The Collector is a light-weight agent based on patented technology. It captures and reports network connections, program executions, web requests, and many other activities and properties from the devices of the end-users on which it runs. It is implemented as a kernel driver and an accompanying service, offering remote and automated silent installations and negligible impact on the performance of local desktops, while minimizing network traffic.

CPU usage Memory usage Network traffic
  • Less than 0.015%
    (in average)
  • Kernel: Around 500 KB
  • User: Around 20 MB
  • UDP: 0.1 - 0.3 Kbps
    (in average)
  • TCP: Depending on
    • Campaigns
    • Updates

The following figure depicts the functioning of the Collector as part of the whole Nexthink solution.


Collector components

The capabililty of the Collector for gathering user activity data is shared by the kernel driver and the helper service (or daemon) components. By running close to the operating system, the kernel driver detects some kinds of user activities that are only visible at this level.

Because of its additional features, the Windows version of the Collector includes more components than its Mac OS counterpart. Click to see the detailed list of components of the Collector.



The Collector is available for both Windows and Mac OS operating systems. Originally developed for Windows, the Mac OS version of the Collector has some limitations with respect to its Windows counterpart. Besides Windows specific data, information on web requests and printing is not yet available in the Mac OS version of the Collector. Likewise, the automatic update of the Collector is only available in the Windows platform for the moment.


Since the Windows Collector driver is a kernel-mode component, any error in its internals or its interaction with a misbehaving third-party driver can lead to system instabilities. Even with Nexthink putting as much attention as possible towards delivering bug-free software, the principle of precaution holds. The Crash Guard feature detects every system crash and it disables the Collector driver itself if the system crashes more than three times in a row after installation.

Applies to platforms: PlatformWindows.png

Kernel traffic interception

Some applications may send and receive data to and from the network using kernel-mode components, actually hiding their network traffic from user-space monitoring applications. Being a kernel driver itself, the Windows Collector is nevertheless able to detect and report such traffic.

Applies to platforms: PlatformWindows.png

Paths aliasing

The Collector identifies commonly used paths (e.g. C:\WINDOWS\, C:\Program Files\) and other special mount locations (removable mount points, network drives) with paths aliases. For example, if the DVD-Rom drive is mounted under D:, the Collector reports an application setup.exe being launched from this media as %RemovableDrive%\setup.exe.

Detection of Engine

The Collector driver is able to detect when the Engine is not reachable in the local network. In this case, the Collector disables itself for 10 minutes.

Network interfaces supervision

The Collector dectects if a network interface appears on or disappears from the device where it is installed. In this case, the Collector driver resends the whole context to the Engine. The process of adapting to a different network interface may take the Collector a few minutes.

Event logging

Main events and errors are written to either the standard Windows event logs or Mac OS logs.

On-the-fly configuration

The Collector driver parameters can be changed through the Collector Control Panel extension or the Collector Configuration tool. There is no need to restart the computer for the changes to become effective.