# Path Variables
**Path variables** are placeholders like `{userprofile}` or `{system32}` that resolve to real paths on each machine. They let you write one policy or job that works on every supported OS and install location.
* **Format:** `{variableName}` — curly braces, no `$` prefix.
* **Case:** Resolved case-insensitively on Windows; case-sensitive on Linux and macOS.
* **When resolved:** At evaluation time (when the policy or job runs), not when the file is saved.
***
### Common Variables (all platforms)
| Variable | Windows example | Linux example | macOS example | Description |
| ----------------- | --------------------------- | ------------------------ | ------------------------- | ---------------------------------------- |
| `{rootdir}` | `C:\` | `/` | `/` | Drive or filesystem root |
| `{documents}` | `C:\Users\\Documents` | `/home//Documents` | `/Users//Documents` | User documents folder |
| `{userdocuments}` | Same as `{documents}` | Same as `{documents}` | Same as `{documents}` | Alias for documents |
| `{userdesktop}` | `C:\Users\\Desktop` | `/home//Desktop` | `/Users//Desktop` | User desktop |
| `{hasdesktop}` | `"true"` / `"false"` | `"true"` / `"false"` | `"true"` / `"false"` | Whether a desktop environment is present |
***
### Windows-Specific Variables
| Variable | Typical value | Description |
| ------------------- | ------------------------------------ | ------------------------------------ |
| `{systemroot}` | `C:\Windows` | Windows directory |
| `{windows}` | `C:\Windows` | Alias for systemroot |
| `{systemdrive}` | `C:` | System drive (no trailing backslash) |
| `{system32}` | `C:\Windows\System32` | System32 directory |
| `{syswow64}` | `C:\Windows\SysWOW64` | 32-bit system on 64-bit Windows |
| `{programfiles}` | `C:\Program Files` | Program Files |
| `{programfilesx86}` | `C:\Program Files (x86)` | Program Files (x86) |
| `{userprofile}` | `C:\Users\` | User profile directory |
| `{appdata}` | `C:\Users\\AppData\Roaming` | Roaming AppData |
| `{localappdata}` | `C:\Users\\AppData\Local` | Local AppData |
| `{programdata}` | `C:\ProgramData` | ProgramData |
| `{temp}` | `C:\Users\\AppData\Local\Temp` | User temp directory |
***
### Linux and macOS Variables
**Common (Linux and macOS):**
| Variable | Linux example | macOS example | Description |
| -------- | -------------- | --------------- | ------------- |
| `{bin}` | `/bin` | `/bin` | Binaries |
| `{etc}` | `/etc` | `/etc` | Configuration |
| `{tmp}` | `/tmp` | `/tmp` | Temp |
| `{usr}` | `/usr` | `/usr` | User programs |
| `{var}` | `/var` | `/var` | Variable data |
| `{home}` | `/home/` | `/Users/` | User home |
**macOS-only:**
| Variable | Example | Description |
| ----------------- | ------------------------- | --------------------- |
| `{system}` | `/System` | System root |
| `{library}` | `/Library` | Library |
| `{applications}` | `/Applications` | Applications folder |
| `{volumes}` | `/Volumes` | Volumes mount point |
| `{downloads}` | `/Users//Downloads` | User downloads |
| `{launchdaemons}` | `/Library/LaunchDaemons` | System launch daemons |
| `{launchagents}` | `/Library/LaunchAgents` | Launch agents |
***
### Application-Specific Variables
These resolve relative to the Keeper Privilege Manager install:
| Variable | Description | Example (Windows) |
| -------------- | -------------------------- | ------------------------------------------------- |
| `{approot}` | Application root directory | `C:\Program Files\KeeperPrivilegeManager` |
| `{pluginroot}` | Plugins directory | `C:\Program Files\KeeperPrivilegeManager\Plugins` |
| `{jobroot}` | Jobs directory | `C:\Program Files\KeeperPrivilegeManager\Jobs` |
Use them in plugin configs or job paths so paths stay correct regardless of install location.
***
### User-Specific vs System Variables
* **User-specific:** `{userprofile}`, `{documents}`, `{userdesktop}`, `{appdata}`, `{temp}`, `{home}`, `{downloads}` — resolve to the **requesting user’s** paths (e.g., the user whose action triggered the policy).
* **System:** `{systemroot}`, `{system32}`, `{programfiles}`, `{programdata}`, `{bin}`, `{etc}` — resolve to the same path for all users on that machine.
***
### Protected Paths (file access policies)
On Windows, certain paths are **protected**: executables in those locations are excluded from wildcard DENY file-access policies so critical system binaries are not blocked. Protected paths typically include:
* `{systemroot}` (and key subdirs such as System32, WinSxS, Microsoft.NET, Boot, recovery)
* `{programfiles}` and `{programfilesx86}`
Protected path lists can be extended by configuration or policy. Use this when designing file-access policies so you don’t accidentally deny system executables.
**See** [**Reference: Wildcards**](https://github.com/Keeper-Security/keeper-privilege-manager/blob/KEPM_V1.1/review/Documentation/GettingStarted/12-Reference-Wildcards.md) for how wildcards behave in application vs. folder filters and what to avoid.
### Custom Variables
Some deployments support **custom** path variables (e.g., in application or path-resolution settings). If available, you can define names like `{companyshare}` or `{deployroot}` and reference them in policies or jobs the same way as built-in variables. Check your configuration or admin console for where to define them.
#### Return to [Reference Index](https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/reference)
