How does %restore%, %cache%, %temp%, %appdata% and ?: translate into real folder names?

  • 23 March 2016
  1 reply

When we are troubleshooting or just being curious, we sometimes want to know where an infected file is/was located.
In the alerts from Webroot, the locations are often described using "percentage-sign named folders", such as
%restore%, %cache%, %temp%, %appdata% and ?: 
In most cases, it's straightforward to translate these names into real folder names (some are even known system variables in Windows), but at other times it's not easy at all to figure out. For example, is %cache% pointing to the 'Temporary Internet Files' folder used by Internet Explorer (or Edge), and/or would the name be any different if the user had been using Firefox or Chrome to download the malicious file? And which drive is the ?: drive?
Is there a complete list of the abbreviated folder names available somewhere?
There isn't, since they can vary from machine to machine, so our database abstracts them out to account for different locations and operating system versions.

If you grab the local log off the machine, that will have the full path in it; unfortunately there is no way to see it directly in the console, though.
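A small triage helper illustrating the point of the reply, added here as an example and not code from Webroot or from either poster: tokens that are real Windows environment variables (%temp%, %appdata%) can be expanded from the endpoint's environment, while Webroot's own abstractions (%restore%, %cache%, the ?: drive) have no fixed meaning and are reported as unresolved so the analyst knows to pull the local log. The environment mapping and alert paths below are constructed sample data, and the set of Webroot-only tokens is assumed from this thread, not from any official list.

```python
import re
from typing import Dict, List, Tuple

# Placeholders seen in Webroot alerts that are not Windows variables (assumption:
# taken from this forum thread; the reply says no complete list exists).
WEBROOT_ABSTRACT = {"restore", "cache"}

TOKEN_RE = re.compile(r"%([A-Za-z0-9_]+)%")   # %name% tokens
DRIVE_RE = re.compile(r"^\?:")                  # unknown drive letter

# Constructed sample environment, as it might look on one Windows endpoint.
SAMPLE_ENV = {
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
}

def expand_alert_path(path: str, env: Dict[str, str]) -> Tuple[str, List[str]]:
    """Expand %name% tokens that exist in env (case-insensitive, as Windows
    treats variable names). Tokens with no environment value, and a leading
    '?:' drive, are left untouched and listed as unresolved."""
    env_ci = {k.lower(): v for k, v in env.items()}
    unresolved: List[str] = []

    def replace(match: re.Match) -> str:
        name = match.group(1).lower()
        if name in env_ci:
            return env_ci[name]           # real variable: substitute the path
        unresolved.append(match.group(0))  # Webroot abstraction or unknown var
        return match.group(0)

    expanded = TOKEN_RE.sub(replace, path)
    if DRIVE_RE.match(expanded):
        unresolved.append("?:")
    return expanded, unresolved

def triage(alert_paths: List[str], env: Dict[str, str]) -> List[Dict[str, object]]:
    """Return, per alert path, the best local expansion and whether the
    endpoint's local log is still needed to pin down the real location."""
    results = []
    for p in alert_paths:
        expanded, unresolved = expand_alert_path(p, env)
        results.append({"alert": p, "expanded": expanded,
                        "needs_local_log": bool(unresolved),
                        "unresolved": unresolved})
    return results

if __name__ == "__main__":
    # Constructed alert paths in the style described in the question.
    for r in triage([r"%temp%\setup.exe", r"%cache%\dl[1].exe",
                     r"?:\restore\svc.exe", r"%AppData%\up.dll"], SAMPLE_ENV):
        print(r)
```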