MDIR

PURPOSE OPERATION OPTIONS COMMAND LINES RELATED PROGRAMS

Author: Dan Mares, dmares @ maresware . com
Portions Copyright © 1998-2023 by Dan Mares
Phone: 678-427-3275
Last Update: 2023-06-04
MD5: 7CDA6E68BD93FBB43832D230C461C757

THIS IS A COMMAND LINE PROGRAM

One liner: Alternative to dir command. More verbose.

Sample Maresware Batches an executable with data that demonstrates various Maresware software. Download and run the appropriate _02A_xx batch for mdir demo.

top

PURPOSE

MDIR is a more useful directory listing program than DIR.

MDIR is designed to give the user the look and feel of the DIR program but with enhanced functionality for forensic work.

MDIR is designed to provide by default more information than DIR. It is designed to allow the user some flexibility in “programming” its operation and output display.

The current version can also indicate the presence of NTFS Alternate Data Streams (ADS) Which could be a significant issue when dealing with hidden data. ADSs can be researched on the web in many locations, including Microsofts home page.

When using the 16 bit version of MDIR under a DOS boot (even with WIN9X DOS boot) and you are accessing a drive greater than 8 gig, the free space amount is not properly calculated, and in most cases will not be displayed on the screen.

top

OPERATION

The program is designed to be used instead of the standard DOS DIR command.

It operates similar to the DIR command except it gives more information.

Default command line is identicle to DIR except its options take a UNIX style using the minus (-) instead of slash.

C:>mdir   c:\work\*.c    -P
C:>mdir   *.c

Some advantages over the DIR command is: (the DIR options are shown in paranthesis)

It shows all files by default. No need to use specific options to include hidden or other special files. (/AHR)
It sorts the output by default. Options are avaialable to resort on any field. (/OGN)
It pauses every screen by default. (/P)
Can show all 3 file times (/T)
With appropriate options the user can also obtain information from more than one directory at a time. Although it does not recurse. (Use HASH or CRCKIT for that). It can pick specific files from multiple directories.
Its command line structure is identical to DIR except that when asking for options you use the standard “C” option calls with a minus (-), not the slash ‘/’ as in DOS.

The default directory listing provides the following information for all files in the directory (hidden files are included by default): Here is a sample directory listing.

  Filesystem if NTFS
  Volume NTFS_4G
  Volume Serial No. 68B6-61DC
  Directory of C:\WORK

.                       <DIR>  12/01/1998 11:36w EST ....DE 
..                      <DIR>  12/01/1998 11:36w EST ....D. 
600MEG                  <DIR>  11/13/1998 17:12w EST ....D. 
C2_PROJS                <DIR>  11/13/1998 17:11w EST A...D. 
CLASS                   <DIR>  11/13/1998 17:11w EST A...D. 
COMMON_C                <DIR>  08/15/1998 09:51w EST ....D. 
AT_GO.BAT                 452  06/03/1997 12:44w EST A....E 
AT_SETUP.ASC              811  06/02/1997 13:53w EST A....E 
AT_SETUP.BAT              578  12/13/1994 07:45w EST AH.… 
boot.ini                  305  05/12/1997 12:52w EST A.R.. 
CONTROL                    27  10/10/1997 10:10w EST A..S. 
CRD_FILE.C             17,800  12/31/1996 08:13w EST A.... 
DATER.C                10,706  01/28/1997 06:21w EST A.... 
wide.c:part1.txt:          31  ALTERNATE  DATA   EST ADATA. 
wide.c:part2.txt:          76  ALTERNATE  DATA   EST ADATA.

or, with the --MILLI option
chrome_image.jpg 103,230 07/23/2020 07:47:832w EST A..... CRD_FILE.C 17,800 12/31/1996 08:13:123w EST A.... DATER.C 10,706 01/28/1997 06:21:000w EST A.... wide.c 31 01/28/1997 06:21:456w EST ADATA. wide.c:part1.txt: 31 01/28/1997 06:21:456w EST ADATA. wide.c:part2.txt: 76 01/28/1997 06:21:456w EST ADATA.
or, with the --GMT --milli option (notice 4 hour GMT difference from the chrome_image.jpg above)
chrome_image.jpg 103,230 07/23/2020 11:47:46:832w GMT A..... chrome_image.jpg:Zone.Identifier 26 07/23/2020 11:47:46:832w GMT .adata opera_image.jpg 103,230 07/23/2020 11:48:16:932w GMT A..... opera_image.jpg:Zone.Identifier 26 07/23/2020 11:48:16:932w GMT .adata

