As part of a quick false pos test, I copied svchost.exe from the system32 folder to the desktop, renamed it to vmchost.exe and copied it back to the system32 folder…
I then, in Q&A, entered:
exists file "C:\windows\System32\svchost.exe"
and the answer came back true.
Soo… I then did exactly the same for vmchost.exe and it came back false.
I also did a files of folder "c:\windows\system32" and svchost.exe was there but vmchost.exe wasn't…
Also I noticed another file called VSSVC.exe and plugged that in, again, it returned False as did w32time.dll
Am I missing something really simple here? I tried upper and lowercase etc… I even used the client relevance builder to make sure I wasn't seeing things.
I wish… Yes it is Win 10 64 bit
I tried
exists file "svchost.exe" of system folder and got true
I then tried exists file "vmchost.exe" of system folder and got false…
To check, I then tried
system folder in Q&A and got back C:\WINDOWS\system32
Thanks… That works but…
(sha1 of it) of (files of descendant folders of folder "C:\Windows") whose (name of it = "vmchost.exe")
would need some tweaking.
Aha… I think I found it… jgStew’s page is of great help.
The Final answer is…
q: (sha1 of it) of (files of descendant folders of folder "C:\Windows"; files of descendant folders of x64 folder "C:\Windows") whose (name of it = "vmchost.exe")