Binary paths
Overview
Nexthink stores the paths from where end-users execute each binary file of their applications, up to a maximum of 20 paths per binary. Binary paths are stored in lowercase letters (converting from uppercase when needed), and they use the forward slash (/) to separate the names of folders in the hierarchy, independently of the convention used by the underlying operating system of the devices.
Typical applications usually install their executable binary files in the same standard locations in the filesystem, independently of the device on which they are run. For example, most software applications are installed under the Program Files directory of a Windows device. The execution of binaries from multiple or unusual locations usually indicate a strange behavior of users or even the presence of malware.
To avoid reporting too many paths for every single binary, Nexthink uses some techniques that are detailed below. Paths that do not fall into any of the special categories shown below are stored in their full form.
Path aliases
Path aliases replace well-known directories by keywords, using a format similar to that of environment variables in Windows. In this way, binary paths of well-known locations become language neutral and independent of the drive in which the binary is located. For instance, the paths D:\Program Files (English version) and C:\Programme (German version) become both %ProgramFiles% when stored in Nexthink as a binary path.
Contrary to the general rule for binary paths, path aliases may contain uppercase characters. Find below a table with the list of all path aliases, their description, and a few exaples of the folders that they replace:
%Windows%
Windows directory
DRIVE:\Windows
%System%
Windows system directory
DRIVE:\Windows\System32
%ProgramFiles%
Software installation directory
DRIVE:\Program Files
DRIVE:\Program Files (x86)
%UserProfile%
Directory holding user-specific data
DRIVE:\Documents and Settings\USERNAME
DRIVE:\Users\USERNAME
%AllProfile%
Directory holding data accessible by all users
DRIVE:\Document and Settings\All users
%ProfileTemp%
Directory holding user-specific temporary files.
DRIVE:\Documents and Settings\USERNAME\Local Settings
%WindowsTemp%
Temporary folders in hexadecimal format under the root directory
DRIVE:\c7fa349ced49048e8941a819b264eb8d
%NetDrive%
Network shared folder
\\SERVER\shared-dir
%RemovableDrive%
Non-permanent storage devices
MEDIA_DRIVE:\ (USB stick, CD / DVD, etc.)
%RecycleBin%
Directory holding deleted files
DRIVE:\$RECYCLE.BIN
Ellipsis in binary paths
Ellipsis in aliased paths
For privacy reasons and to avoid path explosion, the complete binary path is not recorded for binaries whose working path lies inside some of the aliased locations. Binaries executed from these locations do not have their full path stored:
%RecylceBin%
%UserProfile%
%AllProfile%
%ProfileTemp%
%WindowsTemp%
%RemovableDrive%
Instead, a three dot ellipsis (/.../) replaces the part of the path after the alias. For example, the path of a typical binary installer setup.exe executed from a temporary Windows folder is recorded as:
%WindowsTemp%/.../setup.exe
Ellipsis for automatically generated folders
Nexthink is also capable of detecting folders whose names are automatically generated identifiers. These are usually very long alphanumerical names that are meaningless to a human reader. Therefore, the name of those folders is not stored as is in binary paths, but replaced by an ellipsis (/.../).
The following table contains the types of identifiers recognized by Nexthink and some examples of how each one of them looks like in the filesystem:
GUID
4AQlP4lP0xGaDAMF6CwzAQ
3F2504E0-4F89-11D3-9A0C-0305E82C3301
MD5
79054025255fb1a26e4bc422aef54eb4
SHA1
2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
Long Hexadecimal strings
Most hexadecimal strings containing 10 or more characters
Long numbers
Most strings containing at least 10 digits in a row, except if the digits are all the same.
RELATED CONCEPT
Last updated
Was this helpful?