Understanding Collector
Nexthink Collector is a lightweight agent based on patented technology. It captures and reports network connections, program executions, installations, and many other activities and properties from employee devices on which it runs. It is implemented as a kernel driver and accompanying services, offering remote and automated silent installations with negligible impact on system performance while minimizing network traffic.
Collector features
Multiplatform
Collector is available for both Windows and macOS operating systems. A lightweight version of Collector optimized for desktop virtualization use cases is also available for thin clients powered by IGEL OS.
CrashGuard
Since the Windows driver is a kernel-mode component, any error in its internals or its interaction with a misbehaving third-party driver can lead to system instabilities. Even with Nexthink striving as hard as possible to deliver bug-free software, the principle of precaution holds. The CrashGuard feature available for Windows platforms detects every system crash and, by default, disables the Collector driver if the system crashes more than five times in a row after installation. Refer to the Installing Collector on Windows documentation for more information.
Kernel-mode traffic interception
Some Windows applications may send and receive data to and from the network using kernel-mode components, effectively hiding their network traffic from user-space monitoring applications. Being a kernel driver itself, Collector is nevertheless able to detect and report such traffic.
Paths aliasing
Collector identifies commonly used paths and other special mount locations with path aliases. For example, when you assign drive letter D to the DVD-ROM, Collector reports an application executed from that media as %RemovableDrive%\application.exe.
Reliable connectivity
Nexthink Collector relies on the connection-oriented features of TCP to ensure that the information reaches the data processing layer.
In addition, when the connection between Collector and the Nexthink instance is lost or not yet established, Collector is able to buffer up to 15 minutes of data (a maximum of 2500 packets not older than 15 minutes) to send at a later time, once the connection is successful.
Network switching
A change of the network interface is transparent, except when it invalidates the DNS resolution of the Nexthink instance. In that case, the process of adjusting to a different network may take a few minutes and Collector resends the whole context.
Event logging
The appropriate system logs of the operating system record details regarding when and how Collector connects to the Nexthink instance and any potential errors.
On-the-fly configuration
Applying changes to the configuration or updating Collector does not require a restart of the operating system. Changes take effect without interrupting the employee’s work.
Code signed software
To load and run Nexthink Collector on Windows devices, kernel components are signed with an official Microsoft certificate. User-space components are also signed with a valid Nexthink certificate.
To run Nexthink Collector on macOS devices, the macOS Collector is signed with Nexthink's Developer ID certificate and follows the Apple notarization process.
Collector components
The capability of Collector for gathering user activity data is shared by the kernel driver and the helper service (or daemon) components. Running as a kernel driver close to the operating system allows reporting information only visible at this level.
Nexthink Collector comprises a set of services and libraries that gather information about the devices in your corporate network and their activity. Collector sends all the gathered information to a Nexthink instance, where the system processes and stores it. Additional Collector components deal with the features provided by optional Nexthink products. Other components help you with the installation and configuration process.
This document describes the different components and the filesystem paths where they are installed on devices. It also details the registry keys and the additional files created or modified during installation.
Windows Collector
The Windows version of Collector includes the following set of components:
Windows Collector binaries
For all versions of Windows, the system installs the following components:
Main driver: A kernel mode driver that gathers valuable information from employee devices
Network specific driver: A kernel mode driver that detects network connections
Helper service: A Windows service that complements the main driver by collecting additional information
Printing info library: A dynamic link library that is responsible for detecting printing activity
Automatic updates: A component of Collector that is responsible for downloading new versions and updating the installed components
Coordinator: Coordinator is responsible for establishing and maintaining a network connection with the Nexthink instance. Other components share that connection for the purpose of communication with the instance.
Nexthink Engage: Components for presenting campaign questions and getting answers from employees
Nexthink Act: Components that manage the execution of remote actions
Nexthink Reporter: A troubleshooting tool that creates debug reports for specific support cases
Nexthink Event Log Provider: A component for logging events in the Windows Event Log
Nexthink Application Experience: A component for monitoring business applications
Command line configuration tool (optional): A tool to configure Collector from the command line
Helper service for automated updates: nxtcssu.exe (%ProgramFiles%/Nexthink/Collector/Coordinator/)
Main driver: nxtrdrv.sys (%Windows%\System32\drivers)
Network specific driver: nxtrdrv5.sys (%Windows%\System32\drivers)
Helper service: nxtsvc.exe (%ProgramFiles%\Nexthink\Collector\Collector)
Printing info helper library: nxtdll.dll (%ProgramFiles%\Nexthink\Collector\Collector)
Nexthink Event Log Provider: nxteventprovider.dll (%ProgramFiles%\Nexthink\Collector\Collector)
Immersive apps: nxtwrt.dll (%ProgramFiles%\Nexthink\Collector\Collector)
Application start time: nxtwpm.dll (%ProgramFiles%\Nexthink\Collector\Collector)
Coordinator service: nxtcoordinator.exe (%ProgramFiles%\Nexthink\Collector\Coordinator)
Campaigns coordinator: nxteufb.exe (%ProgramFiles%\Nexthink\Collector\Coordinator)
Remote actions coordinator: nxtcod.exe (%ProgramFiles%\Nexthink\Collector\Coordinator)
Updates coordinator: nxtupdater.exe (%ProgramFiles%\Nexthink\Collector\Coordinator)
OpenSSL: libcrypto-1_1-x64.dll, libssl-1_1-x64.dll (%ProgramFiles%\Nexthink\Collector\Coordinator)
Campaigns: nxtray.exe, nxtray.exe.config (%ProgramFiles%\Nexthink\Collector\Engage)
Remote actions: Google.Protobuf.dll, nxtcampaignaction.dll, nxtremoteactions.dll (%ProgramFiles%\Nexthink\Collector\RemoteActions)
Reporter: nxtreporter.exe (%ProgramFiles%\Nexthink\Collector\Reporter)
Web application monitoring: nxtbsm.exe (%ProgramFiles%\Nexthink\Collector\BSM), nxthostapp.exe (%ProgramFiles%\Nexthink\Collector\BSM\hostapp\)
Command line configuration tool: nxtcfg.exe (%Windows%\System32)
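The signing statement under "Code signed software" can be checked against the binaries listed above. The following PowerShell is an added example, not Nexthink tooling: it assumes %Windows% maps to $env:windir and that the signer subject contains "Microsoft" for the drivers and "Nexthink" for user-space files, and it leaves out the bundled third-party libraries and the optional nxtcfg.exe.

```powershell
# Added example (not Nexthink code). File names and folders are taken from the
# component list on this page; %Windows% is assumed to mean $env:windir.
$root = Join-Path $env:ProgramFiles 'Nexthink\Collector'
$expected = [ordered]@{
    "$env:windir\System32\drivers" = 'nxtrdrv.sys', 'nxtrdrv5.sys'
    "$root\Collector"     = 'nxtsvc.exe', 'nxtdll.dll', 'nxteventprovider.dll',
                            'nxtwrt.dll', 'nxtwpm.dll'
    "$root\Coordinator"   = 'nxtcssu.exe', 'nxtcoordinator.exe', 'nxteufb.exe',
                            'nxtcod.exe', 'nxtupdater.exe'
    "$root\Engage"        = 'nxtray.exe'
    "$root\RemoteActions" = 'nxtcampaignaction.dll', 'nxtremoteactions.dll'
    "$root\Reporter"      = 'nxtreporter.exe'
    "$root\BSM"           = 'nxtbsm.exe'
    "$root\BSM\hostapp"   = 'nxthostapp.exe'
}

$report = foreach ($dir in $expected.Keys) {
    foreach ($name in $expected[$dir]) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) {
            # Expected file is absent: report it and move on.
            [pscustomobject]@{ Path = $path; Status = 'Missing'; Signer = $null; SignerOk = $false }
            continue
        }
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $subject = $sig.SignerCertificate.Subject   # $null when the file is unsigned
        # Assumption: a substring match on the certificate subject is enough to
        # tell the Microsoft-signed drivers from the Nexthink-signed user-space files.
        $wanted  = if ($name -like '*.sys') { 'Microsoft' } else { 'Nexthink' }
        [pscustomobject]@{
            Path     = $path
            Status   = $sig.Status
            Signer   = $subject
            SignerOk = [bool]($subject -match $wanted)
        }
    }
}

# Show only entries that need attention: missing, not validly signed, or
# signed by an unexpected publisher.
$report | Where-Object { $_.Status -ne 'Valid' -or -not $_.SignerOk } |
    Format-Table -AutoSize
```

An empty result means every listed file is present, has a valid Authenticode signature and matches the expected publisher under the stated assumptions.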
Registry keys
During installation, Collector creates the following keys in the Registry of Windows:
Additional files
Find the Collector log files here:
%windir%\nxtsvc.log
%windir%\nxtsvc.1.log
%windir%\nxtsvc.2.log
%windir%\nxtupdater.log
%windir%\nxtupdater.1.log
%windir%\nxtupdater.2.log
%windir%\nxtcoordinator.log
%windir%\nxtcoordinator.1.log
%windir%\nxtcoordinator.2.log
%windir%\nxteufb.log
%windir%\nxteufb.1.log
%windir%\nxteufb.2.log
%windir%\nxtcod.log
%windir%\nxtcod.1.log
%windir%\nxtcod.2.log
%temp%\nxtray.log
%temp%\nxtray.log.<timestamp>
Finally, Windows creates a cached copy of the kernel drivers in two folders whose names start with the name of the drivers (nxtrdrv and nxtrdrv5, respectively) followed by a unique identifier that depends on the version of the driver itself. Find the folders here:
%windir%\System32\DRVSTORE
The Nexthink Reporter tool creates its logs and reports here:
%temp%\nxtreporter[reportID].log
%temp%\nxtreport-[hostname]-[reportID].zip
Mac Collector
The macOS version of Collector includes the following set of components:
Files
Main service: A macOS daemon that gathers valuable information from employee devices
Coordination service: A macOS daemon that synchronizes with the appliances to provide services such as automatic updates, employee engagement and execution of remote actions in the near future
Application monitoring: A macOS daemon that is in charge of gathering specific data for business applications
Main service, device level data acquisition: nxtsvc (/Library/Application Support/Nexthink)
User level data acquisition: nxtusm (/Library/Application Support/Nexthink)
Coordination service: nxtcoordinator (/Library/Application Support/Nexthink)
Campaigns: nxteufb, nxtray.app (/Library/Application Support/Nexthink)
Automatic Updates: nxtupdater (/Library/Application Support/Nexthink)
Remote Actions: nxtcod.app, nxtraoutput (/Library/Application Support/Nexthink)
Web Application monitoring: nxtbsm (/Library/Application Support/Nexthink)
Web Application monitoring: nxthostapp (/Library/Application Support/Nexthink)
Additional files
Configuration file: config.json (/Library/Application Support/Nexthink)
In the config.json file, find the exact version of the installed Collector and the status of the TCP connection.
Find the log files here:
/Library/Logs/nxtsvcgen.log
/Library/Logs/nxtcoordinator.log
/Library/Logs/nxtbsm.log
/Library/Logs/nxtcod.log
/Library/Logs/nxtcsi.log
/Library/Logs/nxteufb.log
/Library/Logs/nxtextension.log
/Library/Logs/nxtupdater.log
Also under each user folder:
/Users/{username}/Library/Logs/nxthostapp.{userSID}.log
/Users/{username}/Library/Logs/nxtray.{userSID}.log
/Users/{username}/Library/Logs/nxtusm.{userSID}.log