Reference: Watchlist paths, inclusions, and exclusions

Add paths to a watchlist to determine the files, directories, and Windows registry paths that a monitor watches for changes. You can refine the paths in a watchlist by adding path inclusions and path exclusions. If you define path inclusions, the path matches only subdirectories, files, or registry subkeys that match the inclusions. If you define path exclusions, the path does not match subdirectories, files, or registry subkeys that match the exclusions. Exclusions take precedence over inclusions. If you define both inclusions and exclusions, the path matches all directories, files, or registry keys that match the inclusions, except those that match exclusions.

Rely primarily on inclusions to refine paths, and try to limit the number of exclusions for cleaner watchlists and more predictable monitoring.

For general information about creating and working with watchlists, see Managing watched paths with watchlists.

Paths

A path is an absolute file or Windows registry path that provides the basis for determining directories, files, or registry keys that a watchlist defines. Without inclusions or exclusions defined, the path matches all files and subdirectories in a file path or all subkeys in a registry path. By default, a file path that specifies a directory includes subdirectories recursively, and a registry path that specifies a registry key includes subkeys recursively.

You can use a question mark (?) wildcard character to match any single character or an asterisk (*) wildcard character to match any number of any characters. In a path, you can use wildcard characters within a directory, file, or registry key name, but you cannot use wildcard characters to match path separators or specify multiple directory or subkey levels.

File paths

A file path specifies a directory or file. If you specify a root directory, you must include the slash. For example: D:\.

Example file paths
Example path and explanation Examples of watched directories and files

Path (Windows):
C:\Program Files

A path that specifies a directory without using wildcards matches that directory itself, as well as all files in that directory, and all subdirectories and files recursively.

Examples of watched directories and files (without inclusions or exclusions defined):

C:\Program Files\
C:\Program Files\My Program\
C:\Program Files\My Program\myprogram.exe
C:\Program Files\Another Program\

Examples of directories that are not watched (when only this path is specified):

C:\Program Files (x86)\
D:\Program Files\
D:\Program Files (x86)\

Path (Windows):
?:\Program Files

On Windows, you can use the ? wildcard character to specify the drive letter and watch a specific directory regardless of which drive it is on. In this example the path matches the Program Files directory on any drive.

Examples of watched directories and files (without inclusions or exclusions defined):

C:\Program Files\
C:\Program Files\My Program\
C:\Program Files\My Program\myprogram.exe
D:\Program Files\
D:\Program Files\Another Program\

Examples of directories that are not watched (when only this path is specified):

C:\Program Files (x86)\
D:\Program Files (x86)\

Path (Unix):
/a/b*/c

The * wildcard character represents zero or more characters within the directory name, but it does not match path separators.

Examples of watched directories and files (without inclusions or exclusions defined):

/a/b/c/
/a/b/c/myfile.txt
/a/bin/c/
/a/bin/c/myfile.txt
/a/b/c/d/myfile.txt

Examples of directories and files that are not watched (when only this path is specified):

/a/b/
/a/b/c.txt
/a/b/d/c/

Registry paths

A registry path specifies a Windows registry key.

To specifically record registry rename operations on an endpoint, or to specifically record modifications to individual registry values on an endpoint, you must enable the Collect process and user attribution information setting in the monitor that you deploy to that endpoint. For more information, see Create or edit a monitor.

If you disable this setting, Integrity Monitor does not return modifications to registry values as events. Create and delete operations are still recorded for individual registry values, regardless of this setting.

Determining watched subkeys

A path matches all subkeys recursively under a key or keys that are specified by the path. For example, if you specify the path HKEY_LOCAL_MACHINE\a, then the path matches all subkeys of the a key (such as HKEY_LOCAL_MACHINE\a\x, HKEY_LOCAL_MACHINE\a\x\y, and HKEY_LOCAL_MACHINE\a\z), unless you otherwise exclude them. If the Collect process and user attribution information setting is enabled in the monitor that you deploy to that endpoint, all values of matching subkeys are watched.

You cannot monitor an entire subtree, such as HKEY_LOCAL_MACHINE, and you cannot specify individual values within a key.

Using an abbreviation for a subtree

You can use the abbreviation for the subtree in a path. Integrity Monitor expands the subtree name when you save your changes. For example, you can enter the path HKLM\MyKey, which is saved as HKEY_LOCAL_MACHINE\MyKey.

