diff --git a/rules/windows/image_load/image_load_susp_vss_ps_load.yml b/rules/windows/image_load/image_load_susp_vss_ps_load.yml
index 29019948c..929eedf87 100644
--- a/rules/windows/image_load/image_load_susp_vss_ps_load.yml
+++ b/rules/windows/image_load/image_load_susp_vss_ps_load.yml
@@ -35,7 +35,11 @@ detection:
 - '\rundll32.exe'
 - '\inetsrv\iissetup.exe'
 - '\inetsrv\appcmd.exe'
- Image|contains: 'c:\windows\'
+ Image|startswith: 'C:\Windows\'
+ filter_programfiles:
+ Image|startswith:
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
 filter_update:
 CommandLine|startswith: 'C:\$WinREAgent\Scratch\'
 CommandLine|contains: '\dismhost.exe {'
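Review bot: The new `filter_programfiles` excludes every image whose path starts with `C:\Program Files\` or `C:\Program Files (x86)\` with no constraint on the executable name, which is far coarser than the neighbouring filter that pairs a fixed `Image|endswith` list with the `C:\Windows\` prefix; any binary an administrator-level actor places under a vendor subdirectory is thereby carved out of the rule. If specific backup or security products caused the false positives, the filter should pair the prefix with an `Image|endswith` list of those products' binaries (or their vendor subfolders) instead of the bare prefix, and a comment such as `# third-party backup/AV products load VSS components from their install directory` would record why the exclusion exists. The selection this filter belongs to begins before the hunk and the `condition` that negates the filters is outside it, so the narrowing effect is inferred from the filter naming rather than visible here.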