Windows Agent Overview
Windows Agent
The ITM On-Prem Windows Agent (ObserveIT Windows Agent) is a software component that is installed on any Windows-based operating system (server or desktop) that you want to record.
The Windows Agent is a user-mode executable that binds to every user session. As soon as a user logs on to a monitored endpoint, the Agent begins recording according to the configured recording policy: it captures user activity data logs and, if configured, screen video. All captured user activity data can be searched, reported on, configured for alerts, and integrated with SIEM systems. The Agent sends all screen capture video and textual activity logs to the ITM On-Prem (ObserveIT) Application Server for processing and storage.
The diagram below shows the Windows Agent architecture.
By default, the Agent records the screen only when actual user activity is detected at the keyboard or mouse; during idle time (when there is no user activity on the machine), the Agent does not generate logs of screen capture data. However, optional time-based recording allows the recording of everything that appears on the screen even when the user is idle or not present – which can be useful, for example, to record the output of lengthy scripts run by IT users.
When recorded data cannot be stored on the Application Server or SQL Server (for example, the network or Application Server is down, or there is no connectivity to the database), the Windows/Linux/Unix/Mac OS Agent maintains an offline buffer to temporarily collect data. The buffer size is customizable. Once connectivity is restored, the buffered data is delivered to the Application Server.
ObserveIT allows customers to monitor their users in stealth mode by deploying the Windows Agent with obfuscated names for its Agent components. To prevent innovative IT administrators or developers from discovering that the ITM On-Prem Agent (ObserveIT Agent) is installed and running, ObserveIT can hide the Windows Agent by renaming processes, files, and other resources that might otherwise enable advanced users to uncover the Agent.