The Process field on the Add Registry Rule and Edit Registry Rule pages allows you to fine-tune the rule according to the process – that is, the running file – attempting to modify the registry.
You can make the rule effective for all processes, certain types of processes, specific processes, or all processes except the one(s) you name. The following table shows the Process options.
Applies the rule to any process that attempts to write to the registry.
Any Promoted Process
Applies the rule to any process that is promoted at the time the rule is evaluated. A promoted process is any approved process that is marked as an installer, or has been promoted as a consequence of a custom rule, or is an approved process launched by a promoted process.
Any System Process
Applies the rule to every process that is running under the security context of the Local System user. This choice has the same effect as choosing Local System in the User or Group menu, but may be more efficient.
Opens a text box below the menu; you can enter the names of processes you want controlled by this rule.
Any Process Except...
Opens a text box below the menu, in which you can enter processes you do not want controlled by this rule.
If you specify a User or Group and also choose Any Process Except from the process menu, the rule is enforced unlessthe exception process is being executed by the user or group.
Options for defining paths
When you choose a Process option that requires entry of a path (either Specific Process... or Any Process Except ...), you have several options for defining paths:
|Specify a specific process or a directory
|You can enter a process specification that exactly identifies a process by path and name so that only that file matches the rule. You also can enter a specification that identifies a directory, which matches all processes in that directory and its subdirectories.
|Specify a local drive or UNC path
|You can identify a local process by using a local drive name, such as C:\folder1\subfolder\application.exe. You also can enter a remote process by using a UNC path, such as \\computername\dir\application.exe. Mapped drives in a path or process specification are not recognized.
|You can use wildcards (‘?’ for any one character and ‘*’ for zero or more characters) to expand the scope of a process specification or help you match a file or folder whose exact location you don’t know. Wildcards may be used at the beginning, end or middle of a path.
|You can use special Carbon Black App Control macros to identify certain well-known folders in the Microsoft Windows environment, even if you don’t know their exact location on all agent computers.
|Specify multiple process paths
|You can add more than one process definition per rule.
Specifying Processes or Directories
You can choose to enter a directory or a specific file as your process path. When you specify a directory, you are instructing the rule to apply when any process in that directory or in any of its subdirectories attempts to write to the registry location specified (unless there are higher-ranked rules that match the current process).
To indicate that a Process definition is a directory, you must end it with a backslash (\) or a backslash and asterisk (\*). If you do not include the backslash, the rule will attempt to match a file by the name you provided, not a directory.
However, c:\folder1\subfolder2 is not recognized as a directory.
If you use path macros in a process definition, the expanded macro is treated as a directory, even if you don’t follow it with a backslash. For information on macros, see Using Macros.
You can use wildcard characters in the Process field. Asterisk (*) indicates zero or more characters and question mark (?) indicates one character. You can also use them to specify processes that appear in different locations on different computers (although macros might be a more effective way to accomplish this).
The number of wildcards in a process specification is not restricted. For example, you can define a path as *\Win*\folder?\
Automatic Process Path Conversions
The Process field undergoes automatic path conversions if it contains certain symbols:
- A process path that ends with a slash has the ‘*’ wildcard added at the end of the path.
- A process path with no slash or drive letter has "*\" added at the beginning of the path.
- Drive letters may be used in a path as long as they are for local fixed volumes. Mapped drive letters should not be used because there is no guarantee that the mapping exists on all computers.
- The string "*:\" applies to all attached storage volumes except for floppy disks and CD-ROMs.
Specifying Devices in Process Path
- \device\*\ specifies all devices.
- \device\harddisk*\ specifies attached storage volumes except for floppy disks and CD-ROMs.
- \device\cdrom*\ specifies CD-ROM devices.