Troubleshooting the Windows Agent

Checking the Agent:

Installing the agent creates two services:

  • PMService: This service performs updates for the agent.

  • ICSFAgentService: This service executes all agent functions. When this service is restarted, the agent re-initiates artifact collection policies and registers itself to the server.

The following files and folders can be used for troubleshooting:

  • C:\Program Files\ICSFAgentService\logs\<>.txt: This is the main file to which the agent writes exceptions.

  • C:\Program Files\ICSFAgentService\logs\<folder>: Every module and major artifact collector of the agent creates separate log files, which may be needed for troubleshooting.

  • C:\Program Files\ICSFAgentService\debug.txt: When set to true and the ICSFAgentService is restarted, more detailed logging is enabled.

  • C:\Program Files\ICSFAgentService\ICSFAgentService.url.txt: The main URL used for agent-server communication is written here, in case it needs to be checked during troubleshooting.

  • C:\Program Files\ICSFAgentService\files\collector\<Collector Name>_<Logs/Results/Settings>.txt: Every artifact collection type creates three files under this folder. The settings, the log and the last result are available for troubleshooting.

  • C:\ProgramData\ICSFAgentService\PolicyExecutionTime.json: When LastExecutionTime is set to "", the collection can be initiated instantly.

  • C:\ProgramData\ICSFAgentService\Event Logs Collections: Security logs to be sent to the server are stored in this folder.

  • C:\ProgramData\ICSFAgentService\Sysmon Logs Collections: Sysmon logs to be sent to the server are stored in this folder.

  • C:\ProgramData\ICSFAgent\Thor\ThorPolicyExecutionTime.json: When LastExecutionTime is set to "", Thor collections can be started immediately.

  • C:\ProgramData\ICSFAgent\Sysmon Settings: Sysmon settings are stored in this folder.

  • C:\ProgramData\ICSFPackageManager: Software deployments are managed through this folder.

  • C:\ProgramData\PMService: Package manager settings are stored in this folder. The file is encrypted.

Also, please check the machine and server communication with ping, curl, or other tools.
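
A read-only triage pass over the services, files and folders listed above, as an added PowerShell example that is not part of the vendor's documentation. It assumes debug.txt and ICSFAgentService.url.txt are plain text with the value on the first line, which this page does not confirm.

```powershell
# Added example: read-only checks, nothing is modified or restarted.
$agentDir = 'C:\Program Files\ICSFAgentService'
$dataDir  = 'C:\ProgramData\ICSFAgentService'

# 1. Both services should be installed and running.
foreach ($name in 'PMService', 'ICSFAgentService') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$name is not installed"; continue }
    '{0,-20} {1}' -f $svc.Name, $svc.Status
}

# 2. Most recently written agent and collector logs (start reading here).
foreach ($dir in 'logs', 'files\collector') {
    $path = Join-Path $agentDir $dir
    if (-not (Test-Path $path)) { Write-Warning "Missing: $path"; continue }
    Get-ChildItem $path -Recurse -File |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 5 FullName, LastWriteTime, Length
}

# 3. Is detailed logging enabled? (Assumption: the file holds the literal value.)
$debugFile = Join-Path $agentDir 'debug.txt'
if (Test-Path $debugFile) {
    'debug.txt = {0}' -f "$(Get-Content $debugFile -Raw)".Trim()
}

# 4. Files waiting in the collection folders, with the oldest timestamp.
foreach ($queue in 'Event Logs Collections', 'Sysmon Logs Collections') {
    $path = Join-Path $dataDir $queue
    if (-not (Test-Path $path)) { continue }
    $files = @(Get-ChildItem $path -File)
    $oldest = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    '{0}: {1} file(s), oldest {2}' -f $queue, $files.Count, $oldest
}

# 5. Server URL and TCP reachability (assumption: URL is on the first line).
$urlFile = Join-Path $agentDir 'ICSFAgentService.url.txt'
if (Test-Path $urlFile) {
    $raw = "$(Get-Content $urlFile -TotalCount 1)".Trim()
    $uri = $null
    if ([Uri]::TryCreate($raw, [UriKind]::Absolute, [ref]$uri)) {
        Test-NetConnection -ComputerName $uri.Host -Port $uri.Port |
            Select-Object ComputerName, RemotePort, TcpTestSucceeded
    } else {
        Write-Warning "Could not parse a URL from $urlFile"
    }
}
```

Run it from an elevated PowerShell session so the service and ProgramData checks are not blocked by permissions.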

Checking the Portal:

Please check the Windows policies; the rules below should be assigned by default. Users can customize the policy rules according to their requirements.

Uninstalling the Agent:

There are two ways to delete the agent and package manager.

  1. Delete the agent with the parameter:

    In cmd, run the agent with the --uninstall --silent parameters.
