where.exe

  • File Path: C:\windows\system32\where.exe
  • Description: Where - Lists location of files

Hashes

Type Hash
MD5 126667322403F8EDBD911EE706506D56
SHA1 E620FDA76D2437227AEC4F2D2645C1D768C8453D
SHA256 7BD13C1348F438E3EF20A69D46316EBBF2AF2E73DA23F643E38CF0290785560E
SHA384 D52139649D01BF12EC8A55DE0F1AC28A26AB058B2BF738B4F7ED2E09CC5B3441A0597E0552707D206B27454495F5A3F3
SHA512 3262FE0CB7DBADE3E996BCD4EDD25354FC3ECF08C126EF9F9778B2C2F41A7FCD79B5AD3C20CE1CE1FA63BC317BCCEE3260E68BFB42760984A9DE5483D927C54B
SSDEEP 768:U3/ZgmxhIU80dLLmbmiuNFon/EMqzPiHDOgcU9DaxxTo:U3/ZhXNdubmZNdiCgTexpo

Signature

  • Status: The file C:\windows\system32\where.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: where.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of where.exe being misused. While where.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_where_execution.yml where_exe: DRL 1.0
sigma proc_creation_win_susp_where_execution.yml Image\|endswith: '\where.exe' DRL 1.0
atomic-red-team T1562.001.md if ((cmd.exe /c “where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul”) -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 } MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md if(cmd.exe /c “where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul”) { C:\Windows\Sysmon.exe -accepteula -i } else MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


where

Displays the location of files that match the given search pattern.

Syntax

where [/r <Dir>] [/q] [/f] [/t] [$<ENV>:|<Path>:]<Pattern>[ ...]

Parameters

Parameter Description
/r <Dir> Indicates a recursive search, starting with the specified directory.
/q Returns an exit code (0 for success, 1 for failure) without displaying the list of matched files.
/f Displays the results of the where command in quotation marks.
/t Displays the file size and the last modified date and time of each matched file.
[$<ENV>:|<Path>:]<Pattern>[ …] Specifies the search pattern for the files to match. At least one pattern is required, and the pattern can include wildcard characters (* and ?). By default, where searches the current directory and the paths that are specified in the PATH environment variable. You can specify a different path to search by using the format $ENV:Pattern (where ENV is an existing environment variable containing one or more paths) or by using the format Path:Pattern (where Path is the directory path you want to search). These optional formats should not be used with the /r command-line option.
/? Displays help at the command prompt.

Remarks

  • If you do not specify a file name extension, the extensions listed in the PATHEXT environment variable are appended to the pattern by default.
  • Where can run recursive searches, display file information such as date or size, and accept environment variables in place of paths on local computers.

Examples

To find all files named Test in drive C of the current computer and its subdirectories, type:

where /r c:\ test

To list all files in the Public directory, type:

where $public:*.*

To find all files named Notepad in drive C of the remote computer, Computer1, and its subdirectories, type:

where /r \\computer1\c notepad.*

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.