Rule Variables

Rule Variables for d7x, KillEmAll, and CryptoPrevent

Rule Variables are not supported in all ‘rules’ or ‘definition’ files used by d7x or KillEmAll. Currently supported areas include:

KillEmAll v5+ (stand-alone and d7x integrated) – Allowed Program Rules
CryptoPrevent v8+ – Command line options, FolderWatch, SRP policies

Description:

A ‘variable’ refers to the same thing you might remember from Algebra, however for for these purposes specifically it is a plain text word, that is interpreted by the software and evaluated to determine if it should be replaced with different text for any reason. This evaluation and decision would be performed based on certain conditions that could change the necessity of the textual data to be processed.

For our purposes, these Rule Variables have the following characteristics:

Each variable (or lack thereof) in the ‘Search Path’ table will be evaluated to a certain file system location where files (programs) reside.

Normalizing:

When adding rules to a definition file in KillEmAll v5, you are presented with an automatic conversion to the appropriate matching Rule Variable as defined below. This process is called “Normalizing” and is used by the software when comparing target items to the rules in your definition files.

In our case for example, one may wish to normalize an entry by substituting the word/variable “pf” to mean “Program Files” or “Program Files (x86)” (or both locations) depending on whether the operating system was 64bit or not. (Note that normalizing to short words mean smaller data files, and subsequently faster interpretation by the application should files get very large.)

Normalizing is recommended but not necessary (nor is it desired in all cases) as one may want to intend for a very specific file/path to be interpreted instead of a general one.

Variable Delimiters:

Every variable needs a ‘delimiter’ to separate it from the text to be interpreted literally. The delimiters in this case are < and > which surround the variable.

Note the variable MUST begin with the < sign, and end with the > sign, and does not include a trailing backslash when replaced!

e.g. <var>\path\file.exe

Examples:

<d>\partial path\name.ext
- evaluates to:
  - %systemdrive%\partial path\name.ext
  - (aka C:\ on most systems)

<s>\file name.exe
- evaluates to BOTH:
  - %windir%\system32\file name.exe
  - %windir%\syswow64\file name.exe
  - (aka C:\Windows\syswow64\file name.exe)

<s32>\file name.exe
- on 32bit systems AND/OR 64bit systems, evaluates to ONLY:
  - %windir%\system32\file name.exe
  - (aka C:\Windows\system32\file name.exe)

<s64>\file name.exe
- on 32bit systems, evaluates to ONLY:
  - %windir%\system32\file name.exe
  - (aka C:\Windows\system32\file name.exe)
- on 64bit systems, evaluates to BOTH:
  - %windir%\system32\file name.exe
  - %windir%\syswow64\file name.exe
  - (aka C:\Windows\system32\file name.exe and C:\Windows\syswow64\file name.exe respectively)

32/64bit notes:

(although below is only given with <s> variant examples, the 32/64bit concept applies to similar variable variations e.g. <pf> and <cf>)

use <s64> for 32bit only apps
- (meaning it will be found in system32 on 32bit systems, or syswow64 on 64bit systems)
use <s32> for 64bit only apps
- (meaning it will always be found in system32)
use <s> for unknown or both *bit apps
- (evaluating to either/both system32 and/or syswow64 no matter what system it is on)

Windows Environment Variable notation (note the %variables% in the chart below) is provided as shorthand and for more knowledgable users and is explained below the variable in the first few occurrences, but may not be explained repetitively everywhere.

