// question

Review registry event logs on the Windows host for PowerShell-driven writes to system policy and file system keys. Which registry value names were created during this BlackByte preparation simulation?

Reference KQL answer and model-by-model comparison.

0b79c06f-c788-44a2-8630-d69051f1123d
question id
3/23
models correct
3
valid answers
13%
success rate
// reference answers

Human-validated correct answers for this question.

LocalAccountTokenFilterPolicyEnableLinkedConnectionsLongPathsEnabled
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
'', 'Blob', 'Debugger', 'PromptOnSecureDesktop', 'UseLogonCredential', 'ConsentPromptBehaviorAdmin', 'DisableAntiSpyware', 'DelegateExecute', 'AutoRun', 'Userinit', 'Shell', 'ReportingMode', 'EnableLinkedConnections', 'ServiceDll', 'Common Startup', 'Startup', 'GlobalFlag', 'BootExecute', 'Security Packages', 'LegalNoticeText', 'StubPath', 'ProcessCreationIncludeCmdLine_Enabled', 'DisableAntiVirus', 'MonitorProcess', 'LegalNoticeCaption', 'ASRRules', 'AmsiEnable', 'Shell-backup', 'Userinit-backup', 'atomictest', 'socks5_powershell', 'NextRun'
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where InitiatingProcessFileName =~ "powershell.exe"
| distinct RegistryValueName
pass19.01s0.0036
gpt-35-turbo
no answer
no query generatedfail50.00s0.0110
gpt-4-turbo-2024-04-09
no answer
no query generatedfail50.00s0.2253
gpt-4.1
no answer
no query generatedfail50.00s0.0433
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0829
gpt-4.1-mini
no answer
no query generatedfail50.00s0.0064
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0014
gpt-4o
GlobalFlag, ReportingMode, MonitorProcess, AmsiEnable
DeviceRegistryEvents
| where InitiatingProcessFileName contains "powershell" and (ActionType contains "Create" or ActionType contains "Add")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine, InitiatingProcessFileName
fail15.37s0.0241
gpt-5-high
no answer
no query generatedfail50.00s0.2615
gpt-5-mini-high
DisableAntiSpyware,PromptOnSecureDesktop,Common Startup,ConsentPromptBehaviorAdmin,DisableAntiVirus,LegalNoticeCaption,LegalNoticeText,ProcessCreationIncludeCmdLine_Enabled,ServiceDll,Startup,ASRRules,EnableLinkedConnections,NextRun,atomictest,socks5_powershell
DeviceRegistryEvents
| where (
    tolower(InitiatingProcessFileName) contains "powershell"
    or tolower(InitiatingProcessCommandLine) contains "powershell"
    or tolower(InitiatingProcessFileName) contains "pwsh"
    or tolower(InitiatingProcessCommandLine) contains "pwsh"
    or tolower(InitiatingProcessCommandLine) contains "-encodedcommand"
    or tolower(InitiatingProcessCommandLine) contains "-enc"
)
| where (
    ActionType contains "Create"
    or ActionType contains "Set"
    or ActionType contains "Write"
    or ActionType contains "Changed"
)
| where (
    tolower(RegistryKey) contains "\\software\\policies"
    or tolower(RegistryKey) contains "\\system\\currentcontrolset\\services"
    or tolower(RegistryKey) contains "windows\\currentversion\\policies"
    or tolower(RegistryKey) contains "\\currentversion\\run"
    or tolower(RegistryKey) contains "\\controlset001\\services"
    or tolower(RegistryKey) contains "\\explorer"
    or tolower(RegistryKey) contains "\\policies"
)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName = coalesce(RegistryValueName, "<empty>"), RegistryValueData, RegistryValueType, ActionType
| summarize Count = count(), AnyCommandLine = any(InitiatingProcessCommandLine), AnyProcess = any(InitiatingProcessFileName), AnyValueData = any(RegistryValueData) by RegistryValueName, RegistryKey, DeviceName
| where Count > 0
| order by Count desc, RegistryValueName asc
pass237.02s0.0113
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0132
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0186
