# Plugin: Redirect Evaluator

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="195.33331298828125">Field</th><th>Description</th></tr></thead><tbody><tr><td><code>sourceExePattern</code></td><td>The executable to intercept, matched by name (e.g. <code>rundll32\.exe</code>).</td></tr><tr><td><code>commandLinePattern</code></td><td>A pattern matched against the full command line (e.g. <code>ncpa\.cpl</code>). Use this to narrow a rule to a specific invocation of an executable.</td></tr><tr><td><code>elevationOnly</code></td><td>When <code>true</code>, the rule only applies to privilege elevation requests. Recommended for most redirect scenarios.</td></tr><tr><td><code>nonAdminOnly</code></td><td>When <code>true</code>, the rule only applies to standard (non-admin) users. Admins are unaffected and run the original process as normal.</td></tr><tr><td><code>targetExe</code></td><td>The substitute application to launch (e.g. <code>Keeper.NetworkConnections</code>). Must be a deployed EPM plugin or executable.</td></tr><tr><td><code>targetArguments</code></td><td>Optional arguments to pass to the substitute. Leave empty if none are needed.</td></tr></tbody></table>

**Audience:** IT admins. This page describes **`RedirectEvaluator`**, the EPM plugin that intercepts allowed privilege elevation requests and routes them to a substitute application instead of launching the original elevated process.

## What `RedirectEvaluator` Does

When EPM allows a privilege elevation request, it normally launches the requested executable with elevation. **`RedirectEvaluator`** sits inside that flow and gives you the ability to substitute a different application instead — so the user gets the functionality they need through a controlled path, without the original process ever running elevated.

A common example: a standard user opens Windows Network Connections (`rundll32.exe` + `ncpa.cpl`). Rather than elevating that system process, **`RedirectEvaluator`** intercepts the request and launches **Keeper.NetworkConnections** instead. The user gets the same result through a purpose-built UI; the original privileged process never runs.

Redirect is **additive** — it only activates after policy has already allowed the request. All standard controls (MFA, justification, approval) run first, unchanged.

## How It Works

**`RedirectEvaluator`** runs as the first task in the **LaunchPrivilegeElevation** job whenever redirect is enabled:

1. A privilege elevation request comes in and is allowed by policy.
2. The **LaunchPrivilegeElevation** job starts. The **check-redirect** task invokes **`RedirectEvaluator`**  with the request context: executable path, command line, user admin status, and event type.
3. **`RedirectEvaluator`** fetches its active rules via `GET /api/PluginSettings/RedirectEvaluator` and evaluates them in order. The first matching rule wins.
4. **If a rule matches:** **`RedirectEvaluator`**  returns the substitute target. The job sends DENY to the caller (so the original executable is not launched) and launches the substitute elevated instead. The user sees the substitute app.
5. **If no rule matches or redirect is disabled:** The job proceeds normally — the originally requested executable is launched elevated.

**`RedirectEvaluator`** runs as a Service-execution-type process task. Its output is a single JSON object (`denyOriginalRequest`, `redirectTargetExe`, `redirectTargetArgs`) that is merged into the job context and acted on by subsequent tasks.

### Deployment

**`RedirectEvaluator`** is deployed as part of the standard EPM component set:

* **Location:** `Jobs/bin/RedirectEvaluator/`
* **Configuration file:** `KeeperPrivilegeManager/Plugins/RedirectEvaluator.json`
* **Required companion job:** LaunchPrivilegeElevation — redirect runs inside this job and has no effect without it.
* **Substitute apps** (e.g. `Keeper.NetworkConnections`) must also be deployed under `Jobs/bin/` for **`RedirectEvaluator`** to resolve and launch them.

### Redirect Rules

Rules are defined under `metadata.redirect.rules` in `Plugins/RedirectEvaluator.json`. Each rule specifies what to intercept and what to launch instead.

<table><thead><tr><th width="194">Field</th><th>Description</th></tr></thead><tbody><tr><td><code>sourceExePattern</code></td><td>Regex matched against the <strong>executable name</strong> of the elevation request (e.g. <code>rundll32\.exe</code>). Case-insensitive. Use <code>\.</code> for a literal dot.</td></tr><tr><td><code>commandLinePattern</code></td><td>Regex matched against the <strong>full command line</strong>. Acts as a "contains" match. Cannot be empty — use <code>.*</code> to match any command line.</td></tr><tr><td><code>elevationOnly</code></td><td>When <code>true</code>, the rule applies only to Privilege Elevation requests. Recommended for most redirect scenarios.</td></tr><tr><td><code>nonAdminOnly</code></td><td>When <code>true</code>, the rule applies only to standard (non-admin) users. Admins are unaffected and run the original process.</td></tr><tr><td><code>targetExe</code></td><td>Short name of the substitute to launch (e.g. <code>Keeper.NetworkConnections</code>). Resolved to a full path from <code>Jobs/bin/</code> or <code>Plugins/bin/</code>.</td></tr><tr><td><code>targetArguments</code></td><td>Optional arguments passed to the substitute. Leave empty if none are needed.</td></tr></tbody></table>

Rules are evaluated in order. **The first matching rule wins** — put more specific rules before broader ones.

