This topic describes how to search for subfolders in paths.
To find any instance where a file exists in a folder or any subfolders, the following search finds all filemods under C:\Temp:
filemod_name:C\:\\Temp\\*
To find files that appear in a specific folder (but only that folder and none of its subfolders), you must use regex.
In the following expression, exclude slashes from the end of the query to make sure that you are not searching in subfolders.
| Works | filemod_name:/c\:\/users\/[^\/]+\/appdata\/local\/[^\/]+/ |
| Does not Work | filemod_name:C\:\\Users\\*\\AppData\\Local\\* AND NOT filemod_name:C\:\\Users\\*\\AppData\\Local\\*\\* |
Regex searches of such tokens are all normalized to lowercase characters only, and all backslashes (\) are converted to forward slashes (/). Never include backslash or upper case characters in regex. Any use of backslashes in regex are valid for escaping only.
To find all processes launched from C:\Windows but exclude those that were launched from any subfolder under C:\Windows\:
process_name:/c\:\/windows\/[^\/]+/
