// question
While investigating a Windows endpoint where boot repair options have unexpectedly been turned off, search your logs for BCDEdit modifying recovery settings. What was the command executed to disable the recovery console?
Reference KQL answer and model-by-model comparison.
cf21060a-80b3-4238-a595-22525de4ab81
question id
0/23
models correct
1
valid answer
0%
success rate
// reference answer
Human-validated correct answer for this question.
bcdedit.exe /set {default} recoveryenabled no
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | no answer | no query generated | fail | 5 | 0.00s | 0.0124 |
| gpt-35-turbo | no answer | no query generated | fail | 5 | 0.00s | 0.0109 |
| gpt-4-turbo-2024-04-09 | no answer | no query generated | fail | 5 | 0.00s | 0.2307 |
| gpt-4.1 | no answer | no query generated | fail | 5 | 0.00s | 0.0387 |
| gpt-4.1-finetuned | no answer | no query generated | fail | 5 | 0.00s | 0.0384 |
| gpt-4.1-mini | no answer | no query generated | fail | 5 | 0.00s | 0.0077 |
| gpt-4.1-nano | no answer | no query generated | fail | 5 | 0.00s | 0.0015 |
| gpt-4o | no answer | no query generated | fail | 5 | 0.00s | 0.0660 |
| gpt-5-high | no answer | no query generated | fail | 5 | 0.00s | 0.1951 |
| gpt-5-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0143 |
| gpt-5-mini-low | bcdedit /deletevalue {current} safeboot | // BCDEdit modifying recovery settings investigation
// Look for executions of bcdedit that modify recovery settings (recoveryenabled, recoverysequence, displaybootmenu, bootstatuspolicy)
let keywords = dynamic(["recoveryenabled","recoverysequence","displaybootmenu","bootstatuspolicy","/set","/delete","/set {","/enum"]);
// Search process events where commandline or file name mentions bcdedit
let proc = DeviceProcessEvents
| where isnotempty(ProcessCommandLine) or isnotempty(ProcessVersionInfoOriginalFileName) or isnotempty(FileName)
| extend pcl = tolower(ProcessCommandLine), fname = tolower(ProcessVersionInfoOriginalFileName), file = tolower(FileName)
| where pcl contains "bcdedit" or fname contains "bcdedit" or file contains "bcdedit"
| extend Source = "DeviceProcessEvents", Cmd = coalesce(ProcessCommandLine, ""), Executable = coalesce(ProcessVersionInfoOriginalFileName, FileName)
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain = InitiatingProcessAccountDomain, AccountSid = InitiatingProcessAccountSid, ProcessId, Executable, Cmd, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCreationTime, Source;
// Search device events (other events) that may include bcdedit invocations
let dev = DeviceEvents
| where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or isnotempty(FileName)
| extend pcl = tolower(ProcessCommandLine), ipl = tolower(InitiatingProcessCommandLine), file = tolower(FileName)
| where pcl contains "bcdedit" or ipl contains "bcdedit" or file contains "bcdedit"
| extend Source = "DeviceEvents", Cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, ""), Executable = FileName
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain = InitiatingProcessAccountDomain, AccountSid, ProcessId = InitiatingProcessId, Executable, Cmd, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCreationTime = InitiatingProcessCreationTime, Source;
proc
| union dev
| where isnotempty(Cmd)
| extend cmd_lower = tolower(Cmd)
// keep events that contain any of the keywords (recovery settings or set/delete operations)
| where array_length(keywords) == array_length(keywords) or
cmd_lower has_any (keywords)
// attempt to extract the bcdedit argument portion by finding 'bcdedit' and returning the rest of the command
| extend idx = indexof(cmd_lower, "bcdedit")
| extend cmd_after = iff(idx >= 0, trim(' ', substring(Cmd, idx + strlen("bcdedit"))), Cmd)
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, AccountSid, Source, ProcessId, Executable, Command = cmd_after, RawCommand = Cmd, ProcessCreationTime
| order by TimeGenerated desc
| take 200
| fail | 2 | 25.29s | 0.0067 |
| gpt-5-mini-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0166 |
| gpt-5-nano-high | no answer | no query generated | fail | 5 | 0.00s | 0.0089 |
| gpt-5-nano-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0059 |
| grok-3-beta | no answer | no query generated | fail | 5 | 0.00s | 0.0868 |
| grok-3-mini-beta | no answer | no query generated | fail | 5 | 0.00s | 0.0070 |
| o1-high | no answer | no query generated | fail | 5 | 0.00s | 0.7418 |
| o1-low | no answer | no query generated | fail | 5 | 0.00s | 0.9190 |
| o3-high | no answer | no query generated | fail | 5 | 0.00s | 0.0637 |
| o3-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0383 |
| o3-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0399 |
| o4-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0399 |
| o4-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0316 |