Binary paths

Overview

Nexthink stores the paths from where end-users execute each binary file of their applications, up to a maximum of 20 paths per binary. Binary paths are stored in lowercase letters (converting from uppercase when needed), and they use the forward slash (/) to separate the names of folders in the hierarchy, independently of the convention used by the underlying operating system of the devices.

Typical applications usually install their executable binary files in the same standard locations in the filesystem, independently of the device on which they are run. For example, most software applications are installed under the Program Files directory of a Windows device. The execution of binaries from multiple or unusual locations usually indicate a strange behavior of users or even the presence of malware.

To avoid reporting too many paths for every single binary, Nexthink uses some techniques that are detailed below. Paths that do not fall into any of the special categories shown below are stored in their full form.

Path aliases

Path aliases replace well-known directories by keywords, using a format similar to that of environment variables in Windows. In this way, binary paths of well-known locations become language neutral and independent of the drive in which the binary is located. For instance, the paths D:\Program Files (English version) and C:\Programme (German version) become both %ProgramFiles% when stored in Nexthink as a binary path.

Contrary to the general rule for binary paths, path aliases may contain uppercase characters. Find below a table with the list of all path aliases, their description, and a few exaples of the folders that they replace:

Path alias Description Example

Path alias	Description	Example
%Windows%	Windows directory	DRIVE:\Windows
%System%	Windows system directory	DRIVE:\Windows\System32
%ProgramFiles%	Software installation directory	DRIVE:\Program Files DRIVE:\Program Files (x86)
%UserProfile%	Directory holding user-specific data	DRIVE:\Documents and Settings\USERNAME DRIVE:\Users\USERNAME
%AllProfile%	Directory holding data accessible by all users	DRIVE:\Document and Settings\All users Code `DRIVE:\Users\Public (Windows Vista and higher)`
%ProfileTemp%	Directory holding user-specific temporary files.	DRIVE:\Documents and Settings\USERNAME\Local Settings Code `DRIVE:\Users\USERNAME\AppData\Local`
%WindowsTemp%	Temporary folders in hexadecimal format under the root directory	DRIVE:\c7fa349ced49048e8941a819b264eb8d
%NetDrive%	Network shared folder	\\SERVER\shared-dir
%RemovableDrive%	Non-permanent storage devices	MEDIA_DRIVE:\ (USB stick, CD / DVD, etc.)
%RecycleBin%	Directory holding deleted files	DRIVE:\$RECYCLE.BIN

%Windows%

Windows directory

DRIVE:\Windows

%System%

Windows system directory

DRIVE:\Windows\System32

%ProgramFiles%

Software installation directory

DRIVE:\Program Files

DRIVE:\Program Files (x86)

%UserProfile%

Directory holding user-specific data

DRIVE:\Documents and Settings\USERNAME

DRIVE:\Users\USERNAME

%AllProfile%

Directory holding data accessible by all users

DRIVE:\Document and Settings\All users

Code

 DRIVE:\Users\Public (Windows Vista and higher)

%ProfileTemp%

Directory holding user-specific temporary files.

DRIVE:\Documents and Settings\USERNAME\Local Settings

Code

 DRIVE:\Users\USERNAME\AppData\Local

%WindowsTemp%

Temporary folders in hexadecimal format under the root directory

DRIVE:\c7fa349ced49048e8941a819b264eb8d

%NetDrive%

Network shared folder

\\SERVER\shared-dir

%RemovableDrive%

Non-permanent storage devices

MEDIA_DRIVE:\ (USB stick, CD / DVD, etc.)

%RecycleBin%

Directory holding deleted files

DRIVE:\$RECYCLE.BIN

Ellipsis in binary paths

Ellipsis in aliased paths

For privacy reasons and to avoid path explosion, the complete binary path is not recorded for binaries whose working path lies inside some of the aliased locations. Binaries executed from these locations do not have their full path stored:

%RecylceBin%
%UserProfile%
%AllProfile%
%ProfileTemp%
%WindowsTemp%
%RemovableDrive%

Instead, a three dot ellipsis (/.../) replaces the part of the path after the alias. For example, the path of a typical binary installer setup.exe executed from a temporary Windows folder is recorded as:

%WindowsTemp%/.../setup.exe

Ellipsis for automatically generated folders

Nexthink is also capable of detecting folders whose names are automatically generated identifiers. These are usually very long alphanumerical names that are meaningless to a human reader. Therefore, the name of those folders is not stored as is in binary paths, but replaced by an ellipsis (/.../).

The following table contains the types of identifiers recognized by Nexthink and some examples of how each one of them looks like in the filesystem:

Type of ID
GUID	4AQlP4lP0xGaDAMF6CwzAQ 3F2504E0-4F89-11D3-9A0C-0305E82C3301
MD5	79054025255fb1a26e4bc422aef54eb4
SHA1	2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
Long Hexadecimal strings	Most hexadecimal strings containing 10 or more characters
Long numbers	Most strings containing at least 10 digits in a row, except if the digits are all the same.

Type of ID

GUID

4AQlP4lP0xGaDAMF6CwzAQ

3F2504E0-4F89-11D3-9A0C-0305E82C3301

MD5

79054025255fb1a26e4bc422aef54eb4

SHA1

2fd4e1c67a2d28fced849ee1bb76e7391b93eb12

Long Hexadecimal strings

Most hexadecimal strings containing 10 or more characters

Long numbers

Most strings containing at least 10 digits in a row, except if the digits are all the same.

RELATED CONCEPT

Binary

Last updated 4 months ago