Policy: Path Variables & Protected Paths

Path Variables
Path variables are placeholders like {userprofile} or {system32} that resolve to real paths on each machine. They let you write one policy or job that works on every supported OS and install location.
Format: {variableName}, with curly braces and no $ prefix.
Case: Resolved case-insensitively on Windows; case-sensitive on Linux and macOS.
When resolved: At evaluation time (when the policy or job runs), not when the file is saved.
Common Path Variables (all platforms)
| Variable | Windows | Linux | macOS | Description |
|---|---|---|---|---|
| {rootdir} | C:\ | / | / | Drive or filesystem root |
| {documents} | C:\Users\<user>\Documents | /home/<user>/Documents | /Users/<user>/Documents | User documents folder |
| {userdocuments} | Same as {documents} | Same as {documents} | Same as {documents} | Alias for documents |
| {userdesktop} | C:\Users\<user>\Desktop | /home/<user>/Desktop | /Users/<user>/Desktop | User desktop |
| {hasdesktop} | "true" / "false" | "true" / "false" | "true" / "false" | Whether a desktop environment is present |
Windows-Specific Path Variables
| Variable | Windows Path | Description |
|---|---|---|
| {systemroot} | C:\Windows | Windows directory |
| {windows} | C:\Windows | Alias for systemroot |
| {systemdrive} | C: | System drive (no trailing backslash) |
| {system32} | C:\Windows\System32 | System32 directory |
| {syswow64} | C:\Windows\SysWOW64 | 32-bit system on 64-bit Windows |
| {programfiles} | C:\Program Files | Program Files |
| {programfilesx86} | C:\Program Files (x86) | Program Files (x86) |
| {userprofile} | C:\Users\<user> | User profile directory |
| {appdata} | C:\Users\<user>\AppData\Roaming | Roaming AppData |
| {localappdata} | C:\Users\<user>\AppData\Local | Local AppData |
| {programdata} | C:\ProgramData | ProgramData |
| {temp} | C:\Users\<user>\AppData\Local\Temp | User temp directory |
macOS Specific Path Variables
| Variable | macOS Path | Description |
|---|---|---|
| {system} | /System | System root |
| {library} | /Library | Library |
| {applications} | /Applications | Applications folder |
| {volumes} | /Volumes | Volumes mount point |
| {downloads} | /Users/<user>/Downloads | User downloads |
| {launchdaemons} | /Library/LaunchDaemons | System launch daemons |
| {launchagents} | /Library/LaunchAgents | Launch agents |
Linux and macOS Shared Path Variables
| Variable | Linux | macOS | Description |
|---|---|---|---|
| {bin} | /bin | /bin | Binaries |
| {etc} | /etc | /etc | Configuration |
| {tmp} | /tmp | /tmp | Temp |
| {usr} | /usr | /usr | User programs |
| {var} | /var | /var | Variable data |
| {home} | /home/<user> | /Users/<user> | User home |
Application-Specific Path Variables
These resolve relative to the Keeper Privilege Manager install:
| Variable | Description | Example (Windows) |
|---|---|---|
| {approot} | Application root directory | C:\Program Files\KeeperPrivilegeManager |
| {pluginroot} | Plugins directory | C:\Program Files\KeeperPrivilegeManager\Plugins |
| {jobroot} | Jobs directory | C:\Program Files\KeeperPrivilegeManager\Jobs |
Use them in plugin configs or job paths so paths stay correct regardless of install location.
User-Specific vs System Variables
User-specific: {userprofile}, {documents}, {userdesktop}, {appdata}, {temp}, {home}, {downloads} resolve to the requesting user's paths (e.g., the user whose action triggered the policy).
System: {systemroot}, {system32}, {programfiles}, {programdata}, {bin}, {etc} resolve to the same path for all users on that machine.
Custom Path Variables
Some deployments support custom path variables (e.g., in application or path-resolution settings). If available, you can define names like {companyshare} or {deployroot} and reference them in policies or jobs the same way as built-in variables. Check your configuration or admin console for where to define them.
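The resolution rules above (curly-brace tokens, case-insensitive lookup on Windows only, per-user values for the user-specific variables, optional custom names) are easy to get wrong when writing a policy by hand, and the product only resolves them at evaluation time. The following is an added example, not Keeper's own resolver: it expands a subset of the built-in variables from the tables above for a given platform and requesting user, accepts custom definitions as an assumed extension point, and offers a save-time lint that reports names that will not resolve. The platform keys ("windows", "linux", "macos"), the "<user>" notation inside values and the function names are this example's choices.

```python
import re

# Built-in values transcribed from the page's tables (a subset is enough here).
# "<user>" is the page's notation for the requesting user's account name.
BUILTIN_VARS = {
    "windows": {
        "rootdir": "C:\\",
        "systemroot": "C:\\Windows",
        "windows": "C:\\Windows",
        "systemdrive": "C:",
        "system32": "C:\\Windows\\System32",
        "programfiles": "C:\\Program Files",
        "programfilesx86": "C:\\Program Files (x86)",
        "userprofile": "C:\\Users\\<user>",
        "documents": "C:\\Users\\<user>\\Documents",
        "userdocuments": "C:\\Users\\<user>\\Documents",
        "temp": "C:\\Users\\<user>\\AppData\\Local\\Temp",
        "hasdesktop": "true",
    },
    "linux": {
        "rootdir": "/",
        "bin": "/bin",
        "etc": "/etc",
        "tmp": "/tmp",
        "usr": "/usr",
        "home": "/home/<user>",
        "documents": "/home/<user>/Documents",
    },
    "macos": {
        "rootdir": "/",
        "system": "/System",
        "applications": "/Applications",
        "home": "/Users/<user>",
        "documents": "/Users/<user>/Documents",
        "downloads": "/Users/<user>/Downloads",
    },
}

_TOKEN = re.compile(r"\{([A-Za-z0-9_]+)\}")   # {variableName}, no $ prefix


class UnknownVariable(KeyError):
    """Raised when a template names a variable the platform does not define."""


def _table(platform, custom):
    # Custom names (e.g. {companyshare}) are an assumed extension point; the
    # page says only that some deployments support them.
    table = dict(BUILTIN_VARS[platform])
    table.update(custom or {})
    if platform == "windows":                 # case-insensitive on Windows only
        table = {k.lower(): v for k, v in table.items()}
    return table


def _key(name, platform):
    return name.lower() if platform == "windows" else name


def unresolved_names(template, platform, custom=None):
    """Names in template that will not resolve on this platform. Useful as a
    save-time check, since the product resolves only at evaluation time."""
    table = _table(platform, custom)
    return [n for n in _TOKEN.findall(template) if _key(n, platform) not in table]


def resolve_path(template, platform, user, custom=None):
    """Expand every {name} token for the requesting user, raising on unknown
    names rather than passing a literal "{name}" through into a policy."""
    table = _table(platform, custom)

    def _sub(match):
        name = match.group(1)
        if _key(name, platform) not in table:
            raise UnknownVariable(name)
        return table[_key(name, platform)].replace("<user>", user)

    return _TOKEN.sub(_sub, template)


if __name__ == "__main__":
    print(resolve_path("{userprofile}\\Desktop\\tool.exe", "windows", "alice"))
    print(unresolved_names("{HOME}/bin", "linux"))   # {HOME} is not {home} on Linux
```

Raising on an unknown name is a deliberate choice: a token left unexpanded in a DENY path would silently match nothing, which is the wrong failure mode for an access control.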
Protected Paths
Protected Paths are essential for File Access Policies
Protected Paths are a safeguard built into File Access Policy evaluation. When a File Access Policy uses a wildcard — for example, denying all *.exe files in a folder — that pattern could inadvertently match critical operating system binaries in system directories like C:\Windows\System32 or /usr/bin, breaking normal OS operation. To prevent this, KEPM maintains a per-platform list of protected directories where wildcard DENY policies are automatically bypassed, no matter how broad the pattern is. Explicit path policies are always evaluated regardless of protection status, so you can still enforce File Access controls against specific executables inside protected directories when needed.
On Windows, certain paths are protected: executables in those locations are excluded from wildcard DENY file-access policies so critical system binaries are not blocked. Protected paths typically include:
- {systemroot} (and key subdirectories such as System32, WinSxS, Microsoft.NET, Boot, recovery)
- {programfiles} and {programfilesx86}
Protected path lists can be extended by configuration or policy. Use this when designing file-access policies so you don’t accidentally deny system executables.
Linux Default Protected Paths
Executables in these paths are excluded from wildcard File Access DENY policies. Protection applies recursively to all subdirectories. Explicit path policies are always evaluated regardless of protection status.
| Path | Description |
|---|---|
| /bin | Essential system binaries |
| /sbin | System administration binaries |
| /usr/bin | User-facing system utilities |
| /usr/sbin | System administration utilities |
| /usr/lib | System shared libraries |
| /usr/libexec | System daemon executables |
| /lib | Essential shared libraries |
| /lib64 | 64-bit essential shared libraries |
| /etc | System configuration files |
| /etc/passwd | User account database |
| /etc/shadow | Encrypted user password store |
| /etc/sudoers | sudo privilege configuration |
| /boot | Boot loader and kernel files |
| /dev | Device files |
| /proc | Kernel and process information (virtual filesystem) |
| /sys | Hardware and driver information (virtual filesystem) |
| /opt/keeper | Keeper Privilege Manager installation directory |
Linux High-Risk Paths
The following paths contain critical system files and should never be targeted by File Access policies. Modification to files in these locations can corrupt authentication, disable system initialization, or render the system unbootable.
| Path | Description | Impact of Corruption |
|---|---|---|
| /etc/passwd | User account database | Breaks all user authentication system-wide |
| /etc/shadow | Encrypted user password store | Prevents password-based login for all users |
| /bin/sh | Default system shell | Breaks scripts, system init, and recovery tools that depend on sh |
| /sbin/init | System initialization process (PID 1) | Prevents the OS from booting |
Learn more about how wildcards behave in application vs. folder filters, and what to avoid, in Policy: Wildcards.
Generic Unix Default Protected Paths
These paths serve as the fallback protected directory set for Unix-based environments where a platform-specific list is not defined. Explicit path policies are always evaluated regardless of protection status.
| Path | Description |
|---|---|
| /bin | Essential system binaries |
| /sbin | System administration binaries |
| /usr/bin | User-facing system utilities |
| /usr/sbin | System administration utilities |
| /etc | System configuration files |
| /dev | Device files |
| /proc | Kernel and process information (virtual filesystem) |
| /sys | Hardware and driver information (virtual filesystem) |
macOS Default Protected Paths
Wildcard File Access DENY policies are bypassed for executables in these paths. Explicit path policies are always evaluated regardless of protection status.
| Path | Description |
|---|---|
| /System | macOS system root and all subdirectories |
| /bin | Essential system binaries |
| /sbin | System administration binaries |
| /usr/bin | User-facing system utilities |
| /usr/sbin | System administration utilities |
| /private/etc | System configuration files |
| /Library/Security | Security framework |
| /Applications/Utilities | Built-in utility applications |
| /Applications | All applications in the main Applications directory |
| /System/Applications | Built-in macOS applications |
macOS High-Risk Paths
The following paths contain critical system files and should never be targeted by File Access policies. Modification to files in these locations can corrupt core OS services, break authentication, or render the system unbootable.
| Path | Description | Impact of Corruption |
|---|---|---|
| /System/Library/CoreServices | Core macOS system services including the Finder, WindowServer, and boot components | Breaks system startup, the GUI environment, or both |
| /private/etc | System configuration files (also accessible as /etc) | Corruption of files such as passwd, sudoers, or hosts breaks authentication, privilege resolution, and network behavior |

/Applications and /System/Applications are protected by design. For the full rationale, and guidance on where to scope wildcard vs. explicit path policies, see macOS Protected Path Design Intent.
Windows Default Protected Paths
Executables in these paths are excluded from wildcard File Access DENY policies. Protection is recursive — all subdirectories are included. Explicit path policies are always evaluated regardless of protection status.
The list can be extended via a ProtectedPaths policy or the UserProtectedDirectories.json / PolicyProtectedDirectories.json files under the PathResolution storage folder.
| Variable | Resolved Path | Description |
|---|---|---|
| {systemroot} | C:\Windows | Windows directory root and all subdirectories |
| {system32} | C:\Windows\System32 | Core system binaries |
| {systemroot}\SysWOW64 | C:\Windows\SysWOW64 | 32-bit system binaries on 64-bit Windows |
| {systemroot}\WinSxS | C:\Windows\WinSxS | Side-by-side component assemblies |
| {systemroot}\servicing | C:\Windows\servicing | Windows Update and Servicing Stack |
| {systemroot}\Microsoft.NET | C:\Windows\Microsoft.NET | .NET Framework runtime files |
| {systemroot}\assembly | C:\Windows\assembly | Global Assembly Cache (GAC) |
| {systemroot}\Boot | C:\Windows\Boot | Boot manager files |
| {systemroot}\recovery | C:\Windows\recovery | Windows Recovery Environment |
| {systemroot}\System32\config | C:\Windows\System32\config | Registry hive files |
| {systemroot}\System32\drivers | C:\Windows\System32\drivers | Kernel-mode device drivers |
| {programfiles} | C:\Program Files | Installed 64-bit applications |
| {programfilesx86} | C:\Program Files (x86) | Installed 32-bit applications on 64-bit Windows |
| {programfiles}\Windows Defender | C:\Program Files\Windows Defender | Windows Defender antivirus binaries |
| {programfiles}\Windows NT | C:\Program Files\Windows NT | Core Windows NT components |
| N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup | System startup programs |
Windows High-Risk Paths
The following paths contain critical system files and should never be targeted by File Access policies. Modification to files in these locations can corrupt the registry, destabilize drivers, or render the system unbootable.
| Path | Description | Impact of Corruption |
|---|---|---|
| C:\Windows\System32\config | Registry hive files (SYSTEM, SAM, SECURITY, SOFTWARE) | Registry corruption; system unbootable |
| C:\Windows\System32\drivers | Kernel-mode device drivers (.sys files) | Driver failure; Blue Screen of Death (BSOD) |
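The protected-path and high-risk sections above all state the same evaluation rule: a wildcard DENY is bypassed for anything under a protected directory (recursively), an explicit path is enforced regardless, and the high-risk locations should never be targeted at all. As an added example, not the product's own evaluator, the code below simulates that rule against a few paths and doubles as a save-time linter that tells a policy author where a wildcard DENY will be silently ineffective and when a policy points at a high-risk location. Shell-style globbing for the wildcard match, the platform keys, the (partial) protected sets with variables already expanded to their defaults, and the function names are this example's assumptions; the real matching semantics are documented on the Policy: Wildcards page.

```python
import fnmatch
import ntpath
import posixpath

# Protected and high-risk sets transcribed (in part) from the page's tables,
# with path variables already expanded to their default values.
PROTECTED = {
    "windows": ["C:\\Windows", "C:\\Program Files", "C:\\Program Files (x86)"],
    "linux": ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/etc",
              "/boot", "/opt/keeper"],
    "macos": ["/System", "/bin", "/sbin", "/usr/bin", "/usr/sbin",
              "/private/etc", "/Applications"],
}
HIGH_RISK = {
    "windows": ["C:\\Windows\\System32\\config", "C:\\Windows\\System32\\drivers"],
    "linux": ["/etc/passwd", "/etc/shadow", "/bin/sh", "/sbin/init"],
    "macos": ["/System/Library/CoreServices", "/private/etc"],
}
_GLOB = set("*?[")


def _mod(platform):
    return ntpath if platform == "windows" else posixpath


def _norm(platform, p):
    # Windows: case-folded and backslash-normalised; POSIX: verbatim.
    m = _mod(platform)
    return m.normcase(m.normpath(p))


def _under(platform, path, root):
    """True if path is root itself or lies anywhere beneath it (recursive)."""
    path, root = _norm(platform, path), _norm(platform, root)
    sep = _mod(platform).sep
    return path == root or path.startswith(root.rstrip(sep) + sep)


def is_wildcard(pattern):
    return any(c in _GLOB for c in pattern)


def is_protected(platform, path):
    return any(_under(platform, path, root) for root in PROTECTED[platform])


def evaluate_deny(platform, pattern, path):
    """Outcome of one DENY policy against one file: 'no-match', 'bypassed'
    (a wildcard matched a file under a protected directory, so the deny does
    not apply) or 'denied'. Shell-style globbing is assumed for matching."""
    if not fnmatch.fnmatchcase(_norm(platform, path), _norm(platform, pattern)):
        return "no-match"
    if is_wildcard(pattern) and is_protected(platform, path):
        return "bypassed"
    return "denied"          # explicit paths are enforced even when protected


def lint_deny_policy(platform, pattern):
    """Save-time warnings for a DENY policy: where a wildcard will silently be
    bypassed, and whether the policy targets a high-risk location."""
    warnings = []
    if is_wildcard(pattern):
        # Literal directory in front of the first glob character.
        first = min(pattern.index(c) for c in _GLOB if c in pattern)
        anchor = _mod(platform).dirname(pattern[:first])
        if not anchor:
            warnings.append("unanchored wildcard: files under every protected root are exempt")
        for root in PROTECTED[platform] if anchor else []:
            if _under(platform, anchor, root):
                warnings.append(f"wildcard sits inside protected root {root}: DENY will be bypassed")
            elif _under(platform, root, anchor):
                warnings.append(f"wildcard spans protected root {root}: files there are exempt")
    else:
        anchor = pattern
    for risky in HIGH_RISK[platform]:
        if anchor and _under(platform, anchor, risky):
            warnings.append(f"targets high-risk location {risky}")
    return warnings


if __name__ == "__main__":
    print(evaluate_deny("windows", "C:\\Windows\\System32\\*.exe", "C:\\Windows\\System32\\cmd.exe"))
    for line in lint_deny_policy("linux", "/usr/bin/*"):
        print("warning:", line)
```

The linter checks only the literal directory prefix of a wildcard pattern, which is enough to catch the two common mistakes the page warns about: a pattern rooted inside a protected directory (nothing there will be denied) and a pattern rooted above one (everything under it is exempt). A pattern rooted in a user area such as a per-user Downloads folder produces no warning, which is the intended place for broad wildcards.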