Subtree name Abbreviation
HKEY_LOCAL_MACHINE HKLM
HKEY_USERS HKU
Using the HKEY_CURRENT_USER subtree in a path

When you add a path in the HKEY_CURRENT_USER subtree, such as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy, Integrity Monitor changes the HKEY_CURRENT_USER subtree in the path to HKEY_USERS\* when you save your changes (for example, HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Group Policy). Because the Tanium Client uses the SYSTEM account, the HKEY_CURRENT_USER subtree applies to the SYSTEM account rather than the user account that is currently signed in to Windows. Using HKEY_USERS\* instead lets Integrity Monitor record events for all users, including the user account that is currently signed in to Windows.

Using a redirected registry key in a path

For 64-bit Windows, the registry redirector maps some keys, such as HKEY_LOCAL_MACHINE\SOFTWARE\, to a WOW6432Node subkey (for example, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node) for use by 32-bit applications. When you add key paths that are redirected under WOW64, the watchlist does not automatically include the parallel key paths under the WOW6432Node keys. If you want to monitor keys under these paths, you must enter them separately.

Example registry path
Example path and explanation Examples of watched subkeys

Path (registry):
HKEY_LOCAL_MACHINE\a\b*\c

The * wildcard character represents zero or more characters within a key name, but it does not match path separators.

Examples of watched subkeys (without inclusions or exclusions defined):

HKEY_LOCAL_MACHINE\a\b\c\
HKEY_LOCAL_MACHINE\a\BCD00000000\c\
HKEY_LOCAL_MACHINE\a\b\c\d\
HKEY_LOCAL_MACHINE\a\BCD00000000\c\d\

Examples of subkeys that are not watched (when only this path is specified):

HKEY_LOCAL_MACHINE\a\
HKEY_LOCAL_MACHINE\a\b\d\c

Path inclusions

If you define path inclusions, the path matches only subdirectories, files, or registry subkeys that match the inclusions. When you specify an inclusion with no wildcards, it limits the path to a specific subdirectory, file, or registry subkey that matches the path together with the inclusion. In an inclusion, you can use an asterisk wildcard character (*) to match a string of characters within a directory, file, or registry key name, or you can use two asterisks together (**) to include path separators (and therefore multiple directory or subkey levels) in the match.

File path inclusions

File path inclusions refine a file path to match a subset of the subdirectories and files that match the file path itself.

Example file path inclusions
Example path, inclusion, and explanation Examples of watched directories and files

Path (Unix):
/mypath

Inclusion:
test

Because this example does not use wildcard characters in the inclusion, the path matches only the single subdirectory, non-recursively.

Watched directory (without exclusions defined):

/mypath/test/

Examples of directories and files that are not watched (when only this path and inclusion are specified):

/mypath/test.txt
/mypath/test1/
/mypath/test/myfile.txt
/mypath/mydir/test/
/myotherpath/test/

Path (Unix):
/mypath

Inclusion:
test*

Because this example uses a single * wildcard character at the end of the inclusion, the path matches any combination of valid path characters at the end of /mypath/test, but not directory separators.

Examples of watched directories and files (without exclusions defined):

/mypath/test/
/mypath/test.txt
/mypath/test1/

Examples of directories and files that are not watched (when only this path and inclusion are specified):

/mypath/test/mydir/myfile.txt
/mypath/test/myfile.txt
/mypath/mydir1/test/
/mypath/myfile.txt
/mypath/Xtest/

Path (Unix):
/mypath

Inclusion:
test**

Because this example uses two * wildcard characters at the end of the inclusion, the path matches any combination of directory separators and valid path characters at the end of /mypath/test.

Examples of watched directories and files (without exclusions defined):

/mypath/test/
/mypath/test.txt
/mypath/test1/
/mypath/test/myfile.txt
/mypath/test/mydir/myfile.txt

Examples of directories and files that are not watched (when only this path and inclusion are specified):

/mypath/mydir1/test/
/mypath/myfile.txt
/mypath/Xtest/

Path (Unix):
/mypath

Inclusion:
*test

Because this example uses a single * wildcard character at the beginning of the inclusion, the path matches any combination of valid path characters after /mypath that end with test, but not directory separators.

Examples of watched directories and files (without exclusions defined):

/mypath/test/
/mypath/Xtest/
/mypath/myfile.test

Examples of directories and files that are not watched (when only this path and inclusion are specified):

/mypath/mydir1/mydir2/test/
/mypath/mydir1/mydir2/Xtest/
/mypath/myfile.txt
/mypaty/test1/
/mypath/test/mydir1/
/mypath/test/myfile.txt
/mypath/test.txt/

Path (Unix):
/mypath

Inclusion:
**test

Because this example uses two * wildcard characters at the beginning of the inclusion, the path matches any combination of directory separators and valid path characters after /mypath that end with test.

