Binary paths (classic)
The Nexthink solution stores the paths from where employees execute each binary file of their applications, up to a maximum of 20 paths per binary. The system stores binary paths in lowercase letters, converting them from uppercase when needed. They use the forward slash / to separate the names of folders in the hierarchy and is independent of the convention the underlying operating system of the devices uses.
Typical applications usually install their executable binary files in the same standard locations in the filesystem, independently of the device on which runs them. For example, the system installs most software applications under the Program Files directory of a Windows device. The execution of binaries from multiple or unusual locations usually indicates irregular employee behavior or even the presence of malware.
In the next section, learn what techniques Nexthink uses to avoid reporting too many paths for every single binary. If a path does not fall into any of the special categories discussed, they are stored in their full form.
Path aliases
Path aliases replace well-known directories with keywords, using a format similar to that of environment variables in Windows. In this way, binary paths of well-known locations become language neutral and independent of the drive where the binary is located. For instance, the paths D:\Program Files (English version) and C:\Programme (German version) both become %ProgramFiles% when stored as a binary path.
Contrary to the general rule for binary paths, path aliases may contain uppercase characters. Below is a table with the list of all path aliases, their description and a few examples of the folders that they replace:
%Windows%
Windows directory
DRIVE:\Windows
%System%
Windows system directory
DRIVE:\Windows\System32
%ProgramFiles%
Software installation directory
DRIVE:\Program Files
DRIVE:\Program Files (x86)
%UserProfile%
Directory containing user-specific data
DRIVE:\Documents and Settings\USERNAME
DRIVE:\Users\USERNAME
%AllProfile%
Directory holding data accessible by all users
DRIVE:\Document and Settings\All users
DRIVE:\Users\Public
%ProfileTemp%
Directory holding user-specific temporary files.
DRIVE:\Documents and Settings\USERNAME\Local Settings
DRIVE:\Users\USERNAME\AppData\Local
%WindowsTemp%
Temporary folders in hexadecimal format under the root directory
DRIVE:\c7fa349ced49048e8941a819b264eb8d
%NetDrive%
Network shared folder
\\SERVER\shared-dir
%RemovableDrive%
Non-permanent storage devices
MEDIA_DRIVE:\
(USB stick, CD / DVD, etc.)
%RecycleBin%
Directory holding deleted files
DRIVE:\$RECYCLE.BIN
Ellipsis in binary paths
Ellipsis in aliased paths
For privacy reasons and to avoid path explosion, the system does not record the complete binary path for binaries whose working path lies inside some of the aliased locations. Binaries executed from these locations do not have their full path stored:
%RecylceBin%%UserProfile%%AllProfile%%ProfileTemp%%WindowsTemp%%RemovableDrive%
Instead, a three-dot ellipsis /.../ replaces the part of the path after the alias. For example, the path of a typical binary installer setup.exe executed from a temporary Windows folder is recorded as follow:
%WindowsTemp%/.../setup.exe
Ellipsis for automatically generated folders
The Nexthink solution is also capable of detecting folders whose names are automatically generated identifiers. These are usually very long alphanumerical names that are meaningless to a human reader. Therefore, the name of these folders is not stored as is in binary paths, but replaced by an ellipsis /.../.
The following table contains the types of identifiers and some examples of what each one looks like in the filesystem:
GUID
4AQlP4lP0xGaDAMF6CwzAQ
3F2504E0-4F89-11D3-9A0C-0305E82C3301
MD5
79054025255fb1a26e4bc422aef54eb4
SHA1
2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
Long Hexadecimal strings
Most hexadecimal strings containing 10 or more characters.
Long numbers
Most strings containing at least 10 digits in a row, except if the digits are all the same.
Last updated