ESET Online Help

Search
Select the category
Select the topic

Supported environment variables

Use the following variables in the rules if you want to match a specific system path. These variables substitute the system path of an event being executed on a client machine. Only events using such variables will be processed by a rule. Therefore, c:\windows\system32 and also %WINDIR%\system32 will not be matched, but %SYSTEM% will.

Windows

%SYSTEM%

%SYSTEMDRIVE%\windows\system32\

%WINDIR%

%SYSTEMDRIVE%\windows\

%PROGRAMDATA%

%SYSTEMDRIVE%\programdata\

%PROGRAMFILES%

%SYSTEMDRIVE%\program files\

%PROGRAMFILES(X86)%

%SYSTEMDRIVE%\program files (x86)\

%APPDATA%

%SYSTEMDRIVE%\users\*\appdata\roaming\

%LOCALAPPDATA%

%SYSTEMDRIVE%\users\*\appdata\local\

%HOME%

%SYSTEMDRIVE%\users\*\

%TMP%

%SYSTEMDRIVE%\users\*\appdata\local\temp\

HKCU

REGISTRY ONLY! Computer\HKEY_CURRENT_USER\

HKLM

REGISTRY ONLY! Computer\HKEY_LOCAL_MACHINE\

%RemovableDrive%

Points to place on any removable drive

%RemoteDrive%

Points to place on any remote drive

%CDROM%

Points to place on any CD-ROM drive

%COMMONAPPDATA%

%ALLUSERSPROFILE%

%COMMONDESKTOP%

%PUBLIC%\desktop\

%COMMONDOCUMENTS%

%PUBLIC%\documents\

%COMMONPROGRAMS%

%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\

%COMMONSTARTMENU%

%ALLUSERSPROFILE%\microsoft\windows\start menu\

%COMMONSTARTUP%

%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup\

%COMMONTEMPLATES%

%ALLUSERSPROFILE%\microsoft\windows\templates\

%COMMONMUSIC%

%PUBLIC%\music\

%COMMONPICTURES%

%PUBLIC%\pictures\

%COMMONVIDEO%

%PUBLIC%\video\

%STARTMENU%

%SYSTEMDRIVE%\users\*\appdata\roaming\microsoft\windows\start menu\

%STARTUP%

%SYSTEMDRIVE%\users\*\appdata\roaming\microsoft\windows\start menu\programs\startup\

%DESKTOP%

%SYSTEMDRIVE%\users\*\desktop\

%LOCALAPPDATALOW%

%SYSTEMDRIVE%\users\*\appdata\locallow\

%TEMP%

%SYSTEMDRIVE%\users\*\appdata\local\temp\

%SYSTEMDRIVE%

usually “C:”

%ALLUSERSPROFILE%

= %PROGRAMDATA% = c:\programdata

%PUBLIC%

c:\users\public

Apple

%APPLICATIONS%

/applications/

%COMMONSTARTUPADMIN%

/library/startupitems/

%COMMONSTARTUPOS%

/system/library/startupitems/

%DESKTOPMAC%

~/desktop/

%DOCUMENTSMAC%

~/documents/

%DOWNLOADSMAC%

~/downloads/

%HOME%

~/

%LIBRARY%

/library/

%LIBRARYAPPSUPPORT%

/library/application support/

%LIBRARYEXTENSIONS%

/library/extensions/

%LIBRARYKEYCHAINS%

/library/keychains/

%LIBRARYPREFERENCES%

/library/preferences/

%VOLUMES%

/volumes/

%MOVIES%

~/movies/

%MUSICMAC%

~/music/

%NET%

/net/

%PICTURESMAC%

~/pictures/

%PROCSTARTBOOTBYADMIN%

/library/launchdaemons/

%PROCSTARTBOOTBYOS%

/system/library/launchdaemons/

%PROCSTARTUSERBYADMIN%

/library/launchagents/

%PROCSTARTUSERBYOS%

/system/library/launchagents/

%PROCSTARTUSERBYUSER%

~/library/launchagents/

%PUBLIC%

~/public/

%SYSTEMLIBRARY%

/system/library/

%SYSTEMLIBRARYEXTENSIONS%

/system/library/extensions/

%SYSTEMLIBRARYPREFERENCES%

/system/library/preferences/

%TMPMAC%

/tmp/

%TMPDIRVAR%

/var/folders and /private/var/folders

%TMPLIBRARY%

/library/caches/

%TMPLOCALLIBRARY%

~/library/caches/

%TMPPRIVATE%

/private/tmp/

%USERLIBRARY%

~/library/

%USERLIBRARYAPPSUPPORT%

~/library/application support/

%USERLIBRARYKEYCHAINS%

~/library/keychains/

%USERLIBRARYPREFERENCES%

~/library/preferences/

%USERSMAC%

/users/

Example of use

<process>
    <operator type="AND">
        <condition component="FileItem" property="Path" condition="is" value="%AppData%\Roaming\" />
        <condition component="FileItem" property="Extension" condition="is" value="exe" />
    </operator >
</process>