Usage in ScreenSharing
Search Everything is a versatile tool used throughout a screenshare for various investigative tasks:
Locating Specific Files: Quickly find files by exact name (e.g., known cheat filenames like vape.exe, kurium.dll) or by partial name using wildcards (e.g., *clicker*.exe, raven?.jar).
Identifying Recent Activity (Sorting & Filtering):
Sort by Date Modified: This is arguably the most crucial function. Sorting the entire filesystem view by "Date Modified" (descending) instantly brings the most recently changed or created files to the top, allowing quick identification of items potentially related to the current session (e.g., downloaded cheats, extracted archives, newly created logs or configs). This is often the default view ScreenSharers use.
Filter by Date: Combine sorting with date filters like dm:today, dm:yesterday, dm:last7days to narrow results to specific timeframes.
Filter by Size: Locate files within size ranges known to be common for certain types of cheats (e.g., size:1mb..20mb).
Filter by Extension: Include or exclude specific file types (e.g., ext:exe, ext:dll, ext:jar, or !ext:log to exclude log files).
Combine Filters: Create powerful queries like dm:today !ext:pf !ext:log size:>1mb path:downloads (find files modified today, excluding prefetch and log files, larger than 1MB, within the Downloads path).
Detecting Hidden or Unusual Files:
Unicode/Obfuscated Names: Use regex searches to find filenames containing non-standard or potentially problematic Unicode characters: regex:[^\x00-\x7F] (finds non-ASCII characters).
Extensionless Files: Search specifically for files lacking any extension, which can sometimes be used to disguise executables launched via methods like WMIC or specific scripts. Use the filter "ext: " (note the trailing space is important), potentially combined with size filters: size:1mb..25mb ext: 
Hidden/System Files: Use attribute filters like attrib:h (hidden), attrib:s (system), or attrib:hs (both).
Content Searching (Use Sparingly):
Search inside files for specific text strings. This is very powerful but significantly slower than filename searching as it requires reading file contents.
Example: content:"cheat_feature_flag" ext:cfg searches configuration files for a specific cheat setting.
Example (Detecting Renamed Exes): dm:today size:1mb..20mb !ext:exe !ext:dll content:"This program cannot be run in DOS mode." searches recent, reasonably sized non-exe/dll files for the standard PE DOS-stub string, potentially revealing executables disguised with fake extensions.
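The renamed-executable, non-ASCII-name and extensionless checks above, reproduced as an added Python script (not part of the original page or of Everything itself) so the same logic can be run over a directory when Everything is unavailable. The sample files it scans are constructed in a temporary directory; the size defaults mirror the page's size:1mb..20mb range, and the demo passes min_size=0 so the tiny constructed files are still examined.

```python
import re
import tempfile
from pathlib import Path

# Text of the standard PE DOS stub, the same string the page's content: query matches.
DOS_STUB = b"This program cannot be run in DOS mode."
# Same character class as the page's regex:[^\x00-\x7F] filename search.
NON_ASCII = re.compile(r"[^\x00-\x7F]")
EXEC_EXTS = {".exe", ".dll"}


def classify(path: Path, min_size=1024 * 1024, max_size=20 * 1024 * 1024):
    """Return the findings for one file, mirroring the page's queries:
    - 'non_ascii_name': filename contains characters outside ASCII
    - 'no_extension':   file has no extension at all
    - 'disguised_pe':   DOS stub present but extension is not .exe/.dll
    """
    findings = []
    if NON_ASCII.search(path.name):
        findings.append("non_ascii_name")
    if path.suffix == "":
        findings.append("no_extension")
    size = path.stat().st_size
    if min_size <= size <= max_size and path.suffix.lower() not in EXEC_EXTS:
        with path.open("rb") as fh:
            head = fh.read(4096)  # the stub sits within the first few hundred bytes
        if DOS_STUB in head:
            findings.append("disguised_pe")
    return findings


def scan(root: Path, **limits):
    """Map each file name under root to its findings (empty list = nothing flagged)."""
    return {p.name: classify(p, **limits) for p in sorted(root.rglob("*")) if p.is_file()}


def build_sample_dir():
    """Constructed sample files for the demo (assumption: not taken from any real system)."""
    d = Path(tempfile.mkdtemp(prefix="everything_demo_"))
    fake_pe = b"MZ" + b"\x90" * 60 + DOS_STUB + b"\r\n$" + b"\x00" * 100
    (d / "clicker.jpg").write_bytes(fake_pe)          # PE disguised as an image
    (d / "tool.exe").write_bytes(fake_pe)             # ordinary exe, not flagged
    (d / "notes.txt").write_bytes(b"just text")       # harmless text file
    (d / "loader").write_bytes(fake_pe)               # extensionless PE
    (d / "r\u0430ven.jar").write_bytes(b"PK\x03\x04")  # Cyrillic 'a' in the name
    return d


if __name__ == "__main__":
    for name, hits in scan(build_sample_dir(), min_size=0).items():
        print(f"{name:12s} {hits or '-'}")
```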
File Previews: Pressing ALT+P toggles a preview pane, allowing quick inspection of the contents of common file types (text, images, sometimes PDFs) without opening them in their default application, saving time and reducing the risk of accidentally executing something.
Live File System Monitoring: Because Search Everything monitors the USN Journal in real time (if the service is running), it effectively acts as a live feed of file system changes (creations, deletions, renames) occurring while it is running. This can sometimes catch a user attempting to delete files mid-screenshare.
Mastery of Search Everything's filtering and sorting capabilities significantly speeds up file location and anomaly detection during screenshares.