filetype: batch detect: filename: "(\\.bat$)" # header: "" rules: # Numbers - constant.number: "\\b[0-9]+\\b" # Brackets and symbols - special: "(\\{|\\}|\\(|\\)|\\;|\\]|\\[|`|\\\\|\\$|<|>|!|=|&|\\|)" # Conditionals and control flow # note (?i) means case insensitive match - type: "\\b(?i)(case|do|done|elif|else|esac|exit|fi|for|function|if|in|local|read|return|select|then|until|while)\\b" - type: "\\b(?i)(equ|neq|lss|leq|gtr|geq|on|off)\\b" - type: "\\b(?i)(goto|for|in|do|call|exit|not|exist|errorlevel|defined)\\b" - type: "\\b(?i)(prn|nul|lpt3|lpt2|lpt1|con|com4|com3|com2|com1|aux)\\b" # keywords - statement: "\\b(?i)(adprep|append|arp|assoc|at|atmadm|attrib|auditpol|autochk|autoconv|autofmt|bcdboot|bcdedit|bdehdcfg|bitsadmin|bootcfg|break|brea)\\b" - statement: "\\b(?i)(cacls|cd|certreq|certutil|chcp|change|choice|cipher|chdir|chkdsk|chkntfs|chglogon|chgport|chgusr|clip|cls|clscluadmin|cluster|cmd|cmdkey|cmstp|color)\\b" - statement: "\\b(?i)(comp|compact|convert|copy|cprofile|cscript|csvde|date|dcdiag|dcgpofix|dcpromo|defra|del|dfscmd|dfsdiag|dfsrmig|diantz|dir|dirquota|diskcomp|diskcopy|diskpart|diskperf|diskraid|diskshadow|dispdiag|doin|dnscmd|doskey|driverquery|dsacls|dsadd|dsamain|dsdbutil|dsget|dsmgmt|dsmod|dsmove|dsquery|dsrm)\\b" - statement: "\\b(?i)(echo|edit|endlocal|erase|esentutl|eventcreate|eventquery|eventtriggers|evntcmd|expand|extract)\\b" - statement: "\\b(?i)(fc|filescrn|find|findstr|finger|flattemp|fonde|forfiles|format|freedisk|fs|fsutil|ftp|ftype|fveupdate|getmac|gettype|gpfixup|gpresult|gpupdate|graftabl)\\b" - statement: "\\b(?i)(hashgen|hep|help|helpctr|hostname|icacls|iisreset|inuse|ipconfig|ipxroute|irftp|ismserv|jetpack|keyb|klist|ksetup|ktmutil|ktpass|label|ldifd|ldp|lodctr|logman|logoff|lpq|lpr|macfile)\\b" - statement: "\\b(?i)(makecab|manage-bde|mapadmin|md|mkdir|mklink|mmc|mode|more|mount|mountvol|move|mqbup|mqsvc|mqtgsvc|msdt|msg|msiexec|msinfo32|mstsc|nbtstat|net computer|net group)\\b" - statement: "\\b(?i)(net localgroup|net print|net session|net share|net start|net stop|net use|net user|net view|net|netcfg|netdiag|netdom|netsh|netstat|nfsadmin|nfsshare|nfsstat|nlb)\\b" - statement: "\\b(?i)(nlbmgr|nltest|nslookup|ntackup|ntcmdprompt|ntdsutil|ntfrsutl|openfiles|pagefileconfig|path|pathping|pause|pbadmin|pentnt|perfmon|ping|pnpunatten|pnputil|popd)\\b" - statement: "\\b(?i)(powercfg|powershell|powershell_ise|print|prncnfg|prndrvr|prnjobs|prnmngr|prnport|prnqctl|prompt|pubprn|pushd|pushprinterconnections|pwlauncher|qappsrv|qprocess)\\b" - statement: "\\b(?i)(query|quser|qwinsta|rasdial|rcp|rd|rdpsign|regentc|recover|redircmp|redirusr|reg|regini|regsvr32|relog|ren|rename|rendom|repadmin|repair-bde|replace|reset|restore)\\b" - statement: "\\b(?i)(rxec|risetup|rmdir|robocopy|route|rpcinfo|rpcping|rsh|runas|rundll32|rwinsta|scp|sc|setlocal|session|schtasks|scwcmd|secedit|serverceipoptin|servrmanagercmd|serverweroptin|set|setspn)\\b" - statement: "\\b(?i)(setx|sfc|shadow|shift|showmount|shutdown|sort|ssh|start|storrept|subst|sxstrace|ysocmgr|systeminfo|takeown|tapicfg|taskkill|tasklist|tcmsetup|telnet|tftp|time)\\b" - statement: "\\b(?i)(timeout|title|tlntadmn|tpmvscmgr|tpmvscmgr|tacerpt|tracert|tree|tscon|tsdiscon|tsecimp|tskill|tsprof|type|typeperf|tzutil|uddiconfig|umount|unlodctr|ver|verify)\\b" - statement: "\\b(?i)(verifier|verif|vol|vssadmin|w32tm|waitfor|wbadmin|wdsutil|wecutil|wevtutil|where|whoami|winnt|winnt32|winpop|winrm|winrs|winsat|wlbs|mic|wscript|xcopy)\\b" # / Flags - constant: "(/\\w+)" # Variables - special: "(%%\\w+)" - special: "(%\\w+%)" # Conditional flags - type: "--[a-z-]+" - type: "\\ -[a-z]+" - identifier: "\\$\\{?[0-9A-Z_!@#$*?-]+\\}?" - identifier: "\\$\\{?[0-9A-Z_!@#$*?-]+\\}?" # "" String - constant.string: start: \" end: \" skip: \. rules: - constant.specialChar: (\\0|\\\\|\\t|\\n|\\r|\\"|\\') - constant.unicode: \\u\{[[:xdigit:]]+} # '' string - constant.string: "(\\'.+\\')" # rem as comment - comment.rem: "(?i)(rem\\s.*)" # :: as comment - comment.rem: "(?i)(\\:\\:\\s.*)"