where.exe

  • File Path: C:\windows\SysWOW64\where.exe
  • Description: Where - Lists location of files

Hashes

Type Hash
MD5 6990615C65E7465D37CC488F4F80334E
SHA1 39782671DC173C8713F07FE4C10470C4B9F87E65
SHA256 9323D73E1129EEBDA48815D13B944098BF4FBA87713A086C49DD53BF2ED70103
SHA384 951C86D66191C7E92809915EDB3253709488442C7DCD0742B82B482F0972AF7DFC216C322F4142217FE34A5AAC6E0C69
SHA512 1C48C0B212FFC9EC48B77BF4029704B844DDF779B879629D35D2106D9FDA4C509D59AC73365EC7B947AEF9D5C48B2C9C6C25EEA3C58919CBB891D8B57CE788FE
SSDEEP 768:7BBXPb5lTv/ji71ZJqxQVH2LXtgePpzvAT0A5xYx1MA:7BBXPbPvOpzMMWLXtpOHxYxCA

Signature

  • Status: The file C:\windows\SysWOW64\where.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: where.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of where.exe being misused. While where.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_where_execution.yml where_exe: DRL 1.0
sigma proc_creation_win_susp_where_execution.yml Image\|endswith: '\where.exe' DRL 1.0
atomic-red-team T1562.001.md if ((cmd.exe /c “where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul”) -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 } MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md if(cmd.exe /c “where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul”) { C:\Windows\Sysmon.exe -accepteula -i } else MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


where

Displays the location of files that match the given search pattern.

Syntax

where [/r <Dir>] [/q] [/f] [/t] [$<ENV>:|<Path>:]<Pattern>[ ...]

Parameters

Parameter Description
/r <Dir> Indicates a recursive search, starting with the specified directory.
/q Returns an exit code (0 for success, 1 for failure) without displaying the list of matched files.
/f Displays the results of the where command in quotation marks.
/t Displays the file size and the last modified date and time of each matched file.
[$<ENV>:|<Path>:]<Pattern>[ …] Specifies the search pattern for the files to match. At least one pattern is required, and the pattern can include wildcard characters (* and ?). By default, where searches the current directory and the paths that are specified in the PATH environment variable. You can specify a different path to search by using the format $ENV:Pattern (where ENV is an existing environment variable containing one or more paths) or by using the format Path:Pattern (where Path is the directory path you want to search). These optional formats should not be used with the /r command-line option.
/? Displays help at the command prompt.

Remarks

  • If you do not specify a file name extension, the extensions listed in the PATHEXT environment variable are appended to the pattern by default.
  • Where can run recursive searches, display file information such as date or size, and accept environment variables in place of paths on local computers.

Examples

To find all files named Test in drive C of the current computer and its subdirectories, type:

where /r c:\ test

To list all files in the Public directory, type:

where $public:*.*

To find all files named Notepad in drive C of the remote computer, Computer1, and its subdirectories, type:

where /r \\computer1\c notepad.*

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.