Examples of watched directories and files (without exclusions defined):

/mypath/test/
/mypath/mydir1/mydir2/test/
/mypath/Xtest/
/mypath/mydir1/mydir2/Xtest/
/mypath/myfile.test

Examples of directories and files that are not watched (when only this path and inclusion are specified):

/mypath/myfile.txt
/mypaty/test1/
/mypath/test/mydir1/
/mypath/test/myfile.txt
/mypath/test.txt/

Path (Unix):
/mypath

Inclusion:
test?

Because this example uses a ? wildcard character at the end of the inclusion, the path matches any directories and files after /mypath that match test plus one additional character.

Examples of watched directories (without exclusions defined):

/mypath/test1/
/mypath/testX/

Though a trailing path separator (/) is shown here to denote a directory, it is not included as part of the match for the ? wildcard character in the inclusion.

Examples of directories and files that are not watched (when only this path and inclusion are specified):

/mypath/test/
/mypath/Xtest/
/mypath/test.txt

Path (Unix):
/mypath

Inclusion:
**/**.log

This example uses an inclusion with a path separator to specify that a matching file or directory must be in a directory that is at least one directory level below the path. The file or directory must end with .log but can otherwise include any combination of characters.

Examples of watched directories (without exclusions defined):

/mypath/mydir1/mylog.log
/mypath/mydir2/anotherlog.log
/mypath/mydir1/mysubdir/mylog.log

Examples of directories and files that are not watched (when only this path and inclusion are specified):

/mypath/mylog.log
/mypath/mydir/mylog.txt

Registry path inclusions

Registry path inclusions refine a registry path to match a subset of the subkeys that match the registry path itself. Inclusions do not restrict value names; all values of matching keys are still watched.

Example registry path inclusions
Example path, inclusions, and explanation Examples of watched subkeys

Path (registry):
HKEY_LOCAL_MACHINE\MyKey

Inclusion:
test

Because this example does not use wildcard characters in the inclusion, the path matches only the single subkey, non-recursively.

Watched subkey (without exclusions defined):

HKEY_LOCAL_MACHINE\MyKey\test\

Examples of subkeys that are not watched (when only this path and inclusion are specified):

HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test\
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\

Path (registry):
HKEY_LOCAL_MACHINE\MyKey

Inclusion:
test*

Because this example uses a single * wildcard character at the end of the subkey inclusion, the path matches any combination of valid path characters at the end of HKEY_LOCAL_MACHINE\MyKey, but not path separators.

Examples of watched subkeys (without exclusions defined):

HKEY_LOCAL_MACHINE\MyKey\test\
HKEY_LOCAL_MACHINE\MyKey\test1\

Examples of subkeys that are not watched (when only this path and inclusion are specified):

HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\
HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test\
HKEY_LOCAL_MACHINE\MyKey\xtest\test\

Path (registry):
HKEY_LOCAL_MACHINE\MyKey

Inclusion:
test**

Because this example uses two * wildcard characters at the end of the subkey inclusion, the path matches any combination of path separators and valid path characters at the end of HKEY_LOCAL_MACHINE\MyKey.

Examples of watched subkeys (without exclusions defined):

HKEY_LOCAL_MACHINE\MyKey\test\
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\
HKEY_LOCAL_MACHINE\MyKey\test1\

Examples of subkeys that are not watched (when only this path and inclusion are specified):

HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test\
HKEY_LOCAL_MACHINE\MyKey\xtest\test\

Path (registry):
HKEY_LOCAL_MACHINE\MyKey

Inclusion:
*test

Because this example uses a * wildcard character at the beginning of the inclusion, the path matches any combination of valid path characters after /mypath that end with test, but not path separators.

Examples of watched subkeys (without exclusions defined):

HKEY_LOCAL_MACHINE\MyKey\test\
HKEY_LOCAL_MACHINE\MyKey\xtest\

Examples of subkeys that are not watched (when only this path and inclusion are specified):

HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\
HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test\
HKEY_LOCAL_MACHINE\MyKey\test1\

Path (registry):
HKEY_LOCAL_MACHINE\MyKey

Inclusion:
**test

Because this example uses two * wildcard characters at the beginning of the inclusion, the path matches any combination of path separators and valid path characters after /mypath that end with test.

