# Windows Installation ## Pre-Requirements The CyberCyte' s Windows agent is requires Microsoft .NET 4.7.2 or above version. Please download the latest .NET version with this link below: MS .NET Framework Offical Website: If the agent will be run on the older devices, please check out the compatible operating systems with this link below: MS .NET Framework Compatibility List: The CyberCyte Windows agent supports the Windows operating systems listed below: * Windows 10 * Windows 11 * Windows Server 2016 * Windows Server 2019 * Windows Server 2022 * Windows Server 2025 ## The Agent Deployment Go to "Settings & Reporting" -> "Deployment Settings", then click on "Download". The executable Windows agent should be started after that. Once it is downloaded, click to run the executable, and when it is done, the machine data will be added to the portal. Once the agent is deployed, please check that the initial data is being populated. Initial Sysmon data can take up to 15-20 minutes to be available within the system based on the configured parameters. Autoruns, processes, inventory data, and device information are available for Windows agents.
*For Single Executable to Install:* `"" --silent --reinstallOnProblem --install --versioncheck=true` *For Single MSI to Install:* `msiexec /i "" /qn /norestart REINSTALL_ON_PROBLEM=true URL="" PROXY_URL="" PROXY_USERNAME="" PROXY_PASSWORD="" /l*v "C:\ProgramData\install_log.txt` It automatically installs required applications and services on the client's machine. PMService: Responsible for agent package updates and ensures agent service is running. ICSFAgentService: Collects data from the client and executes actions. Monitored by PMService and started if stopped automatically. After installing PM Service, it automatically connects your instances, downloads the Windows Agent installer, and executes the installation process. Because PM Service downloads Agent Installer from download.cloudcyte.com, please ensure that client devices can access this domain and download .exe files from here. {% hint style="info" %} Note: Both applications require .NET SDK 4.6 or newer version {% endhint %} ## Checking Installation After installation of the agent, the agent registers itself automatically with the server. Please go to Asset Management →Device Management→Agent to see the agent. It may take a couple of minutes to appear device on this screen. Agents should be able to access CyberCyte Server on Port 443 and websites. If the agent is not shown here, please check access to the portal on the client first. If the entry is successful, please wait for communication interval settings. ## Agent Path and Services Services | Service Name | Display Name | | ---------------- | ---------------- | | PMService | PMService | | ICSFAgentService | ICSFAgentService | Main Executables | Process Name | Full Path | | ------------------------- | --------------------------------------------------------------------------- | | ICSFAgentService.exe | C:\Program Files\ICSFAgentService\ICSFAgentService.exe | | PMService.exe | C:\Program Files\PMService\PMService.exe | | EndPointDataCollector.exe | C:\Program Files\ICSFAgentService\files\collector\EndPointDataCollector.exe | Note: Before starting the installation, please white list the below directories for the above three executables: ``` C:\Program Files\ICSFAgentService (and subdirectories) C:\Program Files\PMService (and subdirectories) C:\Program Files\THApplications (and subdirectories) C:\ProgramData\ICSFAgent (and subdirectories) C:\ProgramData\ICSFPackageManager (and subdirectories) ``` C:\ProgramData\PMService\ (and subdirectories) In some cases, EDR/AV software does not allow directory-based whitelisting. In such a case, the below files should be permitted: | Process Name | Full Path | | -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Sysmon Executable | C:\Windows\cyrthwinsys.exe | | Sysmon Executable | C:\Windows\.exe | | ICSFAgentService.exe | C:\Program Files\ICSFAgentService\ICSFAgentService.exe | | PMService.exe | C:\Program Files\PMService\PMService.exe | | EndPointDataCollector.exe | C:\Program Files\ICSFAgentService\files\collector\EndPointDataCollector.exe\` | | Agent Installer Installed By PMService |

C:\Program Files\PMService\packages\windows agent\latest\files\ICSFAgentSetup.exe

