exe | DeviceProcessEvents
// `=~` is case-insensitive equality on the image name.
// NOTE(review): a copied/renamed driverquery.exe evades a FileName match; presumably the version-info original-file-name
// column in DeviceProcessEvents could be checked as well — confirm the schema in use.
| where FileName =~ "driverquery.exe"
| where ProcessCommandLine has_any("/v", "/verbose")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine
// `limit` returns an arbitrary subset if more than 100 rows match; no ordering is applied before it.
| limit 100 | Correct | 2 | 6.40s | 0.0145 |
gpt-4.1-finetuned | driverquery.exe | DeviceProcessEvents
// NOTE(review): the trailing space in "/v " means a command line that ends in `/v` (no further arguments) does not match.
| where ProcessCommandLine has_any ("/v ", "/verbose")
// NOTE(review): excludes events whose AccountName is "ANONYMOUS"; the rationale is not stated — confirm this is intended.
| where AccountName !~ "ANONYMOUS"
| where FileName in~ ("driverquery.exe", "dism.exe", "pnputil.exe", "sigverif.exe") //known native drivers querying commands
| summarize FirstObserved = min(TimeGenerated), LastObserved = max(TimeGenerated), count() by AccountName, AccountDomain, InitiatingProcessLogonId, ProcessCommandLine, FileName, DeviceId, DeviceName
// NOTE(review): driver enumeration is discovery-style activity; the Collection / T1005 tag looks like a mis-mapping — verify against ATT&CK.
| extend Tactics = "Collection", Techniques = "T1005"
// Entity-mapping columns below follow the Sentinel analytics-rule convention (Account_0_*, Host_0_*).
| extend Name = tostring(split(AccountName, "@", 0)[0]), UPNSuffix = tostring(split(AccountName, "@", 1)[0])
| extend Account_0_Name = Name
| extend Account_0_UPNSuffix = UPNSuffix
| extend Device_0_Name = DeviceName
| extend Host_0_Id = DeviceId
| extend Host_0_Name = DeviceName | Correct | 2 | 35.20s | 0.0237 |
gpt-4.1-mini | driverquery.exe | DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
// NOTE(review): the driverquery branch has no verbose-switch predicate, so every driverquery invocation matches, not only `/v`;
// `contains` is already case-insensitive in KQL, so the tolower() wrappers are redundant.
| where tolower(ProcessCommandLine) contains "driverquery" or (tolower(ProcessCommandLine) contains "pnputil" and (tolower(ProcessCommandLine) contains "/enum" or tolower(ProcessCommandLine) contains "/verbose"))
| summarize count() by InitiatingProcessFileName, ProcessCommandLine
| order by count_ desc
| project InitiatingProcessFileName, ProcessCommandLine, count_ | Correct | 5 | 30.69s | 0.0077 |
gpt-4.1-nano | driverquery.exe | DeviceProcessEvents
// NOTE(review): `in` is case-sensitive; `in~` would also match e.g. "DriverQuery.exe" if the sensor reports mixed case.
| where FileName in ('driverquery.exe', 'driverquery')
| where ProcessCommandLine contains '/v'
| project ProcessCommandLine, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, TimeGenerated
| order by TimeGenerated desc | Correct | 3 | 3.77s | 0.0012 |
gpt-4o | driverquery.exe | DeviceProcessEvents
// NOTE(review): `==` on FileName is case-sensitive. The '/FO' alternative admits non-verbose runs (e.g. `driverquery /fo csv`),
// which is wider than the verbose-output criterion in the question.
| where FileName == 'driverquery.exe' and (ProcessCommandLine contains '/V' or ProcessCommandLine contains '/FO')
| project FileName, ProcessCommandLine, DeviceName, TimeGenerated | Correct | 2 | 4.66s | 0.0270 |
grok-3-beta | driverquery | DeviceProcessEvents
// NOTE(review): `==` is a case-sensitive match on the image name; `=~` is the safer form for file names.
| where FileName == 'driverquery.exe'
// `contains` is case-insensitive, so '/v' and '/V' both match.
| where ProcessCommandLine contains '/v'
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 7.09s | 0.0194 |
grok-3-mini-beta | driverquery | DeviceProcessEvents
// NOTE(review): whether `has "/v"` matches a bare `/v` switch depends on KQL term tokenisation of "/" — confirm against a known event.
| where ProcessCommandLine has "driverquery" and ProcessCommandLine has "/v"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine
| order by TimeGenerated desc
// Newest ten matches only.
| limit 10 | Correct | 1 | 12.62s | 0.0016 |
o1-high | driverquery.exe | DeviceProcessEvents
| where ActionType == "ProcessCreated"
// The second alternative also catches a parent whose command line names driverquery (e.g. a cmd.exe wrapper), not just the binary itself.
| where FileName =~ "driverquery.exe" or (FileName endswith ".exe" and ProcessCommandLine contains "driverquery")
// NOTE(review): "/fo list" alone is a format switch, not the verbose switch, so this admits non-verbose list output too.
| where ProcessCommandLine has "/v" or ProcessCommandLine has "/fo list"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 17.57s | 0.1473 |
o1-low | driverquery | DeviceProcessEvents
// NOTE(review): the 30-day window is an assumption about the dataset; an older event would be silently excluded.
| where TimeGenerated >= ago(30d)
| where ActionType == "CreateProcess" or ActionType == "ProcessCreated"
// `contains` is case-insensitive already; tolower() is redundant here.
| where tolower(FileName) has "driverquery" or tolower(ProcessCommandLine) contains "driverquery"
// Requiring a leading space tightens the match to a separate `/v` argument; a tab-separated or quoted argument would be missed.
| where tolower(ProcessCommandLine) contains " /v"
| project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessCommandLine | Correct | 4 | 76.08s | 0.5825 |
o3-mini-high | driverquery.exe | union DeviceProcessEvents, DeviceEvents
// NOTE(review): the union with DeviceEvents and the InitiatingProcess* checks surface any event initiated by driverquery,
// which is wider than the process-creation logs the question asks about; no ActionType filter is applied on either table.
| where ((InitiatingProcessFileName has "driverquery" or FileName has "driverquery")
and (InitiatingProcessCommandLine has "/v" or ProcessCommandLine has "/v"))
| project TimeGenerated, FileName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 2 | 18.90s | 0.0192 |
o3-mini-low | driverquery.exe | DeviceProcessEvents
// `contains` is case-insensitive in KQL, so the tolower() wrappers are redundant but harmless.
| where tolower(FileName) contains "driverquery"
| where tolower(ProcessCommandLine) contains "/v"
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, ProcessId, InitiatingProcessId | Correct | 3 | 32.62s | 0.0230 |
o4-mini-high | driverquery | DeviceProcessEvents
// Filter within external time range
// NOTE(review): the comment above does not match the query — there is no TimeGenerated predicate, so the whole table is scanned.
| where FileName == "driverquery.exe" or ProcessCommandLine has "driverquery"
// Look for verbose output switches
// NOTE(review): driverquery documents `/v`; the "-v" alternative is presumably defensive — confirm it is wanted.
| where ProcessCommandLine has_any ("/v", "-v", "/verbose")
// Show relevant details
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, ProcessId
| sort by TimeGenerated desc | Correct | 1 | 21.08s | 0.0096 |
o4-mini-low | driverquery.exe | DeviceProcessEvents
// NOTE(review): `==` on FileName is case-sensitive; `=~` would be the safer form for image names.
| where FileName == "driverquery.exe"
| where ProcessCommandLine contains "/v"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 16.68s | 0.0052 |