How to Use .NET Regex Within ThreatLocker

2 min. read | Last update: 07.18.2025

ThreatLocker supports the use of regular expressions (Regex) within Application Definitions. Regex must be .NET-based, or ThreatLocker may not recognize it.

The ONLY location within the ThreatLocker portal that supports the use of Regex is Application Definitions.

Regex must be written in .NET regular expression syntax. It is recommended that all regular expressions be tested using a .NET-specific Regex tester, such as regexstorm.net, before inserting them into ThreatLocker Application Definitions or Storage Policies.

Inserting Regex Rules Into an Application Definition

Within the ThreatLocker Portal, use the 'Modules' dropdown and select 'Application Control'.

In the 'Application Control' page, you can either select an existing application to edit or select the '+ New Application' button at the top left of the page.

Selecting either of these options will open a side panel titled 'Create Application' or 'Edit Application'. Within the 'Create Application' or 'Edit Application' page, navigate to the 'Application Files' tab at the top of the side panel.

Select Full Path, Process Path, or Created By from the 'Condition' dropdown in the 'File Rules' section. Then, in the 'Value' field, enter the desired regular expression prefixed with 'Regex:'. For example:

Regex:\\appdata\\(local|locallow|roaming)\\temp

Note: When creating a Regex rule, ensure that it is not too broad. One of the limitations of Regex is that different strings can match the same Regex rule. Broad Regex rules may allow unintended strings to match, resulting in an insecure Application definition.
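
The PowerShell script below is an added example, not ThreatLocker's own code: it runs the article's pattern and a hypothetical tighter variant through the .NET regex engine against constructed sample paths and flags any path that matches without being intended. It assumes an unanchored, case-insensitive search, since the article does not state which match options ThreatLocker applies; the function name, the anchored variant, and all sample paths are assumptions.

```powershell
# Added example: measure how broad a candidate rule is before saving it.
# Assumption: unanchored, case-insensitive .NET search. Adjust $options if
# your testing shows ThreatLocker evaluates rules differently.
$options = [System.Text.RegularExpressions.RegexOptions]'IgnoreCase, CultureInvariant'

# Patterns are written without the 'Regex:' prefix used in the portal.
$candidates = [ordered]@{
    'article example'  = '\\appdata\\(local|locallow|roaming)\\temp'
    # Hypothetical tighter variant: fixed drive and profile root, one folder
    # level under Temp, .exe files only.
    'anchored variant' = '^C:\\Users\\[^\\]+\\AppData\\(Local|LocalLow|Roaming)\\Temp\\[^\\]+\.exe$'
}

# Constructed sample paths. Intended = $true means the rule is meant to cover it.
$samples = @(
    [pscustomobject]@{ Path = 'C:\Users\alice\AppData\Local\Temp\setup.exe';           Intended = $true  }
    [pscustomobject]@{ Path = 'C:\Users\alice\AppData\LocalLow\Temp\update.exe';       Intended = $true  }
    [pscustomobject]@{ Path = 'C:\Users\alice\AppData\Local\Temporary Files\tool.exe'; Intended = $false }
    [pscustomobject]@{ Path = 'D:\Share\appdata\roaming\temp\tool.exe';                Intended = $false }
    [pscustomobject]@{ Path = 'C:\Users\alice\AppData\Local\Programs\app.exe';         Intended = $false }
)

function Test-RuleBreadth {
    param(
        [string]$Pattern,
        [object[]]$Samples,
        [System.Text.RegularExpressions.RegexOptions]$Options
    )
    $rx = [regex]::new($Pattern, $Options)
    foreach ($s in $Samples) {
        $matched = $rx.IsMatch($s.Path)
        $verdict = if ($matched -eq $s.Intended) { 'ok' }
                   elseif ($matched)             { 'OVER-MATCH' }
                   else                          { 'MISSED' }
        [pscustomobject]@{
            Path     = $s.Path
            Intended = $s.Intended
            Matched  = $matched
            Verdict  = $verdict
        }
    }
}

foreach ($name in $candidates.Keys) {
    "Rule: $name -> $($candidates[$name])"
    Test-RuleBreadth -Pattern $candidates[$name] -Samples $samples -Options $options |
        Format-Table -AutoSize
}
```

With these samples, the article's pattern reports OVER-MATCH for the 'Temporary Files' path and the D: drive path, while the anchored variant matches only the two intended paths.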

Regex Limitations

Although ThreatLocker does support the use of Regex in the locations listed above, it does not provide as much control as specifying an exact path or process, because more than a single path or process can match a specified Regex rule. It is recommended to use exact paths and process paths whenever possible.

When a policy is matched using a Regex rule, the file is logged in the Unified Audit and shows the policy matches. However, it will not show a matching application if the Unified Audit log is expanded and 'Permit Application' or 'Add to Application' is selected. 
 
The path or process does not exactly match the text specified within the application definition because the text is a regular expression, and application matches look for an exact text match. Therefore, the matching application will not be displayed even though the policy remains in full effect.