# Troubleshooting the Windows Agent

## Checking the Agent:

Once the agent is installed, two services are installed:

* PMService: This service performs updates for the agent.
* ICSFAgentService: This service executes all agent functions. When this service is restarted, the agent re-initiates artifact collection policies and registers itself to the server.

The below files and folders can be used for Troubleshooting:

* C:\Program Files\ICSFAgentService\logs\\<>.txt: This is the main file used by the agent to write any exception.
* C:\Program Files\ICSFAgentService\logs\\\<folder>: Every module and major artifact collector of the agent creates separate log files, which could be needed for Troubleshooting.
* C:\Program Files\ICSFAgentService\debug.txt: When set to true and the ICSFAgentService is restarted, more detailed logging is enabled.
* C:\Program Files\ICSFAgentService\ICSFAgentService.url.txt: The main URL agent-server communicates is written here if it needs to be checked for Troubleshooting.
* C:\Program Files\ICSFAgentService\files\collector\\\<Collector Name>\_\<Logs/Results/Settings>.txt: Every artifact collection type creates three files under this folder. The settings, log and the last result are available for Troubleshooting.
* C:\ProgramData\ICSFAgentService\PolicyExecutionTime.json: When LastExecutionTime set to "", the collection can be initiated instantly.
* C:\ProgramData\ICSFAgentService\Event Logs Collections: Security logs to be sent to server is stored in this folder.
* C:\ProgramData\ICSFAgentService\Sysmon Logs Collections: Sysmon logs to the server are stored in this folder.
* C:\ProgramData\ICSFAgent\Thor\ThorPolicyExecutionTime.json: When LastExecutionTime is set to "", Thor collections can be started immediately.
* C:\ProgramData\ICSFAgent\Sysmon Settings: Sysmon settings are stored in this folder.
* C:\ProgramData\ICSFPackageManager: Software deployments are managed through this folder.
* C:\ProgramData\PMService: Package manager settings are stored in this folder. The file is encrypted.

Also, please check the machine and server communication with ping, curl, or other tools.

## Checking the Portal:

Please check the Windows policies, the rules should be assigned below by default. The users can customize the policy rules according to their requirements.

<figure><img src="/files/IUyym89IwawluPtysNMI" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/yNpGLMhqCQ7FgF2dEDCm" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/zAy6BkpVaYa6xhgwuyS6" alt=""><figcaption></figcaption></figure>

## Uninstalling the Agent:

There are two ways to delete the agent and package manager.

1. Delete the agent with the parameter:

   On the cmd please run the agent with `--uninstall --silent` parameter.
2. The below script can be used to uninstall all components manually.

{% file src="/files/410527h1KvAkPFp2lBxU" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.cloudcyte.com/troubleshooting/the-agent-troubleshooting/troubleshooting-the-windows-agent.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.