strings — Extract printable strings from binary files for triage across all 5 shells
Equivalents in every shell
strings file.binDefault: emits every run of ≥ 4 printable ASCII characters from the file's loadable text sections. `-n N` changes the minimum length; `-a` scans ALL sections (not just text — important for finding strings in data segments / resource forks).
strings file.binmacOS ships `strings` as part of Xcode Command Line Tools (`xcode-select --install`). The system tool is GNU-binutils-derived — flag set matches Linux exactly. Without Xcode CLT, run `brew install binutils` (provides `gstrings`) or via Docker.
strings file.binSame external. Fish's `string match` builtin pairs well with strings output — `strings file.bin | string match -r "https?://[^[:space:]]+"` extracts URLs from a binary cleanly.
Select-String -Path file.bin -Pattern "[\x20-\x7e]{4,}" -AllMatches | ForEach-Object { $_.Matches.Value }No native `strings` cmdlet. The Select-String regex approximates `strings -n 4` for ASCII. For real binary triage, use the SysInternals `strings.exe` (Microsoft, free): `strings.exe file.bin`. It supports `-n N`, `-u` (Unicode-only), `-a` (Unicode + ASCII).
strings.exe file.bincmd.exe has no native string-extractor. SysInternals `strings.exe` from `https://learn.microsoft.com/sysinternals/downloads/strings` is the canonical Windows answer — same flags as Unix `strings` plus `-u` for UTF-16-LE. Required for malware triage; bundled in PowerToys repo for licensed redistribution.
Worked examples
Find embedded URLs in an unknown binary
strings -n 8 file.bin | grep -E "https?://"Select-String -Path file.bin -Pattern "https?://[\x21-\x7e]+" -AllMatches | ForEach-Object { $_.Matches.Value }strings.exe file.bin | findstr "http"Extract UTF-16-LE strings (Windows binaries, MS Office docs)
strings -e l file.docx# SysInternals: strings.exe -u file.docxList every string ≥ 12 chars (filter noise)
strings -n 12 file.binSelect-String -Path file.bin -Pattern "[\x20-\x7e]{12,}" -AllMatches | ForEach-Object { $_.Matches.Value }strings.exe -n 12 file.binGotchas
- Default `-n 4` produces enormous noise on real binaries (every 4-byte ASCII run, including random byte sequences that happen to be printable). Start with `-n 8` or `-n 12` to filter; raise / lower based on what you're hunting.
- Default mode scans ONLY the file's `text` sections (loadable code) — not data, rsrc, .rodata, or appended payloads. Pass `-a` (--all) to scan the entire file. For zip / Office / image containers (which embed metadata across sections), `-a` is essential — the default misses most embedded strings.
- GNU `strings` `-e` (encoding) flag: `s` = 7-bit ASCII (default), `S` = 8-bit, `l` = 16-bit LE (UTF-16-LE, Windows binaries), `L` = 32-bit LE, `b`/`B` = big-endian variants. macOS `strings` from binutils supports `-e`; Apple's default `strings` (from Xcode CLT cctools) does NOT — install GNU `binutils` via `brew install binutils` and use `gstrings -e l` on macOS.
- On macOS, the Apple `strings` (from cctools) gives only ASCII — for UTF-16 extraction (essential when inspecting Office / Windows binaries), use `brew install binutils` to get GNU `gstrings` with `-e l`. Confusion source: same tool name, different feature sets across macOS-native vs GNU binutils.
- For obfuscated / packed binaries (UPX-packed Windows malware, encrypted resource bundles), `strings` returns mostly garbage — the strings are decrypted at runtime, not stored on disk. Run the binary in a sandbox and inspect memory (volatility, gdb dump) instead of relying on `strings` for static analysis.