This topic describes how to search on a SID in a path field.
Scenario: You have observed a regmod at the following path and want to broaden the search to see how widespread this kind of activity is.
HKU\S-1-5-21-2026673255-220522396-2254535319-29544\AppEvents\Schemes\Apps\devenv
| Works | regmod_name:HKU\\S-1-5-21-2026673255-220522396-2254535319-29544\\AppEvents\\Schemes\\Apps\\devenv |
| Works | regmod_name:HKU/S-1-5-21-2026673255-220522396-2254535319-29544/AppEvents/Schemes/Apps/devenv |
| Works | regmod_name:HKU*/AppEvents/Schemes/Apps/devenv |
| Works | regmod_name:HKU/*/AppEvents/Schemes/Apps/devenv AND regmod_name:S-1-5-21-2026673255-220522396-2254535319-* |
| Works | regmod_name:HKU/S-1-5-21-2026673255-220522396-2254535319-*/AppEvents/Schemes/Apps/devenv |
| Works | regmod_name:HKU/S-1-5-21-* AND regmod_name:AppEvents/Schemes/Apps/devenv |
| Does not Work | regmod_name:HKU/S-1-5-21-2026673255-220522396-2254535319-29544 |
Note:
- Platform Search strips off leading backslashes. Do not include that in the query value.
- For path fields, Platform Search normalizes all backslashes in paths into forward slashes (Windows and POSIX operating systems take different approaches so we normalize for efficiency). If you include the backslashes, they must be escaped.
