where.exe

  • File Path: C:\WINDOWS\SysWOW64\where.exe
  • Description: Where - Lists location of files

Hashes

Type Hash
MD5 112CDE97FA4A751168B10C74CEF8C5DE
SHA1 28446FDC94729214A017F3BEF2D1980E57B5F700
SHA256 5C6E1B1AA94BAB489EF1E42D9DA921602A34C690BE99EB77FD167BECD9D4B6B6
SHA384 7A8CE9750C67E54CF989B279E2E4E768C3E700D0A02DAD84B81A080184E02F272E4A61998755C680DD50B7DC20641C12
SHA512 6A0D2E105329A91BD441CDA0214E05C97EC6490EDB5B92603F3D10589ECD1AE27C215AC1DF574D61BFA6BE4651128C6635391903851DDE8CFECED8AA58F8F16C
SSDEEP 768:doXPzuaTARy2yLu5AnYDZJ6lJleMIzyH3I1rVXBvn7MD4vVu:aXPzugAV/5ZDQ2z3RxjM0vVu
IMP 4E0F7694D67FCB95A9345253EE15F9DA
PESHA1 65C02C772BF92A4EE2FEB18062067D0BD18ED738
PE256 5CA78BA479DC86B4F713B13E393CF4562D02FE0A07C7FBA02046E28F4F219D95

Runtime Data

Usage (stdout):


WHERE [/R dir] [/Q] [/F] [/T] pattern...

Description:
    Displays the location of files that match the search pattern.
    By default, the search is done along the current directory and
    in the paths specified by the PATH environment variable.

Parameter List:
    /R       Recursively searches and displays the files that match the
             given pattern starting from the specified directory.

    /Q       Returns only the exit code, without displaying the list
             of matched files. (Quiet mode)

    /F       Displays the matched filename in double quotes.

    /T       Displays the file size, last modified date and time for all
             matched files.

    pattern  Specifies the search pattern for the files to match.
             Wildcards * and ? can be used in the pattern. The
             "$env:pattern" and "path:pattern" formats can also be
             specified, where "env" is an environment variable and
             the search is done in the specified paths of the "env"
             environment variable. These formats should not be used
             with /R. The search is also done by appending the
             extensions of the PATHEXT variable to the pattern.

     /?      Displays this help message.

  NOTE: The tool returns an error level of 0 if the search is
        successful, of 1 if the search is unsuccessful and
        of 2 for failures or errors.

Examples:
    WHERE /?
    WHERE myfilename1 myfile????.*
    WHERE $windir:*.*
    WHERE /R c:\windows *.exe *.dll *.bat
    WHERE /Q ??.???
    WHERE "c:\windows;c:\windows\system32:*.dll"
    WHERE /F /T *.dll

Usage (stderr):

ERROR: Invalid argument or option - '/h'.
Type "WHERE /?" for usage help.

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\where.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: where.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/5c6e1b1aa94bab489ef1e42d9da921602a34c690be99eb77fd167becd9d4b6b6/detection

Possible Misuse

The following table contains possible examples of where.exe being misused. While where.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma; Source File: proc_creation_win_susp_where_execution.yml; Example: where_exe:; License: DRL 1.0
  • Source: sigma; Source File: proc_creation_win_susp_where_execution.yml; Example: Image|endswith: '\where.exe'; License: DRL 1.0
  • Source: atomic-red-team; Source File: T1562.001.md; Example: if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 }; License: MIT License. © 2018 Red Canary
  • Source: atomic-red-team; Source File: T1562.001.md; Example: if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else; License: MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


where

Displays the location of files that match the given search pattern.

Syntax

where [/r <Dir>] [/q] [/f] [/t] [$<ENV>:|<Path>:]<Pattern>[ ...]

Parameters

    /r <Dir>   Indicates a recursive search, starting with the specified
               directory.

    /q         Returns an exit code (0 for success, 1 for failure) without
               displaying the list of matched files.

    /f         Displays the results of the where command in quotation marks.

    /t         Displays the file size and the last modified date and time of
               each matched file.

    [$<ENV>:|<Path>:]<Pattern>[ ...]
               Specifies the search pattern for the files to match. At least
               one pattern is required, and the pattern can include wildcard
               characters (* and ?). By default, where searches the current
               directory and the paths that are specified in the PATH
               environment variable. You can specify a different path to
               search by using the format $ENV:Pattern (where ENV is an
               existing environment variable containing one or more paths)
               or by using the format Path:Pattern (where Path is the
               directory path you want to search). These optional formats
               should not be used with the /r command-line option.

    /?         Displays help at the command prompt.

Remarks

  • If you do not specify a file name extension, the extensions listed in the PATHEXT environment variable are appended to the pattern by default.
  • Where can run recursive searches, display file information such as date or size, and accept environment variables in place of paths on local computers.

Examples

To find all files named Test in drive C of the current computer and its subdirectories, type:

where /r c:\ test

To list all files in the Public directory, type:

where $public:*.*

To find all files named Notepad in drive C of the remote computer, Computer1, and its subdirectories, type:

where /r \\computer1\c notepad.*
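The lookup rules documented above (current directory plus PATH by default, the $ENV:Pattern and Path:Pattern forms, PATHEXT appending when no extension is given, and the 0/1/2 exit codes) as an added Python model; this is not Microsoft's code, and the environment variables and directory listing it searches are constructed sample data rather than a real host.

```python
"""Added model of WHERE's documented lookup rules (not Microsoft's code)."""
import fnmatch

# Constructed sample environment and directory listing (not a real host).
SAMPLE_ENV = {
    "PATH": r"C:\Windows\system32;C:\Windows;C:\Tools",
    "PATHEXT": ".COM;.EXE;.BAT;.CMD",
    "PUBLIC": r"C:\Users\Public",
}
SAMPLE_FS = {
    r"C:\Users\me": ["notes.txt", "build.cmd"],
    r"C:\Windows\system32": ["where.exe", "cmd.exe", "ntdll.dll"],
    r"C:\Windows": ["notepad.exe", "explorer.exe"],
    r"C:\Tools": ["Sysmon.exe", "sysmon64.exe"],
    r"C:\Users\Public": ["readme.txt"],
}

def _split_pattern(pattern, env, cwd):
    """Return (directories to search, file pattern) for one WHERE argument."""
    if pattern.startswith("$"):                 # $ENV:pattern form
        var, _, name = pattern[1:].partition(":")
        if var.upper() not in env:              # unknown variable: WHERE reports an error
            raise KeyError(var)
        return env[var.upper()].split(";"), name
    # Drive letters contain ':' too, so the file pattern starts after the LAST one.
    head, sep, name = pattern.rpartition(":")
    if sep and ("\\" in head or ";" in head):   # dir1;dir2:pattern form
        return head.split(";"), name
    return [cwd] + env.get("PATH", "").split(";"), pattern   # default: cwd + PATH

def where(patterns, env=SAMPLE_ENV, fs=SAMPLE_FS, cwd=r"C:\Users\me"):
    """Emulate WHERE over an in-memory listing; returns (exit code, matched paths)."""
    env = {k.upper(): v for k, v in env.items()}             # env names are case-insensitive
    listing = {d.lower(): files for d, files in fs.items()}  # and so are Windows paths
    matches = []
    for pattern in patterns:
        try:
            dirs, name = _split_pattern(pattern, env, cwd)
        except KeyError:
            return 2, matches
        # No extension in the pattern -> also try each PATHEXT extension (see Remarks).
        names = [name] if "." in name else [name + e for e in [""] + env.get("PATHEXT", "").split(";")]
        for d in dirs:
            for f in listing.get(d.lower(), []):
                if any(fnmatch.fnmatchcase(f.lower(), n.lower()) for n in names):
                    matches.append(d + "\\" + f)
    return (0 if matches else 1), matches
```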

MIT License. Copyright (c) 2020-2021 Strontic.