Search Path:	Search Path: 64bit OS (multiple lines mean multiple paths/actions for the one def entry; the *%userprofile% Search Path* is always evaluated to *EACH AND EVERY directory* in the user profile root (e.g. c:\documents and settings or c:\users)	Search Path: 32bit OS (multiple lines and %userprofile% mean the same)
X:\	X:\ (NOT a variable, you will literally specify X or Y or C or D or G or whatever with a colon and backslash, and this is interpreted by the software to expect this specific drive letter, if found to be valid on the system.)	(no change from 64bit behavior)
(unspecified)	(any valid drive letter, path, and/or filename relating to the operation being performed)	(no change from 64bit behavior)
d	%systemdrive% (the root ‘partition’ or ‘drive’ where Windows is installed, e.g. C:\ on most systems)	%systemdrive%
w	%windir% (C:\Windows on most systems)	%windir%
s	%windir%\system32 %windir%\syswow64	%windir%\system32
s32	%windir%\syswow64	%windir%\system32
s64	%windir%\system32	N/A (abort any action with this def)
pf	%programfiles% (C:\Program Files on most systems) %programfiles(x86)% (C:\Program Files (x86) on most systems)	%programfiles%
p32	%programfiles(x86)%	%programfiles%
p64	%programfiles%	N/A (abort any action with this def)
cf	%commonprogramfiles% (C:\Program Files\Common Program Files on most systems) %commonprogramfiles(x86)% (C:\Program Files\Common Program Files (x86) on most systems)	%commonprogramfiles%
c32	%commonprogramfiles(x86)%	%commonprogramfiles%
c64	%commonprogramfiles%	N/A (abort any action with this def)
u	%systemdrive%\Users or %systemdrive%\Documents and Settings	%systemdrive%\Users or %systemdrive%\Documents and Settings
up	%userprofileroot%\all users (XP only) (C:\Documents and Settings\All Users on most XP systems) %userprofileroot%\public (Vista+ only) (C:\Documents and Settings\Public on most Vista and above systems) %userprofile%\%username% (C:\Documents and Settings\Bob or C:\Users\Bob -for a user named ‘Bob’ on most systems)	(no change from 64bit behavior)
uf	all common user data folders found inside a user profile directory, (e.g. where most of your data is stored by default) such as: Documents, Pictures, Videos, Downloads, Desktop, etc. including any ‘My ‘ variants	(no change from 64bit behavior)
dt	%userprofile%\desktop\	(no change from 64bit behavior)
sm	%userprofileroot%\all users\start menu\ (XP only) %userprofile%\start menu\ (XP only) %programdata%\Microsoft\Windows\Start Menu\ (Vista+ only) (C:\ProgramData\Microsoft\Windows\Start Menu\ on most Vista and above systems) %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\ (Vista+ only)	(no change from 64bit behavior)
sf	%userprofileroot%\all users\start menu\programs\startup\ (XP only) %userprofile%\start menu\programs\startup\ (XP only) %programdata%\Microsoft\Windows\Start Menu\programs\startup\ (Vista+ only) %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\programs\startup\ (Vista+ only)	(no change from 64bit behavior)
ad	%userprofile%\appdata\roaming\ (Vista+ only, note this IS %appdata% so not necessary to do that too) %userprofile%\application data\ (XP only, note this IS %appdata% so not necessary to do that too) %userprofile%\appdata\local\ (Vista+ only, note this IS %localappdata% so not necessary to do that too) %userprofile%\local settings\application data\ (XP only, note %localappdata% env var does not exist on XP) %userprofile%\appdata\locallow\ (Vista+ only) %userprofileroot%\all users\application data\ (XP only – and note same as %a% for this particular path) %programdata%\ (Vista+ only)	(no change from 64bit behavior)
ar	%userprofile%\appdata\roaming\ (Vista+ only, note this IS %appdata% so not necessary to do that too) %userprofile%\application data\ (XP only, note this IS %appdata% so not necessary to do that too)	(no change from 64bit behavior)
al	%userprofile%\appdata\local\ (Vista+ only, note this IS %localappdata% so not necessary to do that too) %userprofile%\local settings\application data\ (XP only, note %localappdata% env var does not exist on XP)	(no change from 64bit behavior)
alw	%userprofile%\appdata\locallow\ (Vista+ only)	(no change from 64bit behavior)
pd	%userprofileroot%\all users\application data\ (XP only – and note same as %a% for this particular path) %programdata%\ (Vista+ only)	(no change from 64bit behavior)

Registry Variables

d7x/KillEmAll has additional registry variables which can be used in the “Delete Rules (Registry Keys)” and “Delete Rules (Registry Values)” areas of the “File System/Registry” tab in KillEmAll.

Variable:	Registry Path: (multiple lines mean multiple paths/actions for the one def entry)
hka	HKLM HKCU HKU\[user guid]
hku	HKCU HKU\[user guid]
sw	HKLM\Software HKCU\Software HKU\[user guid]\Software
cs	HKLM\System\CurrentControlSet HKLM\System\ControlSet00x (where x = any number found)
rk	ALL startup/run keys for HKLM, HKCU, and HKU e.g. HKLM\Software\Microsoft\Windows\CurrentVersion\Run (and RunOnce)

Latest News

d7x v20.2.3 Release Notes Added Workgroup name to System Info tab when system is...
Read More
d7x v20.1.23 Release Notes Added new option/tab to uninstall Windows Store Apps in KillEmAll/dUninstaller...
Read More
d7x v20.1.11 Release Notes Added tweak “Disable Background Store Apps” which will prevent ALL...
Read More
New app: Uncle Carey’s Windows 10 NetFix has been released! Uncle Carey’s Windows 10 NetFix was conceived by Carey Holzman and developed...
Read More
Lockdown v1.0 Released! Lockdown is a preventative measure for use against malware/ransomware attacks,...
Read More

Rule Variables

Rule Variables for d7x, KillEmAll, and CryptoPrevent

Description:

Normalizing:

Variable Delimiters:

Examples:

32/64bit notes:

Registry Variables

Latest News

Subscribe to Blog via Email

Chase Miller

Joseph E. Pint (NYS Licensed Private Investigator, Digital Forensics Division: UID #: 11000192051, Sr. Data Recovery Technician, Sr. Digital Forensics Examiner)

PCGamer

Donald Sayers

Dustin Davis