Rule Variables for d7x, KillEmAll, and CryptoPrevent
Rule Variables are not supported in all ‘rules’ or ‘definition’ files used by d7x or KillEmAll. Currently supported areas include:
- KillEmAll v5+ (stand-alone and d7x integrated) – Allowed Program Rules
- CryptoPrevent v8+ – Command line options, FolderWatch, SRP policies
Description:
A ‘variable’ refers to the same thing you might remember from Algebra; for these purposes, however, it is a plain text word that the software interprets and evaluates to determine whether it should be replaced with different text. The evaluation and decision depend on conditions that can change which text needs to be processed.
For our purposes, these Rule Variables have the following characteristics:
- Each variable (or lack thereof) in the ‘Search Path’ table will be evaluated to a certain file system location where files (programs) reside.
Normalizing:
When adding rules to a definition file in KillEmAll v5, you are presented with an automatic conversion to the appropriate matching Rule Variable as defined below. This process is called “Normalizing” and is used by the software when comparing target items to the rules in your definition files.
In our case, for example, one may wish to normalize an entry by substituting the word/variable “pf” to mean “Program Files” or “Program Files (x86)” (or both locations), depending on whether the operating system is 64bit or not. (Note that normalizing to short words means smaller data files, and subsequently faster interpretation by the application should files get very large.)
Normalizing is recommended but not required, nor is it desired in all cases: one may intend a very specific file/path to be interpreted instead of a general one.
Variable Delimiters:
Every variable needs a ‘delimiter’ to separate it from the text to be interpreted literally. The delimiters in this case are < and > which surround the variable.
Note the variable MUST begin with the < sign, and end with the > sign, and does not include a trailing backslash when replaced!
- e.g. <var>\path\file.exe
Examples:
- <d>\partial path\name.ext
  - evaluates to:
    - %systemdrive%\partial path\name.ext
    - (aka C:\ on most systems)
- <s>\file name.exe
  - evaluates to BOTH:
    - %windir%\system32\file name.exe
    - %windir%\syswow64\file name.exe
    - (aka C:\Windows\syswow64\file name.exe)
- <s32>\file name.exe
  - on 32bit systems AND/OR 64bit systems, evaluates to ONLY:
    - %windir%\system32\file name.exe
    - (aka C:\Windows\system32\file name.exe)
- <s64>\file name.exe
  - on 32bit systems, evaluates to ONLY:
    - %windir%\system32\file name.exe
    - (aka C:\Windows\system32\file name.exe)
  - on 64bit systems, evaluates to BOTH:
    - %windir%\system32\file name.exe
    - %windir%\syswow64\file name.exe
    - (aka C:\Windows\system32\file name.exe and C:\Windows\syswow64\file name.exe respectively)
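The evaluation rules in the Examples list above, written out as an added Python example (not d7x, KillEmAll or CryptoPrevent code) so that you can see exactly which paths an Allowed Program rule would cover on a given OS. The function names, the `SAMPLE_ENV` values, the case-insensitive comparison and the restriction to the four variables with worked examples (`d`, `s`, `s32`, `s64`) are assumptions of this example.

```python
import re

# Expansions as given in the Examples list above, keyed by variable then OS bitness.
# Variables from the Search Path table that have no worked example are left out.
EXPANSIONS = {
    "d":   {32: ["%systemdrive%"], 64: ["%systemdrive%"]},
    "s":   {32: [r"%windir%\system32", r"%windir%\syswow64"],
            64: [r"%windir%\system32", r"%windir%\syswow64"]},
    "s32": {32: [r"%windir%\system32"], 64: [r"%windir%\system32"]},
    "s64": {32: [r"%windir%\system32"],
            64: [r"%windir%\system32", r"%windir%\syswow64"]},
}

# The variable must open the rule as <name> and be followed by a backslash,
# because the replacement text carries no trailing backslash of its own.
RULE_RE = re.compile(r"^<([^<>\\]+)>(\\.+)$")

# Constructed sample environment (the page's "aka" values for most systems).
SAMPLE_ENV = {"systemdrive": "C:", "windir": r"C:\Windows"}


def expand_rule(rule, os_bits):
    """Return every %env%-style path the rule evaluates to on this OS."""
    match = RULE_RE.match(rule)
    if match is None:
        raise ValueError(f"rule does not start with <variable>\\: {rule!r}")
    name, rest = match.groups()
    if name not in EXPANSIONS:
        raise ValueError(f"variable <{name}> is not modelled in this example")
    if os_bits not in (32, 64):
        raise ValueError("os_bits must be 32 or 64")
    return [base + rest for base in EXPANSIONS[name][os_bits]]


def resolve_env(path, env):
    """Replace %name% tokens with concrete values from env."""
    return re.sub(r"%([^%]+)%", lambda m: env[m.group(1).lower()], path)


def rule_covers(rule, target, os_bits, env=SAMPLE_ENV):
    """True if target equals one expansion of rule (case-insensitive compare)."""
    candidates = (resolve_env(p, env) for p in expand_rule(rule, os_bits))
    return any(c.lower() == target.lower() for c in candidates)
```

Running `expand_rule` over each rule in a definition file before deploying it shows where a broad variable such as `<s>` allows a file name in more directories than intended.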
32/64bit notes:
(although below is only given with <s> variant examples, the 32/64bit concept applies to similar variable variations e.g. <pf> and <cf>)
- use <s64> for 32bit only apps
  - (meaning it will be found in system32 on 32bit systems, or syswow64 on 64bit systems)
- use <s32> for 64bit only apps
  - (meaning it will always be found in system32)
- use <s> for unknown or both *bit apps
  - (evaluating to either/both system32 and/or syswow64 no matter what system it is on)
Windows Environment Variable notation (note the %variables% in the chart below) is provided as shorthand for more knowledgeable users. It is explained below the variable in the first few occurrences, but may not be explained repetitively everywhere.
Search Path: | Search Path: 64bit OS | Search Path: 32bit OS (multiple lines and %userprofile% mean the same)
X:\ | | (no change from 64bit behavior)
(unspecified) | | (no change from 64bit behavior)
d | |
w | |
s | |
s32 | |
s64 | | N/A (abort any action with this def)
pf | |
p32 | |
p64 | | N/A (abort any action with this def)
cf | |
c32 | |
c64 | | N/A (abort any action with this def)
u | |
up | | (no change from 64bit behavior)
uf | | (no change from 64bit behavior)
dt | | (no change from 64bit behavior)
sm | | (no change from 64bit behavior)
sf | | (no change from 64bit behavior)
ad | | (no change from 64bit behavior)
ar | | (no change from 64bit behavior)
al | | (no change from 64bit behavior)
alw | | (no change from 64bit behavior)
pd | | (no change from 64bit behavior)
Registry Variables
d7x/KillEmAll has additional registry variables which can be used in the “Delete Rules (Registry Keys)” and “Delete Rules (Registry Values)” areas of the “File System/Registry” tab in KillEmAll.
Variable: | Registry Path:
hka |
hku |
sw |
cs |
rk |