How to search the entire hard drive for files modified on a particular date? [duplicate]
I picked up a virus a few hours ago, and have identified one of its files. I know the exact minute that the virus was installed, and would like to search my entire hard drive for files modified in that minute. Is there a utility that can do this? Windows search only searches documents.
I am using Windows 8.
Open File Explorer from the Desktop. Navigate to the root of your hard drive (C:\ probably). Tap/Click in the search field and type as follows: System.DateModified:YYYY-MM-DDThh:mm:ss where the date and time are the ones you know the virus appeared and are described in ISO-8601, shown here: http://www.w3.org/TR/NOTE-datetime.
The Windows search terms are called the "Advanced Query Syntax" and contains a number of useful terms, most of which are not exposed to end users through the Windows search UI. This is one example, explained in this MSDN document: http://msdn.microsoft.com/en-us/library/bb266512%28VS.85%29.aspx under section "DateTime properties in Windows 8".
Note that you may have to expand the index to search the entire drive and also that the index will not search certain places (C:\Windows\CSC\ for one example).
There is a bunch of ways of doing this. You could try a program like
http://www.mythicsoft.com/page.aspx?type=filelocatorlite&page=home
I don't use 8 or even 7. BUT I would use CMD. There is a couple ways to do it but the simplest way would be do DIR the entire drive with subfolders filtered for created time then search for a string that matches the date and time format. To Paste into a CMD window just right click and choose paste. (again never used win8)
Its not that complicated the code below would search the C: drive for a file created "01/19/2013 06:38 PM" the Output would be C:\FoundFiles.TXT.
@dir c:\*.* /s /t:c | findstr "01/19/2013 06:38 PM">c:\FoundFiles.TXT
The code below will search for hidden files and output to c:\FoundHiddenFiles.TXT
@dir c:\*.* /s /a:h /t:c | findstr "01/19/2013 06:38 PM">c:\FoundHiddenFiles.TXT
use /t:a for files "last accessed" and /t:w for files last written
To open CMD in windows 8 just search apps for CMD. You may have to adjust the string to match your DIR output put in window 8. Also I have no idea if windows 8 gives you access to the C:. Each search should only take a minute it will only give you the file names not the location and each time you run it it will wipe out the old search result. the "." should be optional just put them in just in case.
hope that helps someone.
ONE last thing. You could just dir the whole darn drive output it to a Text file then search with word or notepad or what ever they give you with windows 8. The codes below will output your entire content of you hard drives sorted for when the files were created.
dir c:\*.* /s /o:d /t:c >C:\AllFiles.TXT
And if you want to search for all Hidden files use
dir c:\*.* /s /o:d /t:c /a:h >C:\AllHiddenFiles.TXT
I came here in search with the same problem.
in Windows 8.1, the date in ISO 8601 format (YYYY-MM-DDThh:mm:ss) didn't work for me if I added Thh:mm:ss to the date. Date without time was ok. '2014-1-15'
But this did work with time: 15-Jan-14 16:24 You might need to use your regional format e.g. 01/15/14 4:24pm or universal: 2014-1-15 16:24
Instead of searching for the modification time, I would suggest you to look for files CREATED on that date and time. As files has created/modified/accessed dates:
System.DateCreated:15-Jan-14 16:24
It's also working without "System." for me: DateCreated:15-Jan-14 16:24
Also, in our case, it's good idea to make your search broader, like 10 minutes period:
DateCreated:15-Jan-14 16:24..15-Jan-14 16:34
or with date in language independent format:
DateCreated:2014-1-15 16:24..2014-1-15 16:34
you are entering this string in the File Explorer window in root directory on your main drive (c:) to a Search This PC combo box right of the address text box.
Also you need to include System Files in search because I think AppData folder is outside indexed space and will not be searched otherwise. And that's where viruses like to reside. To do this click on Search in Menu, then Advanced Options and System Files ON
In the result pane, you'll see MODIFICATION dates, some out of range you specified. If you will look at the property of each file, you'll see creation date is in specified range. They have been modified after they were created
(I made a picture but can't post it)
There is a DOS command called forfiles that you could use
forfiles /P C:\ /S /D -1 /M *.*
you can use also more advanced syntax like calling a program (or calling a DOS command with cmd /c ...)
forfiles /P C:\ /S /D -1 /M *.* /C "cmd /c echo @fname @fdate"
see forfiles /? for syntax and parameters like @fname, @fdate etc.
to open command prompt go to Start menu / Search... and type in CMD and press ENTER key to open the DOS window
(P.S. I can't make it to work on my system - seems to return all files, not only those changed one day before, as I specify with /D -1 - probably cause it has bug with Greek dates being DD/MM/YYYY and not MM/DD/YYYY)
CORRECTION: there seems to be a misunderstanding (by me and others too judging from a search on the net) about what /D -dd does, seems it doesn't search for files being dd days old, but being older than dd days
so you need to use the /D +dd/MM/yyyy syntax of FORFILES and pass in yesterday's date there to find all files with date greater than yesterday. To automate this you could use %date% and parse it with %date:~7,2%/%date:~4,2%/%date:~-4% or something like that (may need to reorder the date parts there depending on your locale)