everything.exe (EXECUTABLE) - Everything Search - Fast File Search Utility [2026]
Everything is a fast file search utility by Voidtools. Attackers may use it for rapid file discovery and reconnaissance to locate sensitive data on compromised systems.
Risk Summary
| Factor | Assessment |
|---|---|
| Detection Difficulty | Low |
| Abuse Potential | Medium |
| Prevalence | Common |
| Risk Score | 30/100 |
Everything is a legitimate file search tool that can be abused for rapid reconnaissance and sensitive file discovery.
Overview
What is everything.exe?
Everything is a lightweight, fast file search utility developed by Voidtools. It indexes NTFS volumes and provides instant search results.
Key Characteristics
| Attribute | Value |
|---|---|
| File Name | Everything.exe, Everything64.exe |
| Developer | Voidtools |
| Digital Signature | David Carpenter |
| Typical Size | 1-2 MB |
| Type | File search utility |
Technical Details
| Property | Description |
|---|---|
| Process Type | User Application/Service |
| Indexing | NTFS Master File Table (MFT) |
| Search Speed | Near-instant results |
| Service | Everything Service for background indexing |
Everything provides extremely fast file search by reading the NTFS MFT directly.
Normal Behavior
Legitimate Usage Patterns
- Everything.exe (GUI application)
- Everything64.exe (64-bit version)
- `Everything.exe -search "pattern"` (search from the command line)
- es.exe (command-line interface)
Expected Characteristics
| Aspect | Expected Behavior |
|---|---|
| Parent Process | explorer.exe, services.exe |
| User Context | User or SYSTEM (service) |
| Disk Activity | Initial indexing spike |
| Memory | Depends on indexed files |
Command-Line Options
| Parameter | Purpose |
|---|---|
| -search | Search query |
| -exit | Exit after search |
| -instance | Run separate instance |
| -config | Config file path |
Common Locations
- C:\Program Files\Everything\Everything.exe
- C:\Users\<user>\Downloads\Everything.exe
- C:\Tools\Everything64.exe
Suspicious Indicators
Red Flags
| Indicator | Concern Level | Description |
|---|---|---|
| Searching for credentials | High | Queries for password files |
| Searching for financials | High | Looking for financial docs |
| Remote deployment | Medium | Deployed via remote access |
| Export to file | Medium | Results saved for exfiltration |
Suspicious Search Patterns
```batch
:: Everything search syntax: whitespace = AND, | = OR
:: Credential hunting
es.exe *password* *credential* *secret*
es.exe *.kdb *.kdbx *.key *.pem
:: Financial discovery
es.exe *.xls *.xlsx *financial* *budget*
:: Sensitive document search
es.exe *.doc *.pdf *confidential* *proprietary*
```
Reconnaissance Indicators
| Search Pattern | Concern |
|---|---|
| Password/credential files | Credential theft |
| Database files | Data theft |
| Key/certificate files | Crypto material |
| Configuration files | System access |
Abuse Techniques
Rapid File Discovery
Reconnaissance Scenario:
1. Deploy Everything to compromised system
2. Let it index the filesystem
3. Search for sensitive file patterns
4. Export results list
5. Stage files for exfiltration
Credential Hunting
```batch
:: Find credential files
es.exe "*.kdbx|*.pem|*.key|*.pfx|*password*" > cred_files.txt
:: Find configuration files
es.exe "*.config|*.ini|*.xml|web.config" > configs.txt
:: Find documents
es.exe "*.doc*|*.xls*|*.pdf" path:C:\Users > documents.txt
```
Data Discovery
| File Type | Search Pattern |
|---|---|
| KeePass | *.kdb, *.kdbx |
| SSH Keys | *.pem, *.ppk, id_rsa |
| Certificates | *.pfx, *.p12, *.cer |
| Databases | *.mdb, *.sqlite, *.db |
| Documents | *.doc, *.pdf, *.xls |
HTTP/FTP Server Abuse
Everything includes HTTP/FTP server capabilities:
- Enable HTTP server
- Remote file browsing
- Download files remotely
- Potential data exfiltration path
Detection Guidance
Sysmon Configuration
```xml
<RuleGroup name="Everything Search Monitoring" groupRelation="or">
  <ProcessCreate onmatch="include">
    <Image condition="contains">Everything</Image>
    <!-- Match the image name, not "CommandLine contains es.exe":
         that substring also matches services.exe and similar names. -->
    <Image condition="end with">\es.exe</Image>
  </ProcessCreate>
  <NetworkConnect onmatch="include">
    <Image condition="contains">Everything</Image>
    <DestinationPort condition="is">80</DestinationPort>
  </NetworkConnect>
</RuleGroup>
```
Sigma Rule
```yaml
title: Everything Search Tool Execution
status: experimental
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|contains: 'Everything'
        # '\es.exe' rather than 'es.exe': a bare 'es.exe' suffix also matches services.exe
        - Image|endswith: '\es.exe'
    suspicious_args:
        CommandLine|contains:
            - 'password'
            - 'credential'
            - '.kdb'
            - '.pem'
            - '.key'
    condition: selection and suspicious_args
falsepositives:
    - Legitimate file searching
level: medium
```
KQL Query
```kql
DeviceProcessEvents
| where FileName contains "Everything" or FileName =~ "es.exe"
| where ProcessCommandLine has_any ("password", "credential", "secret", ".kdb", ".pem")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
```
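The Sigma logic above, run over constructed process-creation events in Python, as an added example that is not code from this page or from Voidtools; the `SENSITIVE_TERMS` table, the helper names and the sample events are assumptions for the illustration. It also splits the command line on Everything's own `|` (OR) and whitespace (AND) separators so each hit can be tied back to the page's concern categories.

```python
import re
from typing import Dict, List, Tuple
# Indicator -> concern, from the page's Suspicious Search Patterns,
# Data Discovery and Reconnaissance Indicators tables.
SENSITIVE_TERMS: Dict[str, str] = {
    "password": "credential theft", "credential": "credential theft",
    "secret": "credential theft", ".kdb": "credential theft",
    ".pem": "crypto material", ".ppk": "crypto material", "id_rsa": "crypto material",
    ".key": "crypto material", ".pfx": "crypto material", ".p12": "crypto material",
    ".cer": "crypto material", ".mdb": "data theft", ".sqlite": "data theft",
    ".db": "data theft", ".config": "system access", ".ini": "system access",
}

def is_everything_image(image: str) -> bool:
    """Sigma 'selection'. Matching '\\es.exe', not 'es.exe', keeps services.exe out."""
    low = image.lower()
    return "everything" in low or low.endswith("\\es.exe") or low == "es.exe"

def search_terms(command_line: str) -> List[str]:
    """Everything syntax: whitespace = AND, '|' = OR, so both separate terms.
    Switches (-search, -exit) and a cmd.exe redirect (> file) are not terms."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]
    terms: List[str] = []
    for tok in tokens[1:]:                      # tokens[0] is the executable
        if tok.startswith(">"):
            break                               # output file name follows
        if tok.startswith("-"):
            continue
        terms.extend(t.lower() for t in tok.split("|") if t.strip())
    return terms

def classify(event: Dict[str, str]) -> Tuple[str, List[Tuple[str, str]]]:
    """'ignore' for other processes, 'benign' for an Everything search with no
    sensitive term, 'suspicious' when selection AND suspicious_args both hold."""
    if not is_everything_image(event.get("Image", "")):
        return "ignore", []
    hits: List[Tuple[str, str]] = []
    for term in search_terms(event.get("CommandLine", "")):
        for indicator, concern in SENSITIVE_TERMS.items():
            if indicator in term:
                hits.append((term, concern))
                break
    return ("suspicious" if hits else "benign"), hits
# Constructed sample events in Sysmon / MDE process_creation shape.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\es.exe", "CommandLine": r'es.exe "*.kdbx|*.pem|*password*" > cred_files.txt'},
    {"Image": r"C:\Program Files\Everything\Everything.exe", "CommandLine": 'Everything.exe -search "*.mp3"'},
    {"Image": r"C:\Windows\System32\services.exe", "CommandLine": "services.exe"},
]
```

To use it on real data, feed `Image` and `CommandLine` from Sysmon Event ID 1 or `FileName`/`ProcessCommandLine` from DeviceProcessEvents into `classify`.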
Remediation Steps
Usage Assessment
```powershell
# Find Everything installations
Get-ChildItem -Path C:\ -Recurse -Filter "Everything*.exe" -ErrorAction SilentlyContinue
# Check if Everything service is running
Get-Service | Where-Object { $_.Name -like "*Everything*" }
# Check for Everything HTTP server: listening sockets owned by an Everything process
Get-NetTCPConnection -State Listen | Where-Object {
    $_.OwningProcess -in (Get-Process -Name "Everything*" -ErrorAction SilentlyContinue).Id
}
```
Policy Considerations
| Context | Response |
|---|---|
| Approved tool | Monitor for suspicious searches |
| Unapproved | Consider blocking |
| HTTP server enabled | Security concern |
| Remote deployment | Investigate source |
Enterprise Controls
| Control | Implementation |
|---|---|
| Search Monitoring | Log command-line arguments |
| HTTP Server Block | Disable or block Everything HTTP |
| Application Control | Whitelist if approved |
Investigation Checklist
Deployment Analysis
- How was Everything installed?
- Is it an approved application?
- When was it first executed?
- Who deployed it?
Search Activity
- What search patterns were used?
- Were sensitive file types searched?
- Were results exported?
- Where were results saved?
Network Activity
- Is HTTP/FTP server enabled?
- What ports are being used?
- Are there remote connections?
- Is data being served externally?
Data Access
- What files were accessed after searches?
- Were files copied or staged?
- Is there evidence of exfiltration?
- What sensitive data was found?