Question Analysis
Review the Windows registry event logs for the event in which the ProcessCreationIncludeCmdLine_Enabled value was set to 0. Which PowerShell cmdlet made this change?
95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
Question ID
16/23
Models Correct
1
Valid Answer
70%
Success Rate
Reference Answer
The human-validated correct answer for this question
New-ItemProperty
Model Performance Comparison
See how each AI model performed on this question, including the KQL query it generated
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | New-ItemProperty | DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled"
| where RegistryValueData == "0"
| where InitiatingProcessFileName contains "powershell"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine | Correct | 1 | 13.58s | 0.0045 |
gpt-35-turbo | Set-ItemProperty | DeviceRegistryEvents | where RegistryValueData == '0' | project InitiatingProcessCommandLine | Incorrect | 1 | 3.78s | 0.0035 |
gpt-4-turbo-2024-04-09 | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == 'ProcessCreationIncludeCmdLine_Enabled' and RegistryValueData == '0'
| project InitiatingProcessCommandLine | Correct | 1 | 11.78s | 0.0495 |
gpt-4.1 | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled"
| where RegistryValueData == "0"
| where InitiatingProcessFileName has_cs "powershell"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | Correct | 1 | 4.14s | 0.0113 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0335 |
gpt-4.1-mini | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled" and RegistryValueData == "0"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 22.11s | 0.0022 |
gpt-4.1-nano | powershell | // Set the time of the latest registry change with the target value
let registry_change_time = toscalar(DeviceRegistryEvents
| where RegistryValueName == 'ProcessCreationIncludeCmdLine_Enabled' and RegistryValueData == '0'
| summarize max(TimeGenerated));
// Find devices where this change occurred at the latest change time
DeviceRegistryEvents
| where RegistryValueName == 'ProcessCreationIncludeCmdLine_Enabled' and RegistryValueData == '0'
| where TimeGenerated == registry_change_time
| project DeviceId, TimeGenerated
| join kind=inner (
// Find PowerShell processes on the same device that started before the change
DeviceProcessEvents
| where FileName in ('powershell.exe', 'pwsh.exe')
| extend ProcessStartTime = ProcessCreationTime
) on DeviceId
| where ProcessStartTime < TimeGenerated
// Find the latest process start time per device
| summarize arg_max(ProcessStartTime, ProcessCommandLine) by DeviceId
| project DeviceId, ProcessCommandLine, ProcessStartTime | Incorrect | 2 | 6.16s | 0.0009 |
gpt-4o | powershell.exe | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled" and RegistryValueData == "0"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessCommandLine | Incorrect | 3 | 24.24s | 0.0419 |
gpt-5-high | New-ItemProperty | DeviceRegistryEvents
| where ActionType in ("RegistryValueSet","RegistryValueCreate","RegistryValueModified")
| where RegistryValueName =~ "ProcessCreationIncludeCmdLine_Enabled"
// Registry path for the policy (keep flexible but prefer the expected location)
| where RegistryKey has @"\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
// Normalize value data variants like 0, 0x00000000, dword:00000000
| where tostring(RegistryValueData) matches regex @"^(?i)(?:0|0x0+|dword:0+)$"
// Limit to PowerShell engines
| where tolower(InitiatingProcessFileName) in ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// Extract likely cmdlet used in the command line
| extend Cmdlet = extract(@"(?i)\b(Set-ItemProperty|New-ItemProperty|Set-Item|New-Item|Remove-ItemProperty|Clear-ItemProperty)\b", 1, InitiatingProcessCommandLine)
| extend Cmdlet = iif(isempty(Cmdlet), "Unknown", Cmdlet)
