Osquery TryHackMe Walkthrough

6 min read · Sep 10, 2023


TL;DR walkthrough of one way to complete the osquery room on TryHackMe, part of the Cyber Defense pathway.

A full list of our TryHackMe walkthroughs and cheatsheets is here.


Much like the ZeroLogon room, we did not find the answers the way TryHackMe intended. I messed around with osquery just enough to get a feel for it, but I wanted to query the raw data, so to speak, and see where osquery was getting its answers.

One has to use PowerShell to run osqueryi; it did not function in PowerShell_ISE. Along with PowerCat.ps1 and Invoke-PowerShellTcp.ps1, osqueryi is one of the very few things I have tried out in the lab like this.

As always, we start by connecting to the VM with xfreerdp:

xfreerdp /v: /u:James /p:thm_4n6 /dynamic-resolution

— Task 3 —

How many tables are returned when we query “table process” in the interactive mode of Osquery?

.table process


Looking at the schema of the processes table, which column displays the process id for the particular process?

.schema processes


Examine the .help command, how many output display modes are available for the .mode command?


.mode MODE

— Task 4 —

All Task 4 answers are found on https://osquery.io/schema/5.5.1/

In Osquery version 5.5.1, how many common tables are returned when we select both the Linux and Windows operating systems?


In Osquery version 5.5.1, how many tables are available for macOS?


In the Windows Operating system, which table is used to display the installed programs?


In Windows Operating system, which column contains the registry value within the registry table?


— Task 5 —

I only used osquery to find the answer to one of these.

Using Osquery, how many programs are installed on this host?

PS C:\Users\James> (Get-Package | Where-Object {($_.ProviderName -eq "Programs") -or ($_.ProviderName -eq "msi")}).Count


Using Osquery, what is the description for the user James?

PS C:\Users\James> (Get-LocalUser James).Description

Creative Artist

When we run the following search query, what is the full SID of the user with RID ‘1009’?

PS C:\Users\James> (Get-LocalUser | Where-Object {$_.SID -like "*1009"}).SID.Value



PS C:\Users\James> (Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" | Where-Object {$_.Name -like "*1009"}).Name.Split("\")[6]


When we run the following search query, what is the Internet Explorer browser extension installed on this machine?


select * from ie_extensions;



PS C:\Users\James> Get-ItemProperty "Registry::HKEY_USERS\S-1-5-21-1966530601-3185510712-10604624-1009\Software\Classes\Local Settings\MuiCache\70\52C64B7E" | Out-File Testing.txt

PS C:\Users\James> Get-Content .\Testing.txt | Select-String "Internet Explorer" -Context 1

@C:\Windows\System32\ie4uinit.exe,-731 : Internet Explorer

@C:\Windows\System32\ieframe.dll,-55175 : Internet Explorer

This seems to be where osquery is getting it from. This one was tricky to find as I don’t use Internet Explorer anymore and hadn’t tried to query its extensions. I was curious where osquery was getting its data though.

After running the following query, what is the full name of the program returned?

Query: select name,install_location from programs where name LIKE '%wireshark%';

PS C:\Users\James> (Get-Package | Where-Object {$_.Name -like "*wireshark*"}).Meta.Attributes.Values[0]

Wireshark 3.6.8 64-bit

— Task 6 —

Which table stores the evidence of process execution in Windows OS?

This one is found on https://osquery.io/schema/5.5.1/ , just like Task 4’s questions.


One of the users seems to have executed a program to remove traces from the disk; what is the name of that program?

I couldn’t find this one in the Application log. In the end I gave up and did it the osquery way.

osquery way:

select sid,path from userassist where sid='S-1-5-21-1966530601-3185510712-10604624-1009';


PowerShell way:

Get-ChildItem -Path C:\Users\James -Include "*.exe" -File -Recurse -ErrorAction SilentlyContinue

Both methods make an educated guess that the user is James as that is the user who is in all the other questions. I didn’t think to just check James’s user folder for any *.exe files until after I gave up checking the logs and tried osquery. Had I simply checked their folder I would have found this one in seconds. Live and learn.
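Where osquery's userassist table gets that row, as an added example (not code from the walkthrough or from osquery): the UserAssist keys under the user's hive store ROT13-encoded program paths as value names, with a run count and last-run timestamp in the binary data, so the same answer can be read straight from the registry. The function and column names are my own; the SID is the lab user's from the query above.

```powershell
# Added example (not from the walkthrough): read the UserAssist keys that osquery's
# userassist table is built from, for one user hive loaded under HKEY_USERS.
function Get-UserAssistEntry {
    param([Parameter(Mandatory)][string]$Sid)

    # Value names are the ROT13-encoded paths of the programs that were run.
    function ConvertFrom-Rot13([string]$Text) {
        -join ($Text.ToCharArray() | ForEach-Object {
            if     ($_ -ge 'a' -and $_ -le 'z') { [char](([int]$_ - 97 + 13) % 26 + 97) }
            elseif ($_ -ge 'A' -and $_ -le 'Z') { [char](([int]$_ - 65 + 13) % 26 + 65) }
            else   { $_ }
        })
    }

    $base = "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    foreach ($guidKey in Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue) {
        $count = Get-Item -LiteralPath "Registry::$($guidKey.Name)\Count" -ErrorAction SilentlyContinue
        if (-not $count) { continue }
        foreach ($name in $count.GetValueNames()) {
            $data  = $count.GetValue($name)            # REG_BINARY -> byte[]
            $entry = [ordered]@{ Sid = $Sid; Path = (ConvertFrom-Rot13 $name); RunCount = $null; LastRun = $null }
            # Windows 7 and later: run count is the DWORD at offset 4 and the
            # last-execution FILETIME is the 8 bytes at offset 60 (0 = never).
            if ($data -is [byte[]] -and $data.Length -ge 68) {
                $entry.RunCount = [BitConverter]::ToUInt32($data, 4)
                $ft = [BitConverter]::ToInt64($data, 60)
                if ($ft -gt 0) { $entry.LastRun = [DateTime]::FromFileTimeUtc($ft) }
            }
            [pscustomobject]$entry
        }
    }
}

# Same SID as the osquery query above; show only executables, most recent first.
Get-UserAssistEntry -Sid 'S-1-5-21-1966530601-3185510712-10604624-1009' |
    Where-Object { $_.Path -like '*.exe' } |
    Sort-Object LastRun -Descending |
    Format-Table Path, RunCount, LastRun -AutoSize
```

The user's hive is only present under HKEY_USERS while that user is logged on (as James is over RDP here); for an offline hive, load it with reg load first.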

Create a search query to identify the VPN installed on this host. What is name of the software?

PS C:\Windows\system32> (Get-Package | Where-Object {($_.Name -like "*VPN*") -and ($_.ProviderName -eq "Programs")}).Name
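Get-Package works, but the programs table itself is built from the Uninstall registry keys (HKLM, the WOW6432Node view, and each loaded user hive). This added example (my own code, not the walkthrough's or osquery's) reads those keys once and answers the program count, the Wireshark query and the VPN question from the same list; the function and property names are mine, and the count may differ a little from osquery's depending on which entries each side filters.

```powershell
# Added example (not from the walkthrough): list installed programs from the Uninstall
# registry keys that osquery's programs table is built from.
function Get-InstalledProgram {
    $roots = @(
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    # Per-user installs live under each loaded user hive (skip the *_Classes hives).
    $roots += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" }

    foreach ($root in $roots) {
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath
            # Entries without a DisplayName are updates or components, not programs.
            if (-not $p.DisplayName) { continue }
            [pscustomobject]@{
                Name            = $p.DisplayName
                Version         = $p.DisplayVersion
                Publisher       = $p.Publisher
                InstallLocation = $p.InstallLocation
                UninstallString = $p.UninstallString
                RegistryKey     = $key.Name
            }
        }
    }
}

$programs = Get-InstalledProgram

# "How many programs are installed on this host?"  (select count(*) from programs;)
$programs.Count

# select name,install_location from programs where name LIKE '%wireshark%';
$programs | Where-Object Name -like '*wireshark*' | Select-Object Name, InstallLocation

# VPN question: same list, different pattern.
$programs | Where-Object Name -like '*VPN*' | Select-Object Name, Publisher
```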


How many services are running on this host?

TryHackMe kinda made an error on this one, much like their booboo regarding the “local admin” on a DC in the ZeroLogon room. It’s all good though, I learned more in the process.

PS C:\Windows\system32> (Get-Service | Where-Object {$_.Status -eq "Running"}).Count


PS C:\Windows\system32> (Get-Service).Count


TryHackMe wants 214; the question is poorly worded. Luckily their answer boxes let you know how many characters the answer should have.

A table autoexec contains the list of executables that are automatically executed on the target machine. There seems to be a batch file that runs automatically. What is the name of that batch file (with the extension .bat)?

PS C:\Windows\system32> wmic startup get caption,command


What is the full path of the batch file found in the above question? (Last in the List)

Get-ChildItem -Path C:\ -Include *batstartup.bat* -File -Recurse -ErrorAction SilentlyContinue

Directory: C:\AtomicRedTeam\atomics\T1547.001\src

There’s another copy in:

Directory: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

TryHackMe wants the second copy that’s in James’ folder. In fact, all the questions regarding a given user were about James. Hence I simply used Explorer to search their folder on this one.


Just in case anyone was curious like I was, the content of the *.bat file was

TryHackMe put some other legacy file types in there that attackers like to use as well with the same content.

I have nothing against osquery, I was just curious where it was pulling the data from. Hence I ran almost all the queries to find the answers in this room without using osquery.

There are numerous other walkthroughs for this room already out there on Google; however, the ones I saw either didn't show their work or only used osquery, so I figured I'd post my notes on how we found the answers using built-in PowerShell.


Good writeup that used osquery: https://classroom.anir0y.in/post/tryhackme-osquerythebasics/

Find installed programs: https://devblogs.microsoft.com/scripting/use-powershell-to-quickly-find-installed-software/

Show startup programs: https://www.online-tech-tips.com/computer-tips/list-windows-startup-programs/

Find a file: https://devblogs.microsoft.com/scripting/use-windows-powershell-to-search-for-files/




I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.