App Control: How To Use Windows Path Macros in a Custom Rule
search cancel

App Control: How To Use Windows Path Macros in a Custom Rule


Article ID: 286573


Updated On:


Carbon Black App Control (formerly Cb Protection)


How to properly match a Windows Path Macro in App Control against the Windows operating system.


  • App Control Console: All Supported Versions
  • App Control Windows Agent: All Supported Versions


The Windows Path Macros in App Control will be expanded by the Agent according to either the CSIDL or KNOWNFOLDERID depending on the version of Windows the Agent is installed on. It is important to verify the Macro being used will expand correctly based on the operating system in use on the endpoint, as the Known Folder ID could expand differently than the CSIDL would. As an example:
Example: <CommonAppData>\Acme Accounting\*.dll
• FOLDERID_ProgramData: C:\ProgramData\Acme Accounting\*.dll
• CSIDL_COMMON_APPDATA: C:\Documents and Settings\All Users\Application Data\Acme Accounting\*.dll

Example: <LocalAppData>\Acme Accounting\temp\*.log
• FOLDERID_LocalAppData: C:\Users\<UserName>\AppData\Local\Acme Accounting\temp\*.log
• CSIDL_LOCAL_APPDATA: C:\Documents and Settings\<UserName>\Local Settings\Application Data\Acme Account\temp\*.log

Additional Information

  • Currently the use of Wildcards inside a Path Macro is not supported.
  • Path Macros can only be used at the beginning of the specified Path (no other text before it).
  • OnlyIf and Registry Macros can be used anywhere in the specified Path.
  • The full list of Windows Path Macros can be found on VMware Docs > Server Documentation > relevant version > Custom Software Rules > Specifying Paths and Processes > Using Macros in Rules.
  • Path Macros represent a directory and a delimiter (slash or backslash) will be added automatically if it is not added in the Path.
  • If a Custom Rule is expected to be effective as soon as possible after a user logs on, do not use any of the Per User Macros, and do not specify a User Group in the Custom Rule. Rules that specify a username or SID are always active and won't be affected by this delay.