Fun with Everything and ES client for reporting

Introduction

I have been a fan of this utility for quite some time now. Voidtools' Everything indexes your files amazingly quickly and it is a worthy replacement for the built-in Windows search bar. It is a free tool and can be used in enterprise environments. If you like it too, please consider donating 👍

WARNING: With default settings, Everything indexes the whole hard drive and runs with SYSTEM privileges. It can still be set up as the standard search tool in a corporate environment, but it's best to limit it to the folders accessible by the users, or even to the users' own folders only.

I build loads of dashboards with Log Analytics. One of them is about free space, a list of certain folders with their sizes, or perhaps a list of certain file types for various use cases. While there are ways to calculate folder sizes and traverse the file system with PowerShell or robocopy, nothing beats Everything.exe combined with es.exe when it comes to speed! The longest step in the whole process is either displaying the results on the screen or exporting them to a file.

Prerequisites

Everything can be installed, but it is also available as a portable app. For my purpose I need Everything.exe and the command line interface it comes with, yet another executable: es.exe.

NOTE: es.exe only works if there is an Everything service running that it can connect to or, if you do not have the tool installed, if Everything.exe has been launched as a named instance. See below.

I have created a package that copies these two files into a designated location on every Windows client - by the way: it works on servers too.

It's a simple PSADT v4 package, with the executables sitting in the Files folder. So let's create a new package template.

New-ADTTemplate -Destination c:\temp\esCLI

... and download the files we need

Copy the files to the PSADT template's Files folder:

Finally, we need to add the installation part to our script. Just copy them out and change as you deem fit.

  • I added Silent install as default to Line 77 - (PSADT 4.0.6)
  • I fill the headers, cos I am nice 😊
  • The main part of the install is just a file copy... and
  • I also remove the users group from being able to access this folder
  • Finally add some detection rule for Intune

    [System.String]$DeployMode = 'Silent',

##================================================
## MARK: Variables
##================================================

$adtSession = @{
    # App variables.
    AppVendor = 'I am a hacker'
    AppName = 'esCLI'
    AppVersion = '1.0'
    AppArch = 'x64'
    AppLang = 'EN'
    AppRevision = '01'
    AppSuccessExitCodes = @(0)
    AppRebootExitCodes = @(1641, 3010)
    AppScriptVersion = '1.0.0'
    AppScriptDate = '2025-07-19'
    AppScriptAuthor = 'DanZi'
    # ... remaining template keys left as generated ...
}

    ##================================================
    ## MARK: Install
    ##================================================
    $adtSession.InstallPhase = $adtSession.DeploymentType

    # Create the target folder if it does not exist yet.
    if (-not (Test-Path 'C:\Program Files\DanZi\esCLI')) {
        New-Item -Path 'C:\Program Files\DanZi\' -Name 'esCLI' -ItemType Directory
    }
    Copy-ADTFile -Path "$($adtSession.DirFiles)\*" -Destination 'C:\Program Files\DanZi\esCLI'
    # Disable inheritance and drop the inherited ACEs, then grant only Administrators and SYSTEM.
    icacls "C:\Program Files\DanZi\esCLI" /inheritance:r
    icacls "C:\Program Files\DanZi\esCLI" /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F"
    # Remove any explicit grant that is left for the Users group.
    icacls "C:\Program Files\DanZi\esCLI" /remove:g "Users"


    ##================================================
    ## MARK: Post-Install
    ##================================================
    $adtSession.InstallPhase = "Post-$($adtSession.DeploymentType)"

    Set-ADTRegistryKey -Key "HKLM\SOFTWARE\InstalledApps\DanZi_esCLI_1.0"

Cool, let's test this!

I ran Invoke-AppDeployToolkit.exe from an admin command prompt. The folder is created and the contents are there, but as a user, I get a UAC prompt! Exactly how it should be. 👍
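
The manual test above can also be turned into the Intune detection rule, so that a device only counts as installed when the folder lock-down is actually in place. This is an added example, not the author's detection script; Test-EsCliInstall is a hypothetical name, while the folder, file names and registry key are the ones used in the package above.

```powershell
# Added example: Intune custom detection script for the esCLI package.
# Test-EsCliInstall is a hypothetical helper; paths and key come from the package above.
$InstallDir  = 'C:\Program Files\DanZi\esCLI'
$MarkerKey   = 'HKLM:\SOFTWARE\InstalledApps\DanZi_esCLI_1.0'
# Well-known SIDs for BUILTIN\Administrators and NT AUTHORITY\SYSTEM (language independent).
$AllowedSids = @('S-1-5-32-544', 'S-1-5-18')

function Test-EsCliInstall {
    param([string]$Path, [string]$RegKey, [string[]]$Allowed)

    $problems = @()
    if (-not (Test-Path -LiteralPath $RegKey)) { $problems += "marker key missing: $RegKey" }

    foreach ($file in 'Everything.exe', 'es.exe') {
        if (-not (Test-Path -LiteralPath (Join-Path $Path $file) -PathType Leaf)) {
            $problems += "file missing: $file"
        }
    }

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        $problems += "folder missing: $Path"
        return $problems
    }

    $acl = Get-Acl -LiteralPath $Path
    # icacls /inheritance:r should have left the DACL protected (no inherited ACEs).
    if (-not $acl.AreAccessRulesProtected) { $problems += 'inheritance is still enabled' }

    # Translate every ACE to a SID so the check does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $sid -notin $Allowed) {
            $problems += "unexpected allow ACE for $sid ($($rule.FileSystemRights))"
        }
    }
    return $problems
}

$problems = @(Test-EsCliInstall -Path $InstallDir -RegKey $MarkerKey -Allowed $AllowedSids)
if ($problems.Count -eq 0) {
    # Intune reports "detected" on exit code 0 together with text on STDOUT.
    Write-Output 'esCLI detected and locked down'
    exit 0
}
# Anything else counts as "not detected", so a loosened ACL triggers a reinstall.
exit 1
```

Run it as a 64-bit process; in a 32-bit process HKLM:\SOFTWARE resolves to the WOW6432Node view and the marker key will not be found.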

Log Analytics collector snippet

The snippet below is one part (region) of the main Log Analytics collector I use. Yours might be different. I use the $folderArrayList variable to store the data, which is then converted to JSON and uploaded to Log Analytics. You will most likely need to adjust it to your needs.

  • The script checks if esCLI is present. If not, it just skips the whole section
  • It changes into the esCLI folder and launches Everything.exe as a named instance (DNZ)
  • It exports a list of all the exe files on the device and places it in the Intune Management Extension's log folder - this way it can be retrieved by Intune with the 'Collect Diagnostics' button.
  • I have an array of folders to collect - actually the list of folders could probably sit in a text file on Azure Storage, so it could be extended if some other folder becomes necessary to check! (note to myself!)
  • It checks each user folder and each folder in the array, and puts the results into objects.

The result is then converted into JSON and uploaded to Log Analytics, as I mentioned before:

#region FOLDERS
if (Test-Path 'C:\Program Files\DanZi\esCLI'){

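    Push-Location 'C:\Program Files\DanZi\esCLI'
    # Start Everything as a named instance (DNZ) so es.exe has something to connect to.
    & .\everything.exe -startup -minimized -instance DNZ

    # Give the instance a moment to come up.
    Start-Sleep -Seconds 2

    # Export the list of all .exe files to the IME log folder.
    & .\es.exe -instance DNZ ext:exe -export-csv C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\$env:computername-exe-list-log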

    $ufolders = @(
        'c:\windows\ccmcache',
        'c:\windows\temp',
        'C:\Windows\WinSxS',
        'c:\windows\softwaredistribution\download'
        )
    $ufolders += (Get-ChildItem -Path c:\users -Directory).FullName
    $ufarray = @()
    foreach ($folder in $ufolders){
        $frn = new-object -TypeName PSObject
        $frn | Add-Member -MemberType NoteProperty -Name "Folder" -Value $folder -Force
            
        if(test-path 'C:\Program Files\DanZi\esCLI'){
            $size = [math]::Round($(& 'C:\Program Files\DanZi\esCLI\es.exe' $folder -instance DNZ -get-total-size)/1GB, 2)
            $frn | Add-Member -MemberType NoteProperty -Name "Size" -Value $size -Force
            }
        else{
            $frn | Add-Member -MemberType NoteProperty -Name "Size" -Value $(Get-RoboSize $folder).TotalGB -Force
            }
        $ufarray += $frn
    }
    [System.Collections.ArrayList]$folderArrayList = $ufArray

    # Shut down the named instance and return to the original location.
    & .\everything.exe -instance DNZ -quit
    Pop-Location
}
#endregion FOLDERS

With this data available, I can check the size of each critical folder as well as notify users of potential space wasters, or just prepare for a cleanup of old user folders, etc. You can collect other types of files, check all kinds of folders, and it's super quick.

I now have a nice log in the IME folder of all the exe files from the device, so no more hiding of portable apps! 😎
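
The exported list only reveals portable apps once it is filtered, so here is one way to pull out the executables that sit inside user profiles. This is an added example, not part of the original collector: Get-UserProfileExe is a hypothetical name, the sample rows are constructed, and a single Filename column holding the full path is an assumption about the exported CSV.

```powershell
# Added example: flag executables that live under user profiles in the exported list.
# Constructed sample data; the 'Filename' column name is an assumption about the export.
$sampleCsv = @'
Filename
"C:\Windows\System32\notepad.exe"
"C:\Program Files\DanZi\esCLI\es.exe"
"C:\Users\alice\Downloads\tools\portable-browser.exe"
"C:\Users\alice\AppData\Local\Temp\setup-1234.exe"
"C:\Users\bob\Desktop\game.exe"
"C:\Users\Public\Documents\helper.exe"
'@

function Get-UserProfileExe {
    param(
        [Parameter(Mandatory)][string[]]$FullName,
        [string]$ProfileRoot = 'C:\Users\'
    )
    foreach ($path in $FullName) {
        # Case-insensitive prefix match; anything outside the profile root is ignored.
        if (-not $path.StartsWith($ProfileRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
            continue
        }
        $relative = $path.Substring($ProfileRoot.Length)
        $segments = $relative.Split('\')
        if ($segments.Count -lt 2) { continue }   # file directly in C:\Users, no profile folder
        [pscustomobject]@{
            Profile = $segments[0]
            InTemp  = $relative -like '*\AppData\Local\Temp\*'
            Name    = $segments[-1]
            Path    = $path
        }
    }
}

$rows = $sampleCsv | ConvertFrom-Csv
$hits = @(Get-UserProfileExe -FullName $rows.Filename)

# Per-profile summary that could be added to the JSON payload for Log Analytics.
$hits | Group-Object Profile | ForEach-Object {
    [pscustomobject]@{
        Profile  = $_.Name
        ExeCount = $_.Count
        TempExe  = @($_.Group | Where-Object InTemp).Count
    }
} | Format-Table -AutoSize
```

On a real device, replace the sample with Import-Csv on the file the collector wrote to the IME log folder.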

Happy reporting!