# Policy: Path Variables & Protected Paths

## Path Variables

**Path variables** are placeholders like `{userprofile}` or `{system32}` that resolve to real paths on each machine. They let you write one policy or job that works on every supported OS and install location.

* **Format:** `{variableName}` — curly braces, no `$` prefix.
* **Case:** Resolved case-insensitively on Windows; case-sensitive on Linux and macOS.
* **When resolved:** At evaluation time (when the policy or job runs), not when the file is saved.

### Common Path Variables (all platforms)

<table data-header-hidden="false" data-header-sticky><thead><tr><th>Variable</th><th>Windows example</th><th>Linux example</th><th>macOS example</th><th>Description</th></tr></thead><tbody><tr><td><code>{rootdir}</code></td><td><code>C:\</code></td><td><code>/</code></td><td><code>/</code></td><td>Drive or filesystem root</td></tr><tr><td><code>{documents}</code></td><td><code>C:\Users\&#x3C;user>\Documents</code></td><td><code>/home/&#x3C;user>/Documents</code></td><td><code>/Users/&#x3C;user>/Documents</code></td><td>User documents folder</td></tr><tr><td><code>{userdocuments}</code></td><td>Same as <code>{documents}</code></td><td>Same as <code>{documents}</code></td><td>Same as <code>{documents}</code></td><td>Alias for documents</td></tr><tr><td><code>{userdesktop}</code></td><td><code>C:\Users\&#x3C;user>\Desktop</code></td><td><code>/home/&#x3C;user>/Desktop</code></td><td><code>/Users/&#x3C;user>/Desktop</code></td><td>User desktop</td></tr><tr><td><code>{hasdesktop}</code></td><td><code>"true"</code> / <code>"false"</code></td><td><code>"true"</code> / <code>"false"</code></td><td><code>"true"</code> / <code>"false"</code></td><td>Whether a desktop environment is present</td></tr></tbody></table>

### Windows-Specific Path Variables

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="179.6666259765625">Variable</th><th>Typical value</th><th>Description</th></tr></thead><tbody><tr><td><code>{systemroot}</code></td><td><code>C:\Windows</code></td><td>Windows directory</td></tr><tr><td><code>{windows}</code></td><td><code>C:\Windows</code></td><td>Alias for systemroot</td></tr><tr><td><code>{systemdrive}</code></td><td><code>C:</code></td><td>System drive (no trailing backslash)</td></tr><tr><td><code>{system32}</code></td><td><code>C:\Windows\System32</code></td><td>System32 directory</td></tr><tr><td><code>{syswow64}</code></td><td><code>C:\Windows\SysWOW64</code></td><td>32-bit system on 64-bit Windows</td></tr><tr><td><code>{programfiles}</code></td><td><code>C:\Program Files</code></td><td>Program Files</td></tr><tr><td><code>{programfilesx86}</code></td><td><code>C:\Program Files (x86)</code></td><td>Program Files (x86)</td></tr><tr><td><code>{userprofile}</code></td><td><code>C:\Users\&#x3C;user></code></td><td>User profile directory</td></tr><tr><td><code>{appdata}</code></td><td><code>C:\Users\&#x3C;user>\AppData\Roaming</code></td><td>Roaming AppData</td></tr><tr><td><code>{localappdata}</code></td><td><code>C:\Users\&#x3C;user>\AppData\Local</code></td><td>Local AppData</td></tr><tr><td><code>{programdata}</code></td><td><code>C:\ProgramData</code></td><td>ProgramData</td></tr><tr><td><code>{temp}</code></td><td><code>C:\Users\&#x3C;user>\AppData\Local\Temp</code></td><td>User temp directory</td></tr></tbody></table>

### macOS-Specific Path Variables

<table><thead><tr><th width="159.87884521484375">Variable</th><th width="226.57574462890625">Example</th><th>Description</th></tr></thead><tbody><tr><td><code>{system}</code></td><td><code>/System</code></td><td>System root</td></tr><tr><td><code>{library}</code></td><td><code>/Library</code></td><td>Library</td></tr><tr><td><code>{applications}</code></td><td><code>/Applications</code></td><td>Applications folder</td></tr><tr><td><code>{volumes}</code></td><td><code>/Volumes</code></td><td>Volumes mount point</td></tr><tr><td><code>{downloads}</code></td><td><code>/Users/&#x3C;user>/Downloads</code></td><td>User downloads</td></tr><tr><td><code>{launchdaemons}</code></td><td><code>/Library/LaunchDaemons</code></td><td>System launch daemons</td></tr><tr><td><code>{launchagents}</code></td><td><code>/Library/LaunchAgents</code></td><td>Launch agents</td></tr></tbody></table>

### Linux and macOS Shared Path Variables

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="109.54537963867188">Variable</th><th width="133.2425537109375">Linux example</th><th width="148.1817626953125">macOS example</th><th>Description</th></tr></thead><tbody><tr><td><code>{bin}</code></td><td><code>/bin</code></td><td><code>/bin</code></td><td>Binaries</td></tr><tr><td><code>{etc}</code></td><td><code>/etc</code></td><td><code>/etc</code></td><td>Configuration</td></tr><tr><td><code>{tmp}</code></td><td><code>/tmp</code></td><td><code>/tmp</code></td><td>Temp</td></tr><tr><td><code>{usr}</code></td><td><code>/usr</code></td><td><code>/usr</code></td><td>User programs</td></tr><tr><td><code>{var}</code></td><td><code>/var</code></td><td><code>/var</code></td><td>Variable data</td></tr><tr><td><code>{home}</code></td><td><code>/home/&#x3C;user></code></td><td><code>/Users/&#x3C;user></code></td><td>User home</td></tr></tbody></table>

### Application-Specific Path Variables

These resolve relative to the Keeper Privilege Manager install:

<table><thead><tr><th width="134.787841796875">Variable</th><th width="159.8787841796875">Description</th><th>Example (Windows)</th></tr></thead><tbody><tr><td><code>{approot}</code></td><td>Application root directory</td><td><code>C:\Program Files\KeeperPrivilegeManager</code></td></tr><tr><td><code>{pluginroot}</code></td><td>Plugins directory</td><td><code>C:\Program Files\KeeperPrivilegeManager\Plugins</code></td></tr><tr><td><code>{jobroot}</code></td><td>Jobs directory</td><td><code>C:\Program Files\KeeperPrivilegeManager\Jobs</code></td></tr></tbody></table>

Use them in plugin configs or job paths so paths stay correct regardless of install location.

### User-Specific vs System Variables

* **User-specific:** `{userprofile}`, `{documents}`, `{userdesktop}`, `{appdata}`, `{temp}`, `{home}`, `{downloads}` — resolve to the **requesting user’s** paths (e.g., the user whose action triggered the policy).
* **System:** `{systemroot}`, `{system32}`, `{programfiles}`, `{programdata}`, `{bin}`, `{etc}` — resolve to the same path for all users on that machine.

### Custom Path Variables

Some deployments support **custom** path variables (e.g., in application or path-resolution settings). If available, you can define names like `{companyshare}` or `{deployroot}` and reference them in policies or jobs the same way as built-in variables. Check your configuration or admin console for where to define them.
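The rules above (curly-brace names, case-insensitive lookup on Windows only, user-specific variables resolved for the requesting user, optional custom variables) are easy to get subtly wrong when writing policies by hand. The following is an added example, not Keeper's own resolver and not code from this page: it resolves `{variable}` placeholders against the typical values in the tables above, builds the user-specific entries for a named requesting user, accepts a custom-variable map, and reports unresolved names so a policy can be linted before it is saved (the real agent resolves at evaluation time on the endpoint, so a typo would otherwise only surface when the policy runs). The per-platform tables and the `{deployroot}` custom variable are assumptions constructed for the example.

```python
import re

# Constructed example tables, taken from the "typical value" columns on this page.
# Real values are resolved by the agent on each endpoint at evaluation time.
SYSTEM_VARS = {
    "windows": {
        "rootdir": "C:\\",
        "systemroot": r"C:\Windows",
        "windows": r"C:\Windows",
        "systemdrive": "C:",
        "system32": r"C:\Windows\System32",
        "syswow64": r"C:\Windows\SysWOW64",
        "programfiles": r"C:\Program Files",
        "programfilesx86": r"C:\Program Files (x86)",
        "programdata": r"C:\ProgramData",
        "approot": r"C:\Program Files\KeeperPrivilegeManager",
        "pluginroot": r"C:\Program Files\KeeperPrivilegeManager\Plugins",
        "jobroot": r"C:\Program Files\KeeperPrivilegeManager\Jobs",
    },
    "linux": {"rootdir": "/", "bin": "/bin", "etc": "/etc", "tmp": "/tmp",
              "usr": "/usr", "var": "/var"},
    "macos": {"rootdir": "/", "bin": "/bin", "etc": "/etc", "tmp": "/tmp",
              "usr": "/usr", "var": "/var", "system": "/System",
              "library": "/Library", "applications": "/Applications",
              "volumes": "/Volumes", "launchdaemons": "/Library/LaunchDaemons",
              "launchagents": "/Library/LaunchAgents"},
}

# Matches {name}: curly braces, no $ prefix, as the page specifies.
VAR_RE = re.compile(r"\{([A-Za-z0-9_]+)\}")


def user_vars(platform, user):
    """User-specific variables resolve for the *requesting* user, so they are
    built per evaluation instead of living in a static table."""
    if platform == "windows":
        profile = rf"C:\Users\{user}"
        return {"userprofile": profile,
                "documents": profile + r"\Documents",
                "userdocuments": profile + r"\Documents",
                "userdesktop": profile + r"\Desktop",
                "appdata": profile + r"\AppData\Roaming",
                "localappdata": profile + r"\AppData\Local",
                "temp": profile + r"\AppData\Local\Temp"}
    home = f"/home/{user}" if platform == "linux" else f"/Users/{user}"
    return {"home": home, "documents": home + "/Documents",
            "userdocuments": home + "/Documents",
            "userdesktop": home + "/Desktop", "downloads": home + "/Downloads"}


def _table(platform, user, custom):
    """Merge built-in, user-specific and custom variables; Windows lookups are
    case-insensitive, so keys are lower-cased there only."""
    table = {**SYSTEM_VARS[platform], **user_vars(platform, user), **(custom or {})}
    return {k.lower(): v for k, v in table.items()} if platform == "windows" else table


def _key(platform, name):
    return name.lower() if platform == "windows" else name


def unresolved_variables(template, platform, user, custom=None):
    """Names in template that would not resolve on this platform (pre-save lint)."""
    table = _table(platform, user, custom)
    return [m.group(1) for m in VAR_RE.finditer(template)
            if _key(platform, m.group(1)) not in table]


def resolve_path(template, platform, user, custom=None):
    """Expand every {name}; unknown names raise instead of leaving braces behind."""
    table = _table(platform, user, custom)

    def sub(match):
        key = _key(platform, match.group(1))
        if key not in table:
            raise KeyError(f"unknown path variable {{{match.group(1)}}} on {platform}")
        return table[key]          # function replacements are inserted literally
    return VAR_RE.sub(sub, template)


if __name__ == "__main__":
    print(resolve_path(r"{UserProfile}\Downloads", "windows", "alice"))
    print(resolve_path("{deployroot}/bin", "linux", "svc", {"deployroot": "/opt/deploy"}))
    print(unresolved_variables("{ETC}/hosts", "linux", "alice"))   # case matters on Linux
```

Note the asymmetry the last line demonstrates: `{ETC}` is fine on Windows-style lookup but unresolved on Linux and macOS, which is exactly the kind of policy that appears to work on one platform and silently fails on another.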

***

## Protected Paths

{% hint style="info" %}

#### Protected Paths are essential for File Access Policies

Protected Paths are a safeguard built into File Access Policy evaluation. When a File Access Policy uses a wildcard — for example, denying all `*.exe` files in a folder — that pattern could inadvertently match critical operating system binaries in system directories like `C:\Windows\System32` or `/usr/bin`, breaking normal OS operation. To prevent this, KEPM maintains a per-platform list of protected directories where wildcard DENY policies are automatically bypassed, no matter how broad the pattern is. Explicit path policies are always evaluated regardless of protection status, so you can still enforce File Access controls against specific executables inside protected directories when needed.
{% endhint %}

On Windows, certain paths are **protected**: executables in those locations are excluded from wildcard DENY file-access policies so critical system binaries are not blocked. Protected paths typically include:

* `{systemroot}` (and key subdirs such as System32, WinSxS, Microsoft.NET, Boot, recovery)
* `{programfiles}` and `{programfilesx86}`

Protected path lists can be extended by configuration or policy. Use this when designing file-access policies so you don’t accidentally deny system executables.

#### Linux Default Protected Paths

Executables in these paths are excluded from wildcard File Access DENY policies. Protection applies recursively to all subdirectories. Explicit path policies are always evaluated regardless of protection status.

<table><thead><tr><th width="144.15155029296875">Path</th><th>Description</th></tr></thead><tbody><tr><td><code>/bin</code></td><td>Essential system binaries</td></tr><tr><td><code>/sbin</code></td><td>System administration binaries</td></tr><tr><td><code>/usr/bin</code></td><td>User-facing system utilities</td></tr><tr><td><code>/usr/sbin</code></td><td>System administration utilities</td></tr><tr><td><code>/usr/lib</code></td><td>System shared libraries</td></tr><tr><td><code>/usr/libexec</code></td><td>System daemon executables</td></tr><tr><td><code>/lib</code></td><td>Essential shared libraries</td></tr><tr><td><code>/lib64</code></td><td>64-bit essential shared libraries</td></tr><tr><td><code>/etc</code></td><td>System configuration files</td></tr><tr><td><code>/etc/passwd</code></td><td>User account database</td></tr><tr><td><code>/etc/shadow</code></td><td>Encrypted user password store</td></tr><tr><td><code>/etc/sudoers</code></td><td>sudo privilege configuration</td></tr><tr><td><code>/boot</code></td><td>Boot loader and kernel files</td></tr><tr><td><code>/dev</code></td><td>Device files</td></tr><tr><td><code>/proc</code></td><td>Kernel and process information (virtual filesystem)</td></tr><tr><td><code>/sys</code></td><td>Hardware and driver information (virtual filesystem)</td></tr><tr><td><code>/opt/keeper</code></td><td>Keeper Privilege Manager installation directory</td></tr></tbody></table>

#### Linux High-Risk Paths

The following paths contain critical system files and should never be targeted by File Access policies. Modification to files in these locations can corrupt authentication, disable system initialization, or render the system unbootable.

<table><thead><tr><th width="139.272705078125">Path</th><th width="175.36358642578125">Description</th><th>Risk</th></tr></thead><tbody><tr><td><code>/etc/passwd</code></td><td>User account database</td><td>Corruption breaks all user authentication system-wide</td></tr><tr><td><code>/etc/shadow</code></td><td>Encrypted user password store</td><td>Corruption prevents password-based login for all users</td></tr><tr><td><code>/bin/sh</code></td><td>Default system shell</td><td>Corruption breaks scripts, system init, and recovery tools that depend on <code>sh</code></td></tr><tr><td><code>/sbin/init</code></td><td>System initialization process (PID 1)</td><td>Corruption prevents the OS from booting</td></tr></tbody></table>

{% hint style="info" %}
See [**Policy: Wildcards**](/keeperpam/endpoint-privilege-manager/policies/wildcards.md) for how wildcards behave in application vs. folder filters and what to avoid.
{% endhint %}

#### Generic Unix Default Protected Paths

These paths serve as the fallback protected directory set for Unix-based environments where a platform-specific list is not defined. Explicit path policies are always evaluated regardless of protection status.

<table><thead><tr><th width="119.15155029296875">Path</th><th>Description</th></tr></thead><tbody><tr><td><code>/bin</code></td><td>Essential system binaries</td></tr><tr><td><code>/sbin</code></td><td>System administration binaries</td></tr><tr><td><code>/usr/bin</code></td><td>User-facing system utilities</td></tr><tr><td><code>/usr/sbin</code></td><td>System administration utilities</td></tr><tr><td><code>/etc</code></td><td>System configuration files</td></tr><tr><td><code>/dev</code></td><td>Device files</td></tr><tr><td><code>/proc</code></td><td>Kernel and process information (virtual filesystem)</td></tr><tr><td><code>/sys</code></td><td>Hardware and driver information (virtual filesystem)</td></tr></tbody></table>

#### macOS Default Protected Paths

Wildcard File Access DENY policies are bypassed for executables in these paths. Explicit path policies are always evaluated regardless of protection status.

<table><thead><tr><th width="230.66668701171875">Path</th><th>Description</th></tr></thead><tbody><tr><td><code>/System</code></td><td>macOS system root and all subdirectories</td></tr><tr><td><code>/bin</code></td><td>Essential system binaries</td></tr><tr><td><code>/sbin</code></td><td>System administration binaries</td></tr><tr><td><code>/usr/bin</code></td><td>User-facing system utilities</td></tr><tr><td><code>/usr/sbin</code></td><td>System administration utilities</td></tr><tr><td><code>/private/etc</code></td><td>System configuration files</td></tr><tr><td><code>/Library/Security</code></td><td>Security framework</td></tr><tr><td><code>/Applications/Utilities</code></td><td>Built-in utility applications</td></tr><tr><td><code>/Applications</code></td><td>All applications in the main Applications directory</td></tr><tr><td><code>/System/Applications</code></td><td>Built-in macOS applications</td></tr></tbody></table>

#### macOS High-Risk Paths

The following paths contain critical system files and should never be targeted by File Access policies. Modification to files in these locations can corrupt core OS services, break authentication, or render the system unbootable.

| Path                           | Description                                                                        | Risk                                                                                                                          |
| ------------------------------ | ---------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| `/System/Library/CoreServices` | Core macOS system services including the Finder, WindowServer, and boot components | Corruption breaks system startup, the GUI environment, or both                                                                |
| `/private/etc`                 | System configuration files (also accessible as `/etc`)                             | Corruption to files such as `passwd`, `sudoers`, or `hosts` breaks authentication, privilege resolution, and network behavior |

{% hint style="success" %}
`/Applications` and `/System/Applications` are protected by design. For the full rationale and guidance on where to scope wildcard vs. explicit path policies, see [macOS Protected Path Design Intent](/keeperpam/endpoint-privilege-manager/reference/macos-protected-path-design-intent.md).
{% endhint %}

### Windows Default Protected Paths

Executables in these paths are excluded from wildcard File Access DENY policies. Protection is recursive — all subdirectories are included. Explicit path policies are always evaluated regardless of protection status.

The list can be extended via a ProtectedPaths policy or the `UserProtectedDirectories.json` / `PolicyProtectedDirectories.json` files under the PathResolution storage folder.

| Variable                          | Resolves To (Typical)                                          | Description                                     |
| --------------------------------- | -------------------------------------------------------------- | ----------------------------------------------- |
| `{systemroot}`                    | `C:\Windows`                                                   | Windows directory root and all subdirectories   |
| `{system32}`                      | `C:\Windows\System32`                                          | Core system binaries                            |
| `{systemroot}\SysWOW64`           | `C:\Windows\SysWOW64`                                          | 32-bit system binaries on 64-bit Windows        |
| `{systemroot}\WinSxS`             | `C:\Windows\WinSxS`                                            | Side-by-side component assemblies               |
| `{systemroot}\servicing`          | `C:\Windows\servicing`                                         | Windows Update and Servicing Stack              |
| `{systemroot}\Microsoft.NET`      | `C:\Windows\Microsoft.NET`                                     | .NET Framework runtime files                    |
| `{systemroot}\assembly`           | `C:\Windows\assembly`                                          | Global Assembly Cache (GAC)                     |
| `{systemroot}\Boot`               | `C:\Windows\Boot`                                              | Boot manager files                              |
| `{systemroot}\recovery`           | `C:\Windows\recovery`                                          | Windows Recovery Environment                    |
| `{systemroot}\System32\config`    | `C:\Windows\System32\config`                                   | Registry hive files                             |
| `{systemroot}\System32\drivers`   | `C:\Windows\System32\drivers`                                  | Kernel-mode device drivers                      |
| `{programfiles}`                  | `C:\Program Files`                                             | Installed 64-bit applications                   |
| `{programfilesx86}`               | `C:\Program Files (x86)`                                       | Installed 32-bit applications on 64-bit Windows |
| `{programfiles}\Windows Defender` | `C:\Program Files\Windows Defender`                            | Windows Defender antivirus binaries             |
| `{programfiles}\Windows NT`       | `C:\Program Files\Windows NT`                                  | Core Windows NT components                      |
| N/A                               | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup` | System startup programs                         |

#### Windows High-Risk Paths

The following paths contain critical system files and should never be targeted by File Access policies. Modification to files in these locations can corrupt the registry, destabilize drivers, or render the system unbootable.

| Path                          | Description                                                   | Risk                                        |
| ----------------------------- | ------------------------------------------------------------- | ------------------------------------------- |
| `C:\Windows\System32\config`  | Registry hive files (`SYSTEM`, `SAM`, `SECURITY`, `SOFTWARE`) | Registry corruption; system unbootable      |
| `C:\Windows\System32\drivers` | Kernel-mode device drivers (`.sys` files)                     | Driver failure; Blue Screen of Death (BSOD) |
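The evaluation rule stated throughout this section has three parts: protection is recursive, wildcard DENY policies are bypassed for executables under a protected path, and explicit path policies are always evaluated. The following is an added example, not Keeper's evaluator and not code from this page: it models that decision for the Windows and Linux default protected-path tables above (typical resolved values), matching paths case-insensitively on Windows and case-sensitively on Linux, and adds a small lint that flags a policy targeting one of the high-risk paths or a wildcard scoped entirely inside a protected directory (which would never take effect). The protected and high-risk lists are transcribed from the tables; the policy patterns and targets are constructed sample input.

```python
import fnmatch
import ntpath
import posixpath

# Transcribed from the default protected-path tables on this page (typical values).
PROTECTED = {
    "windows": [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)",
                r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"],
    "linux": ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec",
              "/lib", "/lib64", "/etc", "/boot", "/dev", "/proc", "/sys", "/opt/keeper"],
}

# Transcribed from the high-risk path tables: never the target of a policy.
HIGH_RISK = {
    "windows": [r"C:\Windows\System32\config", r"C:\Windows\System32\drivers"],
    "linux": ["/etc/passwd", "/etc/shadow", "/bin/sh", "/sbin/init"],
}


def _sep(platform):
    return "\\" if platform == "windows" else "/"


def _norm(platform, path):
    """Canonical form: Windows comparisons are case-insensitive, Linux ones are not."""
    if platform == "windows":
        return ntpath.normcase(ntpath.normpath(path))
    return posixpath.normpath(path)


def is_under(platform, path, root):
    """True if path equals root or sits anywhere below it (protection is recursive)."""
    p, r = _norm(platform, path), _norm(platform, root)
    return p == r or p.startswith(r.rstrip(_sep(platform)) + _sep(platform))


def is_protected(platform, path):
    return any(is_under(platform, path, root) for root in PROTECTED[platform])


def is_wildcard(pattern):
    return any(c in pattern for c in "*?[")


def evaluate_deny(platform, pattern, target):
    """Outcome of one DENY file-access policy against a target executable:
    'deny', 'bypass-protected' (wildcard matched but target is protected) or 'no-match'."""
    if is_wildcard(pattern):
        matched = fnmatch.fnmatchcase(_norm(platform, target), _norm(platform, pattern))
        if matched and is_protected(platform, target):
            return "bypass-protected"
    else:
        # Explicit paths are always evaluated, even inside protected directories.
        matched = _norm(platform, target) == _norm(platform, pattern)
    return "deny" if matched else "no-match"


def lint_policy(platform, pattern):
    """Design-time warnings: explicit policies on high-risk paths, and wildcards
    whose fixed prefix lies inside a protected path (the DENY can never apply)."""
    warnings = []
    if not is_wildcard(pattern):
        for hr in HIGH_RISK[platform]:
            if is_under(platform, pattern, hr):
                warnings.append(f"targets high-risk path {hr}")
    else:
        prefix = pattern.split("*")[0].split("?")[0]      # fixed part before the wildcard
        if prefix and is_protected(platform, prefix.rstrip(_sep(platform)) or prefix):
            warnings.append("wildcard scoped inside a protected path: DENY will be bypassed")
    return warnings


if __name__ == "__main__":
    # Constructed sample policies and targets.
    cases = [("windows", r"C:\Windows\System32\*.exe", r"C:\Windows\System32\cmd.exe"),
             ("windows", r"C:\Windows\System32\cmd.exe", r"c:\windows\system32\CMD.EXE"),
             ("windows", r"C:\Users\*\Downloads\*.exe", r"C:\Users\bob\Downloads\setup.exe"),
             ("linux", "/usr/bin/*", "/usr/bin/python3"),
             ("linux", "/home/*/Downloads/*.sh", "/home/alice/Downloads/run.sh")]
    for platform, pattern, target in cases:
        print(f"{platform:7} {pattern:32} -> {target}: {evaluate_deny(platform, pattern, target)}")
    for platform, pattern in [("linux", "/etc/shadow"), ("windows", r"C:\Windows\System32\*.exe")]:
        print(f"lint {pattern}: {lint_policy(platform, pattern)}")
```

The first and second sample cases are the two halves of the rule in one place: `*.exe` under System32 is bypassed, while the explicit `cmd.exe` path is still denied. The lint is the practical takeaway for policy authors: a wildcard whose whole scope is a protected directory is a no-op, and a policy aimed at a high-risk path should be caught before it ships rather than at the first failed boot.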

