Components of the Collector

Overview

The Collector is mainly composed of a couple of kernel drivers, along with a small set of services and libraries, that gather information about the devices in your corporate network and their activity. The Collector periodically sends all the gathered information to an Engine, where it is processed and stored. Other tools that are delivered with the Collector help you with its installation and configuration.

This document describes each component of the Collector and the filesystem paths where it is installed on the devices of the end-users. It also lists the registry keys and the additional files created or modified during the installation of the Collector.

Windows Collector

The Windows version of the Collector includes several features in addition to the gathering of user activity. These extra features require a comprehensive set of components.

Applies to platforms: Windows

Windows Collector binaries

For all versions of Windows, the following components are installed:

  • Main driver: A kernel mode driver that gathers valuable information from the device of the end-user.
  • Network specific driver: A kernel mode driver that detects network connections.
  • Helper service: A Windows service that complements the main driver by collecting additional information.
  • Printing info library: A dynamic link library that is responsible for detecting printing activity.
  • Optional Command line configuration tool: A tool to configure the Collector from the command line.
  • Optional Control Panel extension: A tool to control the behaviour of the Collector that is added to the Control Panel of Windows.
  • Automatic updates: A component of the Collector that is responsible for downloading new versions and updating the installed components.
  • Coordinator: Coordination of the Collector with the Appliance for detecting new updates and communicating end-user feedback.
  • End-user feedback: Components for presenting the questions of campaigns and getting answers from the end-users.

| Component | File | Path |
|---|---|---|
| Main driver | nxtrdrv.sys | C:\Windows\System32\drivers |
| Network specific driver | nxtrdrv5.sys | C:\Windows\System32\drivers |
| Helper service | nxtsvc.exe | C:\Windows\System32 |
| Printing info helper library | nxtdll.dll | |
| Command line configuration tool | nxtcfg.exe | |
| Control Panel extension | nxtpanel.cpl | |
| Automatic updates | nxtupdater.exe | |
| Coordinator | nxtcoordinator.exe | |
| End-user feedback | nxteufb.exe, nxtray.exe, nxtray.exe.config | |

Starting from Windows 8, these additional binaries are also installed:

  • Metro apps helper library: A dynamic link library that detects the execution of Metro apps.

| Component | File | Path |
|---|---|---|
| Metro apps helper library | nxtwrt.dll | C:\Windows\System32 |

Registry keys of the Windows Collector

On installation, the Collector creates the following keys in the Registry of Windows:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nxtrdrv
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nxtrdrv5
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Nexthink Service
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nexthink Coordinator\Modules\Updater
  • HKEY_LOCAL_MACHINE\SYSTEM\Nexthink\Updater
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nexthink Coordinator
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nexthink Coordinator\Modules\EndUserFeedback
  • HKEY_USERS\S-1-5-21-2281471460-584676728-3927365163-1676\SOFTWARE\NEXThink\NxTray
  • HKEY_CLASSES_ROOT\nxtrayproto

On Windows 10, this additional key is created, used and maintained by the Action Center:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Current\NexThink.NxTray.Messages

Additional files of the Windows Collector

Find the log files of the Collector here:

  • C:\Windows\nxtsvc.log
  • C:\Windows\nxtsvc.log.bk
  • C:\Windows\nxtupdater.log
  • C:\Windows\nxtupdater.log.bk
  • C:\Windows\nxtcoordinator.log
  • C:\Windows\nxtcoordinator.log.bk
  • C:\Windows\nxteufb.log
  • C:\Windows\nxteufb.log.bk
  • %temp%\nxtray.log
  • %temp%\nxtray.log.<timestamp>

Finally, Windows creates a cached copy of the kernel drivers in two folders whose names start with the name of the drivers (nxtrdrv and nxtrdrv5, respectively) followed by a unique identifier that depends on the version of the driver itself. Find the folders here:

  • C:\Windows\System32\DRVSTORE
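
An added example (not part of the original page or of Nexthink's own tooling): a PowerShell check that compares a device against the files and registry keys listed above, reporting presence, Authenticode signature status and, for service keys, the ImagePath value. It covers only the binaries for which this page gives a full path; the function name Get-CollectorFootprint is hypothetical.

```powershell
# Added example: audit the Collector footprint listed on this page.
# Run from a 64-bit PowerShell; a 32-bit host is redirected from
# System32 to SysWOW64 and would report the files as missing.
$expectedFiles = @(
    'C:\Windows\System32\drivers\nxtrdrv.sys',    # main driver
    'C:\Windows\System32\drivers\nxtrdrv5.sys',   # network specific driver
    'C:\Windows\System32\nxtsvc.exe'              # helper service
)
# The Metro apps helper library is installed starting from Windows 8 (NT 6.2).
if ([Environment]::OSVersion.Version -ge [Version]'6.2') {
    $expectedFiles += 'C:\Windows\System32\nxtwrt.dll'
}
$expectedKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\services\nxtrdrv',
    'HKLM:\SYSTEM\CurrentControlSet\services\nxtrdrv5',
    'HKLM:\SYSTEM\CurrentControlSet\services\Nexthink Service',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Nexthink Coordinator',
    'HKLM:\SYSTEM\Nexthink\Updater'
)

function Get-CollectorFootprint {   # hypothetical helper name
    foreach ($path in $expectedFiles) {
        $present = Test-Path -LiteralPath $path -PathType Leaf
        $sig = if ($present) { Get-AuthenticodeSignature -LiteralPath $path }
        [pscustomobject]@{
            Kind    = 'File'
            Item    = $path
            Present = $present
            Detail  = if ($sig) { "signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject)" } else { '' }
        }
    }
    foreach ($key in $expectedKeys) {
        $present = Test-Path -LiteralPath $key
        # ImagePath is the standard value naming the binary a service key loads.
        $image = if ($present) {
            (Get-ItemProperty -LiteralPath $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        }
        [pscustomobject]@{
            Kind    = 'RegistryKey'
            Item    = $key
            Present = $present
            Detail  = if ($image) { "ImagePath: $image" } else { '' }
        }
    }
}

$report = Get-CollectorFootprint
$report | Format-Table -AutoSize -Wrap
$missing = @($report | Where-Object { -not $_.Present })
if ($missing.Count) { Write-Warning "$($missing.Count) documented item(s) not found" }
```

A missing driver or service key, a signature status other than Valid, or an ImagePath that points outside the documented folders is worth investigating as a broken or tampered installation.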

Mac Collector

The Mac version of the Collector has just the necessary components to report user activity.

Applies to platforms: Mac

Mac Collector binaries

  • Driver: A kernel mode driver that gathers valuable information from the device of the end-user.
  • Helper service: A Mac OS daemon that complements the driver by collecting additional information.

| Component | File | Path |
|---|---|---|
| Driver | nxtdrv.kext | /Library/Extensions |
| Helper service | nxtsvc | /Library/Application Support/Nexthink |

Configuration files of the Mac Collector

| Component | File | Path |
|---|---|---|
| Daemon registration file | com.nexthink.collector.driver.nxtsvc.plist | /Library/LaunchDaemons/ |
| Daemon configuration file | config.plist | /Library/Application Support/Nexthink |
| CrashGuard file | crashguard | |

Additional files of the Mac Collector

Find the log files of the Mac Collector here:

  • /var/log/kernel.log
  • /Library/Logs/nxtsvc.log
  • /Library/Logs/nxtsvc.log.bk (when previous log is rotated)
  • /Library/Logs/CrashReporter