I found what used to be a 0-day Java exploit on a system and it gave me the idea of looking through the Java .idx files in each user's profile for suspicious URLs that might point to active 0-day threats.

I started with this:

```bat
for /d %%A in ("C:\Documents and Settings\*") do (
findstr /S "http://" "%%A\Application Data\Sun\Java\Deployment\cache\6.0\*" >> C:\temp\javaurls.txt)
```

This produces a file full of the URLs, but they're quite mixed up with lots of control info and other uninteresting stuff. What I'd like to do is have a newline created for every lowercase instance of "http://" that is found. Does anyone have an idea of how I can do this using command lines in a batch file?

AndyG
  • I would install Perl or Grep and then use it. Unless you enjoy pain. – dan1111 Dec 18 '12 at 14:12
  • @AndyG If you don't want to install Perl, you can use [Sed](http://www.grymoire.com/Unix/Sed.html) instead. It's a great command-line tool for regexp-based search/replace operations. [Here](http://gnuwin32.sourceforge.net/packages/sed.htm) you can download a free version for Windows, and just use dan1111's regexp string. The result will be the same. – Eitan T Dec 18 '12 at 17:11

2 Answers

I know that "Just use some other tool!" answers can be annoying. However, Windows batch files/command line utilities are so bad that I think it is worth looking into other options if you have to do this kind of stuff a lot. Unless you enjoy figuring out undocumented, non-standard, broken regular expressions and needing hacky solutions for even the most basic functionality, that is.

Some options:

  • Perl
  • Grep for Windows (a much better equivalent to findstr)
  • Cygwin (an entire Linux-like shell environment for Windows; includes grep).

Here is a single line of Perl that you could add to your batch file to add a newline before each http://:

```bat
perl -pi.bak -e "s|(http://)|\n$1|g" C:\temp\javaurls.txt
```

However, if I were starting from scratch I would do the whole thing in Perl rather than using a batch file.

dan1111

I generally agree with the sentiment expressed by others - batch is lousy at processing text. Using another language or tool is a good idea for your task.

But it can be done with batch :-)

Simply inserting a linefeed before each html:// is not so hard

```bat
@echo off
setlocal disableDelayedExpansion
:: The first FOR loop loads a quoted linefeed into %%L
:: The blank line within the IN() clause is critical. Do not remove.
for %%L in (^"^

^") do (
  for /d %%A in ("C:\Documents and Settings\*") do (
    for /f "eol=: delims=" %%B in (
      'findstr /S "http://" "%%A\Application Data\Sun\Java\Deployment\cache\6.0\*"'
    ) do (
      set "line=%%B"
      setlocal enableDelayedExpansion
      echo(!line:http://=%%~Lhttp://!
      endlocal
    )
  )
) >c:\temp\javaurls.txt
```

But preserving only resulting lines that begin with http:// and also preserving the name of each file before the address becomes a real pain.

```bat
@echo off
setlocal disableDelayedExpansion
:: The first FOR loop loads a quoted linefeed into %%L
:: The blank line within the IN() clause is critical. Do not remove.
for %%L in (^"^

^") do (
  for /d %%A in ("C:\Documents and Settings\*") do (
    for /f "tokens=1* delims=:" %%B in (
      'findstr /S "http://" "%%A\Application Data\Sun\Java\Deployment\cache\6.0\*"'
    ) do (
      set "line=%%C"
      setlocal enableDelayedExpansion
      set "line=!line:http://=%%~Lhttp://!"
      for /f "delims=" %%D in (
        '"cmd /v:on /c echo(^!line^!|findstr http://"'
      ) do (
        if "!!" equ "" endlocal
        echo %%B: %%D
      )
    )
  )
) >c:\temp\javaurls.txt
exit /b
```
dbenham
  • Thanks everyone. I decided for timeliness' sake to run with: `for /d %%A in ("C:\Documents and Settings\*") do ( findstr /S "http://" "%%A\Application Data\Sun\Java\Deployment\cache\6.0\*" >> C:\temp\javaurls.txt)` followed by `perl -pi.bak -e "s|(http://)|\n$1|g" C:\temp\javaurls.txt`. I guess I need to learn how to use perl. dbenham: The cmd line worked for the most part but perl was much neater in its output. – AndyG Dec 18 '12 at 18:41
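
Both answers point toward doing the whole sweep in a scripting language. The following is an added example, not code from either answer, written in Python rather than Perl or batch: it walks each profile's Java cache path from the question, pulls every lowercase `http://` run out of the raw bytes (splitting URLs that sit back to back), and keeps the source file name with each URL. The function names, the URL character set and the sample `.idx` bytes are assumptions made for illustration; it does not parse the `.idx` format itself.

```python
import re
import tempfile
from pathlib import Path

# Cache location relative to each profile directory, as given in the question.
CACHE_REL = Path("Application Data/Sun/Java/Deployment/cache/6.0")
# One URL: "http://" then URL-legal ASCII, stopping before the next "http://"
# so that two URLs stored back to back come out as two separate hits.
URL_RE = re.compile(rb"http://(?:(?!http://)[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-])+")

def extract_urls(data: bytes) -> list[str]:
    """Return each distinct http:// URL found in a raw byte buffer, in order."""
    seen, out = set(), []
    for match in URL_RE.finditer(data):
        url = match.group().decode("ascii")
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out

def scan_profiles(profiles_root: Path) -> list[tuple[str, str]]:
    """Walk <root>/<user>/<CACHE_REL> recursively and return (file, url) pairs."""
    hits = []
    for profile in sorted(p for p in profiles_root.iterdir() if p.is_dir()):
        cache = profile / CACHE_REL
        if not cache.is_dir():
            continue  # this user never ran the Java plug-in
        for path in sorted(cache.rglob("*")):
            if not path.is_file():
                continue
            try:
                data = path.read_bytes()
            except OSError:
                continue  # locked or unreadable file: skip it, keep scanning
            hits.extend((str(path), url) for url in extract_urls(data))
    return hits

def demo() -> list[tuple[str, str]]:
    """Scan a constructed profile tree holding one made-up .idx file."""
    with tempfile.TemporaryDirectory() as tmp:
        cache_dir = Path(tmp) / "alice" / CACHE_REL / "12"
        cache_dir.mkdir(parents=True)
        (cache_dir / "abc-1.idx").write_bytes(  # constructed sample bytes
            b"\x00\x00\x02\x5b\x00\x1ahttp://example.test/a.jar\x00\x00"
            b"\x01<null>\x00http://example.test/b.jar?x=1\x0d\x0a")
        return [(Path(f).name, u) for f, u in scan_profiles(Path(tmp))]

if __name__ == "__main__":
    for name, url in demo():
        print(f"{name}: {url}")
```

To run it against a live system, call `scan_profiles(Path(r"C:\Documents and Settings"))` and write the pairs to the report file.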