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0071
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0060
grok-3-beta
Shell
DeviceRegistryEvents
| where TimeGenerated between (startofday(ago(7d)) .. endofday(now()))
| where InitiatingProcessFileName has_cs 'powershell'
| where ActionType in ('RegistryValueSet', 'RegistryValueWritten')
| summarize by RegistryValueName, DeviceName, RegistryKey, InitiatingProcessFileName
| project RegistryValueName, DeviceName, RegistryKey, InitiatingProcessFileName
fail337.47s0.0617
grok-3-mini-beta
no answer
no query generatedfail50.00s0.0070
o1-high
None
DeviceRegistryEvents
| where ActionType contains "create" // focuses on new registry value creations
| where InitiatingProcessCommandLine has "powershell" // identifies PowerShell-driven changes
| where RegistryKey has_any ("Policy", "FileSystem") // filters only relevant policy/file system keys
| summarize CreatedRegistryValueNames = make_set(RegistryValueName)
fail123.52s0.1943
o1-low
PromptOnSecureDesktop_ConsentPromptBehaviorAdmin_DisableAntiSpyware_EnableLinkedConnections_LegalNoticeText_ProcessCreationIncludeCmdLine_Enabled_DisableAntiVirus_LegalNoticeCaption_ASRRules_atomictest
DeviceRegistryEvents
| where InitiatingProcessFileName endswith "powershell.exe"
| where RegistryKey has_any ("Policies", "FileSystem")
| where ActionType in ("RegistryValueSet", "RegistryValueCreated", "SetValue")
| distinct RegistryValueName
pass145.09s0.2942
o3-high
ASRRules,DisableAntiVirus,DisableAntiSpyware
// ---- BlackByte preparation – PowerShell-driven writes to system policy & file-system registry keys
let targetPaths = dynamic(["\\SOFTWARE\\Policies\\", "\\SYSTEM\\CurrentControlSet\\Control\\FileSystem"]);
DeviceRegistryEvents
// (Time range filter supplied by the hunting portal)
| where ActionType in ("RegistryValueSet", "RegValueSet", "RegistryKeyCreated", "RegistryKeySet")
| where RegistryKey has_any (targetPaths)
| where InitiatingProcessFileName =~ "powershell.exe" or InitiatingProcessCommandLine has_cs "powershell"
| where isnotempty(RegistryValueName)
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| summarize CreatedRegistryValueNames = make_set(RegistryValueName)
fail244.18s0.0303
o3-mini-high
atomictest
DeviceRegistryEvents
| where ActionType in ("RegistryValueCreated", "RegistryValueSet")
| where (InitiatingProcessCommandLine has_cs "powershell" or InitiatingProcessFileName has_cs "powershell.exe" or InitiatingProcessCommandLine has_cs "pwsh" or InitiatingProcessFileName has_cs "pwsh.exe")
| where tolower(RegistryKey) has "policies" or tolower(RegistryKey) has "filesystem"
| distinct RegistryValueName
fail4103.35s0.0391
o3-mini-low
atomictest
DeviceRegistryEvents
| where InitiatingProcessFileName has "powershell.exe"
| where RegistryKey has_any ("Policies", "FileSystem")
| distinct RegistryValueName
fail126.99s0.0135
o4-mini-high
ASRRules, DisableAntiVirus, DisableAntiSpyware
DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryValueAdded")
| where tolower(InitiatingProcessFileName) has "powershell"
| where RegistryKey has "\\SYSTEM\\CurrentControlSet\\Control\\FileSystem" or RegistryKey has "\\SOFTWARE\\Policies"
| where isnotempty(RegistryValueName)
| summarize CreatedValueNames = make_set(RegistryValueName) by RegistryKey
| project RegistryKey, CreatedValueNames
fail250.65s0.0167
o4-mini-low
ASRRules, DisableAntiSpyware, DisableAntiVirus
DeviceRegistryEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where ActionType == "RegistryValueSet"
| where RegistryKey startswith "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies"
    or RegistryKey startswith "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies"
    or RegistryKey startswith "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\FileSystem"
| distinct RegistryValueName
| sort by RegistryValueName asc
fail257.16s0.0223