A Secondary File filter addresses situations where the intended target is not the primary executable file, such as RunDll.exe, but is rather a secondary file specified within the command line.
This document gives you a working example of how to use Secondary File filters.
MSI File Example
If you want to elevate .msi files that are in a network share, you cannot use a commandline filter because the following syntax does not work:
"\\SERVER\Share(WILDCARD).msi"
If you tried to use a command line filter, then you would have to specify each .msi file explicitly and then create several individual elevation policies–an extremely tedious task. Or you could create a commandline like \\SERVER\Share\, but this would elevate anything in the share folder. To target and elevate only .msi files efficiently, the solution is to use the Secondary File Filter.
A secondary file filter takes another filter as a parameter and uses it to filter the second half of the command-line. For example if the commandline is "msiexec.exe \\SERVER\Share\new_program.msi," then the secondary file filter checks only the "\\SERVER\Share\new_program.msi" parameter against the filter it references.
For an example of a Secondary File filter for use with msiexec and a file share containing msi files to be elvated, go to MSI Files not elevated by Network Share Elevation Policy and see the alternative solution.