The items contained in the listing are:

1:  Filename, up to 35 characters under WIN9x and NTFS, (notice directories are indented 1 space)
2:  Filesize
3:  Date
4:  Time, timetype [acw], and the timezone or GMT shows up.)
5:  Attributes (Archive, Hidden, Readonly, System, Directory, Encrypted NTFS)

Also shown, not depicted in the sample are:

6:  Total bytes taken up by the listed files
7:  Total no. of files listed
8:  Total bytes remaining on disk
9:  Total no. of directories listed

NOTE: Be aware that if using the command line DIR command and the time offset (ie: DST, EST, -4, or -5) is not the same as it was when the file was created: (ie: current month: june, month of creation january), the Daylight savings time offset would be one hour different now than it was then (january). The DOS - DIR command DOES NOT take into consiferation this 1 hour difference. So a DIR time display in january of say 08:50 is actually 07:50 if you are using Eastern Time Zone. The one hour difference would be seen if you checked the time using explorer which would show the 07:50 time. The current version of MDIR does the proper correction of time offset if the file time being shown is in the alternative DST/EDT etc. time.

When using combinations of the options for size, file time and file spec (*.bat etc.) the user can effectively program MDIR to provide only those files meeting very restrictive needs.

Because MDIR does its sorting in memory, there is a limit to how many files it can process in a directory. This limit is 15,000. (If you have more than 15,000 files in a directory, you should consider doing some housekeeping). AND: I've found that WIN10, for some reason slows it down considerably on large folders. You might consider using diskcat -R on large directories.

top

OPTIONS

This program is INI capable. INI keywords in [BOLD]

All options should be preceded by a (-) minus sign. Some can be grouped together, and others where specified MUST be grouped without a space. The options are grouped where approriate.

Some options because they deal with specific 32 bit items like MDS or file times are only active in the 32 bit version running on an appropriate file system.

-p + path(s): If more than one directory is needed to be looked at, then add the paths here as appropriate. (-p c:\windows d:\work) [PATH]=path

-f + filespec: If more than one file type is needed, add them here. (-f *.c *.obj *.dll) [FILES]=filetype

If these options are used, the program builds a matrix of paths and file types. It searches all the requested directories for all the requested file types. Thus giving a total of all the files in all the paths requested. These options are added to any default command line provided. (C:>mdir c:\work\*.c -f *.dll -p d:\windows)

-x + filespec: e(x)clude these file types from listing. (same format as -f option) (-x thesefiles.txt) [EXCLUDE]=filetype

-oO + filename: Output file name. Place the output to a filename. If uppercase ‘O’ then existing output is appended to. [OUTPUT]=filename

-a: append output to filename provided in -o option. Serves same purpose as using an upper case O. (-a) [APPEND]=[ON|OFF]

-s: Do Not list Alternate Data Streams (ADS). (NTFS only). [STREAM]=[ON|OFF]

-g + #: Where the # is replaced by a number indicating, list all files ‘g’reater than # days old. You can use a -gl pair to bracket file ages. [OLDER]=50

-1 + #: Where the # is replaced by a number indicating, list all files ‘l’ess than # days old. You can use a -gl pair to bracket file ages. To get todays files, use (-l 1) [NEWER]=10

-g + # Where the # is replaced by a number indicating: list all files ‘g’reater than # days old. You can use a -gl pair to bracket file ages. [OLDER]=50

-l + # (ell, not one) Where the # is replaced by a number indicating: list all files ‘l’ess than # days old. You can use a -gl pair to bracket file ages. To get todays files, use (-l 1) [NEWER]=10

-g + mm-dd-yyyy[acw]
Process only those files (g)reater (older) than this mm-dd-yyyy date. The date MUST be in the form mm-dd-yyyy. It MUST have two digit month and days (leading 0 if necessary), and it MUST have a 4 digit year. The date calculation is calculated as of midnite on the date given for the -g option of mm-dd-yyyy. For this reason, the day provided is NOT included in the calculation. Ie. if you entered -g 01-01-2006 you would only process dates PRIOR to 1/1/2006. This means all of 2005 and before. See below for the [acw] meanings.

-l + mm-dd-yyyy[acw]: (that's and ell, not a one). Process only those files (l)ess than (newer) than this mm-dd-yyyy date. The date MUST be in the form mm-dd-yyyy. It MUST have two digit month and days (leading 0 if necessary), and it MUST have a 4 digit year. The date calculation is calculated as of midnite on the date given for the -l option of mm-dd-yyyy. For this reason, the day provided IS included in the calculation. Ie. if you entered -l 01-01-2006 you would process all of 2006 to the current date.

