Reference: Watchlist paths, inclusions, and exclusions
Add paths to a watchlist to determine the files, directories, and Windows registry paths that a monitor watches for changes. You can refine the paths in a watchlist by adding path inclusions and path exclusions. If you define path inclusions, the path matches only subdirectories, files, or registry subkeys that match the inclusions. If you define path exclusions, the path does not match subdirectories, files, or registry subkeys that match the exclusions. Exclusions take precedence over inclusions. If you define both inclusions and exclusions, the path matches all directories, files, or registry keys that match the inclusions, except those that match exclusions.
Rely primarily on inclusions to refine paths, and try to limit the number of exclusions for cleaner watchlists and more predictable monitoring.
For general information about creating and working with watchlists, see Managing watched paths with watchlists.
Paths
A path is an absolute file or Windows registry path that provides the basis for determining directories, files, or registry keys that a watchlist defines. Without inclusions or exclusions defined, the path matches all files and subdirectories in a file path or all subkeys in a registry path. By default, a file path that specifies a directory includes subdirectories recursively, and a registry path that specifies a registry key includes subkeys recursively.
You can use a question mark (?) wildcard character to match any single character or an asterisk (*) wildcard character to match any number of any characters. In a path, you can use wildcard characters within a directory, file, or registry key name, but you cannot use wildcard characters to match path separators or specify multiple directory or subkey levels.
File paths
A file path specifies a directory or file. If you specify a root directory, you must include the slash. For example: D:\.
Example path and explanation | Examples of watched directories and files |
---|---|
Path (Windows): <br>A path that specifies a directory without using wildcards matches that directory itself, as well as all files in that directory, and all subdirectories and files recursively. | Examples of watched directories and files (without inclusions or exclusions defined): C:\Program Files\ <br>Examples of directories that are not watched (when only this path is specified): C:\Program Files (x86)\ |
Path (Windows): <br>On Windows, you can use the ? wildcard character to specify the drive letter and watch a specific directory regardless of which drive it is on. In this example, the path matches the Program Files directory on any drive. | Examples of watched directories and files (without inclusions or exclusions defined): C:\Program Files\ <br>Examples of directories that are not watched (when only this path is specified): C:\Program Files (x86)\ |
Path (Unix): <br>The * wildcard character represents zero or more characters within the directory name, but it does not match path separators. | Examples of watched directories and files (without inclusions or exclusions defined): /a/b/c/ <br>Examples of directories and files that are not watched (when only this path is specified): /a/b/ |
Registry paths
A registry path specifies a Windows registry key.
To specifically record registry rename operations on an endpoint, or to specifically record modifications to individual registry values on an endpoint, you must enable the Collect process and user attribution information setting in the monitor that you deploy to that endpoint. For more information, see Create or edit a monitor.
If you disable this setting, Integrity Monitor does not return modifications to registry values as events. Create and delete operations are still recorded for individual registry values, regardless of this setting.
Determining watched subkeys
A path matches all subkeys recursively under a key or keys that are specified by the path. For example, if you specify the path HKEY_LOCAL_MACHINE\a, then the path matches all subkeys of the a key (such as HKEY_LOCAL_MACHINE\a\x, HKEY_LOCAL_MACHINE\a\x\y, and HKEY_LOCAL_MACHINE\a\z), unless you otherwise exclude them. If the Collect process and user attribution information setting is enabled in the monitor that you deploy to that endpoint, all values of matching subkeys are watched.
You cannot monitor an entire subtree, such as HKEY_LOCAL_MACHINE, and you cannot specify individual values within a key.
Using an abbreviation for a subtree
You can use the abbreviation for the subtree in a path. Integrity Monitor expands the subtree name when you save your changes. For example, you can enter the path HKLM\MyKey, which is saved as HKEY_LOCAL_MACHINE\MyKey.
Subtree name | Abbreviation |
---|---|
HKEY_LOCAL_MACHINE | HKLM |
HKEY_USERS | HKU |
Using the HKEY_CURRENT_USER subtree in a path
When you add a path in the HKEY_CURRENT_USER subtree, such as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy, Integrity Monitor changes the HKEY_CURRENT_USER subtree in the path to HKEY_USERS\* when you save your changes (for example, HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Group Policy). Because the Tanium Client uses the SYSTEM account, the HKEY_CURRENT_USER subtree applies to the SYSTEM account rather than the user account that is currently signed in to Windows. Using HKEY_USERS\* instead lets Integrity Monitor record events for all users, including the user account that is currently signed in to Windows.
Using a redirected registry key in a path
For 64-bit Windows, the registry redirector maps some keys, such as HKEY_LOCAL_MACHINE\SOFTWARE\, to a WOW6432Node subkey (for example, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node) for use by 32-bit applications. When you add key paths that are redirected under WOW64, the watchlist does not automatically include the parallel key paths under the WOW6432Node keys. If you want to monitor keys under these paths, you must enter them separately.
Example path and explanation | Examples of watched subkeys |
---|---|
Path (registry): <br>The * wildcard character represents zero or more characters within a key name, but it does not match path separators. | Examples of watched subkeys (without inclusions or exclusions defined): HKEY_LOCAL_MACHINE\a\b\c\ <br>Examples of subkeys that are not watched (when only this path is specified): HKEY_LOCAL_MACHINE\a\ |
Path inclusions
If you define path inclusions, the path matches only subdirectories, files, or registry subkeys that match the inclusions. When you specify an inclusion with no wildcards, it limits the path to a specific subdirectory, file, or registry subkey that matches the path together with the inclusion. In an inclusion, you can use an asterisk wildcard character (*) to match a string of characters within a directory, file, or registry key name, or you can use two asterisks together (**) to include path separators (and therefore multiple directory or subkey levels) in the match.
File path inclusions
File path inclusions refine a file path to match a subset of the subdirectories and files that match the file path itself.
Example path, inclusion, and explanation | Examples of watched directories and files |
---|---|
Path (Unix): <br>Inclusion: <br>Because this example does not use wildcard characters in the inclusion, the path matches only the single subdirectory, non-recursively. | Watched directory (without exclusions defined): /mypath/test/ <br>Examples of directories and files that are not watched (when only this path and inclusion are specified): /mypath/test.txt |
Path (Unix): <br>Inclusion: <br>Because this example uses a single * wildcard character at the end of the inclusion, the path matches any combination of valid path characters at the end of /mypath/test, but not directory separators. | Examples of watched directories and files (without exclusions defined): /mypath/test/ <br>Examples of directories and files that are not watched (when only this path and inclusion are specified): /mypath/test/mydir/myfile.txt |
Path (Unix): <br>Inclusion: <br>Because this example uses two * wildcard characters at the end of the inclusion, the path matches any combination of directory separators and valid path characters at the end of /mypath/test. | Examples of watched directories and files (without exclusions defined): /mypath/test/ <br>Examples of directories and files that are not watched (when only this path and inclusion are specified): /mypath/mydir1/test/ |
Path (Unix): <br>Inclusion: <br>Because this example uses a single * wildcard character at the beginning of the inclusion, the path matches any combination of valid path characters after /mypath that end with test, but not directory separators. | Examples of watched directories and files (without exclusions defined): /mypath/test/ <br>Examples of directories and files that are not watched (when only this path and inclusion are specified): /mypath/mydir1/mydir2/test/ |
Path (Unix): <br>Inclusion: <br>Because this example uses two * wildcard characters at the beginning of the inclusion, the path matches any combination of directory separators and valid path characters after /mypath that end with test. | Examples of watched directories and files (without exclusions defined): /mypath/test/ <br>Examples of directories and files that are not watched (when only this path and inclusion are specified): /mypath/myfile.txt |
Path (Unix): <br>Inclusion: <br>Because this example uses a ? wildcard character at the end of the inclusion, the path matches any directories and files after /mypath that match test plus one additional character. | Examples of watched directories (without exclusions defined): /mypath/test1/ <br>Though a trailing path separator (/) is shown here to denote a directory, it is not included as part of the match for the ? wildcard character in the inclusion. <br>Examples of directories and files that are not watched (when only this path and inclusion are specified): /mypath/test/ |
Path (Unix): <br>Inclusion: <br>This example uses an inclusion with a path separator to specify that a matching file or directory must be in a directory that is at least one directory level below the path. The file or directory must end with .log but can otherwise include any combination of characters. | Examples of watched files (without exclusions defined): /mypath/mydir1/mylog.log <br>Examples of directories and files that are not watched (when only this path and inclusion are specified): /mypath/mylog.log |
Registry path inclusions
Registry path inclusions refine a registry path to match a subset of the subkeys that match the registry path itself. Inclusions do not restrict value names; all values of matching keys are still watched.
Example path, inclusion, and explanation | Examples of watched subkeys |
---|---|
Path (registry): <br>Inclusion: <br>Because this example does not use wildcard characters in the inclusion, the path matches only the single subkey, non-recursively. | Watched subkey (without exclusions defined): HKEY_LOCAL_MACHINE\MyKey\test\ <br>Examples of subkeys that are not watched (when only this path and inclusion are specified): HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test\ |
Path (registry): <br>Inclusion: <br>Because this example uses a single * wildcard character at the end of the subkey inclusion, the path matches any combination of valid path characters at the end of HKEY_LOCAL_MACHINE\MyKey, but not path separators. | Examples of watched subkeys (without exclusions defined): HKEY_LOCAL_MACHINE\MyKey\test\ <br>Examples of subkeys that are not watched (when only this path and inclusion are specified): HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\ |
Path (registry): <br>Inclusion: <br>Because this example uses two * wildcard characters at the end of the subkey inclusion, the path matches any combination of path separators and valid path characters at the end of HKEY_LOCAL_MACHINE\MyKey. | Examples of watched subkeys (without exclusions defined): HKEY_LOCAL_MACHINE\MyKey\test\ <br>Examples of subkeys that are not watched (when only this path and inclusion are specified): HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test\ |
Path (registry): <br>Inclusion: <br>Because this example uses a single * wildcard character at the beginning of the inclusion, the path matches any combination of valid path characters after HKEY_LOCAL_MACHINE\MyKey that end with test, but not path separators. | Examples of watched subkeys (without exclusions defined): HKEY_LOCAL_MACHINE\MyKey\test\ <br>Examples of subkeys that are not watched (when only this path and inclusion are specified): HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\ |
Path (registry): <br>Inclusion: <br>Because this example uses two * wildcard characters at the beginning of the inclusion, the path matches any combination of path separators and valid path characters after HKEY_LOCAL_MACHINE\MyKey that end with test. | Examples of watched subkeys (without exclusions defined): HKEY_LOCAL_MACHINE\MyKey\test\ <br>Examples of subkeys that are not watched (when only this path and inclusion are specified): HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test\ |
Path exclusions
If you define path exclusions, the path does not match subdirectories, files, or registry subkeys that match the exclusions. When you specify an exclusion with no wildcards, it excludes a specific subdirectory, file, or registry subkey that matches the path together with the exclusion. In an exclusion, you can use an asterisk wildcard character (*) to match a string of characters within a directory, file, or registry key name, or you can use two asterisks together (**) to include path separators (and therefore multiple directory or subkey levels) in the match. Keep in mind that when you exclude a particular directory using a single asterisk (*), the subdirectories of that directory are still watched.
File path exclusions
File path exclusions define subdirectories or files within a path that are excluded from matching the path.
Example path, exclusion, and explanation | Examples of excluded directories and files |
---|---|
Path (Unix): <br>Exclusion: <br>This example does not use wildcard characters, so it excludes only a single directory. | Example excluded directory: /mypath/test/ <br>Examples of directories and files that are still watched: /mypath/test.txt |
Path (Windows): <br>Exclusion: <br>Because this exclusion begins with the characters *\, it excludes directories with the name logs that are exactly two levels below the System32 directory. | Example excluded directories: C:\Windows\System32\script\Logs\ <br>Examples of directories that are still watched: C:\Windows\System32\ |
Path (Windows): <br>Exclusion: <br>Because this exclusion begins with the characters **\, it excludes directories with the name logs that are at least two levels below the System32 directory. | Example excluded directories: C:\Windows\System32\script\Logs\ <br>Examples of directories that are still watched: C:\Windows\System32\ |
Path (Unix): <br>Exclusion: <br>When you specify a single * wildcard as the entire exclusion, it excludes subdirectories at the first level but still watches subdirectories at lower levels. | Example excluded directories: /mypath/test/ <br>Watched directories: /mypath/ |
Path (Unix): <br>Exclusion: <br>When you specify two * wildcard characters as the entire exclusion, it restricts the path to only the exact directory that you specify. | Example excluded directories: /mypath/test/ <br>Watched directory: /mypath/ |
Registry path exclusions
Registry path exclusions define subkeys within a path that are excluded from matching the path. Exclusions do not apply to value names; all values of matching keys that are not excluded are still watched.
Example path, exclusion, and explanation | Examples of excluded subkeys |
---|---|
Path (registry): <br>Exclusion: <br>This example does not use wildcard characters, so it excludes only a single subkey, non-recursively. | Excluded subkey: HKEY_LOCAL_MACHINE\MyKey\test\ <br>Examples of subkeys that are not excluded: HKEY_LOCAL_MACHINE\MyKey\ |
Path (registry): <br>Exclusion: <br>This example uses a single * wildcard character at the end of the exclusion. It excludes any combination of valid path characters at the end of HKEY_LOCAL_MACHINE\MyKey\test, but it does not match path separators. | Examples of excluded subkeys: HKEY_LOCAL_MACHINE\MyKey\test\ <br>Examples of subkeys that are not excluded: HKEY_LOCAL_MACHINE\MyKey\test\AnySubkey\ |
Path (registry): <br>Exclusion: <br>This example uses two * wildcard characters at the end of the exclusion. It excludes any combination of path separators and valid path characters at the end of HKEY_LOCAL_MACHINE\MyKey\test. | Examples of excluded subkeys: HKEY_LOCAL_MACHINE\MyKey\test\ <br>Examples of subkeys that are not excluded: HKEY_LOCAL_MACHINE\MyKey\SomeSubkey\AnotherLevel\ |
Path (registry): <br>Exclusion: <br>This example demonstrates the pattern you can use to limit the number of levels watched. This example limits the path to matching one subkey level. You can use another \** character combination in the exclusion for each level you want to exclude. For example, to monitor two levels of subkeys under the specified path, add the exclusion **\**\** instead. | Examples of excluded subkeys: HKEY_LOCAL_MACHINE\MyKey\SomeSubkey\AnotherLevel\ <br>Examples of subkeys that are not excluded: HKEY_LOCAL_MACHINE\MyKey\ |
Path inclusions and exclusions used together
Exclusions take precedence over inclusions. If you define both inclusions and exclusions, the path matches all directories, files, or registry keys that match the inclusions, except those that match exclusions.
Example path, inclusion, exclusion, and explanation | Examples of watched directories and files |
---|---|
Path (Unix): <br>Inclusion: <br>Exclusion: <br>The inclusion specifies files and directories within the /mypath/mydir subdirectory, and the exclusion keeps any files with the log extension within this directory structure from being watched. | Example watched directories and files: /mypath/mydir/myfile.txt <br>Examples of directories and files that are not watched: /mypath/someotherdir/ |
Path (Windows): <br>Inclusion: <br>Exclusion: <br>The inclusion with a trailing wildcard character is paired with a matching exclusion ending in **\** to end the recursion at a specified depth. If you want to monitor files in subdirectories with depth n, add n+1 pairs of asterisks (**) separated by path separators (\ or /, depending on the target endpoint operating system). | Example watched files: C:\Windows\System32\ARP.exe <br>Examples of files that are not watched: C:\Windows\System32\drivers\acpi.sys |
Example path, inclusion, exclusion, and explanation | Examples of watched subkeys |
---|---|
Path (registry): <br>Inclusion: <br>Exclusion: <br>The inclusion specifies any subkey that begins with Test within the MyKey key, but the exclusion keeps any subkey that begins with TestTwo from being watched. | Example watched subkeys: HKEY_LOCAL_MACHINE\MyKey\Test\ <br>Examples of subkeys that are not watched: HKEY_LOCAL_MACHINE\MyKey\TestTwo\ |
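The matching rules this page describes (a path that may itself carry * or ?, inclusions and exclusions where * stops at a separator, ** crosses levels, ? matches one character, exclusions beat inclusions, and the **\** pattern that caps recursion depth) can be modelled and checked against the table examples above. The following Python is an added example written for this page, not Tanium's own implementation; the names glob_body, is_watched and depth_limit_exclusion are its own, and it assumes Windows paths compare case-insensitively and that trailing separators are not part of a match.

```python
import re

# Added example, not Tanium's own code: a model of the watchlist matching rules
# described on this page, so the table examples can be checked mechanically.
# Assumptions: the part of a candidate path after the watchlist path is tested
# against inclusions and exclusions; trailing separators are ignored; Windows
# paths (backslash separator) compare case-insensitively.

def glob_body(pattern: str, sep: str) -> str:
    """Regex body for a path/inclusion/exclusion pattern:
    ** = any characters including separators (multiple levels),
    *  = any characters within one name (no separator), ? = one such char."""
    not_sep = "[^" + re.escape(sep) + "]"
    body, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            body.append(".*")
            i += 2
        elif pattern[i] == "*":
            body.append(not_sep + "*")
            i += 1
        elif pattern[i] == "?":
            body.append(not_sep)
            i += 1
        else:
            body.append(re.escape(pattern[i]))
            i += 1
    return "".join(body)

def is_watched(path, candidate, inclusions=(), exclusions=(), sep="/"):
    """True if candidate is matched by path refined with inclusions/exclusions.
    Exclusions take precedence; with no inclusions everything under path matches."""
    flags = re.IGNORECASE if sep == "\\" else 0
    base, cand = path.rstrip(sep), candidate.rstrip(sep)
    # The path itself may use * or ?; what follows the next separator is the
    # relative part that inclusions and exclusions are tested against.
    m = re.fullmatch(glob_body(base, sep) + "(?:" + re.escape(sep) + "(.*))?",
                     cand, flags)
    if not m:
        return False
    rel = m.group(1)
    if not rel:
        return True  # the watched directory or key itself is always matched
    hit = lambda pats: any(re.fullmatch(glob_body(p, sep), rel, flags) for p in pats)
    if hit(exclusions):
        return False
    return hit(inclusions) if inclusions else True

def depth_limit_exclusion(levels: int, sep: str = "/") -> str:
    """Exclusion that stops recursion after `levels` levels below the path:
    levels + 1 copies of ** joined by separators, as the page describes."""
    return sep.join(["**"] * (levels + 1))
```

Each row in the tables above corresponds to one call of is_watched with the row's path, inclusion or exclusion, and the listed watched and not-watched examples.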
Last updated: 8/30/2023 1:20 PM