Question Analysis
Review Windows registry event logs for the ProcessCreationIncludeCmdLine_Enabled value being set to 0. Which PowerShell cmdlet performed this change?
95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
Question ID
10/16
Models Correct
1
Valid Answer
63%
Success Rate
Reference Answer
Human-validated correct answer for this question
New-ItemProperty
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | New-ItemProperty | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled"
| where RegistryValueData == "0"
| where InitiatingProcessFileName contains "powershell"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine | Correct | 1 | 13.58s | 0.0045 |
| gpt-35-turbo | Set-ItemProperty | DeviceRegistryEvents | where RegistryValueData == '0' | project InitiatingProcessCommandLine | Incorrect | 1 | 3.78s | 0.0035 |
| gpt-4-turbo-2024-04-09 | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == 'ProcessCreationIncludeCmdLine_Enabled' and RegistryValueData == '0'
| project InitiatingProcessCommandLine | Correct | 1 | 11.78s | 0.0495 |
| gpt-4.1 | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled"
| where RegistryValueData == "0"
| where InitiatingProcessFileName has_cs "powershell"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | Correct | 1 | 4.14s | 0.0113 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0335 |
| gpt-4.1-mini | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled" and RegistryValueData == "0"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 22.11s | 0.0022 |
| gpt-4.1-nano | powershell | // Set the time of the latest registry change with the target value
let registry_change_time = toscalar(DeviceRegistryEvents
| where RegistryValueName == 'ProcessCreationIncludeCmdLine_Enabled' and RegistryValueData == '0'
| summarize max(TimeGenerated));
// Find devices where this change occurred at the latest change time
DeviceRegistryEvents
| where RegistryValueName == 'ProcessCreationIncludeCmdLine_Enabled' and RegistryValueData == '0'
| where TimeGenerated == registry_change_time
| project DeviceId, TimeGenerated
| join kind=inner (
// Find PowerShell processes on the same device that started before the change
DeviceProcessEvents
| where FileName in ('powershell.exe', 'pwsh.exe')
| extend ProcessStartTime = ProcessCreationTime
) on DeviceId
| where ProcessStartTime < TimeGenerated
// Find the latest process start time per device
| summarize arg_max(ProcessStartTime, ProcessCommandLine) by DeviceId
| project DeviceId, ProcessCommandLine, ProcessStartTime | Incorrect | 2 | 6.16s | 0.0009 |
| gpt-4o | powershell.exe | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled" and RegistryValueData == "0"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessCommandLine | Incorrect | 3 | 24.24s | 0.0419 |
| grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0879 |
| grok-3-mini-beta | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == 'ProcessCreationIncludeCmdLine_Enabled'
| where RegistryValueData == '0'
| where InitiatingProcessFileName has 'powershell.exe'
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine
| order by Timestamp desc
| limit 100 | Correct | 1 | 12.40s | 0.0016 |
| o1-high | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled"
| where RegistryValueData == "0"
| where InitiatingProcessFileName =~ "powershell.exe"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated desc | Correct | 1 | 29.19s | 0.2257 |
| o1-low | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName =~ "ProcessCreationIncludeCmdLine_Enabled"
| where RegistryValueData == "0"
| where InitiatingProcessFileName =~ "powershell.exe"
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 26.32s | 0.1974 |
| o3-mini-high | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled" and RegistryValueData == "0"
| where tolower(InitiatingProcessFileName) contains "powershell.exe"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueData
| order by TimeGenerated desc | Correct | 1 | 8.75s | 0.0096 |
| o3-mini-low | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled" and RegistryValueData == "0"
| where tolower(InitiatingProcessFileName) contains "powershell"
// Attempt to extract common PowerShell cmdlets that might change registry settings
| extend CmdletName = extract("(Set-ItemProperty|New-ItemProperty|Remove-ItemProperty)", 1, InitiatingProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, CmdletName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 11.07s | 0.0090 |
| o4-mini-high | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled"
| where RegistryValueData == "0"
// include any PowerShell host in the command line
| where tolower(InitiatingProcessCommandLine) contains "powershell"
// extract the cmdlet name from the command line
| extend Cmdlet = extract(@"(?i)\b(Set-ItemProperty|New-ItemProperty|Remove-ItemProperty|Set-Item|Clear-ItemProperty)\b", 1, InitiatingProcessCommandLine)
| where isnotempty(Cmdlet)
| project TimeGenerated,
DeviceName,
InitiatingProcessAccountName,
Cmdlet,
InitiatingProcessCommandLine,
RegistryKey,
RegistryValueData | Correct | 3 | 151.73s | 0.0325 |
| o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0586 |