The search for files – Part 3

This is the third part of this series, and it is dedicated to the two functions that handle file signatures. They are almost identical, but I decided not to modularize them further, as they are called for different purposes. You could argue that the duplicated code should be broken down even further.

I want to start by saying that these functions are by no means “The Definitive File Signature” functions. I’ve also decided to limit the file signature check to one signature, just to show the method rather than trying to solve every scenario I could think of.

It’s also worth mentioning that the “world” of file signatures is not that consistent.
Or maybe I should really say that there are sometimes many variants of the same type of file.
A prime example is plain text files.

If you save a .txt file from notepad in the default ANSI format you will get one signature.
If you save the file in the UTF-8 format you will get another signature.
So be aware that unless a file type always gets the same signature, the results may not be what you expect.

I would recommend looking at the following sites if you want to review the file types you’re looking for.


Test-FileSignature is the helper function that returns true or false depending on whether the file at the supplied path matches the signature. Again we are using QuickIO.Net to get the file signature because we can’t rely on Get-Content, due to the 260 character limitation.
The function needs the path to the file and the signature to check against.
The signature needs to be in hexadecimal if you are using this function by itself.
The reason is that all the sites that list file signatures present them in hex.


This function was really added so that it would be possible to use an existing file as a file signature example, rather than having to look the extension up on one of the sites above.

The main difference from an option perspective is that you can choose a signature length.
By default it will check the first 4 bytes of a file, but if the files you’re looking for have a longer or shorter signature, you can change the number of bytes to collect from the file.

Get-FileSignature -FilePath C:\tmp\textfile.txt -SignatureLength 3

In the above example we collect the signature using the first 3 bytes rather than the default 4.
This is actually a little tip and an example of the signature variants of text files.
If you’re searching for UTF-8 encoded text files, they all seem to share the first 3 bytes.
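
The header read and comparison described above, as an added example that is not the module's code: System.IO.File stands in for QuickIO.Net (so it does not work around the long-path limitation), and the function names Get-HeaderHex and Test-HeaderHex and the temp files are hypothetical. It shows why text files give varying results: a file saved with a UTF-8 byte order mark always starts with the same three bytes, while a file without one simply starts with its own content.

```powershell
# Added example, not the module's code: System.IO.File stands in for QuickIO.Net.
function Get-HeaderHex {                       # hypothetical name
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Length = 4                       # same default as the post: 4 bytes
    )
    $full   = (Resolve-Path -LiteralPath $Path).ProviderPath
    $buffer = New-Object byte[] $Length
    $stream = [System.IO.File]::OpenRead($full)
    try     { $read = $stream.Read($buffer, 0, $Length) }
    finally { $stream.Dispose() }
    if ($read -eq 0) { return '' }             # empty file: nothing to compare
    # A file shorter than $Length gives a shorter string, so it cannot match
    return ([System.BitConverter]::ToString($buffer, 0, $read) -replace '-', '')
}

function Test-HeaderHex {                      # hypothetical name
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Signature
    )
    # Accept "25 50 44 46", "25-50-44-46" and "25504446" alike
    $expected = ($Signature -replace '[\s-]', '').ToUpperInvariant()
    if ($expected -notmatch '^([0-9A-F]{2})+$') {
        throw "Signature must be whole bytes in hex: '$Signature'"
    }
    $actual = Get-HeaderHex -Path $Path -Length ($expected.Length / 2)
    return ($actual -eq $expected)
}

# Constructed sample files: the same text saved without and with a byte order mark
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'sigdemo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$plain = Join-Path $dir 'plain.txt'
$bom   = Join-Path $dir 'utf8bom.txt'
[System.IO.File]::WriteAllText($plain, 'hello', [System.Text.Encoding]::ASCII)
[System.IO.File]::WriteAllText($bom, 'hello', (New-Object System.Text.UTF8Encoding $true))

Get-HeaderHex -Path $plain -Length 3           # first bytes of the text itself
Get-HeaderHex -Path $bom -Length 3             # the UTF-8 byte order mark
Test-HeaderHex -Path $bom -Signature 'EF BB BF'
Test-HeaderHex -Path $plain -Signature 'EF BB BF'
```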

I’ll stop here with the explanations and leave it up to you to try out.


Due to a bit of confusion in the first post about downloading QuickIO.Net, here are the methods I’ve used to download the library:

  • From within Visual Studio using the NuGet package manager.
  • By downloading the NuGet command line tool and using that to download the library.


Installation instructions are probably the wrong term, as it’s a PowerShell module and manifest.
While using the module I’ve used the standard PowerShell path, with the QuickIO library in a subfolder:

Module/Manifest: C:\Program Files\WindowsPowershell\Modules\GetFilteredFileList
QuickIO DLL:     C:\Program Files\WindowsPowershell\Modules\GetFilteredFileList\QuickIO

If, for example, you put the DLL somewhere else, use the QuickIOPath parameter.

The code/functions in this post and on this site are supplied AS IS, without any warranties or support. I assume no responsibility or liability for the use of the code/functions.

GetFilteredFileList Module and Manifest
QuickIO.Net Home Page

The search for files – Part 2

Going through the code itself would be quite a lot to cover.
So I’ve decided to provide some explanations and thoughts around the usage rather than the code. However, if there are questions or suggestions on the code, please feel free to leave a comment. Again, the link to the code can be found in part 3.


As I mentioned at the end of Part 1, Get-FilteredFileList is the function that you will start with. From a modularization point of view this is the main function that then calls the other functions as needed.

If you check with Get-Help on this function you’ll notice that there is a default path for the QuickIO.Net library. You can use the QuickIOPath parameter to use a different path, otherwise the functions will assume the default path.

Let’s start with a simple example.

Get-FilteredFileList -FilePath 'c:\temp' -RandomExtension 6 -Recursive

This will search recursively through the path ‘c:\temp’ and look for any file with an extension of 6 characters. The result is essentially what I started with in the original QuickIO.Net post.

Get-FilteredFileList -FilePath 'c:\temp' -SpecificExtension "aaa","ccc" -Recursive

This is much the same type of search, except we know which extensions to search for.
The SpecificExtension parameter accepts a string array of extensions.

Let’s look at a more complex example.

Get-FilteredFileList -FilePath 'c:\temp' -RandomExtension 3 -ExcludeExtension "txt","csv" -FileSignature "25504446"

In this example:

  • We are looking for files with an extension of 3 characters.
  • We exclude any files with an extension of “txt” or “csv”.
  • We check whether each file that matches has the signature “25504446”.

If you want to search for any file with a specific file signature, just skip the Random/SpecificExtension parameters.

Get-FilteredFileList -FilePath 'c:\temp' -ExcludeExtension "txt","csv" -FileSignature "25504446"

I will go into more detail regarding file signatures in the next part.
But basically it’s the first 4 bytes of the file, which most files (not all) use for storing the signature.
25 50 44 46 is the signature in hex of a PDF file.

As you may have noticed, the ExcludeExtension parameter also accepts a string array of extensions that you want to exclude. It’s worth mentioning that if you use the exclude option, those files will not be checked against the signature. E.g. if someone renames a PDF file to TXT, it will be skipped and not found in the list (using the example above of course).
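
An added example (not the module's code) of the blind spot described above: it reads the header of every file before applying the exclude list, so a matching header behind an excluded extension is reported instead of skipped. Get-SignatureAudit, the temp folder and the sample files are constructed for illustration, and Get-ChildItem stands in for the QuickIO.Net enumeration, so it is still subject to the path-length limit.

```powershell
# Added example, not the module's code. Folder and file names are constructed.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'excludedemo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$pdfHeader = [byte[]](0x25, 0x50, 0x44, 0x46, 0x2D, 0x31, 0x2E, 0x34)   # "%PDF-1.4"
[System.IO.File]::WriteAllBytes((Join-Path $dir 'invoice.pdf'), $pdfHeader)
[System.IO.File]::WriteAllBytes((Join-Path $dir 'renamed.txt'), $pdfHeader)  # PDF renamed to TXT
[System.IO.File]::WriteAllText((Join-Path $dir 'notes.txt'), 'plain text')

function Get-SignatureAudit {                  # hypothetical name
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$Signature,      # hex without separators
        [string[]]$ExcludeExtension = @()
    )
    $length = $Signature.Length / 2
    foreach ($file in Get-ChildItem -LiteralPath $Root -File -Recurse) {
        # Read only the header bytes, never the whole file
        $buffer = New-Object byte[] $length
        $stream = $file.OpenRead()
        try     { $read = $stream.Read($buffer, 0, $length) }
        finally { $stream.Dispose() }
        $hex = if ($read) {
            [System.BitConverter]::ToString($buffer, 0, $read) -replace '-', ''
        } else { '' }
        [pscustomobject]@{
            Name           = $file.Name
            SignatureMatch = ($hex -eq $Signature)
            Excluded       = ($ExcludeExtension -contains $file.Extension.TrimStart('.'))
        }
    }
}

$audit = Get-SignatureAudit -Root $dir -Signature '25504446' -ExcludeExtension 'txt', 'csv'

# What an exclude-first search reports: matching header, extension not excluded
$audit | Where-Object { $_.SignatureMatch -and -not $_.Excluded }

# What it never looks at: matching header hidden behind an excluded extension
$audit | Where-Object { $_.SignatureMatch -and $_.Excluded }
```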


This function is a helper function that accepts the initial file list that gets generated by Get-FilteredFileList.
Get-FilteredFileList will call Get-FilesQuickIO to get the files under the supplied path.
Search-FileExtension will process that list and filter it further.
As this is a helper function, you don’t really call it manually; you would use Get-FilteredFileList instead.
You can of course review the code and examples, but I won’t go into them in this post.

The purpose of the function is really to see if the extension matches the selected criteria.
Originally this was part of the Search-FileExtension function.
But I decided to pull that code out to a separate function to modularize the code further.

This concludes the second part of this topic.
In the third part we will look at the last two functions.

See you there.

The search for files – Part 1

This time I will go back to the topic of using the QuickIO.Net library.
You may have read my earlier post but for those who haven’t you can find it here:

Using QuickIO.Net with Powershell

I’ve decided to make this a multipart post, as it would be quite large for one single post.
But let’s begin with a little background.

The original post was really about using QuickIO.Net for generic file searches, but without some limitations of the built-in cmdlets in Windows/PowerShell.
The main one is the limit of 260 characters in the path.
A lot of Windows/PowerShell programs and cmdlets can’t deal with paths of more than 260 characters.

In the original post I mentioned my background for using QuickIO.Net, which was that a client of mine had a crypto locker type event but the paths had more than 260 characters. So I had to come up with another solution to check the file shares for a random 6 character extension.

After that post I mentioned it to people in forums and in Facebook groups with similar events. But the original post didn’t really include any handling of the results except what I had to use, which was the check for files with a 6 character extension.

As a result there were discussions and comments around using it for other/extended scenarios.
In the comments section of the original post you can find an example of how Svein Erik solved his scenario, including automation of restoring files that were found.

To expand on the original post I’ve created some new functions with some ideas around the processing part of the file search result. In the beginning the idea was to base this around the crypto locker type searches.
But I soon came to the conclusion, why limit this to just that particular use case?
The same functions could be used for any type of file search that you want to filter on the extension and/or signature. You can find the link to the PowerShell module and manifest in the third part of this series.

Anyway, the new functions that I’ve added are:

Will create the list of the files that you want, this is the “orchestrator” of generating the result.
Is a helper function to filter the contents during the list generation, based on the used settings.
Is a helper function just to determine if the extension is a match or not.
Will see if the signature of the file is correct depending on the signature you’ve entered in the call to Get-FilteredFileList.
Will give you the signature from an example file that you provide the path to.

I’ll explain in more detail what these functions do in the next couple of posts.
With that I’ll end this post here, as it’s time to start looking at the functions.

See you in the next part.