Collector overview

Nexthink Collector is a lightweight agent based on patented technology. It captures and reports network connections, program executions, web requests, and many other activities and properties from employee devices on which it runs. It is implemented as a kernel driver and accompanying services, offering remote and automated silent installations with negligible impact on system performance while minimizing network traffic.

CPU usageTypical memory usageNetwork traffic

Less than 0.15% (on average)

  • 11-12KB non-paged kernel memory

  • 1.1-1.4MB paged kernel memory

  • 44-52MB user space memory (temporary memory spikes are possible during campaigns)

~ 3kbps on average (dependent on campaigns, remote actions and updates)

Collector components

The capability of Collector for gathering user activity data is shared by the kernel driver and the helper service (or daemon) components (list of the components). Running as a kernel driver close to the operating system allows reporting information only visible at this level.



Collector is available for both Windows and macOS operating systems. A lightweight version of Collector optimized for desktop virtualization use cases is also available for thin clients powered by IGEL OS.


Since the Windows driver is a kernel-mode component, any error in its internals or its interaction with a misbehaving third-party driver can lead to system instabilities. Even with Nexthink striving as hard as possible to deliver bug-free software, the principle of precaution holds. The CrashGuard feature available for Windows platforms detects every system crash and, by default, disables the Collector driver if the system crashes more than three times in a row after installation. Refer to Installing Collector on Windows documentation for more information.

Kernel-mode traffic interception

Some Windows applications may send and receive data to and from the network using kernel-mode components, actually hiding their network traffic from user-space monitoring applications. Being a kernel driver itself, Collector is nevertheless able to detect and report such traffic.

Paths aliasing

Collector identifies commonly used paths and other special mount locations with path aliases. For example, when you assign drive letter D to the DVD-ROM, Collector reports an application executed from that media as %RemovableDrive%\application.exe.

Reliable connectivity

Nexthink Collector relies on the connection-oriented features of the Transmission Control Protocol (TCP) to ensure that the information reaches the data processing layer.

In addition, when the connection between Collector and the Nexthink instance is lost or not yet established, Collector is able to buffer up to 15 minutes of data (a maximum of 2500 packets not older than 15 minutes) to send at a later time, once the connection is successful.

Network switching

A change of the network interface is transparent, except when it invalidates the DNS resolution of the Nexthink instance. In that case, the process of adjusting to a different network may take a few minutes and Collector resends the whole context.

Event logging

The appropriate system logs of the operating system record details regarding when and how Collector connects to the Nexthink instance and any potential errors.

On-the-fly configuration

Applying changes to the configuration or updating Collector does not require a restart of the operating system. Changes take effect without interrupting the employee’s work.

Code signed software

To be able to load and run on Windows devices, the kernel components of Collector for Windows are signed with an official Microsoft certificate. User-space components are signed with a valid Nexthink certificate.

Collector for macOS is signed with the Developer ID certificate of Nexthink and follows the Apple notarization process to ensure that it can be installed and run seamlessly on macOS devices.

Last updated