Examples of watched subkeys (without exclusions defined):

HKEY_LOCAL_MACHINE\MyKey\test\
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\

Examples of subkeys that are not watched (when only this path and inclusion are specified):

HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test\
HKEY_LOCAL_MACHINE\MyKey\test1\

Path exclusions

If you define path exclusions, the path does not match subdirectories, files, or registry subkeys that match the exclusions. When you specify an exclusion with no wildcards, it excludes a specific subdirectory, file, or registry subkey that matches the path together with the exclusion. In an exclusion, you can use an asterisk wildcard character (*) to match a string of characters within a directory, file, or registry key name, or you can use two asterisks together (**) to include path separators (and therefore multiple directory or subkey levels) in the match. Keep in mind that when you exclude a particular directory using a single asterisk (*), the subdirectories of that directory are still watched.

File path exclusions

File path exclusions define subdirectories or files within a path that are excluded from matching the path.

Example file path exclusions
Example path, exclusion, and explanation Examples of excluded directories and files

Path (Unix):
/mypath

Exclusion:
test

This example does not use wildcard characters, so it excludes only a single directory.

Example excluded directory:

/mypath/test/

Examples of directories that are still watched:

/mypath/test.txt
/mypath/test1/
/mypath/test1/myfile.txt
/mypath/mydir/test/

Path (Windows):
C:\Windows\System32

Exclusion:
*\logs

Because this exclusion begins with the characters *\, it excludes directories with the name logs that are exactly two levels below the System32 directory.

Example excluded directories:

C:\Windows\System32\script\Logs\
C:\Windows\System32\winevt\Logs\
C:\Windows\System32\winevt\Logs\Application.evtx

Examples of directories that are still watched:

C:\Windows\System32\
C:\Windows\System32\cmd.exe
C:\Windows\System32\GroupPolicy\
C:\Windows\System32\Logs\

Path (Windows):
C:\Windows\System32

Exclusion:
**\logs

Because this exclusion begins with the characters **\, it excludes directories with the name logs that are at least two levels below the System32 directory.

Example excluded directories:

C:\Windows\System32\script\Logs\
C:\Windows\System32\winevt\Logs\
C:\Windows\System32\winevt\Logs\Application.evtx

Examples of directories that are still watched:

C:\Windows\System32\
C:\Windows\System32\cmd.exe
C:\Windows\System32\GroupPolicy\
C:\Windows\System32\Logs\

Path (Unix):
/mypath

Exclusion:
*

When you specify a single * wildcard as the entire exclusion, it excludes subdirectories at the first level but still watches subdirectories at lower levels.

Example excluded directories:

/mypath/test/
/mypath/mydir/

Watched directories:

/mypath/
/mypath/test/subdirectory/
/mypath/mydir/mydir2/
/mypath/mydir/mydir2/mydir3/

Path (Unix):
/mypath

Exclusion:
**

When you specify two * wildcard characters as the entire exclusion, it restricts the path to only the exact directory that you specify.

Example excluded directories:

/mypath/test/
/mypath/mydir/

Watched directory:

/mypath/

Registry path exclusions

Registry path exclusions define subkeys within a path that are excluded from matching the path. Exclusions do not apply to value names; all values of matching keys that are not excluded are still watched.

Example registry path exclusions
Example path, exclusion, and explanation Examples of excluded directories and files

Path (registry):
HKEY_LOCAL_MACHINE\MyKey

Exclusion:
test

This example does not use wildcard characters, so it excludes only a single directory, non-recursively.

Excluded subkey:

HKEY_LOCAL_MACHINE\MyKey\test\

Examples of subkeys that are not excluded:

HKEY_LOCAL_MACHINE\MyKey\
HKEY_LOCAL_MACHINE\MyKey\test1\
HKEY_LOCAL_MACHINE\MyKey\SomeSubkey\test\

Path (registry):
HKEY_LOCAL_MACHINE\MyKey

Exclusion:
test*

This example uses a single * wildcard character at the end of the exclusion. It excludes any combination of valid path characters at the end of HKEY_LOCAL_MACHINE\MyKey\test, but it does not match path separators.

