"Poison" characters like & | > < etc. can cause problems if they are exposed to the early phases of the parser. If they are quoted, then there is no problem, but if not quoted (or escaped) then they are interpreted as operators with special meaning.
Expanding environment variables with percent signs exposes the risks.
When reading a file with unknown (unconstrained) content, there are basically two possible methods to safely work with the values:
1) Work strictly with FOR /F variables like %%A if possible. But note that delayed expansion must be off if the value may contain ! characters. If delayed expansion is on when %%A is expanded, then strings with ! will be corrupted.
2) Use delayed expansion whenever you expand a variable that may contain poison characters. SetLocal EnableDelayedExpansion to enable the delayed expansion, and !varName! to safely expand the value.
There may be a third option if you know that the value will never contain quotes. Just make sure that the value is always quoted. But that assumes you don't care if you introduce quotes in the value when you ECHO it.
It looks like all you are trying to do is capture the full file paths of all files in a log file that resulted from processing by CERTUTIL.
That is easily done by using FINDSTR to filter out all the "MD5 hash of" lines, and FOR /F to capture the remainder of the line after the 3rd space delimited token (text after "of ").
(for /f "tokens=3*" %%A in ('findstr /c:"MD5 hash of" _HashList.tmp') do echo %%B) >z:\utilities\_HashDatabase.tmp
But I don't understand the need for the code. It seems obvious that your _HashList.tmp is a log of various CERTUTIL runs. This implies that you must have known the paths of the files when you ran CERTUTIL. So I don't understand why you need to parse out the file paths after the fact. You should have captured the values as part of the CERTUTIL processing.
And I would think you would want to capture the actual hash values.
It would be helpful if you provided the big picture of your overall intended process. What is your overall goal, and what are all the steps you are taking to get there, not just the code you have shown. I suspect there is a much better way of accomplishing your goals.
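The two safe methods described in the post above, plus the corruption case from method 1's caveat, as an added example that is not part of the original post. The demo file name and its three sample lines are constructed for illustration.

```batch
@echo off
setlocal DisableDelayedExpansion

rem Constructed sample input. The carets are needed only here, while the
rem demo file is written by unquoted ECHO commands.
set "demo=%TEMP%\poison_demo.txt"
 >"%demo%" echo C:\data\R^&D\report.txt
>>"%demo%" echo C:\data\wow!\notes.txt
>>"%demo%" echo a ^| b ^> c ^< d

rem Method 1: use the FOR /F variable directly with delayed expansion off.
rem The value is substituted after operators have been parsed, so the
rem ampersand, pipe and redirection characters in the data stay inert.
echo --- method 1: FOR variable, delayed expansion off
for /f "usebackq delims=" %%A in ("%demo%") do echo(%%A

rem Method 2: copy the value into a normal variable while delayed expansion
rem is still off, then enable it only for the expansion itself.
rem ENDLOCAL inside the loop keeps the SETLOCAL nesting from piling up.
echo --- method 2: delayed expansion toggled per line
for /f "usebackq delims=" %%A in ("%demo%") do (
  set "line=%%A"
  setlocal EnableDelayedExpansion
  echo(!line!
  endlocal
)

rem Counter-example: delayed expansion is on when the FOR variable expands,
rem so the exclamation mark in the second line is stripped from the output.
echo --- corrupted: FOR variable expanded with delayed expansion on
setlocal EnableDelayedExpansion
for /f "usebackq delims=" %%A in ("%demo%") do echo(%%A
endlocal

del "%demo%"
```

The first two sections print all three lines unchanged; the last prints the second line as C:\data\wow\notes.txt.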