How to properly place an asterisk (*) or wildcard in a 'regexp' or 'Regular Expression' for a Recorder Rule "8015 - ETW Activity"

Article ID: 222148

Updated On:

Endpoint Detection and Response

In the documentation for "Creating a Recorder policy", an additional asterisk (*) wildcard may be required to create a working rule.

See notes 8 and 9 and footnote 1 about regexp.

If the asterisk (*) is not placed correctly, the matching engine may fail to match the entire string, which is required for the rule to trigger.


All versions of EDR that support recorder rules.


Add a ".*" (dot asterisk) to the beginning and end of the 'Actor Command Line'.

Example: "Do not record" the "ETW 8015 Activity" that uses the cscript command to run another program that inventories user information.

Note 1:  Select the option to stop recording trusted events

Note 2:  Select only the 8015 - ETW Event

Note 3:  Enter the full path of the cscript actor

Note 4:  "event_actor.cmd_line" field in Event Log Details

Note 5:  Resulting regexp

/.*C:\\Program Files \(x86\)\\Test\\Run_[0-9][0-9][0-9]\\Info.vbs.*/

Note 6 Comment:

/ (slash) at front and end starts the PCRE regexp matching engine
.* (dot asterisk) at front and end accepts any characters before and after the path
\ (backslashes) and parentheses () must be escaped with a backslash
[0-9] matches a single numeric character position
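The following is an added example, not part of the original article, that shows why the ".*" at both ends matters. It uses Python's re module as a stand-in for the Recorder's PCRE engine (an assumption; the two agree on the constructs used here) and emulates a whole-string match with re.fullmatch. The command-line samples are constructed for the example; the regexp body is the one from Note 5.

```python
import re

# Constructed sample "Actor Command Line" values (not from the original article).
# The first is a cscript launch the rule should match; the second has only two
# digits after "Run_" and should not.
CMDLINE_TARGET = r'"C:\Windows\System32\cscript.exe" //nologo "C:\Program Files (x86)\Test\Run_042\Info.vbs" /quiet'
CMDLINE_OTHER = r'"C:\Windows\System32\cscript.exe" //nologo "C:\Program Files (x86)\Test\Run_42\Info.vbs"'

# Regexp body from Note 5 without the surrounding / / delimiters and without
# the .* wildcards; backslashes and parentheses are escaped as the article says.
BODY = r'C:\\Program Files \(x86\)\\Test\\Run_[0-9][0-9][0-9]\\Info.vbs'


def recorder_pattern(body: str) -> str:
    """Wrap a regexp body the way the article describes: .* at both ends, / delimiters."""
    return f'/.*{body}.*/'


def strip_delimiters(rule: str) -> str:
    """Remove the leading and trailing / (PCRE delimiters) so Python's re can take the body."""
    if len(rule) < 2 or rule[0] != '/' or rule[-1] != '/':
        raise ValueError('Recorder regexp must be delimited by / ... /')
    return rule[1:-1]


def whole_string_matches(pattern: str, cmd_line: str) -> bool:
    """Emulate an engine that requires the pattern to cover the entire command line."""
    return re.fullmatch(pattern, cmd_line) is not None


def found_somewhere(pattern: str, cmd_line: str) -> bool:
    """Search semantics: the pattern only has to appear somewhere in the string."""
    return re.search(pattern, cmd_line) is not None


if __name__ == '__main__':
    rule = recorder_pattern(BODY)
    print('rule:', rule)
    for name, cmd in (('target', CMDLINE_TARGET), ('other', CMDLINE_OTHER)):
        print(name, 'bare body, whole-string:', whole_string_matches(BODY, cmd))
        print(name, 'bare body, search:', found_somewhere(BODY, cmd))
        print(name, 'with .* at both ends, whole-string:',
              whole_string_matches(strip_delimiters(rule), cmd))
```

Running it shows the failure mode the article describes: the bare path does appear in the target command line (search succeeds), but a whole-string match fails because the actor's command line carries the cscript.exe path before, and arguments after, the script path. Only the version wrapped in ".*" matches the full string, and it still rejects the two-digit "Run_42" variant. One caveat the article does not mention: the unescaped dot in "Info.vbs" matches any character, so "Info\.vbs" is the stricter form if that matters for the rule.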

Additional Information

  • Additional PCRE syntax rules are available online
  • Online PCRE regex debuggers can help test the syntax