// question

While investigating a Windows endpoint where boot repair options have unexpectedly been turned off, search your logs for BCDEdit modifying recovery settings. What was the command executed to disable the recovery console?

Reference KQL answer and model-by-model comparison.

cf21060a-80b3-4238-a595-22525de4ab81
question id
0/23
models correct
1
valid answer
0%
success rate
// reference answer

Human-validated correct answer for this question.

bcdedit.exe /set {default} recoveryenabled no
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
no answer
no query generatedfail50.00s0.0124
gpt-35-turbo
no answer
no query generatedfail50.00s0.0109
gpt-4-turbo-2024-04-09
no answer
no query generatedfail50.00s0.2307
gpt-4.1
no answer
no query generatedfail50.00s0.0387
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0384
gpt-4.1-mini
no answer
no query generatedfail50.00s0.0077
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0015
gpt-4o
no answer
no query generatedfail50.00s0.0660
gpt-5-high
no answer
no query generatedfail50.00s0.1951
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0143
gpt-5-mini-low
bcdedit /deletevalue {current} safeboot
// BCDEdit modifying recovery settings investigation
// Look for executions of bcdedit that modify recovery settings (recoveryenabled, recoverysequence, displaybootmenu, bootstatuspolicy)
let keywords = dynamic(["recoveryenabled","recoverysequence","displaybootmenu","bootstatuspolicy","/set","/delete","/set {","/enum"]);

// Search process events where commandline or file name mentions bcdedit
let proc = DeviceProcessEvents
| where isnotempty(ProcessCommandLine) or isnotempty(ProcessVersionInfoOriginalFileName) or isnotempty(FileName)
| extend pcl = tolower(ProcessCommandLine), fname = tolower(ProcessVersionInfoOriginalFileName), file = tolower(FileName)
| where pcl contains "bcdedit" or fname contains "bcdedit" or file contains "bcdedit"
| extend Source = "DeviceProcessEvents", Cmd = coalesce(ProcessCommandLine, ""), Executable = coalesce(ProcessVersionInfoOriginalFileName, FileName)
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain = InitiatingProcessAccountDomain, AccountSid = InitiatingProcessAccountSid, ProcessId, Executable, Cmd, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCreationTime, Source;

// Search device events (other events) that may include bcdedit invocations
let dev = DeviceEvents
| where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or isnotempty(FileName)
| extend pcl = tolower(ProcessCommandLine), ipl = tolower(InitiatingProcessCommandLine), file = tolower(FileName)
| where pcl contains "bcdedit" or ipl contains "bcdedit" or file contains "bcdedit"
| extend Source = "DeviceEvents", Cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, ""), Executable = FileName
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain = InitiatingProcessAccountDomain, AccountSid, ProcessId = InitiatingProcessId, Executable, Cmd, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCreationTime = InitiatingProcessCreationTime, Source;

proc
| union dev
| where isnotempty(Cmd)
| extend cmd_lower = tolower(Cmd)
// keep events that contain any of the keywords (recovery settings or set/delete operations)
| where array_length(keywords) == array_length(keywords) or
      cmd_lower has_any (keywords)
// attempt to extract the bcdedit argument portion by finding 'bcdedit' and returning the rest of the command
| extend idx = indexof(cmd_lower, "bcdedit")
| extend cmd_after = iff(idx >= 0, trim(' ', substring(Cmd, idx + strlen("bcdedit"))), Cmd)
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, AccountSid, Source, ProcessId, Executable, Command = cmd_after, RawCommand = Cmd, ProcessCreationTime
| order by TimeGenerated desc
| take 200
fail225.29s0.0067
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0166
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0089
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0059
grok-3-beta
no answer
no query generatedfail50.00s0.0868
grok-3-mini-beta
no answer
no query generatedfail50.00s0.0070
o1-high
no answer
no query generatedfail50.00s0.7418
o1-low
no answer
no query generatedfail50.00s0.9190
o3-high
no answer
no query generatedfail50.00s0.0637
o3-mini-high
no answer
no query generatedfail50.00s0.0383
o3-mini-low
no answer
no query generatedfail50.00s0.0399
o4-mini-high
no answer
no query generatedfail50.00s0.0399
o4-mini-low
no answer
no query generatedfail50.00s0.0316