Rule Variables

Used with d7x, KillEmAll, and CryptoPrevent

These Rule Variables are not supported in all ‘rules’ or ‘definition’ files. Currently supported areas include:

d7x – Uninstall/Delete > File System/Registry Deletion tabs.
- (Certain variables are supported in MalwareScan whitelists, these will be clarified at a later time.)
KillEmAll v5+ (stand-alone and d7x integrated) – Allowed Program Rules
CryptoPrevent v8+ – Command line options, FolderWatch, SRP policies

Description:

A ‘variable’ refers to the same thing you might remember from Algebra, however for for these purposes specifically it is a plain text word, that is interpreted by the software and evaluated to determine if it should be replaced with different text for any reason. This evaluation and decision would be performed based on certain conditions that could change the necessity of the textual data to be processed.

For our purposes, these Rule Variables have the following characteristics:

Each variable (or lack thereof) in the ‘Search Path’ table will be evaluated to a certain file system location where files (programs) reside.

Normalizing:

When adding rules to a definition file in KillEmAll v5, you are presented with an automatic conversion to the appropriate matching Rule Variable as defined below. This process is called “Normalizing” and is used by the software when comparing target items to the rules in your definition files.

In our case for example, one may wish to normalize an entry by substituting the word/variable “pf” to mean “Program Files” or “Program Files (x86)” (or both locations) depending on whether the operating system was 64bit or not. (Note that normalizing to short words mean smaller data files, and subsequently faster interpretation by the application should files get very large.)

Normalizing is recommended but not necessary (nor is it desired in all cases) as one may want to intend for a very specific file/path to be interpreted instead of a general one.

Variable Delimiters:

Every variable needs a ‘delimiter’ to separate it from the text to be interpreted literally. The delimiters in this case are < and > which surround the variable.

Note the variable MUST begin with the < sign, and end with the > sign, and does not include a trailing backslash when replaced!

e.g. <var>\path\file.exe

Examples:

<d>\partial path\name.ext
- evaluates to:
  - %systemdrive%\partial path\name.ext
  - (aka C:\ on most systems)

<s>\file name.exe
- evaluates to BOTH:
  - %windir%\system32\file name.exe
  - %windir%\syswow64\file name.exe
  - (aka C:\Windows\syswow64\file name.exe)

<s32>\file name.exe
- on 32bit systems AND/OR 64bit systems, evaluates to ONLY:
  - %windir%\system32\file name.exe
  - (aka C:\Windows\system32\file name.exe)

<s64>\file name.exe
- on 32bit systems, evaluates to ONLY:
  - %windir%\system32\file name.exe
  - (aka C:\Windows\system32\file name.exe)
- on 64bit systems, evaluates to BOTH:
  - %windir%\system32\file name.exe
  - %windir%\syswow64\file name.exe
  - (aka C:\Windows\system32\file name.exe and C:\Windows\syswow64\file name.exe respectively)

32/64bit notes:

(although below is only given with <s> variant examples, the 32/64bit concept applies to similar variable variations e.g. <pf> and <cf>)

use <s64> for 32bit only apps
- (meaning it will be found in system32 on 32bit systems, or syswow64 on 64bit systems)
use <s32> for 64bit only apps
- (meaning it will always be found in system32)
use <s> for unknown or both *bit apps
- (evaluating to either/both system32 and/or syswow64 no matter what system it is on)

Windows Environment Variable notation (note the %variables% in the chart below) is provided as shorthand and for more knowledgable users and is explained below the variable in the first few occurrences, but may not be explained repetitively everywhere.

