Windows Hardening TryHackMe Walkthrough

Apr 22, 2024


TL;DR Walkthrough of the TryHackMe Windows Hardening room.

A full list of our TryHackMe walkthroughs and cheatsheets is here.


I have been slow rolling my way through the Security Engineer pathway, one of TryHackMe's newer learning paths. I didn't win anything in the raffle THM ran when the pathway was brand new, circa Sep 2023. Hopefully one of you did.

I just finished up my college program at WGU and am coming into my renewal window for a couple certifications, so it’s a great time to get back into TryHackMe, learn something, get some good practice, and get some CPEs.

TryHackMe showed how to perform Windows hardening and querying in the GUI, but I'm partial to PowerShell, which is why almost everything in here is done from the CLI.

As always, connect via

xfreerdp /v: /u:Harden /p:harden /dynamic-resolution


-- Task 2 --

What is the startup type of App Readiness service in the services panel?

(Get-Service | Where-Object {$_.DisplayName -like "*App Readiness*"}).StartType


The answer THM is looking for is Manual.

Open Registry Editor and find the key “tryhackme”. What is the default value of the key?

Get-ChildItem -Path HKCU:\ -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.Name -like "*tryhackme*"}

Name      Property
----      --------
tryhackme (default) : {THM_REG_FLAG}

The answer THM is looking for is of course {THM_REG_FLAG}

Open the Diagnosis folder and go through the various log files. Can you find the flag?

Get-Content "C:\ProgramData\Microsoft\Diagnosis\flag.txt.txt"


Open the Event Viewer and play with various event viewer filters like Information, Error, Warning etc. Which error type has the maximum number of logs?

No answer needed.

However, I was curious, so I queried the list of logs and the number of events per log. The answer is the Security log.

# List every event log on the box, then print its name and entry count
$Logs = (Get-EventLog -List).Log
ForEach ($Log in $Logs) {
    Write-Host $Log
    (Get-EventLog -LogName $Log -ErrorAction SilentlyContinue).Count
    Write-Host " "
}



Partial output (the per-log counts are not captured here): Internet Explorer, Key Management Service, Windows PowerShell

-- Task 3 --

Find the name of the Administrator Account of the attached VM.

(Get-LocalGroupMember -Group Administrators).Name


The answer that THM is looking for is Harden.

Go to the User Account Control Setting Panel (Control Panel > All Control Panel Items > User Accounts). What is the default level of Notification?

Always Notify

How many standard accounts are created in the VM?



0 is the answer THM wants.

-- Task 4 --

Open Windows Firewall and click on Monitoring in the left pane. Which of the following profiles is active: Domain, Private, or Public?

Get-NetFirewallSetting -PolicyStore ActiveStore | Select-Object -ExpandProperty ActiveProfile


Find the IP address resolved for the website in the Virtual Machine as per the local hosts file.

Get-Content C:\Windows\System32\drivers\etc\hosts | Select-String ""

The answer THM is looking for is of course

Open the command prompt and enter arp -a. What is the Physical address for the IP address

arp -a | Select-String ""

ff-ff-ff-ff-ff-ff     static

Get-NetNeighbor | Where-Object {$_.IPAddress -eq ""}

The answer THM wants is FF-FF-FF-FF-FF-FF, which of course is always the broadcast address.

-- Task 5 --

Windows Defender Antivirus is configured to exclude a particular extension from scanning. What is the extension?



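The exclusion question above is answered in the GUI in the room; as an added example (not from the room or the post), here is the same check from PowerShell, using Get-MpPreference to list every Defender exclusion category and flag the ones a hardening review should question:

```powershell
# Added example: audit Microsoft Defender exclusions. Requires the built-in
# Defender module; run in an elevated session to see policy-set values.
function Get-DefenderExclusionReport {
    $pref = Get-MpPreference

    $report = [PSCustomObject]@{
        ExcludedExtensions    = @($pref.ExclusionExtension)
        ExcludedPaths         = @($pref.ExclusionPath)
        ExcludedProcesses     = @($pref.ExclusionProcess)
        RealtimeMonitoringOff = [bool]$pref.DisableRealtimeMonitoring
        Findings              = @()
    }

    # Excluding executable file types from scanning defeats most of the point of AV.
    $executableTypes = 'exe','dll','ps1','bat','cmd','vbs','js','scr','hta'
    foreach ($ext in $report.ExcludedExtensions) {
        if ($executableTypes -contains $ext.TrimStart('.').ToLower()) {
            $report.Findings += "Executable extension excluded: $ext"
        }
    }

    # Whole-drive or user-profile path exclusions are almost never justified.
    foreach ($p in $report.ExcludedPaths) {
        if ($p -match '^[A-Za-z]:\\?$' -or $p -like 'C:\Users*') {
            $report.Findings += "Broad path exclusion: $p"
        }
    }

    if ($report.RealtimeMonitoringOff) {
        $report.Findings += 'Real-time monitoring is disabled'
    }
    return $report
}

Get-DefenderExclusionReport | Format-List
```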
A Word document is received from an unknown email address. It is best practice to open it immediately on your personal computer (yay/nay).


What is the flag you received after executing the Office Hardening Batch file?

Get-Content C:\Users\Harden\Desktop\office.bat | Select-String "Flag"

echo "Microsoft Office Hardened Successfully - Here is your Flag {THM_1101110}"


-- Task 6 --

A security engineer has misconfigured the attached VM and stored a BitLocker recovery key in the same computer. Can you read the last six digits of the recovery key?

Get-ChildItem -Path "C:\Users" -Include "*BitLocker Recovery Key*" -Recurse -ErrorAction SilentlyContinue | Get-Content


How many characters does the BitLocker recovery key have in the attached VM?

$MyKey = "132858-327525-689172-680790-354607-080454-642268-377564"
# Strip the dashes before counting, since THM counts digits only
($MyKey -replace "-", "").Length
The answer THM is looking for is 48. They aren’t counting the dashes.
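The search above keys on the file name. As an added example (not from the room or the post), this looks for the misconfiguration by content instead, matching the 48-digit, eight-group recovery key format in small text files under the profile root, and reports only the last six digits so the key itself is not copied into the audit output. It assumes the default C:\Users profile root.

```powershell
# Added example: find files whose content looks like a BitLocker recovery key.
function Find-ExposedBitLockerKeys {
    param([string[]]$Roots = @('C:\Users'))   # assumption: default profile root

    # A BitLocker recovery key is 48 digits written as 8 dash-separated groups of 6.
    $keyPattern = '\b(\d{6}-){7}\d{6}\b'

    Get-ChildItem -Path $Roots -Recurse -File -Include '*.txt','*.csv','*.log','*.rtf' -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 1MB } |   # keys live in small text files; skip large ones
        ForEach-Object {
            $hits = Select-String -Path $_.FullName -Pattern $keyPattern -AllMatches -ErrorAction SilentlyContinue
            foreach ($h in $hits) {
                foreach ($m in $h.Matches) {
                    $digits = $m.Value -replace '-', ''
                    [PSCustomObject]@{
                        File          = $_.FullName
                        Line          = $h.LineNumber
                        KeyLength     = $digits.Length                      # 48 for a well-formed key
                        LastSixDigits = $digits.Substring($digits.Length - 6)
                    }
                }
            }
        }
}

Find-ExposedBitLockerKeys | Format-Table -AutoSize
```

Any hit is a finding: a recovery key must never live on the volume it protects.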

A backup file is placed on the Desktop of the attached VM. What is the extension of that file?

Get-ChildItem C:\Users\Harden\Desktop

    Directory: C:\Users\Harden\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          6/28/2022  8:00 AM             22 MyWindowsBackup.bkf
-a----          6/27/2022  4:09 AM          10446 office.bat

-- Task 7 --

What is the CVE score for the vulnerability CVE ID CVE-2022-32230?

THM wants 7.8

-- Task 8 --

I have completed the room.

No answer needed


TryHackMe has a habit of being a bit wonky and odd when it comes to questions regarding the name of the administrator account or the number of administrator accounts. They often don't count the built-in Administrator, as seen in this room, so just FYSA if you're ever having trouble getting THM to accept your answer.

I have seen TryHackMe mix up the Administrator, aka SID 500 in every AD by default, and call it “the DC’s local admin”.

Overall, though, this is a small gripe and just something to be aware of. TryHackMe is always good for cheap, hands-on training. This room was no different.


UAC slider is a combination of these registry keys:

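As an added example (not from the room or the post), this reads the three values under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System that the slider writes (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) and maps them back to the level the Control Panel shows, which answers the Task 3 notification question without the GUI:

```powershell
# Added example: translate the UAC registry values into the slider level.
function Get-UacSliderLevel {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $path

    $enableLua = [int]$v.EnableLUA                   # 1 = UAC on, 0 = UAC off entirely
    $consent   = [int]$v.ConsentPromptBehaviorAdmin  # 2 = always prompt, 5 = prompt for non-Windows binaries, 0 = never prompt
    $secure    = [int]$v.PromptOnSecureDesktop       # 1 = dim the desktop for the prompt

    $level = if ($enableLua -eq 0) {
        'UAC disabled (EnableLUA=0)'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        'Always notify'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        'Notify me only when apps try to make changes to my computer'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        'Notify me only when apps try to make changes (do not dim my desktop)'
    } elseif ($consent -eq 0) {
        'Never notify'
    } else {
        "Custom policy (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)"
    }

    [PSCustomObject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        SliderLevel                = $level
    }
}

Get-UacSliderLevel
```

Anything other than "Always notify" with EnableLUA=1 is worth a look during a hardening audit, since the lower levels let signed Windows binaries elevate silently.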

Get Windows FW profile:




I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.