where.exe

File Path: C:\windows\system32\where.exe
Description: Where - Lists location of files

Hashes

Type	Hash
MD5	`126667322403F8EDBD911EE706506D56`
SHA1	`E620FDA76D2437227AEC4F2D2645C1D768C8453D`
SHA256	`7BD13C1348F438E3EF20A69D46316EBBF2AF2E73DA23F643E38CF0290785560E`
SHA384	`D52139649D01BF12EC8A55DE0F1AC28A26AB058B2BF738B4F7ED2E09CC5B3441A0597E0552707D206B27454495F5A3F3`
SHA512	`3262FE0CB7DBADE3E996BCD4EDD25354FC3ECF08C126EF9F9778B2C2F41A7FCD79B5AD3C20CE1CE1FA63BC317BCCEE3260E68BFB42760984A9DE5483D927C54B`
SSDEEP	`768:U3/ZgmxhIU80dLLmbmiuNFon/EMqzPiHDOgcU9DaxxTo:U3/ZhXNdubmZNdiCgTexpo`

Signature

Status: The file C:\windows\system32\where.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
Serial: ``
Thumbprint: ``
Issuer:
Subject:

File Metadata

Original Filename: where.exe.mui
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
Product Version: 6.3.9600.16384
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of where.exe being misused. While where.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_susp_where_execution.yml	`where_exe:`	DRL 1.0
sigma	proc_creation_win_susp_where_execution.yml	`Image\\|endswith: '\where.exe'`	DRL 1.0
atomic-red-team	T1562.001.md	if ((cmd.exe /c “where.exe Sysmon.exe 2> nul \| findstr Sysmon 2> nul”) -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 }	MIT License. © 2018 Red Canary
atomic-red-team	T1562.001.md	if(cmd.exe /c “where.exe Sysmon.exe 2> nul \| findstr Sysmon 2> nul”) { C:\Windows\Sysmon.exe -accepteula -i } else	MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

where

Displays the location of files that match the given search pattern.

Syntax

where [/r <Dir>] [/q] [/f] [/t] [$<ENV>:|<Path>:]<Pattern>[ ...]

Parameters

Parameter	Description
/r <Dir>	Indicates a recursive search, starting with the specified directory.
/q	Returns an exit code (0 for success, 1 for failure) without displaying the list of matched files.
/f	Displays the results of the where command in quotation marks.
/t	Displays the file size and the last modified date and time of each matched file.
[$<ENV>:\|<Path>:]<Pattern>[ …]	Specifies the search pattern for the files to match. At least one pattern is required, and the pattern can include wildcard characters (* and ?). By default, where searches the current directory and the paths that are specified in the PATH environment variable. You can specify a different path to search by using the format $ENV:Pattern (where ENV is an existing environment variable containing one or more paths) or by using the format Path:Pattern (where Path is the directory path you want to search). These optional formats should not be used with the /r command-line option.
/?	Displays help at the command prompt.

Remarks

If you do not specify a file name extension, the extensions listed in the PATHEXT environment variable are appended to the pattern by default.
Where can run recursive searches, display file information such as date or size, and accept environment variables in place of paths on local computers.

Examples

To find all files named Test in drive C of the current computer and its subdirectories, type:

where /r c:\ test

To list all files in the Public directory, type:

where $public:*.*

To find all files named Notepad in drive C of the remote computer, Computer1, and its subdirectories, type:

where /r \\computer1\c notepad.*

Additional References

Command-Line Syntax Key