Permit: C:\Program Files\PMService\packages\windows agent\latest\files\

| | PM Installer Installed By Agent |

C:\ProgramData\PMService\Temp\PMInstaller\*.exe

Permit: C:\ProgramData\PMService\Temp\

| | Agent Installer Installed By PMService | C:\Program Files\PMService\files\windows agent\WindowsAgent.exe | | PM Uninstaller | C:\ProgramData\ICSFPackageManager\PMUninstaller.exe | | ICSF Uninstaller | C:\ProgramData\ICSFAgent\ICSFAgentUninstaller.exe | | Autorunsc Tool | C:\Program Files\ICSFAgentService\files\ps\sysinternals\autorunsc64.exe | | Sigcheck Tool | C:\Program Files\ICSFAgentService\files\ps\sysinternals\sigcheck64\_v2.90.exe | | Web Shell Analyzer | C:\Program Files\ICSFAgentService\files\ps\webshell\wsa.exe | | Sysmon Executable | C:\Program Files\THApplications\cyrthwinsys.exe | | Sysmon Executable | C:\Program Files\THApplications\ .exe | ## Checking the Agent Status * Using Services: * Execute this command in the shell and check if ICSFAgent and PMService is running: * `services.msc` * Using CyberCyte Portal: * Go to the "Asset Management" -> "Endpoint Management" on the portal. All of the agents will be listed under this page. ## Uninstalling/Disabling the Agent * IMPORTANT: The agent and package manager always checks each other and if one of the service is down or deleted, other service automaticly restores the other service. To delete them completely, you need to delete both of them one after the other. * Using Command Line: * Execute these commands in the command line: * *For Single MSI to Uninstall:* `msiexec /x "C:\ProgramData\PMService\PMUninstaller.msi" /qn /norestart UNINSTALL_OPTION=uninstallall /l*v "C:\ProgramData\PMService\uninstall_log.txt"` * *For Single MSI to Uninstall With Sysmon:* `msiexec /x "C:\ProgramData\PMService\PMUninstaller.msi" /qn /norestart UNINSTALL_OPTION=`uninstallallwithsysmon `/l*v "C:\ProgramData\PMService\uninstall_log.txt"` * *For Single Executable to Uninstall:* `"C:\ProgramData\PMService\PMUninstaller.exe" --uninstallallwithsysmon --silent` * Using Control Panel: * Go to the Control Panel and click uninstall these two apps; "ICSFAgent" and "PMService" * Disabling the Agent: * Go to the "Asset Management" -> "Endpoint Management" on the portal. Right-click on the machine and disable the agent. This action only disables agent data collection, the agent will update itself but not collect any data. ## Detailed Parameters for Agents **MSI Install/Uninstall Parameters** * `/qn`: Quite installation process * `/norestart`: No restart after installation process * ``: MSI packge path on downloaded computer * `REINSTALL_ON_PROBLEM`: Flag to check if current installed services are corrupted or not. Options: `true`, `false` * `RUN_UNINSTALL_SCRIPT`: Flag to run uninstall script before installation. Options: `true`, `false` * `UNINSTALL_OPTION`: Uninstall option to uninstall ICSFAgent and PMService. Options: `uninstall`, `uninstallagent`, `uninstallall` * `uninstall`: To uninstall only PM service * `uninstallagent`: To uninstall only ICSFAgent service * `uninstallall`: To uninstall PM and ICSAgent services * ``: PM config url. It is already in place. * ``: It will be coming as filled if it exists in organization * ``: It will be coming as filled if it exists in organization * ``: It will be coming as filled if it exists in organization * ``: This will not be set automatically. User should enter password by hand. * `/l*v "C:\ProgramData\PMService_install_log.txt"` -> This is for logging installation process Examples: * Only installation:`msiexec /i "" /qn /norestart URL="" PROXY_URL="" PROXY_USERNAME="" PROXY_PASSWORD="" /l*v "C:\ProgramData\PMService_install_log.txt"` * Uninstall-Install:`msiexec /i "" /qn /norestart RUN_UNINSTALL_SCRIPT=true UNINSTALL_OPTION=uninstallall URL="" PROXY_URL="" PROXY_USERNAME="" PROXY_PASSWORD="" /l*v "C:\ProgramData\PMService_uninstall_install_log.txt"` * Uninstall-Install if current installation is corrupted:`msiexec /i "" /qn /norestart REINSTALL_ON_PROBLEM=true URL="" PROXY_URL="" PROXY_USERNAME="" PROXY_PASSWORD="" /l*v "C:\ProgramData\PMService_reinstall_on_problem_log.txt"` **MSI Uninstall Parameters** * Uninstaller path: `"C:\ProgramData\PMService\PMUninstaller.msi"` * Command: `msiexec /x "C:\ProgramData\PMService\PMUninstaller.msi" /qn /norestart UNINSTALL_OPTION=uninstallall /l*v "C:\ProgramData\PMService_uninstall_log.txt"` * All parameters: * `/qn`: Quite installation process * `/norestart`: No restart after installation process * `/l*v "C:\ProgramData\PMService_uninstall_log.txt"` -> This is for logging installation process * UNINSTALL\_OPTION -> `uninstall`, `uninstallall`, `uninstallallwithsysmon`, `uninstallagent`, `uninstallsysmon` * `uninstall`: To uninstall only PM service * `uninstallall`: To uninstall PM and ICSAgent services * `uninstallallwithsysmon`: To uninstall PM, ICSAgent and sysmon services * `uninstallagent`: To uninstall only ICSFAgent service * `uninstallsysmon`: To uninstall only sysmon service **Custom PMService Parameters** * Install: `"" --silent --install --versioncheck=false` * Uninstall-Install: `"" --silent --uninstall --install --versioncheck=false` * Uninstall-Install on problem only (Will not install if already not installed. Only will check if installed version is corrupted.): `"" --silent --reinstallOnProblem` * Uninstall-Install on problem, install if not installed: `"" --silent --reinstallOnProblem --install --versioncheck=true` * Uninstall: `"C:\ProgramData\PMService\PMUninstaller.exe" --uninstall --silent` * All parameters: * `--reinstallOnProblem`: Flag to check if current installed services are corrupted or not. Default is false if not specified. * `--versioncheck`: Flag to decide if version will be installed regardless of the installed version. Default is true if not specified. * `--versioncheck=true` -> With this value, PMInstaller will check if version is already installed. If not, it will install; if installed, installation will skipped. * `--versioncheck=false` -> With this value, PMInstaller will remove installed version and install new version, no matter what the version is. * Uninstall options: * `--uninstall`: To uninstall only PM service * `--uninstallall`: To uninstall PM and ICSAgent services * `--uninstallallwithsysmon`: To uninstall PM, ICSAgent and sysmon services * `--uninstallagent`: To uninstall only ICSFAgent service * `--uninstallsysmon`: To uninstall only sysmon service --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.cloudcyte.com/pre-requirements-and-initialization-of-the-platform/agent-installations/windows-installation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.