While investigating a Windows endpoint where boot repair options have unexpectedly been turned off, search your logs for BCDEdit modifying recovery settings. What was the command executed to disable the recovery console?

// BCDEdit modifying recovery settings investigation // Look for executions of bcdedit that modify recovery settings (recoveryenabled, recoverysequence, displaybootmenu, bootstatuspolicy) let keywords = dynamic(["recoveryenabled","recoverysequence","displaybootmenu","bootstatuspolicy","/set","/delete","/set {","/enum"]); // Search process events where commandline or file name mentions bcdedit let proc = DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(ProcessVersionInfoOriginalFileName) or isnotempty(FileName) | extend pcl = tolower(ProcessCommandLine), fname = tolower(ProcessVersionInfoOriginalFileName), file = tolower(FileName) | where pcl contains "bcdedit" or fname contains "bcdedit" or file contains "bcdedit" | extend Source = "DeviceProcessEvents", Cmd = coalesce(ProcessCommandLine, ""), Executable = coalesce(ProcessVersionInfoOriginalFileName, FileName) | project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain = InitiatingProcessAccountDomain, AccountSid = InitiatingProcessAccountSid, ProcessId, Executable, Cmd, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCreationTime, Source; // Search device events (other events) that may include bcdedit invocations let dev = DeviceEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or isnotempty(FileName) | extend pcl = tolower(ProcessCommandLine), ipl = tolower(InitiatingProcessCommandLine), file = tolower(FileName) | where pcl contains "bcdedit" or ipl contains "bcdedit" or file contains "bcdedit" | extend Source = "DeviceEvents", Cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, ""), Executable = FileName | project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain = InitiatingProcessAccountDomain, AccountSid, ProcessId = InitiatingProcessId, Executable, Cmd, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCreationTime = InitiatingProcessCreationTime, Source; proc | union dev | where isnotempty(Cmd) | extend cmd_lower = tolower(Cmd) // keep events that contain any of the keywords (recovery settings or set/delete operations) | where array_length(keywords) == array_length(keywords) or cmd_lower has_any (keywords) // attempt to extract the bcdedit argument portion by finding 'bcdedit' and returning the rest of the command | extend idx = indexof(cmd_lower, "bcdedit") | extend cmd_after = iff(idx >= 0, trim(' ', substring(Cmd, idx + strlen("bcdedit"))), Cmd) | project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, AccountSid, Source, ProcessId, Executable, Command = cmd_after, RawCommand = Cmd, ProcessCreationTime | order by TimeGenerated desc | take 200