| summarize EventCount=count(), Devices=dcount(DeviceId), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), SampleCommands=make_set(InitiatingProcessCommandLine, 3)
by Cmdlet
| order by EventCount desc | Correct | 1 | 77.92s | 0.0579 |
gpt-5-mini-high | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName has_cs "ProcessCreationIncludeCmdLine_Enabled"
| where tostring(RegistryValueData) == "0" or toint(RegistryValueData) == 0
| extend InitiatingUser = coalesce(InitiatingProcessAccountName, InitiatingProcessAccountUpn, InitiatingProcessAccountSid)
| where isnotempty(InitiatingProcessCommandLine)
// focus on PowerShell / pwsh or common registry modification commands
| where InitiatingProcessCommandLine has_cs "powershell" or InitiatingProcessCommandLine has_cs "pwsh" or InitiatingProcessCommandLine has_cs "Set-ItemProperty" or InitiatingProcessCommandLine has_cs "Set-Item" or InitiatingProcessCommandLine has_cs "New-ItemProperty" or InitiatingProcessCommandLine has_cs "Remove-ItemProperty" or InitiatingProcessCommandLine has_cs "Add-ItemProperty" or InitiatingProcessCommandLine has_cs "reg.exe" or InitiatingProcessCommandLine has_cs "reg add"
| extend Cmdlet = extract(@"(?i)\b(Set-ItemProperty|New-ItemProperty|Remove-ItemProperty|Add-ItemProperty|Set-ItemPropertyValue|Set-Item|Get-ItemProperty|Get-Item|reg(?:\.exe)?\s+add|reg\s+add)\b", 1, InitiatingProcessCommandLine)
| project TimeGenerated, DeviceName, DeviceId, InitiatingUser, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, Cmdlet, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryKey, PreviousRegistryValueData
| order by TimeGenerated desc
| take 50 | Correct | 2 | 31.02s | 0.0076 |
gpt-5-mini-low | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName =~ "ProcessCreationIncludeCmdLine_Enabled"
| where RegistryValueData == "0" or RegistryValueData == 0
| where TimeGenerated between (startofday(ago(30d))..now())
| extend InitiatorExe = tolower(InitiatingProcessFileName), InitiatorCmd = tostring(InitiatingProcessCommandLine)
| where InitiatorExe contains "powershell" or InitiatorCmd contains "Set-ItemProperty" or InitiatorCmd contains "Set-Item" or InitiatorCmd contains "New-ItemProperty" or InitiatorCmd contains "reg.exe" or InitiatorCmd contains "reg add"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessSessionId, InitiatingProcessCreationTime, ReportId
| order by TimeGenerated desc | Correct | 1 | 11.77s | 0.0019 |
gpt-5-mini-medium | New-ItemProperty | let targetValueName = "ProcessCreationIncludeCmdLine_Enabled";
let targetValueData = "0";
DeviceRegistryEvents
| where tostring(RegistryValueName) == targetValueName
| where tostring(RegistryValueData) == targetValueData
| extend InitiatingProcessCommandLine = coalesce(tostring(InitiatingProcessCommandLine), "")
| extend InitiatingProcessFileNameLower = tolower(tostring(InitiatingProcessFileName)), InitiatingProcessCommandLineLower = tolower(InitiatingProcessCommandLine)
| extend IsPowerShell = InitiatingProcessFileNameLower contains "powershell" or InitiatingProcessFileNameLower contains "pwsh" or InitiatingProcessCommandLineLower contains "powershell" or InitiatingProcessCommandLineLower contains "pwsh"
| extend IsRegExe = InitiatingProcessFileNameLower contains "reg.exe" or InitiatingProcessCommandLineLower contains "reg add" or InitiatingProcessCommandLineLower startswith "reg "
| extend CmdletFromPowerShell = extract(@"(?i)\b([A-Za-z]+-[A-Za-z]+)\b", 1, InitiatingProcessCommandLine)
| extend ExtractedCmdlet = iif(IsPowerShell, CmdletFromPowerShell, iif(IsRegExe, "reg.exe", ""))
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, IsPowerShell, IsRegExe, ExtractedCmdlet, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData, ActionType
| sort by TimeGenerated desc | Correct | 2 | 34.30s | 0.0081 |
gpt-5-nano-high | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled"
