Reference: Watchlist paths, inclusions, and exclusions

When you add paths to a watchlist, you can use wildcards and define path inclusions and exclusions to refine the list of files, directories, and/or registry values to watch.

Paths

When you define a path, you can use wildcards within a directory, file, registry key, or registry value name, but you cannot use them to specify multiple directory or key levels. This usage is different from wildcard usage in path inclusions or exclusions.

File path examples

File path example 1

You can add a path with a ? wildcard, which matches any single character in the path. On Windows, you can use this wildcard to specify that a specific folder should be watched, regardless of which drive it is on. If you add the path ?:\Program Files, the following directories are watched:

C:\Program Files
D:\Program Files
...

File path example 2

When used in a path, the * wildcard can be used within a folder or file name, but cannot be used to specify multiple directory levels. For example, if you define the path /a/b*/c, the following files and directories are watched:

/a/b/c
/a/b/c/myfile.txt
/a/bin/c
/a/bin/c/myfile.txt
/a/b/c/d/myfile.txt

With only this path specified, the following files and directories are not watched:

/a/b
/a/b/c.txt
/a/b/d/c

Special considerations for registry paths

All subkeys and values under a key or keys specified by the path are included by default. For example, if you specify the path HKEY_LOCAL_MACHINE\a, then all values of the a key, all subkeys of the a key (such as HKEY_LOCAL_MACHINE\a\x, HKEY_LOCAL_MACHINE\a\y, and HKEY_LOCAL_MACHINE\a\z), and all values of those subkeys are also watched, unless you otherwise exclude them.

To specify a value under a registry key, use a double-backslash separator (\\). For example, to specify the path to the Start value under the TermService key, enter HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\\Start. If you specify a value, then only the value is watched, not the key specified in the path or any subkeys.

To specify the default value of a registry key, include only the double-backslash separator (\\), and no value name. For example, to specify the default value of the IEXPLORE.EXE key, enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE\\.

Also keep in mind that value names can contain backslashes. Any backslashes included in the path after a double-backslash are interpreted as part of the value name. For example, the path HKEY_LOCAL_MACHINE\MyKey\\\My\Value specifies the value name \My\Value under the HKEY_LOCAL_MACHINE\MyKey key.

You can use the abbreviation for the subtree in a path. The subtree name is expanded when you save your changes. For example, you can enter the path HKLM\MyKey, which is saved as HKEY_LOCAL_MACHINE\MyKey.

Subtree name          Abbreviation
HKEY_CLASSES_ROOT     HKCR
HKEY_CURRENT_USER     HKCU
HKEY_LOCAL_MACHINE    HKLM
HKEY_USERS            HKU
HKEY_CURRENT_CONFIG   HKCC

When you add a path in the HKEY_CURRENT_USER subtree, such as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy, the HKEY_CURRENT_USER subtree in the path is changed to HKEY_USERS\* when you save your changes (for example, HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Group Policy). Because the Tanium Client uses the SYSTEM account, the HKEY_CURRENT_USER subtree applies to the SYSTEM account rather than the end user. Using HKEY_USERS\* instead lets Integrity Monitor record events for all users, including the end user currently logged into Windows.

For 64-bit Windows, some registry keys, such as HKEY_LOCAL_MACHINE\SOFTWARE\, are redirected to a WOW6432Node subkey (for example, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node) for use by 32-bit applications. When you add key paths that are redirected under WOW64, the parallel key paths under the WOW6432Node keys are not automatically watched. If you want to watch keys under these paths, you must enter them separately.

You cannot watch an entire subtree, such as HKEY_LOCAL_MACHINE.

Registry path examples

Registry path example 1

If you define the path HKEY_LOCAL_MACHINE\a\b*\c, the following keys and values are watched:

HKEY_LOCAL_MACHINE\a\b\c
HKEY_LOCAL_MACHINE\a\b\c\\(Default)
HKEY_LOCAL_MACHINE\a\b\c\\MyValue
HKEY_LOCAL_MACHINE\a\b\c\\AnotherValue
HKEY_LOCAL_MACHINE\a\BCD00000000\c\
HKEY_LOCAL_MACHINE\a\BCD00000000\c\\MyValue
HKEY_LOCAL_MACHINE\a\b\c\d
HKEY_LOCAL_MACHINE\a\b\c\d\\MyValue
HKEY_LOCAL_MACHINE\a\BCD00000000\c\d\
HKEY_LOCAL_MACHINE\a\BCD00000000\c\d\\MyValue

With only this path specified, the following keys and values are not watched:

HKEY_LOCAL_MACHINE\a\
HKEY_LOCAL_MACHINE\a\b\\MyValue
HKEY_LOCAL_MACHINE\a\b\d\c

Registry path example 2

You can include a value in the path, using wildcards in the same way, but subkeys are not watched in this case. For example, if you define the path HKEY_LOCAL_MACHINE\a\b*\c\\*Value, the following keys and values are watched:

HKEY_LOCAL_MACHINE\a\b\c\\Value
HKEY_LOCAL_MACHINE\a\b\c\\MyValue
HKEY_LOCAL_MACHINE\a\b\c\\AnotherValue
HKEY_LOCAL_MACHINE\a\BCD00000000\c\\MyValue
HKEY_LOCAL_MACHINE\a\BCD00000000\c\\AnotherValue

With only this path specified, the following keys and values are not watched:

HKEY_LOCAL_MACHINE\a\
HKEY_LOCAL_MACHINE\a\b\\MyValue
HKEY_LOCAL_MACHINE\a\b\c
HKEY_LOCAL_MACHINE\a\b\d\c\\MyValue
HKEY_LOCAL_MACHINE\a\b\c\d
HKEY_LOCAL_MACHINE\a\b\c\d\\MyValue


Path inclusions

If you define path inclusions, only files and directories in the file path, or keys and values in the registry path, that match the inclusion are monitored for the configured change types (create, write, delete, rename, or—for file paths only—permission). If you do not define any path inclusions, all files and directories in a file path or all keys and values in a registry path are watched for the configured change types.

File path inclusion examples

File path example 1

If you add the path /mypath and you add a path inclusion, test, the following directory is watched:

/mypath/test

With only this path and inclusion combination specified, these files and directories are not watched:

/mypath/test.txt
/mypath/test1
/mypath/test/myfile.txt
/mypath/mydir/test
/myotherpath/test

This example does not use wildcards in the inclusion, so only the single included directory is watched, non-recursively.

File path example 2

If you add the path /mypath and you add a path inclusion, test*, the following directories and files are watched:

/mypath/test
/mypath/test.txt
/mypath/test1
/mypath/test/myfile.txt
/mypath/test/mydir/myfile.txt

With only this path and inclusion combination specified, this file is not watched:

/mypath/myfile.txt

This example uses a wildcard (*) at the end of the inclusion. The watchlist includes any combination of directory separators and valid path characters at the end of /mypath/test.

File path example 3

If you add the path /mypath and you add a path inclusion, *test, the following directories and files are watched:

/mypath/test
/mypath/mydir1/mydir2/test
/mypath/Xtest
/mypath/mydir1/mydir2/Xtest
/mypath/myfile.test

This example uses a wildcard (*) at the beginning of the inclusion. The watchlist includes any combination of directory separators and valid path characters after /mypath that end with test.

File path example 4

If you add the path /mypath and you add a path inclusion, test?, the following directory is watched:

/mypath/test1

With only this path and inclusion combination specified, these files and directories are not watched:

/mypath/test
/mypath/test.txt

This example uses a one-character wildcard (?) at the end of the inclusion. The watchlist includes any combination of directories and paths after /mypath that end with test plus one additional character.

File path example 5

If you add the path /mypath and you add a path inclusion, */*.log, the following files are watched:

/mypath/mydir/mylog.log
/mypath/mydir/mysubdir/mylog.log

With only this path and inclusion combination specified, this file is not watched:

/mypath/mylog.log

This example defines an inclusion in which the matching file or directory must be in a directory that is at least one directory level below the path.

Special considerations for registry paths

For registry paths, you can use both subkeys and values in inclusions.

If you specify a key name with no wildcard, then values of that key are included, but subkeys are not. If you specify a * wildcard at the end of the key name, then subkeys and their values are also included.

You must specify inclusions for value names using the double-backslash separator (\\). Any inclusions you specify without a double-backslash (including those with wildcards) are only applied to the key portion of the path.

Registry path inclusion examples

Registry path example 1

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add a path inclusion, test, the following keys and values are watched:

HKEY_LOCAL_MACHINE\MyKey\test
HKEY_LOCAL_MACHINE\MyKey\test\\SomeValue
HKEY_LOCAL_MACHINE\MyKey\test\\AnotherValue

With only this path and inclusion combination specified, these keys and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\\AnyValue

This example does not use wildcards in the inclusion, so only the single included key and its values are watched, non-recursively.

Registry path example 2

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add path inclusions, \\MyValue and test, the following keys and values are watched:

HKEY_LOCAL_MACHINE\MyKey\\MyValue
HKEY_LOCAL_MACHINE\MyKey\test
HKEY_LOCAL_MACHINE\MyKey\test\\AnyValue

With only this path and inclusion combination specified, these keys and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\\MyValue
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\\AnotherValue

This example uses both a key and a value as inclusions. The watchlist includes the test subkey and all its values but only the MyValue value for the MyKey key.

Registry path example 3

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add a path inclusion, test\\*Value, the following keys and values are watched:

HKEY_LOCAL_MACHINE\MyKey\test\\MyValue
HKEY_LOCAL_MACHINE\MyKey\test\\AnotherValue

With only this path and inclusion combination specified, these keys and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\\MyValue
HKEY_LOCAL_MACHINE\MyKey\test\\MyName
HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test\\MyValue

This example uses both a key and a value in the same inclusion. The watchlist includes values that match *Value under the test subkey.

Registry path example 4

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add path inclusions, \\MyValue and test*, the following keys and values are watched:

HKEY_LOCAL_MACHINE\MyKey\\MyValue
HKEY_LOCAL_MACHINE\MyKey\test
HKEY_LOCAL_MACHINE\MyKey\test\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\\MyValue
HKEY_LOCAL_MACHINE\MyKey\test\AnotherKey\\AnotherValue

With only this path and inclusion combination specified, these keys and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test
HKEY_LOCAL_MACHINE\MyKey\AnotherKey\test\\AnyValue

This example uses a wildcard (*) at the end of the inclusion. The watchlist includes any combination of key separators and valid path characters at the end of HKEY_LOCAL_MACHINE\MyKey\test, plus the MyValue value of the MyKey key.

Registry path example 5

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add a path inclusion, *test, the following keys are watched:

HKEY_LOCAL_MACHINE\MyKey\test
HKEY_LOCAL_MACHINE\MyKey\x\y\test
HKEY_LOCAL_MACHINE\MyKey\mytest
HKEY_LOCAL_MACHINE\MyKey\x\y\mytest

With only this path and inclusion combination specified, this value is not watched:

HKEY_LOCAL_MACHINE\MyKey\x\y\\valuetest

This example uses a wildcard (*) at the beginning of the inclusion. The watchlist includes any combination of key separators and valid path characters after HKEY_LOCAL_MACHINE\MyKey that end with test, but the inclusion is not applied to value names.

Path exclusions

If you define path exclusions, files and directories in the file path or keys and values in the registry path that match the exclusion are not watched.

File path exclusion examples

File path example 1

If you add the path /mypath and you add a path exclusion, test, the following directory is not watched:

/mypath/test

With only this path and exclusion specified, these files and directories are watched because they are not excluded:

/mypath/test.txt
/mypath/test1
/mypath/test1/myfile.txt
/mypath/mydir/test

This example does not use wildcards, so only a single directory is excluded, non-recursively.

File path example 2

If you add the path /mypath and you add a path exclusion, *, only the exact path is watched. The following directories are not watched:

/mypath/test
/mypath/mydir

Special considerations for registry paths

For registry paths, you can use both subkeys and values in exclusions.

You must specify exclusions for value names using the double-backslash separator (\\). Any exclusions you specify without a double-backslash (including those with wildcards) are only applied to the key portion of the path.

Registry path exclusion examples

Registry path example 1

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add a path exclusion, test, the following key and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\test
HKEY_LOCAL_MACHINE\MyKey\test\\AnyValue

With only this path and exclusion specified, these keys and values are watched because they are not excluded:

HKEY_LOCAL_MACHINE\MyKey
HKEY_LOCAL_MACHINE\MyKey\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\test1
HKEY_LOCAL_MACHINE\MyKey\test1\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\SomeSubkey\test

This example does not use wildcards, so only a single key and its values are excluded, non-recursively.

Registry path example 2

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add a path exclusion, test*, the following key and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\test
HKEY_LOCAL_MACHINE\MyKey\test\AnySubkey
HKEY_LOCAL_MACHINE\MyKey\test\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\test1
HKEY_LOCAL_MACHINE\MyKey\test1\AnySubkey
HKEY_LOCAL_MACHINE\MyKey\test1\\AnyValue

This example uses a wildcard (*) at the end of the exclusion. The watchlist excludes any combination of key separators and valid path characters at the end of HKEY_LOCAL_MACHINE\MyKey\test.

Registry path example 3

If you add the path HKEY_LOCAL_MACHINE\MyKey and you add a path exclusion, *\*, the following keys and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\SomeSubkey\AnotherLevel
HKEY_LOCAL_MACHINE\MyKey\SomeSubkey\AnotherLevel\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\AnotherSubkey\AnotherLevel
HKEY_LOCAL_MACHINE\MyKey\AnotherSubkey\AnotherLevel\\AnyValue

With only this path and exclusion specified, these keys and values are watched because they are not excluded:

HKEY_LOCAL_MACHINE\MyKey
HKEY_LOCAL_MACHINE\MyKey\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\SomeSubkey
HKEY_LOCAL_MACHINE\MyKey\SomeSubkey\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\AnotherSubkey
HKEY_LOCAL_MACHINE\MyKey\AnotherSubkey\\AnyValue

This example demonstrates the pattern you can use to limit the number of levels watched. You can use another \* in the exclusion for each level you want to exclude. For example, to watch two levels of subkeys under the specified path, add the exclusion *\*\* instead.

Path inclusions used with path exclusions

If you define both, all files and directories in the file path or keys and values in the registry path are watched if they fall within one of the inclusion definitions for the path, unless they also fall within one of its exclusion definitions.

File path examples

File path example 1

If you add the path /mypath and you add a path inclusion, mydir/*, and a path exclusion, *.log, the following files and directories are watched:

/mypath/mydir/myfile.txt
/mypath/mydir/mysubdir/myscript.sh

With only these inclusions and exclusions specified, the following file is not watched:

/mypath/mydir/myprogram.log

File path example 2

You can use this pairing to define a path inclusion, but limit its depth. This configuration is useful for directories that have many nested directories and files, such as the C:\Windows\System32 folder.

If you add the path C:\Windows and you add a path inclusion, System32\*, and a path exclusion, System32\*\*, the following file is watched:

C:\Windows\System32\wwapi.dll

With only these inclusions and exclusions specified, this file is not watched, because it sits one directory level deeper:

C:\Windows\System32\WinMetadata\Windows.Data.winmd

This inclusion with a wildcard is paired with an exclusion ending in *\* to end the recursion at a specified depth. If you want to watch files in directories with depth n, add n+1 wildcards (*) separated by slashes (\ or /, depending on the target endpoint operating system).
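To make the file path rules above concrete, here is an added Python matcher (example code written for this page, not part of Integrity Monitor) that checks a candidate path against a watchlist path, its inclusions and its exclusions using the semantics described in the file path sections: wildcards in the path stay within one component, while * in inclusions and exclusions spans separators. It assumes that ? in an inclusion or exclusion matches any one character and that the path root itself is watched only when no inclusions are defined; registry paths and their \\ value separator are not handled.

```python
import re
from fnmatch import fnmatchcase


def _norm(p):
    # Treat Windows and POSIX separators alike; file names never contain "\"
    return p.replace("\\", "/").rstrip("/")


def _glob_re(pattern):
    # Inclusion/exclusion wildcards: "*" spans any characters, separators
    # included; "?" matches exactly one character (assumption for this example)
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(body + r"\Z")


def path_matches(path, candidate):
    """Return the remainder of candidate below the watchlist path, or None.

    Wildcards in the path apply within one directory component and never
    span directory levels, so each component is matched separately.
    """
    pparts = _norm(path).split("/")
    cparts = _norm(candidate).split("/")
    if len(cparts) < len(pparts):
        return None
    if not all(fnmatchcase(c, p) for c, p in zip(cparts, pparts)):
        return None
    return "/".join(cparts[len(pparts):])


def is_watched(path, candidate, inclusions=(), exclusions=()):
    """Apply the watchlist rules: the candidate must lie under the path; if
    inclusions exist its remainder must match one; a matching exclusion wins."""
    rel = path_matches(path, candidate)
    if rel is None:
        return False
    if rel == "":
        # The watched path itself (assumption): kept unless inclusions narrow
        # the path; exclusions such as "*" never remove it
        return not inclusions
    if inclusions and not any(_glob_re(_norm(i)).match(rel) for i in inclusions):
        return False
    return not any(_glob_re(_norm(e)).match(rel) for e in exclusions)


def watched_subset(path, candidates, inclusions=(), exclusions=()):
    """Filter a constructed list of candidate paths down to the watched ones."""
    return [c for c in candidates if is_watched(path, c, inclusions, exclusions)]


if __name__ == "__main__":
    # Constructed sample: the C:\Windows depth-limiting example from the page
    sample = [r"C:\Windows\System32\wwapi.dll",
              r"C:\Windows\System32\WinMetadata\Windows.Data.winmd"]
    print(watched_subset(r"C:\Windows", sample, [r"System32\*"], [r"System32\*\*"]))
```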

Registry path examples

Registry path example 1

If you add the path HKEY_LOCAL_MACHINE\MyKey, and you add a path inclusion, Test*, and a path exclusion, TestTwo*, the following keys and values are watched:

HKEY_LOCAL_MACHINE\MyKey\Test
HKEY_LOCAL_MACHINE\MyKey\Test\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\Test\AnySubkey
HKEY_LOCAL_MACHINE\MyKey\Test\AnySubkey\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\TestOne
HKEY_LOCAL_MACHINE\MyKey\TestOne\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\TestOne\AnySubkey
HKEY_LOCAL_MACHINE\MyKey\TestOne\AnySubkey\\AnyValue

With only this path, inclusion, and exclusion combination specified, these keys and values are not watched:

HKEY_LOCAL_MACHINE\MyKey\TestTwo
HKEY_LOCAL_MACHINE\MyKey\TestTwo\\AnyValue
HKEY_LOCAL_MACHINE\MyKey\TestTwo\AnySubkey
HKEY_LOCAL_MACHINE\MyKey\TestTwoThree

Registry path example 2

If you add the path HKEY_LOCAL_MACHINE\MyKey, and you add a path inclusion, Test\\MyValue*, and a path exclusion, Test\\MyValueName, the following values are watched:

HKEY_LOCAL_MACHINE\MyKey\Test\\MyValue
HKEY_LOCAL_MACHINE\MyKey\Test\\MyValueTest

With only this path, inclusion, and exclusion combination specified, this value is not watched:

HKEY_LOCAL_MACHINE\MyKey\Test\\MyValueName