### Built-in Example: ncpa.cpl → Keeper.NetworkConnections

The default configuration ships with a rule for Windows Network Connections:

```json
"redirect": {
  "enabled": true,
  "rules": [
    {
      "sourceExePattern": "rundll32\\.exe",
      "commandLinePattern": "ncpa\\.cpl",
      "elevationOnly": true,
      "nonAdminOnly": true,
      "targetExe": "Keeper.NetworkConnections",
      "targetArguments": ""
    }
  ]
}
```

This intercepts any elevation request where `rundll32.exe` is called with `ncpa.cpl` on the command line, for non-admin users only. Matching requests are redirected to the Keeper Network Connections UI with no extra arguments. Admins are unaffected.

### Enabling and Disabling Redirect

Redirect is controlled by a single flag in `Plugins/RedirectEvaluator.json`:

* `metadata.redirect.enabled: true` — redirect is on; rules are evaluated for every allowed elevation request.
* `metadata.redirect.enabled: false` — redirect is off; the check-redirect task is skipped entirely and the normal launch-elevated path runs.

When disabled, **`RedirectEvaluator`** is not invoked at all — there is no performance impact on the elevation flow.

### Deploying Configuration Centrally

Rather than editing `Plugins/RedirectEvaluator.json` on each endpoint manually, redirect rules can be pushed centrally using a `SettingsUpdate` policy:

```json
{
  "PolicyId": "redirect-evaluator-ncpa-redirect",
  "PolicyName": "Redirect ncpa.cpl to Keeper.NetworkConnections",
  "PolicyType": "SettingsUpdate",
  "Status": "enabled",
  "Extension": {
    "PluginName": "RedirectEvaluator",
    "Action": "Update",
    "SettingsJson": "{ ...full RedirectEvaluator plugin JSON including metadata.redirect... }"
  }
}
```

`SettingsJson` must contain the **complete** plugin JSON — the existing file on the endpoint is replaced entirely when the policy is applied, not merged. Build the inner JSON separately and serialize it into the `SettingsJson` string to avoid escaping errors.

Once the policy is deployed and the **Process Configuration Policies** job runs, the updated configuration is written to `Plugins/RedirectEvaluator.json`. A service restart may be required depending on your deployment version.

{% hint style="info" %}
**Note on tamper protection:** If EPM detects that `Plugins/RedirectEvaluator.json` was modified outside of the normal policy flow, it may skip reloading the file on hot reload. In that case, a full service restart is required for changes to take effect. Pushing settings via the management console into Unified Storage avoids this constraint.
{% endhint %}

## Summary

<table><thead><tr><th width="191.3333740234375">Topic</th><th>Detail</th></tr></thead><tbody><tr><td><strong>What it does</strong></td><td>Substitutes a different executable for an allowed elevation request</td></tr><tr><td><strong>When it runs</strong></td><td>Inside LaunchPrivilegeElevation, after policy allows the request and before the elevated launch</td></tr><tr><td><strong>Where to configure</strong></td><td><code>Plugins/RedirectEvaluator.json</code> → <code>metadata.redirect.enabled</code> and <code>metadata.redirect.rules</code></td></tr><tr><td><strong>Rule matching</strong></td><td>First matching rule wins; ordered by specificity</td></tr><tr><td><strong>Enabling/disabling</strong></td><td><code>metadata.redirect.enabled</code> — no service restart required to toggle</td></tr><tr><td><strong>Deploying rules</strong></td><td><code>SettingsUpdate</code> policy + Process Configuration Policies job</td></tr><tr><td><strong>Substitute app requirement</strong></td><td>Target must be deployed under <code>Jobs/bin/</code> or <code>Plugins/bin/</code></td></tr><tr><td><strong>Built-in example</strong></td><td><code>rundll32.exe</code> + <code>ncpa.cpl</code> → <code>Keeper.NetworkConnections</code> for non-admin users</td></tr></tbody></table>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeperpam/endpoint-privilege-manager/integrations/examples/redirectevaluator-plugin-configuration.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.