# Specifying File Paths¶

Providing file names to flows is a core part of GRR, and many flows have been consolidated into the File Finder flow, which uses a glob+interpolation syntax.

## File Path Examples¶

%%users.homedir%%\Downloads\*.{exe,dll}


All .evtx files found up to three directories under “C:\Windows\System32\winevt”:

%%environ_systemroot%%\System32\winevt\**.evtx


“findme.txt” files in user homedirs, up to 10 directories deep:

%%users.homedir%%/**10/findme.txt


## File Paths: backslash or forward slash?¶

Either forward “/home/me” or backslash “C:\Users\me” path specifications are allowed for any target OS. They will be converted to a common format internally. We recommend using whatever is normal for the target OS: (backslash for Windows, fwdslash for OS X and Linux).

## File Path Interpolation¶

GRR supports path interpolation from values in the artifact Knowledge Base. Interpolated values are enclosed with %%, and may expand to multiple elements. e.g.

%%users.homedir%%


Might expand to the following paths on Windows:

C:\Users\alice
C:\Users\bob
C:\Users\eve


and on OS X:

/Users/alice
/Users/bob
/Users/eve


and on Linux:

/home/alice
/usr/local/home/bob
/home/local/eve


A full list of possible interpolation values can be found by typing %% in the gui. The canonical reference is the proto/knowledge_base.proto file, which also contains docstrings for each type.

## Path Globbing¶

Curly braces work similarly to bash, e.g:

{one,two}.{txt,doc}


Will match:

one.txt
two.txt
one.doc
two.doc


Recursive searching of a directory is performed with **. The default search depth is 3 directories. So:

/root/**.doc


Will match:

/root/blah.doc
/root/1/something.doc
/root/1/2/other.doc
/root/1/2/3/another.doc


More depth can be specified by adding a number to the **, e.g. this performs the same search 10 levels deep:

/root/**10.doc

IMPORTANT Note that the FileFinder transfers all data to the server and does the matching server side. This might lead to terrible performance when used with deep recursive directory searches. For a faster alternative that has the drawback of leaking the path you are searching for to the potentially compromised client, use the ClientFileFinder flow which does the matching right on the client.