Special note for the [acw] modifier part of the option.

If no 'acw' modifier is used, the default time used to check the age is the current write or last modification time.

You can however, alter which time is used in the age calculation. To do this, add any or all of the acw indicators. For instance, if you wanted the date checking to respond to the access date, you would add an 'a'. ie: -l 10-10-2005a would show all files accessed on or after 10-10-2005.

If you added more letters, to the date, ie: -g 10-10-2005cw you would get all files with EITHER an access or a last modified date older than 10-10-2005. The added [acw] times are logically OR'd. So any date meeting the criteria will cause it to be selected for processing.

The use of all three -g 10-10-2005acw allow the program to simultaneously check and evaluate all three dates.

Caution should be exercised in using all three dates, as in most cases, almost every file may fit the criteria.

-L + # Where the # is replaced by a number indicating, list all files less than # bytes in size. (-L 100000) [LESSTHAN]=100000

-G + #: Where the # is replaced by a number indicating, list all files greater than # bytes in size. You can use a -GL pair to bracket file sizes. (-G 10000) (-G 10000 -L 100000) [GREATER]=10000

-P: “DO NOT” pause after every 20 lines. (default is a pause after every screen.) [PAUSE]=ON

-d + “delimeter”: replace “delimeter” with a delimeter (typically a pipe ‘ |’ ) within double quotes with which to delimet fields. If the delimeter is not printable, use its decimal ascii value but don’t place it it quotes. (-d “|”) [DELIMETER]=|

-w + #: Change the default width of the filename from 35 to whatever value you wish. If you have long filenames, this may be necessary to accomodate the entire name. If a filename longer than 35 is used, the output tends to be more than one line long. (-w 50) [WIDTH]=50

-[tT][aAcCwW30]: Show the file time as last ‘a’ccessed, last ‘w’ritten/modified, ‘c’reated, or show all ‘3’. No spaces between the -t and the modifier. ( -tc or -t3 ) Default is the ‘w’rite, which is identicle to what DIR or Explorer displays. Note: The 3 file time capability is only available under 32 bit operating systems using the 32 bit version of the program.

If the time type -t[ACW] is an upper case letter, then the seconds are added to the printout. Otherwise seconds are not included. With the -t3, seconds are ALWAYS included. [TIME]=[A|C|W|3|0], [ALLTIMES]=]ON|OFF]

If the -t option is upper case -T, then the date is displayed in YYYY/MM/DD format for easier sorting.

--MILLI: For Milliseconds. Add the millisecond field to time: 12:45:55:123

-z:
--ZULU:
--GMT:   Display time in ‘Z’ULU GMT format.
               The letters GMT will be at the end of the output line indicating such. Use GMT to get relative references especially when dealing with 2 or more time zones. (-z) [ZULU]=[ON|OFF]
--ZULU=OFF  If .ini ZULU=ON and wish to turn off from command line: --ZULU=OFF

-m Do Not show any file dates or times. This significantly reduces the size of the output record. (-m) [MILITARY]=[ON|OFF]

-A[ehrsmd]: Show only files with the following attributes: e=Encrypted EFS files, h=Hidden files, r=Readonly, s=system, d=directories only, m=modified. The [hrsdm] must be right after the -A withou any spaces. The -A is case sensitive. [HIDDEN|READONLY|SYSTEM|ARCHIVE|DIR_ONLY]=[ON|OFF]

-Y[nsydm]: Sort output on ‘n’ame (default), file ‘s’ize, file ‘y’ear, file ‘m’onth, file ‘d’ay. If month sort is chosen day is secondary sort by default. Only one sort field can be specified with certainty. Some combinations are possible, but not guaranteed. If the nysdm is upper case, then the order is reversed. [SORT]=[n|s|m|d|y[-]]

top

COMMAND LINES

mdir -?
/* gets the help file */

mdir
/*show all files in current directory, default */

mdir filespec.ext filespec.ext etc.
/*show files matching filespec name, wildcards allowed, notice more than 1 filetype at a time can be used */

The following options can be used with or without a filespec.ext and can be grouped together or not. But must follow filespec.ext if one is present

mdir -Ah
/* show only hidden files */

mdir -w 50
/* make filename 50 characters wide */

mdir -ta -z
/*show last access time using GMT time. Only on 32 bit versions */

mdir *.* -x *.exe
/* show all files e(X)cept *.exe )

top

RELATED PROGRAMS

DISKCAT
HASH
MD5
CRCKIT

top