search
Ctrlk
Log In

Windows Installation

hashtag
Pre-Requirements

The CyberCyte' s Windows agent is requires Microsoft .NET 4.7.2 or above version. Please download the latest .NET version with this link below:

MS .NET Framework Offical Website: https://dotnet.microsoft.com/en-us/download/dotnet-frameworkarrow-up-right

If the agent will be run on the older devices, please check out the compatible operating systems with this link below:

MS .NET Framework Compatibility List: https://learn.microsoft.com/en-us/dotnet/framework/get-started/system-requirementsarrow-up-right

The CyberCyte Windows agent supports the Windows operating systems listed below:

  • Windows 10

  • Windows 11

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022

  • Windows Server 2025

hashtag
The Agent Deployment

Go to "Settings & Reporting" -> "Deployment Settings", then click on "Download". The executable Windows agent should be started after that. Once it is downloaded, click to run the executable, and when it is done, the machine data will be added to the portal.

Once the agent is deployed, please check that the initial data is being populated. Initial Sysmon data can take up to 15-20 minutes to be available within the system based on the configured parameters. Autoruns, processes, inventory data, and device information are available for Windows agents.

For Single Executable to Install:

"<path_to_custom_exe>" --silent --reinstallOnProblem --install --versioncheck=true

For Single MSI to Install:

msiexec /i "<path_to_msi_package>" /qn /norestart REINSTALL_ON_PROBLEM=true URL="<URL>" PROXY_URL="<PROXY_URL>" PROXY_USERNAME="<PROXY_USERNAME>" PROXY_PASSWORD="<PROXY_PASSWORD>" /l*v "C:\ProgramData\install_log.txt

It automatically installs required applications and services on the client's machine.

PMService: Responsible for agent package updates and ensures agent service is running.

ICSFAgentService: Collects data from the client and executes actions. Monitored by PMService and started if stopped automatically.

After installing PM Service, it automatically connects your instances, downloads the Windows Agent installer, and executes the installation process. Because PM Service downloads Agent Installer from download.cloudcyte.com, please ensure that client devices can access this domain and download .exe files from here.

circle-info

Note: Both applications require .NET SDK 4.6 or newer version

hashtag
Checking Installation

After installation of the agent, the agent registers itself automatically with the server. Please go to Endpoint & Network Devices →Endpoint Management →Asset Management to see the agent. It may take a couple of minutes to appear device on this screen.

Agents should be able to access CyberCyte Server on Port 443 and https://download.cloudcyte.com websites. If the agent is not shown here, please check access to the portal on the client first. If the entry is successful, please wait for communication interval settings.

hashtag
Agent Path and Services

Services

Service Name
Display Name

PMService

PMService

ICSFAgentService

ICSFAgentService

Main Executables

Process Name
Full Path

ICSFAgentService.exe

C:\Program Files\ICSFAgentService\ICSFAgentService.exe

PMService.exe

C:\Program Files\PMService\PMService.exe

EndPointDataCollector.exe

C:\Program Files\ICSFAgentService\files\collector\EndPointDataCollector.exe

Note: Before starting the installation, please white list the below directories for the above three executables:

C:\ProgramData\PMService\ (and subdirectories)

In some cases, EDR/AV software does not allow directory-based whitelisting. In such a case, the below files should be permitted:

Process Name
Full Path

Sysmon Executable

C:\Windows\cyrthwinsys.exe

Sysmon Executable

C:\Windows<When-Other-Name-Used>.exe

ICSFAgentService.exe

C:\Program Files\ICSFAgentService\ICSFAgentService.exe

PMService.exe

C:\Program Files\PMService\PMService.exe

EndPointDataCollector.exe

C:\Program Files\ICSFAgentService\files\collector\EndPointDataCollector.exe`

Agent Installer Installed By PMService

C:\Program Files\PMService\packages\windows agent\latest\files\ICSFAgentSetup.exe