| where toint(RegistryValueData) == 0
| where isnotempty(InitiatingProcessCommandLine)
| extend PSLine = tostring(InitiatingProcessCommandLine)
| extend Cmdlet = extract(@"(?i)\b(Set-ItemProperty|Set-ItemPropertyValue|New-ItemProperty|Set-RegistryValue)\b", 1, PSLine)
| project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, Cmdlet
| sort by TimeGenerated desc | Correct | 1 | 26.53s | 0.0019 |
gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0071 |
grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0879 |
grok-3-mini-beta | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == 'ProcessCreationIncludeCmdLine_Enabled'
| where RegistryValueData == '0'
| where InitiatingProcessFileName has 'powershell.exe'
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine
| order by Timestamp desc
| limit 100 | Correct | 1 | 12.40s | 0.0016 |
o1-high | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled"
| where RegistryValueData == "0"
| where InitiatingProcessFileName =~ "powershell.exe"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated desc | Correct | 1 | 29.19s | 0.2257 |
o1-low | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName =~ "ProcessCreationIncludeCmdLine_Enabled"
| where RegistryValueData == "0"
| where InitiatingProcessFileName =~ "powershell.exe"
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 26.32s | 0.1974 |
o3-high | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled"
| where tostring(RegistryValueData) == "0" or RegistryValueData == 0
// Limit to modifications (for some tenants ActionType could be RegistryValueSet, CreateKey, etc.)
| where ActionType =~ "RegistryValueSet" or ActionType =~ "RegistryValueChange" or ActionType =~ "SetValue"
// Make sure the change was done from a PowerShell host
| where InitiatingProcessFileName =~ "powershell.exe" or InitiatingProcessCommandLine has "powershell"
// Extract the first PowerShell cmdlet that appears in the command line
| extend Cmdlet = extract(@"\b([A-Za-z]+-[A-Za-z]+)\b", 1, InitiatingProcessCommandLine)
| extend Cmdlet = iff(isempty(Cmdlet), "Unknown", Cmdlet)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, Cmdlet
| summarize
FirstSeen=min(TimeGenerated),
LastSeen=max(TimeGenerated),
Events=count()
by Cmdlet, DeviceName, InitiatingProcessAccountName
| order by Events desc, LastSeen desc | Correct | 1 | 32.47s | 0.0220 |
o3-mini-high | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled" and RegistryValueData == "0"
| where tolower(InitiatingProcessFileName) contains "powershell.exe"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueData
| order by TimeGenerated desc | Correct | 1 | 8.75s | 0.0096 |
o3-mini-low | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled" and RegistryValueData == "0"
| where tolower(InitiatingProcessFileName) contains "powershell"
// Attempt to extract common PowerShell cmdlets that might change registry settings
| extend CmdletName = extract("(Set-ItemProperty|New-ItemProperty|Remove-ItemProperty)", 1, InitiatingProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, CmdletName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 11.07s | 0.0090 |
o4-mini-high | New-ItemProperty | DeviceRegistryEvents
| where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled"
| where RegistryValueData == "0"
// include any PowerShell host in the command line
| where tolower(InitiatingProcessCommandLine) contains "powershell"
// extract the cmdlet name from the command line
| extend Cmdlet = extract(@"(?i)\b(Set-ItemProperty|New-ItemProperty|Remove-ItemProperty|Set-Item|Clear-ItemProperty)\b", 1, InitiatingProcessCommandLine)
| where isnotempty(Cmdlet)
| project TimeGenerated,
DeviceName,
InitiatingProcessAccountName,
Cmdlet,
InitiatingProcessCommandLine,
RegistryKey,
RegistryValueData | Correct | 3 | 151.73s | 0.0325 |
o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0586 |