Components of the Collector

Overview

The Collector is mainly composed of a couple of kernel drivers, along with a small set of services and libraries, that gather information about the devices in your corporate network and their activity. The Collector periodically sends all the gathered information to an Engine, where it is processed and stored. Other tools that are delivered with the Collector help you with its installation and configuration.

This document describes all the components of the Collector and the filesystem paths where they are found on the devices of the end-users after installation. It also details the registry keys and the additional files created or modified during the installation of the Collector.

Windows Collector

The Windows version of the Collector includes several features in addition to the gathering of user activity. These extra features require a comprehensive set of components.

Applies to platforms: Windows

Windows Collector binaries

For all versions of Windows, the following components are installed:

  • Main driver: A kernel mode driver that gathers valuable information from the device of the end-user.
  • Network specific driver: A kernel mode driver that detects network connections.
  • Helper service: A Windows service that complements the main driver by collecting additional information.
  • Printing info library: A dynamic link library that is responsible for detecting printing activity.
  • Optional Command line configuration tool: A tool to configure the Collector from the command line.
  • Optional Control Panel extension: A tool to control the behaviour of the Collector that is added to the Control Panel of Windows.
  • Automatic updates: A component of the Collector that is responsible for downloading new versions and updating the installed components.
  • Coordinator: Coordination of the Collector with the Appliance to detect new updates, engage with end-users, and execute remote actions.
  • Nexthink Engage: Components for presenting the questions of campaigns and getting answers from the end-users.
  • Nexthink Act: Components that manage the execution of remote actions.

Component                         File                    Path
Main driver                       nxtrdrv.sys             %windir%\System32\drivers
Network specific driver           nxtrdrv5.sys            %windir%\System32\drivers
Helper service                    nxtsvc.exe              %windir%\System32
Printing info helper library      nxtdll.dll
Command line configuration tool   nxtcfg.exe
Control Panel extension           nxtpanel.cpl
Automatic updates                 nxtupdater.exe
Coordinator                       nxtcoordinator.exe
Nexthink Engage                   nxteufb.exe
                                  nxtray.exe
                                  nxtray.exe.config
Nexthink Act                      nxtcod.exe              %ProgramFiles%\Nexthink\RemoteActions
                                  Google.Protobuf.dll
                                  nxtcampaignaction.dll
                                  nxtremoteactions.dll

Starting from Windows 8, these additional binaries are also installed:

  • Metro apps helper library: A dynamic link library that detects the execution of Metro apps.

Component                         File                    Path
Metro apps helper library         nxtwrt.dll              %windir%\System32

Registry keys of the Windows Collector

On installation, the Collector creates the following keys in the Registry of Windows:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nxtrdrv
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nxtrdrv5
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Nexthink Service
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nexthink Coordinator\Modules\Updater
  • HKEY_LOCAL_MACHINE\SYSTEM\Nexthink\Updater
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nexthink Coordinator
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nexthink Coordinator\Modules\EndUserFeedback
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nexthink Coordinator\Modules\COD
  • HKEY_LOCAL_MACHINE\SOFTWARE\Nexthink\RemoteActions
  • HKEY_USERS\S-1-5-21-2281471460-584676728-3927365163-1676\SOFTWARE\NEXThink\NxTray
  • HKEY_CLASSES_ROOT\nxtrayproto

Additional files of the Windows Collector

Find the log files of the Collector here:

  •  %windir%\nxtsvc.log
  •  %windir%\nxtsvc.log.bk
  •  %windir%\nxtupdater.log
  •  %windir%\nxtupdater.log.bk
  •  %windir%\nxtcoordinator.log
  •  %windir%\nxtcoordinator.log.bk
  •  %windir%\nxteufb.log
  •  %windir%\nxteufb.log.bk
  •  %windir%\nxtcod.log
  •  %windir%\nxtcod.log.bk
  •  %temp%\nxtray.log
  •  %temp%\nxtray.log.<timestamp>

Finally, Windows creates a cached copy of the kernel drivers in two folders whose names start with the name of the drivers (nxtrdrv and nxtrdrv5, respectively) followed by a unique identifier that depends on the version of the driver itself. Find the folders here:

  •  %windir%\System32\DRVSTORE
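
The following baseline check is an added example, not part of the original documentation or of the vendor's tooling. It inventories the Windows Collector binaries whose paths are given above, records their Authenticode status and SHA-256 hash, and reports the ImagePath of the service keys from the registry list. The mapping of the "Nexthink Service" and "Nexthink Coordinator" keys to nxtsvc.exe and nxtcoordinator.exe is an assumption inferred from the component names.

```powershell
# Added example (not vendor code). Run from a 64-bit PowerShell session so that
# %windir%\System32 is not redirected to SysWOW64.
# Files: only those whose install path the page states.
$files = @(
    "$env:windir\System32\drivers\nxtrdrv.sys"
    "$env:windir\System32\drivers\nxtrdrv5.sys"
    "$env:windir\System32\nxtsvc.exe"
    "$env:windir\System32\nxtwrt.dll"      # installed on Windows 8 and later only
)
# Service keys from the page, mapped to the binary each is assumed to launch.
$services = [ordered]@{
    'nxtrdrv'              = 'nxtrdrv.sys'
    'nxtrdrv5'             = 'nxtrdrv5.sys'
    'Nexthink Service'     = 'nxtsvc.exe'          # assumption
    'Nexthink Coordinator' = 'nxtcoordinator.exe'  # assumption
}

$fileReport = foreach ($path in $files) {
    $present = Test-Path -LiteralPath $path -PathType Leaf
    $sig  = if ($present) { Get-AuthenticodeSignature -LiteralPath $path }
    $hash = if ($present) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
    [pscustomobject]@{
        Path      = $path
        Present   = $present
        Signature = $sig.Status                     # expect 'Valid' on an intact install
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = $hash
    }
}

$serviceReport = foreach ($name in $services.Keys) {
    $key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $exists = Test-Path -LiteralPath $key
    $props  = if ($exists) { Get-ItemProperty -LiteralPath $key }
    [pscustomobject]@{
        Service   = $name
        KeyExists = $exists
        ImagePath = $props.ImagePath
        # False means the key points somewhere other than the expected binary.
        Expected  = [bool]($props.ImagePath -like "*$($services[$name])*")
    }
}

$fileReport    | Format-List
$serviceReport | Format-Table -AutoSize -Wrap
```

Comparing the recorded hashes and signers across devices running the same Collector version makes a replaced driver or a redirected service ImagePath stand out.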

Mac Collector

The Mac version of the Collector has just the necessary components to report user activity.

Applies to platforms: Mac

Mac Collector binaries

  • Main service: A Mac daemon that gathers valuable information from the device of the end-user.
  • Coordination service: A Mac daemon that synchronizes with the appliances to provide services such as automatic updates, end-user engagement and execution of remote actions in the near future.

Component                         File                    Path
Main service                      nxtsvc                  /Library/Application Support/Nexthink
Coordination service              nxtcoordinator

Configuration files of the Mac Collector

Component                         File                    Path
Daemon configuration file         config.plist            /Library/Application Support/Nexthink
Coordinator configuration file    tcp_config.json

At the end of the file tcp_config.json, find the exact version of the installed Collector and the status of the TCP connection.

Additional files of the Mac Collector

Find the log files of the Mac Collector here:

  • /Library/Logs/nxtsvcgen.log
  • /Library/Logs/nxtsvcgen.n.log (n positive, when previous log is rotated)
  • /Library/Logs/nxtcoordinator.log