ikiril01
commented
2 years ago Thanks! Seems like a nice addition to make the implementations more robust.
Closed EzLucky closed 2 years ago
ikiril01
commented
2 years ago Thanks! Seems like a nice addition to make the implementations more robust.
I used this rule with the EventID 4697 and had cases where the service file path was starting with "%windir%\" which equals to "C:\Windows\" if Windows is installed on C:.
I didn't check if EventID 7045 translates "%windir%" to "C:\Windows", but I don't think so as %systemroot% is not translated in the event.