Permit: C:\Program Files\PMService\packages\windows agent\latest\files\

PM Installer Installed By Agent

C:\ProgramData\PMService\Temp\PMInstaller*.exe

Permit: C:\ProgramData\PMService\Temp\

Agent Installer Installed By PMService

C:\Program Files\PMService\files\windows agent\WindowsAgent.exe

PM Uninstaller

C:\ProgramData\ICSFPackageManager\PMUninstaller.exe

ICSF Uninstaller

C:\ProgramData\ICSFAgent\ICSFAgentUninstaller.exe

Autorunsc Tool

C:\Program Files\ICSFAgentService\files\ps\sysinternals\autorunsc64.exe

Sigcheck Tool

C:\Program Files\ICSFAgentService\files\ps\sysinternals\sigcheck64_v2.90.exe

Web Shell Analyzer

C:\Program Files\ICSFAgentService\files\ps\webshell\wsa.exe

Sysmon Executable

C:\Program Files\THApplications\cyrthwinsys.exe

Sysmon Executable

C:\Program Files\THApplications\ .exe

hashtag
Checking the Agent Status

  • Using Services:

    • Execute this command in the shell and check if ICSFAgent and PMService is running:

      • services.msc

  • Using CyberCyte Portal:

    • Go to the "Asset Management" -> "Endpoint Management" on the portal. All of the agents will be listed under this page.

hashtag
Uninstalling/Disabling the Agent

  • IMPORTANT: The agent and package manager always checks each other and if one of the service is down or deleted, other service automaticly restores the other service. To delete them completely, you need to delete both of them one after the other.

  • Using Command Line:

    • Execute these commands in the command line:

      • For Single MSI to Uninstall:

        msiexec /x "C:\ProgramData\PMService\PMUninstaller.msi" /qn /norestart UNINSTALL_OPTION=uninstallall /l*v "C:\ProgramData\PMService\uninstall_log.txt"

      • For Single MSI to Uninstall With Sysmon:

        msiexec /x "C:\ProgramData\PMService\PMUninstaller.msi" /qn /norestart UNINSTALL_OPTION=uninstallallwithsysmon /l*v "C:\ProgramData\PMService\uninstall_log.txt"

      • For Single Executable to Uninstall With Sysmon:

        "C:\ProgramData\PMService\PMUninstaller.exe" --uninstallallwithsysmon --silent

      • For Manually uninstall the agent:

file-download
35KB
Uninstall_CyberCyte_Agent.ps1
arrow-up-right-from-squareOpen

  • Using Control Panel:

    • CyberCyte agent not visible on the Control Panel, please execute commands or ps1 script above to uninstall the agent completely.

  • Disabling the Agent:

    • Go to the "Asset Management" -> "Endpoint Management" on the portal. Right-click on the machine and disable the agent. This action only disables agent data collection, the agent will update itself but not collect any data.

hashtag
Detailed Parameters for Agents

MSI Install/Uninstall Parameters

  • /qn: Quite installation process

  • /norestart: No restart after installation process

  • <path_to_msi_package>: MSI packge path on downloaded computer

  • REINSTALL_ON_PROBLEM: Flag to check if current installed services are corrupted or not. Options: true, false

  • RUN_UNINSTALL_SCRIPT: Flag to run uninstall script before installation. Options: true, false

  • UNINSTALL_OPTION: Uninstall option to uninstall ICSFAgent and PMService. Options: uninstall, uninstallagent, uninstallall

    • uninstall: To uninstall only PM service

    • uninstallagent: To uninstall only ICSFAgent service

    • uninstallall: To uninstall PM and ICSAgent services

  • <URL>: PM config url. It is already in place.

  • <PROXY_IP_ADDRESS>: It will be coming as filled if it exists in organization

  • <PROXY_PORT>: It will be coming as filled if it exists in organization

  • <PROXY_USERNAME>: It will be coming as filled if it exists in organization

  • <PROXY_PASSWORD>: This will not be set automatically. User should enter password by hand.

