expand
Expands compressed CAB archive files. Can extract payloads from CAB containers to disk.
Binary Paths
C:\Windows\System32\expand.exe
Glob Patterns
| Pattern | Notes |
|---|---|
for /f %i in ('where exp?nd.exe') do %i payload.cab -F:* C:\out\
|
Single char wildcard replaces 'a' — uniquely matches expand.exe without hitting expr.exe |
for /f %i in ('where e*nd.exe') do %i payload.cab -F:* C:\out\
|
Star matches 'xpa' — resolves to expand.exe (both System32 and Git paths if present) |
for /f %i in ('dir /b C:\Windows\System32\exp?nd.exe') do %i payload.cab -F:* C:\out\
|
dir /b in System32 with exp?nd.exe — avoids ambiguity with expr.exe or explorer.exe that exp*.exe would match |
forfiles /p C:\Windows\System32 /m exp?nd.exe /c "@file payload.cab -F:* C:\out\"
|
forfiles ? mask finds expand.exe — @file expands to matched filename |
C:\Windows\System32\expand.exe payload.cab -F:* C:\out\
|
Direct invocation — -F:* extracts all files from the CAB |
for %i in (C:\Windows\System32\exp?nd.exe) do @%i payload.cab -F:* C:\out\
|
Native CMD for loop with filesystem glob — exp?nd uniquely matches expand.exe without hitting explorer.exe |
for /f %i in ('where /r C:\Windows\System32 exp?nd.exe') do %i payload.cab -F:* C:\out\
|
Recursive where search — ? wildcard avoids matching explorer.exe or other exp*.exe files |
Pattern Tester
$
Try typing expand or a full path like C:\Windows\System32\expand.exe
YARA Rule
Auto-generated detection rule for expand
Platform Notes
expand.exe is a built-in Windows utility for extracting CAB files. The -F:* flag extracts all files. It is less monitored than certutil for file staging. In batch scripts use %%i instead of %i.