find.exe

  • File Path: C:\WINDOWS\SysWOW64\find.exe
  • Description: Find String (grep) Utility

Hashes

Type Hash
MD5 8C3D07175803C1103096B5BD77142F1A
SHA1 1BF28CF91990C4801BE5A37FB15E4D32E6058324
SHA256 A70A969194935F4FBA39B99F88E5891EBF94D293156715CADB6633D2D230C806
SHA384 8C649DECD539D4B532640BF16689E14CAC6E1DF842EFDA2C967C5CC8BF22D13B51C8948B1B079C821FC5181A4C426216
SHA512 9FD9EE7E86B60C933884D97629B2EB3F088B1BEE56813B5708A98468E95450DFC29C1FEB5A9C81E415964C516F12E7EE0EB2563FB91947A43121DF3EDEB2C03A
SSDEEP 192:adxNEcUMIAYdETm3eRrpSXRSQOm9r/u/+S6L03Vusdg9kahYvkzWdIW:Q6eRUXRSQOm9je/6L08D9rzWdIW
IMP 7F4B8A6E664FCCDE400A695352EE2A16
PESHA1 C6EAED7755D4D6D76F4A46E827537D38666C40C7
PE256 18507A891F5A16B92EC078DDBD49562704891CF5A33E9F51A08D60541B906F47

Runtime Data

Usage (stdout):

Searches for a text string in a file or files.

FIND [/V] [/C] [/N] [/I] [/OFF[LINE]] "string" [[drive:][path]filename[ ...]]

  /V         Displays all lines NOT containing the specified string.
  /C         Displays only the count of lines containing the string.
  /N         Displays line numbers with the displayed lines.
  /I         Ignores the case of characters when searching for the string.
  /OFF[LINE] Do not skip files with offline attribute set.
  "string"   Specifies the text string to find.
  [drive:][path]filename
             Specifies a file or files to search.

If a path is not specified, FIND searches the text typed at the prompt
or piped from another command.

Usage (stderr):

FIND: Parameter format not correct

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\find.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: FIND.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/a70a969194935f4fba39b99f88e5891ebf94d293156715cadb6633d2d230c806/detection

Possible Misuse

The following table contains possible examples of find.exe being misused. While find.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\find.exe' DRL 1.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


find

Searches for a string of text in a file or files, and displays lines of text that contain the specified string.

Syntax

find [/v] [/c] [/n] [/i] [/off[line]] <"string"> [[<drive>:][<path>]<filename>[...]]

Parameters

Parameter Description
/v Displays all lines that don’t contain the specified <string>.
/c Counts the lines that contain the specified <string> and displays the total.
/n Precedes each line with the file’s line number.
/i Specifies that the search is not case-sensitive.
[/off[line]] Doesn’t skip files that have the offline attribute set.
<"string"> Required. Specifies the group of characters (enclosed in quotation marks) that you want to search for.
[<drive>:][<path>]<filename> Specifies the location and name of the file in which to search for the specified string.
/? Displays help at the command prompt.

Exit codes

Exit code Description
0 The searched string was found
1 Searched string not found
2 Searched file not found or invalid command line switch was given
Remarks
  • If you don’t use /i, this command searches for exactly what you specify for string. For example, this command treats the characters a and A differently. If you use /i, however, the search becomes case insensitive, and it treats a and A as the same character.

  • If the string you want to search for contains quotation marks, you must use double quotation marks for each quotation mark contained within the string (for example, “"”This string contains quotation marks”””).

  • If you omit a file name, this command acts as a filter, taking input from the standard input source (usually the keyboard, a pipe ( ), or a redirected file) and then displays any lines that contain string.
  • To exit the console search use CTRL-X or CTRL-z.

  • You can type parameters and command-line options for the find command in any order.

  • You can’t use wildcards (* and ?) in the searched string. To search for a string with wild cards and regex patterns, you can use the FINDSTR command.

  • If you use /c and /v in the same command line, this command displays a count of the lines that don’t contain the specified string. If you specify /c and /n in the same command line, find ignores /n.

  • This command doesn’t recognize carriage returns. When you use this command to search for text in a file that includes carriage returns, you must limit the search string to text that can be found between carriage returns (that is, a string that is not likely to be interrupted by a carriage return). For example, this command doesn’t report a match for the string tax file if a carriage return occurs between the words tax and file.

  • The command accepts wildcards for file names. When searching in file (or files) it will print the file of the processed file predeceased by ten dashes.

  • Find command cannot read alternate data streams. For searching in alternate data streams use findstr, more or for /f commands.

Examples

To display all lines from pencil.md that contain the string pencil sharpener, type:

find "pencil sharpener" pencil.md

To find the text, “The scientists labeled their paper for discussion only. It is not a final report.” (including the quotes) in the report.txt file, type:

find """The scientists labeled their paper for discussion only. It is not a final report.""" < report.txt

To search for a set of files, you can use wildcards. To search the current directory for files that have the extension .bat and that contain the string PROMPT ignoring the case, type:

find /i "PROMPT" *.bat
To find files names in a directory that contain the string CPU, use the pipe ( ) to direct the output of the dir command to the find command as follows:
dir c:\temp /s /b | find "CPU"

Find all running processes that do NOT contain agent:

tasklist | find /v /i "agent"

Check if a service is running:

sc query  Winmgmt | find "RUNNING" >nul 2>&1 && (echo service is started) || (echo service is stopped)

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.