⚠️ Security Warning

ClickFix lures can lead to malware and computer viruses. If you see text like this online, it's likely a scam.


forfiles.exe

forfiles.exe enumerates files and can invoke commands via /c. It’s a classic LOLBIN that can be used to run arbitrary commands without launching a visible shell.

windows cli CLI File Explorer

The helper asks you to “scan and repair” with a one-liner.

  1. Press Win-R

  2. Type: forfiles /p C:\ /m *.log /c "cmd /c echo @path"

  3. Press Enter

Mitigations:

  • Block or audit forfiles usage via AppLocker/WDAC


Contributor: ClickGrab (2025-09-16)

Demonstrates forfiles /c invoking a command for each match. Use benign commands in testing.

  1. Press Win-R

  2. Type: forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c ""@path"""

  3. Press Enter (opens Notepad from System32)

Mitigations:

  • Alert on forfiles spawning shell interpreters (cmd.exe, powershell.exe)


Contributor: ClickGrab (2025-09-16)

Uses forfiles to invoke Explorer on an SMB UNC path. Helpful for lures that steer users into a network share.

  1. Press Win-R

  2. Type: forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c explorer \\server\share"

  3. Press Enter


Contributor: ClickGrab (2025-09-16)

Opens Explorer to a WebDAV path. Requires the Windows WebClient service.

  1. Ensure 'WebClient' service is running (WebDAV client)

  2. Press Win-R

  3. Type: forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c explorer \\server@SSL\DavWWWRoot\site\folder"

  4. Press Enter


Contributor: ClickGrab (2025-09-16)
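
The following is an added example, not part of the original page or the ClickGrab project: one way to implement the "alert on forfiles spawning shell interpreters" mitigation, extended to flag the UNC and WebDAV targets used in the last two entries. It assumes process-creation events that carry the Sysmon Event ID 1 field names Image, ParentImage and CommandLine; the sample events, the finding names and the explorer.exe-parent heuristic for Run-dialog launches are constructed for illustration.

```python
import ntpath
import re

SHELLS = {"cmd.exe", "powershell.exe"}  # interpreters named in the mitigation
HAS_SLASH_C = re.compile(r"\s/c\s", re.IGNORECASE)
# \\host\... (SMB) or \\host@SSL\... / \\host@8443\... (WebDAV redirector form)
REMOTE_PATH = re.compile(r"\\\\[\w.-]+(?:@ssl)?(?:@\d+)?\\", re.IGNORECASE)

def base(path):
    """Lower-cased file name of a Windows path ('' when the field is missing)."""
    return ntpath.basename(path or "").lower()

def triage(event):
    """Return the list of findings for one process-creation event."""
    image, parent = base(event.get("Image")), base(event.get("ParentImage"))
    cmdline = event.get("CommandLine") or ""
    findings = []
    if image == "forfiles.exe" and HAS_SLASH_C.search(cmdline):
        findings.append("forfiles-runs-command")
        if parent == "explorer.exe":  # assumed heuristic: typed into Win-R
            findings.append("started-from-explorer")
    if parent == "forfiles.exe" and image in SHELLS:
        findings.append("forfiles-spawned-shell")
    # Remote targets only matter once forfiles is involved; plain UNC use is normal.
    if findings and REMOTE_PATH.search(cmdline):
        findings.append("remote-share-target")
    return findings

def scan(events):
    """Return (index, findings) for every event that produced a finding."""
    return [(i, f) for i, e in enumerate(events) if (f := triage(e))]

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c explorer \\server\share"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r"cmd /c explorer \\server@SSL\DavWWWRoot\site\folder"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir \\fileserver\public"},
    {"Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'forfiles /p D:\logs /m *.log /d -30 /c "cmd /c del @path"'},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], findings)
```

The fourth sample shows why the parent process is worth recording: a scripted forfiles cleanup job still matches the base rule, so the explorer.exe parent and remote-target findings are what separate a Run-dialog lure from routine administration.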