Examples of excluded subkeys:

HKEY_LOCAL_MACHINE\MyKey\test\
HKEY_LOCAL_MACHINE\MyKey\test1\

Examples of subkeys that are not excluded:

HKEY_LOCAL_MACHINE\MyKey\test\AnySubkey\
HKEY_LOCAL_MACHINE\MyKey\test1\AnySubkey\
HKEY_LOCAL_MACHINE\MyKey\SomeSubkey\AnotherLevel\
KEY_LOCAL_MACHINE\MyKey\SomeSubkey\test\
HKEY_LOCAL_MACHINE\MyKey\AnotherSubkey\AnotherLevel\

Path (registry):
HKEY_LOCAL_MACHINE\MyKey

Exclusion:
test**

This example uses two * wildcard characters at the end of the exclusion. It excludes any combination of path separators and valid path characters at the end of HKEY_LOCAL_MACHINE\MyKey\test.

Examples of excluded subkeys:

HKEY_LOCAL_MACHINE\MyKey\test\
HKEY_LOCAL_MACHINE\MyKey\test\AnySubkey\
HKEY_LOCAL_MACHINE\MyKey\test1\
HKEY_LOCAL_MACHINE\MyKey\test1\AnySubkey\

Examples of subkeys that are not excluded:

HKEY_LOCAL_MACHINE\MyKey\SomeSubkey\AnotherLevel\
KEY_LOCAL_MACHINE\MyKey\SomeSubkey\test\
HKEY_LOCAL_MACHINE\MyKey\AnotherSubkey\AnotherLevel\

Path (registry):
HKEY_LOCAL_MACHINE\MyKey

Exclusion:
**\**

This example demonstrates the pattern you can use to limit the number of levels watched. This example limits the path to matching one subkey level. You can use another \** character combination in the exclusion for each level you want to exclude. For example, to monitor two levels of subkeys under the specified path, add the exclusion **\**\** instead.

Examples of excluded subkeys:

HKEY_LOCAL_MACHINE\MyKey\SomeSubkey\AnotherLevel\
HKEY_LOCAL_MACHINE\MyKey\AnotherSubkey\AnotherLevel\

Examples of subkeys that are not excluded:

HKEY_LOCAL_MACHINE\MyKey\
HKEY_LOCAL_MACHINE\MyKey\SomeSubkey\
HKEY_LOCAL_MACHINE\MyKey\AnotherSubkey\

Path inclusions and exclusions used together

Exclusions take precedence over inclusions. If you define both inclusions and exclusions, the path matches all directories, files, or registry keys that match the inclusions, except those that match exclusions.

Example file paths with inclusions and exclusions
Example path, inclusion, exclusion, and explanation Examples of watched directories and files

Path (Unix):
/mypath

Inclusion:
mydir/**

Exclusion:
**.log

The inclusion specifies files and directories within the /mypath/mydir subdirectory, and the exclusion keeps any files with the log extension within this directory structure from being watched.

Example watched directories and files:

/mypath/mydir/myfile.txt
/mypath/mydir/mysubdir/
/mypath/mydir/mysubdir/myscript.sh

Examples of directories and files that are not watched:

/mypath/someotherdir/
/mypath/someotherdir/anyfile.txt
/mypath/mydir/myprogram.log
/mypath/mydir/mysubdir/anotherprogram.log

Path (Windows):
C:\Windows

Inclusion:
System32\**

Exclusion:
System32\**\**

The inclusion with a trailing wildcard character is paired with a matching exclusion ending in **\** to end the recursion at a specified depth. If you want to monitor files in subdirectories with depth n, add n+1 pairs of asterisks (**) separated by path separators (\ or /, depending on the target endpoint operating system).

Example watched files:

C:\Windows\System32\ARP.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\wwapi.dll

Examples of files that are not watched:

C:\Windows\System32\drivers\acpi.sys
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\WinMetadata\Windows.Data.winmd
Example registry path with inclusions and exclusions
Example path, inclusion, exclusion, and explanation Examples of watched subkeys

Path (registry):
HKEY_LOCAL_MACHINE\MyKey

Inclusion:
Test**

Exclusion:
TestTwo**

The inclusion specifies any subkey that begins with Test within the MyKey key, but the exclusion keeps any subkey that begins with TestTwo from being watched.

Example watched subkeys:

HKEY_LOCAL_MACHINE\MyKey\Test\
HKEY_LOCAL_MACHINE\MyKey\Test\AnySubkey\
HKEY_LOCAL_MACHINE\MyKey\TestOne\
HKEY_LOCAL_MACHINE\MyKey\TestOne\AnySubkey\

Examples of subkeys that are not watched:

HKEY_LOCAL_MACHINE\MyKey\TestTwo\
HKEY_LOCAL_MACHINE\MyKey\TestTwo\AnySubkey\
HKEY_LOCAL_MACHINE\MyKey\TestTwoThree\