Path fields are special text fields. They are tokenized by path hierarchy.

path:c:\windows

For a given path, all subpaths are tokenized. For example:

c:\windows\system32\boot\winload.exe

is tokenized as:

c:\windows\system32\boot\winload.exe

windows\system32\boot\winload.exe

system32\boot\winload.exe

boot\winload.exe

winload.exe

Wildcard Searches

For queries involving path segments that are not tokenized, wildcard searches can be submitted.

For example, you can enter:

path:system*

for any path that has system as a sub-path in it.

Modload Path Searches

When performing a loadable module filename (modload) search, leading forward and back slashes are tokenized.

You do not have to remove the leading slash for modload path searches, although it is recommended.

For example:

\boot\winload.exe

should be entered as:

boot\winload.exe

Regmod Path Searches

When performing a Windows registry (regmod) search, a few important search caveats exist.

  • If a regmod search term contains controlset001 or controlset002, the search term is normalized and tokenized as currentcontrolset. As a result, you should search by replacing controlsetXXX with currentcontrolset.

    For example:

    registry\machine\system\controlset001\services\xkzc

    should be entered as:

    regmod:registry\machine\system\currentcontrolset\services\xkzc

  • The leading backslash on regmod search terms is not tokenized. For regmod searches, be sure to omit this character when submitting search terms.

    For example:

    \registry\machine\system\controlset001\services\xkzc

    should become:

    regmod:registry\machine\system\currentcontrolset\services\xkzc
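
The tokenization and normalization rules above can be modeled in a short helper that turns an observed path or registry key into a search term. This is an added example, not code from the product. The function names are hypothetical, and the wildcard rule (a trailing * matches any token that begins with the term) and the case-insensitive controlset match are assumptions.

```python
import re

# Constructed sample values, taken from the examples on this page.
SAMPLE_PATH = r"c:\windows\system32\boot\winload.exe"
SAMPLE_KEY = r"\registry\machine\system\controlset001\services\xkzc"


def path_tokens(path):
    """Sub-path tokens as listed above: the path from each segment start onward."""
    starts = [0] + [m.end() for m in re.finditer(r"[\\/]", path)]
    return [path[i:] for i in starts if path[i:]]


def path_term(term, observed_path):
    """Build a path: query for term, adding * when term is not itself a token.

    Assumption: a trailing * matches any token that begins with the term.
    Returns None when the term cannot hit this path under that model.
    """
    tokens = path_tokens(observed_path)
    if term in tokens:
        return "path:" + term
    if any(t.startswith(term) for t in tokens):
        return "path:" + term + "*"
    return None


def modload_term(path):
    """Drop leading forward and back slashes, as recommended for modload."""
    return path.lstrip("\\/")


# controlset001 / controlset002 as a whole path segment.
# Matching it case-insensitively is an assumption, not stated on the page.
_CONTROLSET = re.compile(r"(?<![^\\])controlset00[12](?![^\\])", re.IGNORECASE)


def regmod_term(key):
    """Omit the leading backslash and search on currentcontrolset."""
    return "regmod:" + _CONTROLSET.sub("currentcontrolset", key.lstrip("\\"))


if __name__ == "__main__":
    print(path_tokens(SAMPLE_PATH))
    print(path_term("system", SAMPLE_PATH))
    print(modload_term(r"\boot\winload.exe"))
    print(regmod_term(SAMPLE_KEY))
```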