How to search the entire hard drive for files modified on a particular date?

9

2

I picked up a virus a few hours ago, and have identified one of its files. I know the exact minute that the virus was installed, and would like to search my entire hard drive for files modified in that minute. Is there a utility that can do this? Windows search only searches documents.

I am using Windows 8.

msbg

Posted 2013-01-15T21:14:15.753

Reputation: 1 513

Question was closed 2017-09-11T19:13:07.983

You could use an antivirus... – BenjiWiebe – 2013-01-15T21:14:57.493

I am using Windows Defender (Security Essentials in Windows 8) + Malwarebytes. MalwareBytes only identified one file, and neither has an option to search. – msbg – 2013-01-15T21:16:58.400

Maybe that is all there is that is infected. It is possible that the virus was one file that had not done anything yet. Maybe was waiting for commands from a hacker. ;) – BenjiWiebe – 2013-01-15T21:17:58.380

True, but I'd rather be certain. There could well be another file ready to reinstall the virus in a few weeks. – msbg – 2013-01-15T21:19:53.247

A program such as the one I described could also come in handy in other circumstances. – msbg – 2013-01-15T21:20:34.760

If it tries to install another one, Windows Defender should stop it. Not sure why it didn't stop the first one. Maybe you should install avast! Free Antivirus. – BenjiWiebe – 2013-01-15T21:21:54.697

Avast is mediocre in my opinion. I uploaded the file to VirusTotal.com and avast failed to detect anything, although Kaspersky, MalwareBytes, and Fortinet did. https://www.virustotal.com/file/6832d8e501179ca68ef929a6e600d34b87f3ff9508a3a0d001f5e8e5c2b2c94d/analysis/1358284056/ – msbg – 2013-01-15T21:25:54.717

Avast does really well on our computers. It stops viruses on our computers before they run. – BenjiWiebe – 2013-01-15T21:40:09.617

Answers

9

Open File Explorer from the Desktop. Navigate to the root of your hard drive (C:\ probably). Tap/Click in the search field and type as follows: System.DateModified:YYYY-MM-DDThh:mm:ss where the date and time are the ones you know the virus appeared and are described in ISO-8601, shown here: http://www.w3.org/TR/NOTE-datetime.

The Windows search terms are called the "Advanced Query Syntax" and contain a number of useful terms, most of which are not exposed to end users through the Windows search UI. This is one example, explained in this MSDN document: http://msdn.microsoft.com/en-us/library/bb266512%28VS.85%29.aspx under the section "DateTime properties in Windows 8".

Note that you may have to expand the index to search the entire drive and also that the index will not search certain places (C:\Windows\CSC\ for one example).

K.A.Monica

Posted 2013-01-15T21:14:15.753

Reputation: 5 887

@K.A can you tell me why neither of these work? System.DateModified:>2016-01-04T05:00 and System.DateModified:<2016-01-04T05:00. It is supposed to be January 4, 2016 at 5 AM. I added a > because I thought how you after the date and time listed. – cokedude – 2016-01-04T10:14:34.197

Good, but I do not see any option to search by the minute/hour. – msbg – 2013-01-15T21:26:57.210

Revised to explain how to search down to that level. – K.A.Monica – 2013-01-15T21:43:56.650

Great answer. (I was going to suggest PowerShell, but this is easier). – Guy Thomas – 2013-01-15T22:29:55.433

2

There are a bunch of ways of doing this. You could try a program like

http://www.mythicsoft.com/page.aspx?type=filelocatorlite&page=home

I don't use 8 or even 7. BUT I would use CMD. There are a couple of ways to do it, but the simplest way would be to DIR the entire drive with subfolders, filtered for created time, then search for a string that matches the date and time format. To paste into a CMD window just right click and choose Paste. (Again, never used Win8.)

It's not that complicated: the code below would search the C: drive for a file created "01/19/2013 06:38 PM"; the output would be C:\FoundFiles.TXT.

rem /t:c lists creation times; findstr /c: matches the whole date/time phrase (two spaces, as dir prints it) instead of treating each word as a separate search term
@dir c:\*.* /s /t:c | findstr /c:"01/19/2013  06:38 PM" >c:\FoundFiles.TXT

The code below will search for hidden files and output to c:\FoundHiddenFiles.TXT

rem /a:h restricts the listing to hidden files; /c: again keeps the date and time together as one search phrase
@dir c:\*.* /s /a:h /t:c | findstr /c:"01/19/2013  06:38 PM" >c:\FoundHiddenFiles.TXT

Use /t:a for files "last accessed" and /t:w for files last written.

To open CMD in Windows 8 just search apps for CMD. You may have to adjust the string to match your DIR output in Windows 8. Also I have no idea if Windows 8 gives you access to C:. Each search should only take a minute. It will only give you the file names, not the location, and each time you run it, it will wipe out the old search result. The "." should be optional; I just put them in just in case.

Hope that helps someone.

ONE last thing. You could just dir the whole darn drive, output it to a text file, then search with Word or Notepad or whatever they give you with Windows 8. The commands below will output the entire content of your hard drive sorted by when the files were created.

dir c:\*.* /s /o:d /t:c >C:\AllFiles.TXT

And if you want to search for all hidden files, use

dir c:\*.* /s /o:d /t:c /a:h >C:\AllHiddenFiles.TXT

Michael Mantion

Posted 2013-01-15T21:14:15.753

Reputation: 656

1

I came here with the same problem.

In Windows 8.1, the date in ISO 8601 format (YYYY-MM-DDThh:mm:ss) didn't work for me if I added Thh:mm:ss to the date. Date without time was OK: '2014-1-15'

But this did work with time: 15-Jan-14 16:24. You might need to use your regional format, e.g. 01/15/14 4:24pm, or universal: 2014-1-15 16:24

Instead of searching for the modification time, I would suggest you look for files CREATED on that date and time, as files have created/modified/accessed dates: System.DateCreated:15-Jan-14 16:24

It's also working without "System." for me: DateCreated:15-Jan-14 16:24

Also, in our case, it's a good idea to make your search broader, like a 10-minute period:

DateCreated:15-Jan-14 16:24..15-Jan-14 16:34

or with date in language independent format:

DateCreated:2014-1-15 16:24..2014-1-15 16:34

You are entering this string in the File Explorer window, in the root directory of your main drive (C:), into the Search This PC combo box to the right of the address text box.

Also, you need to include System Files in the search, because I think the AppData folder is outside the indexed space and will not be searched otherwise. And that's where viruses like to reside. To do this, click on Search in the menu, then Advanced Options, and turn System Files on.

In the result pane, you'll see MODIFICATION dates, some out of the range you specified. If you look at the properties of each file, you'll see the creation date is in the specified range. They have been modified after they were created.

(I made a picture but can't post it)

papo

Posted 2013-01-15T21:14:15.753

Reputation: 351

1

There is a DOS command called forfiles that you could use:

forfiles /P C:\ /S /D -1 /M *.*

You can also use more advanced syntax, like calling a program (or calling a DOS command with cmd /c ...):

forfiles /P C:\ /S /D -1 /M *.* /C "cmd /c echo @fname @fdate"

See forfiles /? for syntax and parameters like @fname, @fdate etc.

To open a command prompt, go to Start menu / Search..., type in CMD and press the ENTER key to open the DOS window.

(P.S. I can't make it work on my system - it seems to return all files, not only those changed one day before, as I specify with /D -1 - probably because it has a bug with Greek dates being DD/MM/YYYY and not MM/DD/YYYY)

CORRECTION: there seems to be a misunderstanding (by me and others too, judging from a search on the net) about what /D -dd does; it seems it doesn't search for files being dd days old, but being older than dd days.

So you need to use the /D +dd/MM/yyyy syntax of FORFILES and pass in yesterday's date there to find all files with a date greater than yesterday. To automate this you could use %date% and parse it with %date:~7,2%/%date:~4,2%/%date:~-4% or something like that (you may need to reorder the date parts there depending on your locale).

George Birbilis

Posted 2013-01-15T21:14:15.753

Reputation: 123

Note that in batch files you have to use %%, not single % – George Birbilis – 2014-07-16T11:11:51.130

btw, to find files changed today one can use /D +0 as it seems and to find files older than today can use /D -0 – George Birbilis – 2014-07-16T11:24:39.657
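As an added example (not from any of the answers above), a small Python script that does the same job as the Explorer search, dir | findstr and forfiles recipes discussed above, but reports full paths, walks hidden folders without needing the search index, and can filter on creation time as well as modification time. The sample directory tree and its timestamps are constructed inline; the "created" mode depends on the platform exposing a birth time, as the comments explain.

```python
import os
import tempfile
from datetime import datetime, timedelta

SAMPLE_WHEN = datetime(2013, 1, 19, 18, 38, 15)  # constructed; same minute as the dir example

def _stamp(st, which):
    # "modified" is st_mtime everywhere. "created" uses st_birthtime where the platform has it
    # (macOS, Windows on Python 3.12+); older Windows builds put creation time in st_ctime,
    # but on Linux st_ctime is the inode change time, so "created" is only meaningful there.
    if which == "modified":
        return st.st_mtime
    birth = getattr(st, "st_birthtime", None)
    return st.st_ctime if birth is None else birth

def find_files_in_window(root, start, end, which="modified"):
    """Full paths of files under root with start <= timestamp < end. os.walk ignores
    attributes, so hidden/system files are included; unreadable dirs are skipped."""
    lo, hi = start.timestamp(), end.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # removed meanwhile or access denied
            if lo <= _stamp(st, which) < hi:
                hits.append(path)
    return sorted(hits)

def minute_window(when, minutes=1):
    """Window [when rounded down to the minute, that minute + `minutes`)."""
    start = when.replace(second=0, microsecond=0)
    return start, start + timedelta(minutes=minutes)

def build_sample_tree(when=SAMPLE_WHEN):
    """Constructed test data: a temp dir with three files whose mtimes are set relative to
    `when`; the hit sits in a dot-named subfolder standing in for a hidden directory."""
    base = tempfile.mkdtemp()
    hidden = os.path.join(base, ".hidden")
    os.mkdir(hidden)
    for name, secs in (("in_window.dll", 20), ("too_early.txt", -90), ("too_late.log", 3600)):
        path = os.path.join(hidden if secs == 20 else base, name)
        with open(path, "w") as fh:
            fh.write("sample")
        ts = (when + timedelta(seconds=secs)).timestamp()
        os.utime(path, (ts, ts))
    return base
```

Run it on a real drive with find_files_in_window(r"C:\", *minute_window(datetime(2013, 1, 19, 18, 38))); widen the window, as papo suggests, by passing minutes=10.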