  • /l*v "C:\ProgramData\PMService_install_log.txt" -> This is for logging installation process

Examples:

  • Only installation:msiexec /i "<path_to_msi_package>" /qn /norestart URL="<URL>" PROXY_URL="<PROXY_URL>" PROXY_USERNAME="<PROXY_USERNAME>" PROXY_PASSWORD="<PROXY_PASSWORD>" /l*v "C:\ProgramData\PMService_install_log.txt"

  • Uninstall-Install:msiexec /i "<path_to_msi_package>" /qn /norestart RUN_UNINSTALL_SCRIPT=true UNINSTALL_OPTION=uninstallall URL="<URL>" PROXY_URL="<PROXY_URL>" PROXY_USERNAME="<PROXY_USERNAME>" PROXY_PASSWORD="<PROXY_PASSWORD>" /l*v "C:\ProgramData\PMService_uninstall_install_log.txt"

  • Uninstall-Install if current installation is corrupted:msiexec /i "<path_to_msi_package>" /qn /norestart REINSTALL_ON_PROBLEM=true URL="<URL>" PROXY_URL="<PROXY_URL>" PROXY_USERNAME="<PROXY_USERNAME>" PROXY_PASSWORD="<PROXY_PASSWORD>" /l*v "C:\ProgramData\PMService_reinstall_on_problem_log.txt"

MSI Uninstall Parameters

  • Uninstaller path: "C:\ProgramData\PMService\PMUninstaller.msi"

  • Command: msiexec /x "C:\ProgramData\PMService\PMUninstaller.msi" /qn /norestart UNINSTALL_OPTION=uninstallall /l*v "C:\ProgramData\PMService_uninstall_log.txt"

  • All parameters:

    • /qn: Quite installation process

    • /norestart: No restart after installation process

    • /l*v "C:\ProgramData\PMService_uninstall_log.txt" -> This is for logging installation process

    • UNINSTALL_OPTION -> uninstall, uninstallall, uninstallallwithsysmon, uninstallagent, uninstallsysmon

      • uninstall: To uninstall only PM service

      • uninstallall: To uninstall PM and ICSAgent services

      • uninstallallwithsysmon: To uninstall PM, ICSAgent and sysmon services

      • uninstallagent: To uninstall only ICSFAgent service

      • uninstallsysmon: To uninstall only sysmon service

Custom PMService Parameters

  • Install: "<path_to_custom_exe>" --silent --install --versioncheck=false

  • Uninstall-Install: "<path_to_custom_exe>" --silent --uninstall --install --versioncheck=false

  • Uninstall-Install on problem only (Will not install if already not installed. Only will check if installed version is corrupted.): "<path_to_custom_exe>" --silent --reinstallOnProblem

  • Uninstall-Install on problem, install if not installed: "<path_to_custom_exe>" --silent --reinstallOnProblem --install --versioncheck=true

  • Uninstall: "C:\ProgramData\PMService\PMUninstaller.exe" --uninstall --silent

  • All parameters:

    • --reinstallOnProblem: Flag to check if current installed services are corrupted or not. Default is false if not specified.

    • --versioncheck: Flag to decide if version will be installed regardless of the installed version. Default is true if not specified.

      • --versioncheck=true -> With this value, PMInstaller will check if version is already installed. If not, it will install; if installed, installation will skipped.

      • --versioncheck=false -> With this value, PMInstaller will remove installed version and install new version, no matter what the version is.

  • Uninstall options:

    • --uninstall: To uninstall only PM service

    • --uninstallall: To uninstall PM and ICSAgent services

    • --uninstallallwithsysmon: To uninstall PM, ICSAgent and sysmon services

    • --uninstallagent: To uninstall only ICSFAgent service

    • --uninstallsysmon: To uninstall only sysmon service

PreviousActive Directory Windows Agent InstallationNextLinux Installation

Last updated

Was this helpful?