Binary paths (classic)

The Nexthink solution stores the paths from where employees execute each binary file of their applications, up to a maximum of 20 paths per binary. The system stores binary paths in lowercase letters, converting them from uppercase when needed. They use the forward slash / to separate the names of folders in the hierarchy and is independent of the convention the underlying operating system of the devices uses.

Typical applications usually install their executable binary files in the same standard locations in the filesystem, independently of the device on which runs them. For example, the system installs most software applications under the Program Files directory of a Windows device. The execution of binaries from multiple or unusual locations usually indicates irregular employee behavior or even the presence of malware.

In the next section, learn what techniques Nexthink uses to avoid reporting too many paths for every single binary. If a path does not fall into any of the special categories discussed, they are stored in their full form.

Path aliases

Path aliases replace well-known directories with keywords, using a format similar to that of environment variables in Windows. In this way, binary paths of well-known locations become language neutral and independent of the drive where the binary is located. For instance, the paths D:\Program Files (English version) and C:\Programme (German version) both become %ProgramFiles% when stored as a binary path.

Contrary to the general rule for binary paths, path aliases may contain uppercase characters. Below is a table with the list of all path aliases, their description and a few examples of the folders that they replace:

Path alias Description Example

Path alias	Description	Example
`%Windows%`	Windows directory	`DRIVE:\Windows`
`%System%`	Windows system directory	`DRIVE:\Windows\System32`
`%ProgramFiles%`	Software installation directory	`DRIVE:\Program Files` `DRIVE:\Program Files (x86)`
`%UserProfile%`	Directory containing user-specific data	`DRIVE:\Documents and Settings\USERNAME` `DRIVE:\Users\USERNAME`
`%AllProfile%`	Directory holding data accessible by all users	`DRIVE:\Document and Settings\All users` `DRIVE:\Users\Public`
`%ProfileTemp%`	Directory holding user-specific temporary files.	`DRIVE:\Documents and Settings\USERNAME\Local Settings` `DRIVE:\Users\USERNAME\AppData\Local`
`%WindowsTemp%`	Temporary folders in hexadecimal format under the root directory	`DRIVE:\c7fa349ced49048e8941a819b264eb8d`
`%NetDrive%`	Network shared folder	`\\SERVER\shared-dir`
`%RemovableDrive%`	Non-permanent storage devices	`MEDIA_DRIVE:\` (USB stick, CD / DVD, etc.)
`%RecycleBin%`	Directory holding deleted files	`DRIVE:\$RECYCLE.BIN`

%Windows%

Windows directory

DRIVE:\Windows

%System%

Windows system directory

DRIVE:\Windows\System32

%ProgramFiles%

Software installation directory

DRIVE:\Program Files

DRIVE:\Program Files (x86)

%UserProfile%

Directory containing user-specific data

DRIVE:\Documents and Settings\USERNAME

DRIVE:\Users\USERNAME

%AllProfile%

Directory holding data accessible by all users

DRIVE:\Document and Settings\All users

DRIVE:\Users\Public

%ProfileTemp%

Directory holding user-specific temporary files.

DRIVE:\Documents and Settings\USERNAME\Local Settings

DRIVE:\Users\USERNAME\AppData\Local

%WindowsTemp%

Temporary folders in hexadecimal format under the root directory

DRIVE:\c7fa349ced49048e8941a819b264eb8d

%NetDrive%

Network shared folder

\\SERVER\shared-dir

%RemovableDrive%

Non-permanent storage devices

MEDIA_DRIVE:\ (USB stick, CD / DVD, etc.)

%RecycleBin%

Directory holding deleted files

DRIVE:\$RECYCLE.BIN

Ellipsis in binary paths

Ellipsis in aliased paths

For privacy reasons and to avoid path explosion, the system does not record the complete binary path for binaries whose working path lies inside some of the aliased locations. Binaries executed from these locations do not have their full path stored:

%RecylceBin%
%UserProfile%
%AllProfile%
%ProfileTemp%
%WindowsTemp%
%RemovableDrive%

Instead, a three-dot ellipsis /.../ replaces the part of the path after the alias. For example, the path of a typical binary installer setup.exe executed from a temporary Windows folder is recorded as follow:

%WindowsTemp%/.../setup.exe

Ellipsis for automatically generated folders

The Nexthink solution is also capable of detecting folders whose names are automatically generated identifiers. These are usually very long alphanumerical names that are meaningless to a human reader. Therefore, the name of these folders is not stored as is in binary paths, but replaced by an ellipsis /.../.

The following table contains the types of identifiers and some examples of what each one looks like in the filesystem:

Type of ID Examples

Type of ID	Examples
GUID	`4AQlP4lP0xGaDAMF6CwzAQ` `3F2504E0-4F89-11D3-9A0C-0305E82C3301`
MD5	`79054025255fb1a26e4bc422aef54eb4`
SHA1	`2fd4e1c67a2d28fced849ee1bb76e7391b93eb12`
Long Hexadecimal strings	Most hexadecimal strings containing 10 or more characters.
Long numbers	Most strings containing at least 10 digits in a row, except if the digits are all the same.

GUID

4AQlP4lP0xGaDAMF6CwzAQ

3F2504E0-4F89-11D3-9A0C-0305E82C3301

MD5

79054025255fb1a26e4bc422aef54eb4

SHA1

2fd4e1c67a2d28fced849ee1bb76e7391b93eb12

Long Hexadecimal strings

Most hexadecimal strings containing 10 or more characters.

Long numbers

Most strings containing at least 10 digits in a row, except if the digits are all the same.

Last updated 5 months ago