# Understanding Collector

You must install an endpoint agent on all devices you want to connect to the Nexthink platform and allow the collection of relevant metrics.

The following sections explain the features of endpoint agents in detail. See the [Installing Collector](https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/deploying-nexthink-in-non-vdi-environment/installing-collector "mention") documentation to learn which endpoint agent applies to your infrastructure scale and type, and how to configure and deploy it.

## VDI Client Extension

The Nexthink VDI Client Extension is a lightweight agent for endpoint devices connected to virtual desktop environments (VDIs). The extension sends only relevant data to the Nexthink instance from devices on which Nexthink Collector cannot be installed.

The Nexthink VDI Client Extension sends relevant data only while the device is connected to a VDI environment with Nexthink Collector running on it. No data is collected or sent when the device is not connected to a VDI environment, or is connected to one without Nexthink Collector running on it.

Any necessary configuration is done on the connector that is installed on the VM. The connector communicates all configuration changes to the extension that is running on the client device.

See the [vdi-experience-faq](https://docs.nexthink.com/platform/user-guide/vdi-experience/vdi-experience-faq "mention") to find answers to common questions regarding VDI, for example, deployment scenarios.

### Metrics collected by the VDI Client Extension

The VM might expose some client information, such as `client device name`, `local ip`, `client app version`, and `client platform`. Installing the VDI Client Extension improves the reliability and accessibility of these fields.

Furthermore, the extension provides the following performance metrics:

* `network bytes/s in/out`
* `network packets in/out`
* `network errors in/out`
* `normalized cpu usage`
* `wifi signal strength`
* `wifi transmission rate`
* `wired link speed`
* `wan latency` — This metric is available if a ping server is specified for the Collector running in the VM.

## Nexthink Collector

Nexthink Collector is a lightweight agent based on patented technology that gathers hardware, software and activity data from the devices within your organization. It captures and reports network connections, program executions, installations, and many other activities and properties from employee devices on which it runs. Collector also enables employee engagement through feedback retrieval, as well as remotely acting on the device when required.

It is implemented as a kernel driver and accompanying services, offering remote and automated silent installations with negligible impact on system performance while minimizing network traffic.

See the following pages to learn how to deploy Collector to all corporate devices that run a supported version of the following operating systems:

* [installing-collector-on-windows](https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/deploying-nexthink-in-non-vdi-environment/installing-collector/installing-collector-on-windows "mention")
* [installing-collector-on-macos](https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/deploying-nexthink-in-non-vdi-environment/installing-collector/installing-collector-on-macos "mention")

Once deployed and connected, the cloud platform applies the default auto-update policy. The system updates those devices categorized as `pilot` as soon as a new version is available. After two weeks, the system automatically pushes the update to all devices. To change the automatic update period, contact [Nexthink Support](https://support.nexthink.com/) and choose a period ranging from 1 to 8 weeks.

On this page, you will find the following descriptions:

* [Collector features](#collectoroverview-features "mention")
* [Windows Collector components](#componentsofcollector-windowscollector "mention")
* [macOS Collector](#componentsofcollector-maccollector "mention")

{% hint style="info" %}
The [Nexthink VDI Client Extension](#download-the-extension) is included as a component in Nexthink Collector, therefore you do not need to install it separately on company-managed devices accessing virtual environments.

For **company-managed devices**, see the [installing-collector-on-windows](https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/deploying-nexthink-in-non-vdi-environment/installing-collector/installing-collector-on-windows "mention") documentation to learn how to install Collector.
{% endhint %}

### Collector features <a href="#collectoroverview-features" id="collectoroverview-features"></a>

#### Multiplatform <a href="#collectoroverview-multiplatform" id="collectoroverview-multiplatform"></a>

Collector is available for both Windows and macOS operating systems.

#### CrashGuard <a href="#collectoroverview-crashguard" id="collectoroverview-crashguard"></a>

Since the Windows driver is a kernel-mode component, any error in its internals or its interaction with a misbehaving third-party driver can lead to system instabilities. Even with Nexthink striving as hard as possible to deliver bug-free software, the principle of precaution holds. The CrashGuard feature available for Windows platforms detects every system crash and, by default, disables the Collector driver if the system crashes more than five times in a row after installation. Refer to [Installing Collector on Windows documentation](https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/deploying-nexthink-in-non-vdi-environment/installing-collector/installing-collector-on-windows) for more information.

#### Kernel-mode traffic interception <a href="#collectoroverview-kernel-modetrafficinterception" id="collectoroverview-kernel-modetrafficinterception"></a>

Some Windows applications may send and receive data to and from the network using kernel-mode components, actually hiding their network traffic from user-space monitoring applications. Being a kernel driver itself, Collector is nevertheless able to detect and report such traffic.

#### Paths aliasing <a href="#collectoroverview-pathsaliasing" id="collectoroverview-pathsaliasing"></a>

Collector identifies commonly used paths and other special mount locations with path aliases. For example, when you assign drive letter D to the DVD-ROM, Collector reports an application executed from that media as `%RemovableDrive%\application.exe`.

#### Reliable connectivity <a href="#collectoroverview-reliableconnectivity" id="collectoroverview-reliableconnectivity"></a>

Nexthink Collector relies on the connection-oriented features of TCP to ensure that the information reaches the data processing layer.

In addition, when the connection between Collector and the Nexthink instance is lost or not yet established, Collector is able to buffer up to 15 minutes of data (a maximum of 2500 packets not older than 15 minutes) to send at a later time, once the connection is successful.

#### Network switching <a href="#collectoroverview-networkswitching" id="collectoroverview-networkswitching"></a>

A change of the network interface is transparent, except when it invalidates the DNS resolution of the Nexthink instance. In that case, the process of adjusting to a different network may take a few minutes and Collector resends the whole context.

#### Event logging <a href="#collectoroverview-eventlogging" id="collectoroverview-eventlogging"></a>

The appropriate system logs of the operating system record details regarding when and how Collector connects to the Nexthink instance and any potential errors.

#### On-the-fly configuration <a href="#collectoroverview-on-the-flyconfiguration" id="collectoroverview-on-the-flyconfiguration"></a>

Applying changes to the configuration or updating Collector does not require a restart of the operating system. Changes take effect without interrupting the employee’s work.

#### Code signed software <a href="#collectoroverview-codesignedsoftware" id="collectoroverview-codesignedsoftware"></a>

To load and run Nexthink Collector on Windows devices, kernel components are signed with an official Microsoft certificate. User-space components are also signed with a valid Nexthink certificate.

To run Nexthink Collector on macOS devices, the macOS Collector is signed with Nexthink's Developer ID certificate and follows the Apple notarization process.

#### Collector components <a href="#collectoroverview-collectorcomponents" id="collectoroverview-collectorcomponents"></a>

The capability of Collector for gathering user activity data is shared by the kernel driver and the helper service (or daemon) components. Running as a kernel driver close to the operating system allows reporting information only visible at this level.

Nexthink Collector comprises a set of services and libraries that gather information about the devices in your corporate network and their activity. Collector sends all the gathered information to a Nexthink instance, where the system processes and stores it. Additional Collector components deal with the features provided by optional Nexthink products. Other components help you with the installation and configuration process.

This document describes each component and the filesystem paths where it is found on devices after installation. It also lists the registry keys and the additional files created or modified during installation.

### Windows Collector components <a href="#componentsofcollector-windowscollector" id="componentsofcollector-windowscollector"></a>

The Windows version of Collector includes the following set of components:

#### Windows Collector binaries <a href="#componentsofcollector-windowscollectorbinaries" id="componentsofcollector-windowscollectorbinaries"></a>

For all versions of Windows, the system installs the following components:

* **Main driver**: A kernel mode driver that gathers valuable information from employee devices
* **Network specific driver**: A kernel mode driver that detects network connections
* **Helper service**: A Windows service that complements the main driver by collecting additional information
* **Printing info library**: A dynamic link library that is responsible for detecting printing activity
* **Automatic updates**: A component of Collector that is responsible for downloading new versions and updating the installed components
* **Coordinator**: Coordinator is responsible for establishing and maintaining a network connection with the Nexthink instance. Other components share that connection for the purpose of communication with the instance.
* **Nexthink Engage**: Components for presenting campaign questions and getting answers from employees
* **Nexthink Act**: Components that manage the execution of remote actions
* **Nexthink Reporter** (deprecated): A troubleshooting tool that creates debug reports for specific support cases
* **Nexthink Event Log Provider**: A component for logging events in the Windows Event Log
* **Nexthink Application Experience**: A component for monitoring business applications
* **VDI Client Extension**: A component that sends VDI-specific data to the Nexthink instance
* **Command line configuration tool** (optional): A [tool to configure](https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/deploying-nexthink-in-non-vdi-environment/installing-collector/windows-collector-references/collector-configuration-tool-for-windows) Collector from the command line

<table data-full-width="true"><thead><tr><th width="329">Component</th><th width="292">File</th><th>Path</th></tr></thead><tbody><tr><td>Helper service for automated updates</td><td>nxtcssu.exe</td><td><code>%ProgramFiles%/Nexthink/Collector/Coordinator/</code></td></tr><tr><td>Main driver</td><td>nxtrdrv.sys</td><td><code>%Windows%\System32\drivers</code></td></tr><tr><td>Network specific driver</td><td>nxtrdrv5.sys</td><td><code>%Windows%\System32\drivers</code></td></tr><tr><td>Helper service</td><td>nxtsvc.exe</td><td><code>%ProgramFiles%\Nexthink\Collector\Collector</code></td></tr><tr><td>Printing info helper library</td><td>nxtdll.dll</td><td><code>%ProgramFiles%\Nexthink\Collector\Collector</code></td></tr><tr><td>Nexthink Event Log Provider</td><td>nxteventprovider.dll</td><td><code>%ProgramFiles%\Nexthink\Collector\Collector</code></td></tr><tr><td>Immersive apps</td><td>nxtwrt.dll</td><td><code>%ProgramFiles%\Nexthink\Collector\Collector</code></td></tr><tr><td>Application start time</td><td>nxtwpm.dll</td><td><code>%ProgramFiles%\Nexthink\Collector\Collector</code></td></tr><tr><td>Coordinator service</td><td>nxtcoordinator.exe</td><td><code>%ProgramFiles%\Nexthink\Collector\Coordinator</code></td></tr><tr><td>Campaigns coordinator</td><td>nxteufb.exe</td><td><code>%ProgramFiles%\Nexthink\Collector\Coordinator</code></td></tr><tr><td>Remote actions coordinator</td><td>nxtcod.exe</td><td><code>%ProgramFiles%\Nexthink\Collector\Coordinator</code></td></tr><tr><td>Updates coordinator</td><td>nxtupdater.exe</td><td><code>%ProgramFiles%\Nexthink\Collector\Coordinator</code></td></tr><tr><td>OpenSSL</td><td><ul><li>libcrypto-1_1-x64.dll</li><li>libssl-1_1-x64.dll</li></ul></td><td><code>%ProgramFiles%\Nexthink\Collector\Coordinator</code></td></tr><tr><td>Campaigns</td><td><ul><li>nxtray.exe</li><li>nxtray.exe.config</li></ul></td><td><code>%ProgramFiles%\Nexthink\Collector\Engage</code></td></tr><tr><td>Remote 
actions</td><td><ul><li>Google.Protobuf.dll</li><li>nxtcampaignaction.dll</li><li>nxtremoteactions.dll</li></ul></td><td><code>%ProgramFiles%\Nexthink\Collector\RemoteActions</code></td></tr><tr><td>Reporter (deprecated)</td><td>nxtreporter.exe</td><td><code>%ProgramFiles%\Nexthink\Collector\Reporter</code></td></tr><tr><td>VDI Client Extension</td><td><ul><li>nxtdvc64.dll</li><li>nxtdvc32.dll (for Citrix)</li></ul></td><td><code>%ProgramFiles%\Nexthink\Collector\Plugins</code></td></tr><tr><td>Web application monitoring</td><td>nxtbsm.exe</td><td><code>%ProgramFiles%\Nexthink\Collector\BSM</code></td></tr><tr><td></td><td>nxthostapp.exe</td><td><code>%ProgramFiles%\Nexthink\Collector\BSM\hostapp\</code></td></tr><tr><td>Command line<br>configuration tool</td><td>nxtcfg.exe</td><td><code>%Windows%\System32</code></td></tr></tbody></table>
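
The table above and the "Code signed software" section together give enough to audit an installed agent: each listed binary should be present and carry a valid Authenticode signature. The following PowerShell function is an added example, not Nexthink tooling; it assumes that `%Windows%` in the table means the Windows directory and that the signer subject contains the string `Microsoft` for the kernel drivers and `Nexthink` for user-space binaries.

```powershell
# Added example (not part of the Nexthink documentation or product).
# Run from a 64-bit elevated PowerShell so that ProgramFiles and System32
# resolve to the native locations rather than the WOW64 ones.
function Test-CollectorSignature {
    [CmdletBinding()]
    param(
        [string]$CollectorRoot = (Join-Path $env:ProgramFiles 'Nexthink\Collector'),
        # Assumption: %Windows% in the component table is the Windows directory.
        [string]$DriverDir     = (Join-Path $env:windir 'System32\drivers')
    )

    # File names and folders are taken from the component table above.
    $files = @(
        @{ Path = "$DriverDir\nxtrdrv.sys";                        Kernel = $true  }
        @{ Path = "$DriverDir\nxtrdrv5.sys";                       Kernel = $true  }
        @{ Path = "$CollectorRoot\Collector\nxtsvc.exe";           Kernel = $false }
        @{ Path = "$CollectorRoot\Coordinator\nxtcoordinator.exe"; Kernel = $false }
        @{ Path = "$CollectorRoot\Coordinator\nxteufb.exe";        Kernel = $false }
        @{ Path = "$CollectorRoot\Coordinator\nxtcod.exe";         Kernel = $false }
        @{ Path = "$CollectorRoot\Coordinator\nxtupdater.exe";     Kernel = $false }
        @{ Path = "$CollectorRoot\Engage\nxtray.exe";              Kernel = $false }
        @{ Path = "$CollectorRoot\BSM\nxtbsm.exe";                 Kernel = $false }
    )

    foreach ($f in $files) {
        # Assumption: substring expected in the signer subject. The page only says
        # "an official Microsoft certificate" and "a valid Nexthink certificate".
        $wanted = if ($f.Kernel) { 'Microsoft' } else { 'Nexthink' }

        if (-not (Test-Path -LiteralPath $f.Path -PathType Leaf)) {
            [pscustomobject]@{ Path = $f.Path; Status = 'Missing'; Signer = $null; Ok = $false }
            continue
        }

        $sig     = Get-AuthenticodeSignature -LiteralPath $f.Path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        [pscustomobject]@{
            Path   = $f.Path
            Status = [string]$sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer = $subject
            # Ok only when the signature validates AND the signer is the expected one.
            Ok     = ($sig.Status -eq 'Valid') -and ($subject -match $wanted)
        }
    }
}

# Show only the files that are missing, unsigned, tampered or signed by someone else.
Test-CollectorSignature | Where-Object { -not $_.Ok } | Format-Table -AutoSize -Wrap
```

An empty result means every listed file is present and signed as expected; a `Missing` row is not necessarily a fault, since some components depend on the installed version.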

#### Registry keys <a href="#componentsofcollector-registrykeys" id="componentsofcollector-registrykeys"></a>

During installation, Collector creates the following keys in the Registry of Windows:

```
HKEY_CLASSES_ROOT\nxtrayproto
HKEY_LOCAL_MACHINE\SOFTWARE\Nexthink\Collector
HKEY_LOCAL_MACHINE\SOFTWARE\Nexthink\Collector\AppStartTime
HKEY_LOCAL_MACHINE\SOFTWARE\Nexthink\DN
HKEY_LOCAL_MACHINE\SOFTWARE\Nexthink\RebootMarker
HKEY_LOCAL_MACHINE\SOFTWARE\Nexthink\RemoteActions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Nexthink Collector
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nexthink Coordinator
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nexthink Coordinator\params
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nexthink Coordinator\Modules\COD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nexthink Coordinator\Modules\EndUserFeedback
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nexthink Coordinator\Modules\Updater
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Nexthink Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Nexthink Service\runtime_stats
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nxtrdrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nxtrdrv\params
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nxtrdrv5
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nxtrdrv5\Parameters\Wdf
HKEY_LOCAL_MACHINE\SYSTEM\Nexthink\Updater
HKEY_USERS\S-1-5-21-[X-X-X-X]\SOFTWARE\NEXThink\NxTray
```

#### Additional files <a href="#componentsofcollector-additionalfiles" id="componentsofcollector-additionalfiles"></a>

Find the Collector log files here:

* `%windir%\nxtsvc.log`
* `%windir%\nxtsvc.1.log`
* `%windir%\nxtsvc.2.log`
* `%windir%\nxtupdater.log`
* `%windir%\nxtupdater.1.log`
* `%windir%\nxtupdater.2.log`
* `%windir%\nxtcoordinator.log`
* `%windir%\nxtcoordinator.1.log`
* `%windir%\nxtcoordinator.2.log`
* `%windir%\nxteufb.log`
* `%windir%\nxteufb.1.log`
* `%windir%\nxteufb.2.log`
* `%windir%\nxtcod.log`
* `%windir%\nxtcod.1.log`
* `%windir%\nxtcod.2.log`
* `%temp%\nxtray.log`
* `%temp%\nxtray.log.<timestamp>`

Finally, Windows creates a cached copy of the kernel drivers in two folders whose names start with the name of the drivers (`nxtrdrv` and `nxtrdrv5`, respectively) followed by a unique identifier that depends on the version of the driver itself. Find the folders here:

* `%windir%\System32\DRVSTORE`

The Nexthink Reporter tool creates its logs and reports here:

* `%temp%\nxtreporter[reportID].log`
* `%temp%\nxtreport-[hostname]-[reportID].zip`

### macOS Collector <a href="#componentsofcollector-maccollector" id="componentsofcollector-maccollector"></a>

The macOS version of Collector includes the following set of components.

#### Files <a href="#componentsofcollector-files" id="componentsofcollector-files"></a>

* **Main service**\
  A macOS daemon that gathers valuable information from employee devices
* **Coordination service**\
  A macOS daemon that synchronizes with the appliances to provide services such as automatic updates, employee engagement and execution of remote actions in the near future
* **Application monitoring**\
  A macOS daemon that is in charge of gathering specific data for business applications

<table data-full-width="false"><thead><tr><th width="235">Component</th><th width="180.25">File</th><th>Path</th></tr></thead><tbody><tr><td>Main service, device level data acquisition</td><td>nxtsvc</td><td><code>/Library/Application Support/Nexthink</code></td></tr><tr><td>User level data acquisition</td><td>nxtusm</td><td><code>/Library/Application Support/Nexthink</code></td></tr><tr><td>Coordination service</td><td>nxtcoordinator</td><td><code>/Library/Application Support/Nexthink</code></td></tr><tr><td>Campaigns</td><td><ul><li>nxteufb</li><li>nxtray.app</li></ul></td><td><code>/Library/Application Support/Nexthink</code></td></tr><tr><td>Automatic Updates</td><td>nxtupdater</td><td><code>/Library/Application Support/Nexthink</code></td></tr><tr><td>Remote Actions</td><td><ul><li>nxtcod.app</li><li>nxtraoutput</li></ul></td><td><code>/Library/Application Support/Nexthink</code></td></tr><tr><td>Web Application monitoring</td><td>nxtbsm</td><td><code>/Library/Application Support/Nexthink</code></td></tr><tr><td>Web Application monitoring</td><td>nxthostapp</td><td><code>/Library/Application Support/Nexthink</code></td></tr></tbody></table>

#### Additional files <a href="#componentsofcollector-additionalfiles.1" id="componentsofcollector-additionalfiles.1"></a>

| Component          | File        | Path                                    |
| ------------------ | ----------- | --------------------------------------- |
| Configuration file | config.json | `/Library/Application Support/Nexthink` |

In the *config.json* file, find the exact version of the installed Collector and the [status of the TCP connection](https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/deploying-nexthink-in-non-vdi-environment/managing-collector-agents/querying-the-collector-tcp-connection-status#queryingthecollectortcpconnectionstatus-mac-collector).

Find the log files here:

* `/Library/Logs/nxtsvcgen.log`
* `/Library/Logs/nxtcoordinator.log`
* `/Library/Logs/nxtbsm.log`
* `/Library/Logs/nxtcod.log`
* `/Library/Logs/nxtcsi.log`
* `/Library/Logs/nxteufb.log`
* `/Library/Logs/nxtextension.log`
* `/Library/Logs/nxtupdater.log`

Also under each user folder:

* `/Users/{username}/Library/Logs/nxthostapp.{userSID}.log`
* `/Users/{username}/Library/Logs/nxtray.{userSID}.log`
* `/Users/{username}/Library/Logs/nxtusm.{userSID}.log`