Search Path:	Search Path: 64bit OS (multiple lines mean multiple paths/actions for the one def entry; the *%userprofile% Search Path* is always evaluated to *EACH AND EVERY directory* in the user profile root (e.g. c:\documents and settings or c:\users)	Search Path: 32bit OS (multiple lines and %userprofile% mean the same)
X:\	X:\ (NOT a variable, you will literally specify X or Y or C or D or G or whatever with a colon and backslash, and this is interpreted by the software to expect this specific drive letter, if found to be valid on the system.)	(no change from 64bit behavior)
(unspecified)	(any valid drive letter, path, and/or filename relating to the operation being performed)	(no change from 64bit behavior)
d	%systemdrive% (the root ‘partition’ or ‘drive’ where Windows is installed, e.g. C:\ on most systems)	%systemdrive%
w	%windir% (C:\Windows on most systems)	%windir%
s	%windir%\system32 %windir%\syswow64	%windir%\system32
s32	%windir%\syswow64	%windir%\system32
s64	%windir%\system32	N/A (abort any action with this def)
pf	%programfiles% (C:\Program Files on most systems) %programfiles(x86)% (C:\Program Files (x86) on most systems)	%programfiles%
p32	%programfiles(x86)%	%programfiles%
p64	%programfiles%	N/A (abort any action with this def)
cf	%commonprogramfiles% (C:\Program Files\Common Program Files on most systems) %commonprogramfiles(x86)% (C:\Program Files\Common Program Files (x86) on most systems)	%commonprogramfiles%
c32	%commonprogramfiles(x86)%	%commonprogramfiles%
c64	%commonprogramfiles%	N/A (abort any action with this def)
u	%systemdrive%\Users or %systemdrive%\Documents and Settings	%systemdrive%\Users or %systemdrive%\Documents and Settings
up	%userprofileroot%\all users (XP only) (C:\Documents and Settings\All Users on most XP systems) %userprofileroot%\public (Vista+ only) (C:\Users\Public on most Vista and above systems) %userprofile%\%username% (C:\Documents and Settings\Bob or C:\Users\Bob -for a user named ‘Bob’ on most systems)	(no change from 64bit behavior)
uf	all common user data folders found inside a user profile directory, (e.g. where most of your data is stored by default) such as: Documents, Pictures, Videos, Downloads, Desktop, etc. including any ‘My ‘ variants	(no change from 64bit behavior)
dt	%userprofile%\desktop\	(no change from 64bit behavior)
sm	%userprofileroot%\all users\start menu\ (XP only) %userprofile%\start menu\ (XP only) %programdata%\Microsoft\Windows\Start Menu\ (Vista+ only) (C:\ProgramData\Microsoft\Windows\Start Menu\ on most Vista and above systems) %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\ (Vista+ only)	(no change from 64bit behavior)
sf	%userprofileroot%\all users\start menu\programs\startup\ (XP only) %userprofile%\start menu\programs\startup\ (XP only) %programdata%\Microsoft\Windows\Start Menu\programs\startup\ (Vista+ only) %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\programs\startup\ (Vista+ only)	(no change from 64bit behavior)
ad	%userprofile%\appdata\roaming\ (Vista+ only, note this IS %appdata% so not necessary to do that too) %userprofile%\application data\ (XP only, note this IS %appdata% so not necessary to do that too) %userprofile%\appdata\local\ (Vista+ only, note this IS %localappdata% so not necessary to do that too) %userprofile%\local settings\application data\ (XP only, note %localappdata% env var does not exist on XP) %userprofile%\appdata\locallow\ (Vista+ only) %userprofileroot%\all users\application data\ (XP only – and note same as %a% for this particular path) %programdata%\ (Vista+ only)	(no change from 64bit behavior)
ar	%userprofile%\appdata\roaming\ (Vista+ only, note this IS %appdata% so not necessary to do that too) %userprofile%\application data\ (XP only, note this IS %appdata% so not necessary to do that too)	(no change from 64bit behavior)
al	%userprofile%\appdata\local\ (Vista+ only, note this IS %localappdata% so not necessary to do that too) %userprofile%\local settings\application data\ (XP only, note %localappdata% env var does not exist on XP)	(no change from 64bit behavior)
alw	%userprofile%\appdata\locallow\ (Vista+ only)	(no change from 64bit behavior)
pd	%userprofileroot%\all users\application data\ (XP only – and note same as %a% for this particular path) %programdata%\ (Vista+ only)	(no change from 64bit behavior)

Registry Variables

Additional registry variables can be used in the “Delete Rules (Registry Keys)” and “Delete Rules (Registry Values)” areas of the “File System/Registry Deletions” tab in d7x and in KillEmAll.

Variable:	Registry Path: (multiple lines mean multiple paths/actions for the one def entry)
hka	HKLM HKCU HKU\[user guid]
hku	HKCU HKU\[user guid]
sw	HKLM\Software HKCU\Software HKU\[user guid]\Software
cs	HKLM\System\CurrentControlSet HKLM\System\ControlSet00x (where x = any number found)
rk	ALL startup/run keys for HKLM, HKCU, and HKU e.g. HKLM\Software\Microsoft\Windows\CurrentVersion\Run (and RunOnce)

Examples:

<sw>\some company name
- evaluates to:
  - HKLM\Software\some company name
  - and HKCU\Software\some company name
  - and HKU\[user GUID]\Software\some company name

You are not required to use Registry Rule Variables with d7x.

The rules defined here aren’t necessary, just a convenience factor for targeting multiple locations with a single entry.

Registry key/value rules support an absolute path, and the registry key/value rules on the Uninstall/Delete > File System/Registry Deletion tabs support both “HKLM” and “HKEY_LOCAL_MACHINE” syntax, so both forms are perfectly valid. Valid examples include:

HKLM\Software\some company name
HKEY_LOCAL_MACHINE\Software\some company name

Latest News

CryptoPrevent v23.5.5.0 just released! v23.5.3.0 Fixed an issue sending email with Office 365 SMTP...
Read More
d7x v23.1.12 Release Notes Resolved an issue where DataGrab would backup everything except your...
Read More
d7x v22.8.10 Release Notes Resolved an issue with the “Reset Networking” and “Repair Winsock”...
Read More
d7x v22.8.9 Release Notes Resolved an issue with the “Set Time Zone” feature on...
Read More
d7x and Tweaky – Set Time Zone issue with Windows 11 (UPDATED Aug 9th 2022) UPDATE: this issue has been resolved in d7x v22.8.9 and...
Read More
d7x v22.2.23 Release Notes It appears that d7x was not applying hidden file and...
Read More
d7x v22.1.16 and v22.1.17 Release Notes Added Microsoft OneDrive integration for d7x Reports storage (see the...
Read More
d7x v22.1.15 Release Notes Added a user requested option to change the Info Report...
Read More
d7x v22.1.14 Release Notes A new ‘d7x Release Notes (RSS)‘ window will display the...
Read More
d7x v22.1.7 Release Notes Added new d7x feature to show system info on the...
Read More

Rule Variables

Used with d7x, KillEmAll, and CryptoPrevent

Description:

Normalizing:

Variable Delimiters:

Examples:

32/64bit notes:

Registry Variables

Examples:

You are not required to use Registry Rule Variables with d7x.

Latest News

Subscribe to Blog via Email

Douglas Bradshaw, December 12th 2016 (d7II Subscriber since Q1 2015)

Stevo

Cody Cooper

Joseph E. Pint (NYS Licensed Private Investigator, Digital Forensics Division: UID #: 11000192051, Sr. Data Recovery Technician, Sr. Digital Forensics Examiner)

Mike Schueler