Reference: Watchlist paths, inclusions, and exclusions

Add paths to a watchlist to determine the files, directories, and Windows registry paths that are monitored. You can refine the paths in a watchlist by adding path inclusions or path exclusions.

Rely primarily on inclusions, and try to limit the number of exclusions for cleaner watchlists and more predictable monitoring.

For general information about creating and working with watchlists, see Configuring watchlists.

Paths

You can use wildcard characters within a directory, file, registry key, or registry value name in a path. You cannot use wildcard characters to specify path separators, multiple directories, or multiple key levels. (This usage differs from wildcard character usage in path inclusions or exclusions.) Without inclusions or exclusions defined, all files and directories in a file path, or all keys and values in a registry path, are monitored for the configured change types.

File path examples

File path example 1

You can add a path with a ? wildcard character for any single character in the path. On Windows, you can use this wildcard character to specify that a specific folder should be watched, regardless of which drive it is on. If you add the path ?:\Program Files, the following directories are watched:

C:\Program Files
D:\Program Files
...

File path example 2

When used in a path, the * wildcard character can be used within a folder or file name, but cannot be used to specify multiple directory levels. For example, if you define the path /a/b*/c, the following files and directories are watched:

/a/b/c
/a/b/c/myfile.txt
/a/bin/c
/a/bin/c/myfile.txt
/a/b/c/d/myfile.txt

With only this path specified, the following files and directories are not watched:

/a/b
/a/b/c.txt
/a/b/d/c

Registry path examples

Considerations for registry paths

Determining watched subkeys and values

All subkeys and values under a key or keys specified by the path are included by default. For example, if you specify the path HKEY_LOCAL_MACHINE\a, then all values of the a key, all subkeys of the a key (such as HKEY_LOCAL_MACHINE\a\x, HKEY_LOCAL_MACHINE\a\y, and HKEY_LOCAL_MACHINE\a\z), and all values of those subkeys are also watched, unless you otherwise exclude them.

You cannot monitor an entire subtree, such as HKEY_LOCAL_MACHINE.

Specifying a value

To specify a value under a registry key, use a double-backslash separator (\\). For example, to specify the path to the Start value under the TermService key, enter HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\\Start. If you specify a value, then only the value is watched, not the key specified in the path or any subkeys.

To specify the default value of a registry key, include only the double-backslash separator (\\), and no value name. For example, to specify the default value of the IEXPLORE.EXE key, enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE\\.

Also keep in mind that value names can contain backslashes. Any backslashes included in the path after a double-backslash are interpreted as part of the value name. For example, the path HKEY_LOCAL_MACHINE\MyKey\\\My\Value specifies the value name \My\Value under the HKEY_LOCAL_MACHINE\MyKey key.

Using an abbreviation for a subtree

You can use the abbreviation for the subtree in a path. The subtree name is expanded when you save your changes. For example, you can enter the path HKLM\MyKey, which is saved as HKEY_LOCAL_MACHINE\MyKey.

Subtree name          Abbreviation
HKEY_CLASSES_ROOT     HKCR
HKEY_CURRENT_USER     HKCU
HKEY_LOCAL_MACHINE    HKLM
HKEY_USERS            HKU
HKEY_CURRENT_CONFIG   HKCC

Using the HKEY_CURRENT_USER subtree in a path

When you add a path in the HKEY_CURRENT_USER subtree, such as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy, the HKEY_CURRENT_USER subtree in the path is changed to HKEY_USERS\* when you save your changes (for example, HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Group Policy). Because the Tanium Client uses the SYSTEM account, the HKEY_CURRENT_USER subtree applies to the SYSTEM account rather than the end user. Using HKEY_USERS\* instead lets Integrity Monitor record events for all users, including the end user currently logged into Windows.

Using a redirected registry key in a path

For 64-bit Windows, some registry keys, such as HKEY_LOCAL_MACHINE\SOFTWARE\, are redirected to a WOW6432Node subkey (for example, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node) for use by 32-bit applications. When you add key paths that are redirected under WOW64, the parallel key paths under the WOW6432Node keys are not automatically watched. If you want to monitor keys under these paths, you must enter them separately.
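As an added example that is not part of this reference or of Integrity Monitor, the following Python helpers apply the registry-path rules above to a path as a user would type it: splitting the key from the value name at the first double backslash, expanding subtree abbreviations, rewriting HKEY_CURRENT_USER to HKEY_USERS\*, and producing the WOW6432Node path that must be added separately. The function names, and the list of redirected keys (only HKEY_LOCAL_MACHINE\SOFTWARE), are assumptions made for illustration.

```python
# Added example (not Tanium's code): helpers that apply the registry-path
# rules described on this page to watchlist entries typed by a user.
KEY_SEP = "\\"        # one literal backslash between key levels
VALUE_SEP = "\\\\"    # two literal backslashes before a value name

ABBREVIATIONS = {
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKCU": "HKEY_CURRENT_USER",
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG",
}
# Assumption: only the key named on the page. Which keys WOW64 really
# redirects is decided by Windows, so treat this list as a reminder.
REDIRECTED_ROOTS = (r"HKEY_LOCAL_MACHINE\SOFTWARE",)


def split_registry_path(path):
    """Split a watchlist registry path into (key, value_name).

    The first double backslash separates key from value name; every
    backslash after it belongs to the value name. value_name is None for
    a key-only path and "" when the path names the key's default value.
    """
    key, sep, value = path.partition(VALUE_SEP)
    return (key, value) if sep else (key, None)


def normalize_registry_path(path):
    """Return the path as it is stored when the watchlist is saved: the
    subtree abbreviation expanded and HKEY_CURRENT_USER rewritten to
    HKEY_USERS\\* so every user's hive is watched, not only SYSTEM's."""
    key, value = split_registry_path(path)
    root, _, rest = key.partition(KEY_SEP)
    root = ABBREVIATIONS.get(root.upper(), root.upper())
    if not rest:
        raise ValueError("an entire subtree such as %s cannot be monitored" % root)
    if root == "HKEY_CURRENT_USER":
        root = r"HKEY_USERS\*"
    key = root + KEY_SEP + rest
    return key if value is None else key + VALUE_SEP + value


def wow64_parallel_path(path):
    """Path under WOW6432Node that has to be added separately on 64-bit
    Windows to watch the 32-bit view too; None if the key is not redirected."""
    key, value = split_registry_path(normalize_registry_path(path))
    if "WOW6432NODE" in key.upper():
        return None  # already the 32-bit view
    for redirected in REDIRECTED_ROOTS:
        if key.upper().startswith(redirected.upper() + KEY_SEP):
            parallel = redirected + r"\WOW6432Node" + key[len(redirected):]
            return parallel if value is None else parallel + VALUE_SEP + value
    return None
```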

Registry path example 1

If you define the path HKEY_LOCAL_MACHINE\a\b*\c, the following keys and values are watched:

HKEY_LOCAL_MACHINE\a\b\c
HKEY_LOCAL_MACHINE\a\b\c\\(Default)
HKEY_LOCAL_MACHINE\a\b\c\\MyValue
HKEY_LOCAL_MACHINE\a\b\c\\AnotherValue
HKEY_LOCAL_MACHINE\a\BCD00000000\c\
HKEY_LOCAL_MACHINE\a\BCD00000000\c\\MyValue
HKEY_LOCAL_MACHINE\a\b\c\d
HKEY_LOCAL_MACHINE\a\b\c\d\\MyValue
HKEY_LOCAL_MACHINE\a\BCD00000000\c\d\
HKEY_LOCAL_MACHINE\a\BCD00000000\c\d\\MyValue

With only this path specified, the following keys and values are not watched:

HKEY_LOCAL_MACHINE\a\
HKEY_LOCAL_MACHINE\a\b\\MyValue
HKEY_LOCAL_MACHINE\a\b\d\c

Registry path example 2

You can include a value in the path, using wildcard characters in the same way, but subkeys are not watched in this case. For example, if you define the path HKEY_LOCAL_MACHINE\a\b*\c\\*Value, the following keys and values are watched:

HKEY_LOCAL_MACHINE\a\b\c\\Value
HKEY_LOCAL_MACHINE\a\b\c\\MyValue
HKEY_LOCAL_MACHINE\a\b\c\\AnotherValue
HKEY_LOCAL_MACHINE\a\BCD00000000\c\\MyValue
HKEY_LOCAL_MACHINE\a\BCD00000000\c\\AnotherValue

With only this path specified, the following keys and values are not watched:

HKEY_LOCAL_MACHINE\a\
HKEY_LOCAL_MACHINE\a\b\\MyValue
HKEY_LOCAL_MACHINE\a\b\c
HKEY_LOCAL_MACHINE\a\b\d\c\\MyValue
HKEY_LOCAL_MACHINE\a\b\c\d
HKEY_LOCAL_MACHINE\a\b\c\d\\MyValue

Path inclusions

If you define path inclusions, only directories, files, registry keys, or registry values that match the inclusions are monitored.

File path inclusion examples

File path example 1

If you add the path /mypath and you add a path inclusion, test, the following directory is watched:

/mypath/test

With only this path and inclusion combination specified, these files and directories are not watched:

/mypath/test.txt
/mypath/test1
/mypath/test/myfile.txt
/mypath/mydir/test
/myotherpath/test

This example does not use wildcard characters in the inclusion, so only the single included directory is watched, non-recursively.

File path example 2

If you add the path /mypath and you add a path inclusion, test*, the following directories and files are watched:

/mypath/test
/mypath/test.txt
/mypath/test1
/mypath/test/myfile.txt
/mypath/test/mydir/myfile.txt

With only this path and inclusion combination specified, this file is not watched:

/mypath/myfile.txt

This example uses a * wildcard character at the end of the inclusion. The watchlist includes any combination of directory separators and valid path characters at the end of /mypath/test.

File path example 3

If you add the path /mypath and you add a path inclusion, *test, the following directories and files are watched:

/mypath/test
/mypath/mydir1/mydir2/test
/mypath/Xtest
/mypath/mydir1/mydir2/Xtest
/mypath/myfile.test

This example uses a wildcard character (*) at the beginning of the inclusion. The watchlist includes any combination of directory separators and valid path characters after /mypath that end with test.

File path example 4

If you add the path /mypath and you add a path inclusion, test?, the following directory is watched:

/mypath/test1

With only this path and inclusion combination specified, these files and directories are not watched:

/mypath/test
/mypath/test.txt

This example uses a ? wildcard character at the end of the inclusion. Because ? matches exactly one character, the watchlist includes entries under /mypath whose name is test followed by one additional character.

File path example 5

If you add the path /mypath and you add a path inclusion, */*.log, the following files are watched:

/mypath/mydir/mylog.log
/mypath/mydir/mysubdir/mylog.log

With only this path and inclusion combination specified, this file is not watched:

/mypath/mylog.log

This example defines an inclusion in which the matching file or directory must be in a directory that is at least one directory level below the path.

Registry path inclusion examples

Considerations for registry paths

For registry paths, you can use both subkeys and values in inclusions.

If you specify a key name with no wildcard character, then values of that key are included, but subkeys are not. If you specify a * wildcard character at the end of the key name, then subkeys and their values are also included.

You must specify inclusions for value names using the double-backslash separator (\\). Any inclusions you specify without a double-backslash (including those with wildcard characters) are only applied to the key portion of the path.

Registry path example 1

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add a path inclusion, test, the following keys and values are watched:

HKEY_LOCAL_MACHINE\MyKey\test
HKEY_LOCAL_MACHINE\MyKey\test\\SomeValue
HKEY_LOCAL_MACHINE\MyKey\test\\AnotherValue

With only this path and inclusion combination specified, these keys and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\\AnyValue

This example does not use wildcard characters in the inclusion, so only the single included key and its values are watched, non-recursively.

Registry path example 2

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add path inclusions, \\MyValue and test, the following keys and values are watched:

HKEY_LOCAL_MACHINE\MyKey\\MyValue
HKEY_LOCAL_MACHINE\MyKey\test
HKEY_LOCAL_MACHINE\MyKey\test\\AnyValue

With only this path and inclusion combination specified, these keys and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\\MyValue
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\\AnotherValue

This example uses both a key and a value as inclusions. The watchlist includes the test subkey and all its values but only the MyValue value for the MyKey key.

Registry path example 3

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add a path inclusion, test\\*Value, the following keys and values are watched:

HKEY_LOCAL_MACHINE\MyKey\test\\MyValue
HKEY_LOCAL_MACHINE\MyKey\test\\AnotherValue

With only this path and inclusion combination specified, these keys and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\\MyValue
HKEY_LOCAL_MACHINE\MyKey\test\\MyName
HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test\\MyValue

This example uses both a key and a value in the same inclusion. The watchlist includes values that match *Value under the test subkey.

Registry path example 4

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add path inclusions, \\MyValue and test*, the following keys and values are watched:

HKEY_LOCAL_MACHINE\MyKey\\MyValue
HKEY_LOCAL_MACHINE\MyKey\test
HKEY_LOCAL_MACHINE\MyKey\test\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\\MyValue
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\\AnotherValue

With only this path and inclusion combination specified, these keys and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test
HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test\\AnyValue

This example uses a * wildcard character at the end of the inclusion. The watchlist includes any combination of path separators and valid path characters at the end of HKEY_LOCAL_MACHINE\MyKey\test.

Registry path example 5

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add a path inclusion, *test, the following keys are watched:

HKEY_LOCAL_MACHINE\MyKey\test
HKEY_LOCAL_MACHINE\MyKey\x\y\test
HKEY_LOCAL_MACHINE\MyKey\mytest
HKEY_LOCAL_MACHINE\MyKey\x\y\mytest

With only this path and inclusion combination specified, this value is not watched:

HKEY_LOCAL_MACHINE\MyKey\x\y\\valuetest

This example uses a * wildcard character at the beginning of the inclusion. The watchlist includes any combination of key separators and valid path characters after HKEY_LOCAL_MACHINE\MyKey that end with test, but the inclusion is not applied to value names.

Path exclusions

If you define path exclusions, directories, files, registry keys, and registry values that match the exclusions are not monitored.

File path exclusion examples

File path example 1

If you add the path /mypath and you add a path exclusion, test, the following directory is not watched:

/mypath/test

With only this path and exclusion specified, these files and directories are watched because they are not excluded:

/mypath/test.txt
/mypath/test1
/mypath/test1/myfile.txt
/mypath/mydir/test

This example does not use wildcard characters, so only a single directory is excluded, non-recursively.

File path example 2

If you add the path /mypath and you add a path exclusion, *, only the exact path is watched. The following directories are not watched:

/mypath/test
/mypath/mydir

Registry path exclusion examples

Considerations for registry paths

For registry paths, you can use both subkeys and values in exclusions.

You must specify exclusions for value names using the double-backslash separator (\\). Any exclusions you specify without a double-backslash (including those with wildcard characters) are only applied to the key portion of the path.

Registry path example 1

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add a path exclusion, test, the following key and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\test
HKEY_LOCAL_MACHINE\MyKey\test\\AnyValue

With only this path and exclusion specified, these keys and values are watched because they are not excluded:

HKEY_LOCAL_MACHINE\MyKey
HKEY_LOCAL_MACHINE\MyKey\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\test1
HKEY_LOCAL_MACHINE\MyKey\test1\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\SomeSubkey\test

This example does not use wildcard characters, so only a single key is excluded, non-recursively.

Registry path example 2

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add a path exclusion, test*, the following key and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\test
HKEY_LOCAL_MACHINE\MyKey\test\AnySubkey
HKEY_LOCAL_MACHINE\MyKey\test\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\test1
HKEY_LOCAL_MACHINE\MyKey\test1\AnySubkey
HKEY_LOCAL_MACHINE\MyKey\test1\\AnyValue

This example uses a * wildcard character at the end of the exclusion. The watchlist excludes any combination of path separators and valid path characters at the end of HKEY_LOCAL_MACHINE\MyKey\test.

Registry path example 3

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add a path exclusion, *\*, the following keys and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\SomeSubkey\AnotherLevel
HKEY_LOCAL_MACHINE\MyKey\SomeSubkey\AnotherLevel\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\AnotherSubkey\AnotherLevel
HKEY_LOCAL_MACHINE\MyKey\AnotherSubkey\AnotherLevel\\AnyValue

With only this path and exclusion specified, these keys and values are watched because they are not excluded:

HKEY_LOCAL_MACHINE\MyKey
HKEY_LOCAL_MACHINE\MyKey\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\SomeSubkey
HKEY_LOCAL_MACHINE\MyKey\SomeSubkey\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\AnotherSubkey
HKEY_LOCAL_MACHINE\MyKey\AnotherSubkey\\AnyValue

This example demonstrates the pattern you can use to limit the number of levels watched. You can use another \* in the exclusion for each level you want to exclude. For example, to monitor two levels of subkeys under the specified path, add the exclusion *\*\* instead.

Path inclusions used with path exclusions

Exclusions take precedence over inclusions. If you define both inclusions and exclusions, all directories, files, registry keys, or registry values that match the inclusions are monitored, except those that match exclusions.

File path examples

File path example 1

If you add the path /mypath and you add a path inclusion, mydir/*, and a path exclusion, *.log, the following files and directories are watched:

/mypath/mydir/myfile.txt
/mypath/mydir/mysubdir/myscript.sh

With only this path, inclusion, and exclusion combination specified, the following file is not watched:

/mypath/mydir/myprogram.log

File path example 2

You can use this pairing to define a path inclusion, but limit its depth. This configuration is useful for directories that have many nested directories and files, such as the C:\Windows\System32 folder.

If you add the path C:\Windows and you add a path inclusion, System32\*, and a path exclusion, System32\*\*, the following file is watched:

C:\Windows\System32\wwapi.dll

With only this path, inclusion, and exclusion combination specified, this file is not watched:

C:\Windows\System32\WinMetadata\Windows.Data.winmd

This inclusion with a wildcard character is paired with an exclusion ending in *\* to end the recursion at a specified depth. If you want to monitor files in directories with depth n, add n+1 wildcard characters (*) separated by slashes (\ or /, depending on the target endpoint operating system).
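The matching rules that the inclusion-only, exclusion-only, and combined file path examples on this page describe, as an added Python model that is not Integrity Monitor's code: * spans directory separators, ? matches exactly one character, a pattern must match the whole path relative to the watchlist path (so a pattern without wildcards is non-recursive), and exclusions win over inclusions. The class and function names are assumptions, as is treating the watchlist path itself as always watched (consistent with the exclusion * example above).

```python
import re

# Added example (not Integrity Monitor's code): a model of how inclusions and
# exclusions select entries beneath a watchlist path, per this page's rules.


def pattern_to_regex(pattern):
    """Compile a watchlist pattern: * matches any run of characters, path
    separators included; ? matches exactly one character; all else literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


class Watchlist:
    def __init__(self, path, inclusions=(), exclusions=(), sep="/"):
        self.sep = sep
        self.path = path.rstrip(sep)
        self.inclusions = [pattern_to_regex(p) for p in inclusions]
        self.exclusions = [pattern_to_regex(p) for p in exclusions]

    def is_watched(self, candidate):
        """True if the entry at this full path is monitored."""
        # Assumption: the watchlist path itself is always watched, which is
        # what the exclusion "*" example describes ("only the exact path").
        if candidate == self.path:
            return True
        prefix = self.path + self.sep
        if not candidate.startswith(prefix):
            return False
        rel = candidate[len(prefix):]
        # Exclusions take precedence over inclusions.
        if any(rx.fullmatch(rel) for rx in self.exclusions):
            return False
        # No inclusions: everything under the path is watched. Otherwise the
        # relative path must match an inclusion as a whole (non-recursive).
        return not self.inclusions or any(rx.fullmatch(rel) for rx in self.inclusions)


def depth_limited(subdir, depth, sep="/"):
    """Inclusion/exclusion pair that watches `subdir` only `depth` levels deep,
    using the page's rule of n+1 wildcards separated by the path separator.
    Pass subdir="" to limit the depth of the watchlist path itself."""
    prefix = subdir + sep if subdir else ""
    return prefix + "*", prefix + sep.join(["*"] * (depth + 1))
```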

Registry path examples

Registry path example 1

If you add the path HKEY_LOCAL_MACHINE\MyKey, and you add a path inclusion, Test*, and a path exclusion, TestTwo*, the following keys and values are watched:

HKEY_LOCAL_MACHINE\MyKey\Test
HKEY_LOCAL_MACHINE\MyKey\Test\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\Test\AnySubkey
HKEY_LOCAL_MACHINE\MyKey\Test\AnySubkey\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\TestOne
HKEY_LOCAL_MACHINE\MyKey\TestOne\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\TestOne\AnySubkey
HKEY_LOCAL_MACHINE\MyKey\TestOne\AnySubkey\\AnyValue

With only this path, inclusion, and exclusion combination specified, these keys and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\TestTwo
HKEY_LOCAL_MACHINE\MyKey\TestTwo\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\TestTwo\AnySubkey
HKEY_LOCAL_MACHINE\MyKey\TestTwoThree

Registry path example 2

If you add the path HKEY_LOCAL_MACHINE\MyKey, and you add a path inclusion, Test\\MyValue*, and a path exclusion, Test\\MyValueName, the following values are watched:

HKEY_LOCAL_MACHINE\MyKey\Test\\MyValue
HKEY_LOCAL_MACHINE\MyKey\Test\\MyValueTest

With only this path, inclusion, and exclusion combination specified, this value is not watched:

HKEY_LOCAL_MACHINE\MyKey\Test\\MyValueName