forfiles

Windows CMD execution T1059.003

Execute a command for each file matching a wildcard mask. The /m flag accepts glob patterns, and @file expands to the matched filename — enabling indirect execution of binaries.

Binary Paths

  • C:\Windows\System32\forfiles.exe

Glob Patterns

Pattern / Notes

forfiles /p C:\Windows\System32 /m *.exe /c "cmd /c @file /?"
    * mask matches all .exe files; @file expands to each filename

forfiles /m *.bat /c "cmd /c @file"
    Execute each .bat file in current directory via cmd

for /f %i in ('where for*.exe') do %i /m *.bat /c "cmd /c @file"
    where glob resolves forfiles.exe path; nested * mask in /m for batch files

for /f %i in ('where forf?les.exe') do %i /m *.txt /c "cmd /c @file"
    ? wildcard in where query for forfiles itself

C:\Windows\System32\FORFIL~1.EXE /m *.bat /c "cmd /c @file"
    8.3 SFN: FORFIL~1 auto-generated for forfiles.exe; requires NtfsDisable8dot3NameCreation=0

for %i in (C:\Windows\System32\forf*.exe) do @%i /m *.bat /c "cmd /c @file"
    Native CMD for loop with filesystem glob: resolves forfiles.exe via forf* expansion; /m *.bat then globs within the current directory

for /f %i in ('where /r C:\Windows\System32 forf*.exe') do %i /m *.bat /c "cmd /c @file"
    Recursive where search locates forfiles.exe; nested /m *.bat glob inside forfiles adds a second layer of wildcard resolution

Platform Notes

forfiles is a native CMD utility. Its /m flag accepts standard Windows glob wildcards (*, ?). The special variable @file expands to the matched filename (quoted), @path to the full path, and @ext to the extension. This makes forfiles a unique execution primitive that keeps the binary name out of the command line.
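
For detection, the consequence of the notes above is that matching the literal string forfiles in a logged command line misses the wildcard and 8.3 forms in the pattern list. The sketch below is an added example, not part of the original catalog; the function names, the three-literal-character heuristic and the sample lines are assumptions made here.

```python
import re

TARGET = "forfiles.exe"
SHORT_NAME = "forfil~1.exe"  # 8.3 alias taken from the pattern list on this page
TOKEN_RE = re.compile(r'"[^"]*"|[^\s()\']+')
PAYLOAD_RE = re.compile(r'/c\s+"[^"]*@(?:file|path)', re.I)


def wildcard_matches_target(name):
    """True if a * / ? pattern would match forfiles.exe (approximates CMD globbing)."""
    if not re.search(r"[*?]", name):
        return False
    # Heuristic (assumption): skip bare masks such as *.exe that carry no part of the name.
    stem = name.rsplit(".", 1)[0]
    if len(re.sub(r"[*?]", "", stem)) < 3:
        return False
    pattern = re.escape(name).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(pattern, TARGET) is not None


def classify(cmdline):
    """Return (reference_kind, payload_uses_matched_file) for one command line."""
    kind = None
    for token in TOKEN_RE.findall(cmdline):
        # Reduce each token to a lower-cased basename, dropping quotes and CMD's @ prefix.
        name = token.strip('"').lstrip("@").lower().rsplit("\\", 1)[-1]
        if name in ("forfiles", TARGET):
            kind = "direct"
        elif name == SHORT_NAME:
            kind = "short-name"
        elif wildcard_matches_target(name):
            kind = "glob"
        if kind:
            break
    return kind, bool(kind and PAYLOAD_RE.search(cmdline))


# Constructed sample input: command lines as a process-creation log might record them.
SAMPLES = [
    r'forfiles /m *.bat /c "cmd /c @file"',
    r'''for /f %i in ('where forf?les.exe') do %i /m *.txt /c "cmd /c @file"''',
    r'C:\Windows\System32\FORFIL~1.EXE /m *.bat /c "cmd /c @file"',
    r'dir C:\Windows\System32\*.exe',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), line)
```

The wildcard translation is an approximation of CMD matching, so treat a "glob" result as a lead to correlate with the resolved image path of the child process, not as a verdict.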
