
Running dir /a on a given directory on one of our servers produces a list of unexpected files that look like malware:

C:\Users\<username>>dir /a c:\Users\Public\Downloads\
 Volume in drive C has no label.
 Volume Serial Number is 9999-9999

 Directory of c:\Users\Public\Downloads

09/15/2018  12:19 AM    <DIR>          .
09/15/2018  12:19 AM    <DIR>          ..
07/09/2023  09:28 PM            20,000 ZZZZZ2852017353.doc
07/21/2023  10:10 PM            50,240 !!!!!2729304900.doc
07/21/2023  09:34 PM         3,000,000 XORXOR2654977376.doc
07/21/2023  09:53 PM             1,024 smTlX4069337007.txt
07/09/2023  09:22 PM             2,024 ZZZZZ2452917832.docx
07/17/2023  08:59 PM             4,048 !!!!!910538317.pem
06/27/2023  08:58 PM            10,000 XORXOR2801197100.jpg
07/21/2023  08:27 PM            20,000 smTlX1631532574.png
07/21/2023  08:42 PM            25,000 ZZZZZ2426080075.bmp
07/21/2023  08:44 PM            30,000 !!!!!503919568.eml
07/09/2023  08:58 PM           100,000 XORXOR2564426092.xls
06/27/2023  08:53 PM           150,000 smTlX2350243133.xlsx
07/17/2023  09:41 PM           175,000 ZZZZZ3070700973.mdb
07/21/2023  09:53 PM           200,000 !!!!!533403438.ppt
07/21/2023  09:04 PM           225,000 XORXOR395504056.pps
07/09/2023  08:50 PM           250,000 smTlX634944309.pptx
07/09/2023  09:13 PM           275,000 ZZZZZ2775334046.pdf
06/27/2023  08:26 PM           300,000 !!!!!3608986092.avi
06/27/2023  08:56 PM           350,000 XORXOR189161240.db
06/27/2023  09:53 PM           350,000 smTlX416169661.pst
06/27/2023  09:54 PM           400,000 ZZZZZ2740091908.sql
07/21/2023  10:12 PM    <DIR>          !!!!!1300245113
09/15/2018  12:16 AM               174 desktop.ini
07/09/2023  09:28 PM            20,000 ZZZZZ3219714798.doc
07/21/2023  10:10 PM            50,240 !!!!!4004685157.doc
07/21/2023  09:34 PM         3,000,000 XORXOR3352709303.doc
07/21/2023  09:53 PM             1,024 smTlX3205606753.txt
07/09/2023  09:22 PM             2,024 ZZZZZ331100468.docx
07/17/2023  08:59 PM             4,048 !!!!!1274788081.pem
06/27/2023  08:58 PM            10,000 XORXOR647044953.jpg
07/21/2023  08:27 PM            20,000 smTlX1871256990.png
07/21/2023  08:42 PM            25,000 ZZZZZ638203430.bmp
07/21/2023  08:44 PM            30,000 !!!!!4241961912.eml
07/09/2023  08:58 PM           100,000 XORXOR1411632423.xls
06/27/2023  08:53 PM           150,000 smTlX743786790.xlsx
07/17/2023  09:41 PM           175,000 ZZZZZ4216568629.mdb
07/21/2023  09:53 PM           200,000 !!!!!2025383911.ppt
07/21/2023  09:04 PM           225,000 XORXOR1743807666.pps
07/09/2023  08:50 PM           250,000 smTlX229377095.pptx
07/09/2023  09:13 PM           275,000 ZZZZZ191670683.pdf
06/27/2023  08:26 PM           300,000 !!!!!1941248879.avi
06/27/2023  08:56 PM           350,000 XORXOR1946193784.db
06/27/2023  09:53 PM           350,000 smTlX2089358877.pst
06/27/2023  09:54 PM           400,000 ZZZZZ249794861.sql
07/21/2023  10:12 PM    <DIR>          !!!!!157789779
              43 File(s)     11,874,846 bytes
               4 Dir(s)  82,072,215,552 bytes free

Whether I run Command Prompt "as administrator" or not - does not matter, the result is the same.

While the malware itself is a separate issue, I'd like to produce a similar list in Powershell so I could try to automate scanning for these and similar files across multiple machines.

Yet when I run Get-ChildItem -Path "C:\Users\Public\Downloads\" -Force on the same server (as suggested elsewhere on SO e.g. in "How to list all files in a folder (do cmd's dir /A) in PowerShell?"), I get this:

PS C:\Users\<username>> Get-ChildItem -Path "C:\Users\Public\Downloads\" -Force


    Directory: C:\Users\Public\Downloads


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a-hs-        9/15/2018  12:16 AM            174 desktop.ini

Running the above "as administrator" - same result.

... which begs the title question:

What is the Powershell equivalent of "dir /a"?

P.S.

  • I can't get the files in question to display in File Explorer - even after I enable hidden and system files
  • It's Windows Server 2019. Its C:\ drive is growing linearly at about ~95GB a month. The total disk space used (320GB) doesn't seem to add up when checking all root directories' sizes individually (100-150GB). I have a feeling these files may be the culprit.
  • Are you allowed to download and compile from source code GNU findutils and GNU coreutils? They probably have been ported to Windows Commented Aug 3, 2023 at 19:31
  • probably not - and then there's a question of whether compiled tools would expose information that built-in ones (Powershell) would not. The question is specific to Powershell. Commented Aug 3, 2023 at 19:41
  • This is better asked on Super User or Server Fault. Commented Aug 3, 2023 at 19:51
  • You'd be right if the question was about malware... it's not. The title question is really about Powershell. Similar questions were allowed to stay on SO. Commented Aug 3, 2023 at 19:54
  • Pragmatically speaking, you can run cmd /c dir /a from PowerShell.
    – mklement0
    Commented Aug 3, 2023 at 21:02

2 Answers


I'm not entirely sure if dir /A outputs all files as documentation specifies, but if it does, you can do the same this way in PowerShell:

Get-ChildItem -Attributes ([System.IO.FileAttributes].GetEnumValues() -Join ",") -Force

Explanation:

  • System.IO.FileAttributes is an Enum that contains all possible values for file/directory attributes
  • we get an array of the values with GetEnumValues() and join them as strings with , character, which means OR in the -Attributes parameter value
  • then also -Force is used just in case, but it might be not needed

To optimize a script, you could of course also get the attributes value in PowerShell shell and paste it as a long string instead.

  • It does. Dir /a will list all files that have at least one attribute set, so if you do attrib -a +h on a file, get-childitem will not find it, but dir /a does. If a file does not have the hidden attribute set, get-childitem will return it too. I bet get-childitem -hidden is already enough here
    – LPChip
    Commented Aug 4, 2023 at 6:40
  • Thank you! Can't yet test as the files are gone as of this morning - likely Palo Alto support cleaning them up. Not yet sure how to reproduce this (the files were not just "hidden" or "system" - they appeared to be links pointing to actual hidden files in a different (hidden, as well) directory, and I haven't gotten to trying to reproduce this scenario.) Commented Aug 4, 2023 at 19:28
  • I'm pretty sure GCI -Hidden wouldn't show system files at the very least, which might not be necessary here, but the question asks about equivalent.
    – Destroy666
    Commented Aug 8, 2023 at 5:57
Get-ChildItem -Attributes Directory,Hidden,System,ReparsePoint,ReadOnly,Archive,NotContentIndexed,Offline
  • As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Aug 3, 2023 at 23:27
  • thanks, will test it tomorrow (hopefully) Commented Aug 3, 2023 at 23:46
  • Can't yet test as the files are gone as of this morning - likely Palo Alto support cleaning them up. Not yet sure how to reproduce this (the files were not just "hidden" or "system" - they appeared to be links pointing to actual hidden files in a different (hidden, as well) directory, and I haven't gotten to trying to reproduce this scenario.) Commented Aug 4, 2023 at 19:29
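An added example, written here and not taken from either answer above, that puts both suggestions to work for the triage the asker describes: it enumerates a directory with -Force (no attribute filter, so nothing is excluded), records each entry's attributes and, for reparse points, the link type and target, and then diffs the names against the output of cmd /c dir /a /b (the cross-check mklement0 suggested in the comments) so that anything one tool reports and the other does not is listed explicitly. The path default, the function names and the output column names are assumptions of this example.

```powershell
# Added example, not code from the question or the answers.
# Enumerates a directory the way "dir /a" does, records attributes and link
# targets, and diffs the result against cmd.exe's own listing.
param(
    # Assumed default: the directory from the question.
    [string]$Path = 'C:\Users\Public\Downloads'
)

function Get-AllEntries {
    param([string]$Path)
    # -Force includes Hidden and System entries. -Attributes is deliberately NOT
    # used here: -Attributes Hidden (or -Hidden) returns ONLY hidden items,
    # whereas dir /a returns every entry regardless of attributes.
    Get-ChildItem -LiteralPath $Path -Force -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.Name
                Length        = if ($_.PSIsContainer) { $null } else { $_.Length }
                LastWriteTime = $_.LastWriteTime
                Attributes    = $_.Attributes
                # Reparse points are how symlinks/junctions show up; the asker
                # suspected the entries were links to files elsewhere.
                IsReparse     = [bool]($_.Attributes -band [IO.FileAttributes]::ReparsePoint)
                LinkType      = $_.LinkType
                Target        = if ($_.LinkType) { ($_.Target -join ';') } else { $null }
            }
        }
}

function Get-HiddenOrSystemEntries {
    param([string]$Path)
    # The flag-expression form from the first answer: a comma between attribute
    # names means OR, so this returns entries with at least one of these set.
    Get-ChildItem -LiteralPath $Path -Force -Attributes Hidden,System,ReparsePoint
}

function Compare-WithCmdDir {
    param([string]$Path)
    # cmd.exe is the reference the question used. /a = all attributes,
    # /b = bare names (this also drops the "." and ".." pseudo-entries).
    $cmdNames = cmd /c dir /a /b $Path | Where-Object { $_ }
    $psNames  = (Get-ChildItem -LiteralPath $Path -Force).Name
    Compare-Object -ReferenceObject @($cmdNames) -DifferenceObject @($psNames) |
        ForEach-Object {
            [pscustomobject]@{
                Name       = $_.InputObject
                SeenOnlyBy = if ($_.SideIndicator -eq '<=') { 'cmd dir /a' } else { 'Get-ChildItem -Force' }
            }
        }
}

Write-Host "All entries in $Path (including hidden/system):"
Get-AllEntries -Path $Path | Format-Table -AutoSize

Write-Host "Entries carrying Hidden, System or ReparsePoint:"
Get-HiddenOrSystemEntries -Path $Path | Select-Object Name, Attributes | Format-Table -AutoSize

Write-Host "Names reported by only one of the two tools (empty means they agree):"
Compare-WithCmdDir -Path $Path | Format-Table -AutoSize
```

Run it from an elevated session when checking other users' profiles so access-denied errors do not mask missing entries. The comparison step is the useful part for the situation in the question: if cmd.exe lists names that Get-ChildItem -Force does not, the discrepancy itself is the finding to record, and the LinkType and Target columns tell you whether the visible entries are real files or reparse points pointing somewhere else on the volume.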
