Windows Agent¶
The SentriKat Windows Agent collects installed software inventory from Windows systems and reports it to your SentriKat instance.
Prerequisites¶
- Windows 10/11 or Windows Server 2016+
- PowerShell 5.1 or later
- Network access to your SentriKat server (HTTPS recommended)
- An API key from SentriKat (see Agent API Keys)
Installation¶
Download¶
Download the agent from your SentriKat instance:
- Log into SentriKat as an admin
- Go to Admin > Agents > Downloads
- Download the Windows agent (MSI or PowerShell script)
MSI Installer¶
Run the MSI installer and follow the wizard:
- Double-click
sentrikat-agent.msi - Enter your SentriKat server URL (e.g.,
https://sentrikat.example.com) - Enter your API key
- Choose the installation directory (default:
C:\Program Files\SentriKat\) - Click Install
Verify Installation¶
# Check the service is running
Get-Service SentriKatAgent
# View agent status
& "C:\Program Files\SentriKat\sentrikat-agent.exe" status
Expected output:
SentriKat Agent v1.2.0
Status: Running
Server: https://sentrikat.example.com
Last Check-in: 2024-12-01 14:30:00 UTC
Products Reported: 142
Configuration¶
The agent configuration file is located at C:\ProgramData\SentriKat\agent.conf:
[server]
url = https://sentrikat.example.com
api_key = sk_agent_xxxxxxxxxxxx
verify_ssl = true
[agent]
hostname_override =
scan_interval = 86400
log_level = INFO
log_file = C:\ProgramData\SentriKat\agent.log
[scan]
include_updates = false
include_store_apps = true
exclude_patterns = Microsoft Visual C++ Redist*,KB*
| Setting | Description | Default |
|---|---|---|
url | SentriKat server URL | Required |
api_key | Agent API key | Required |
verify_ssl | Validate server certificate | true |
scan_interval | Seconds between scans | 86400 (24h) |
include_updates | Report Windows updates as products | false |
include_store_apps | Include Microsoft Store applications | true |
exclude_patterns | Glob patterns for software to skip | None |
After modifying the configuration, restart the service:
Windows Service¶
The agent runs as a Windows service named SentriKatAgent:
# Start the service
Start-Service SentriKatAgent
# Stop the service
Stop-Service SentriKatAgent
# Set to start automatically
Set-Service SentriKatAgent -StartupType Automatic
The service runs under the LOCAL SYSTEM account by default. If your environment requires a service account, configure it in services.msc.
Firewall Rules¶
The agent needs outbound HTTPS access to your SentriKat server:
# Allow outbound HTTPS to SentriKat
New-NetFirewallRule -DisplayName "SentriKat Agent" `
-Direction Outbound `
-Action Allow `
-Protocol TCP `
-RemotePort 443 `
-RemoteAddress "sentrikat.example.com" `
-Program "C:\Program Files\SentriKat\sentrikat-agent.exe"
Note
No inbound firewall rules are required. The agent initiates all connections outbound to the SentriKat server.
What the Agent Collects¶
The Windows agent scans the following sources:
| Source | Data Collected |
|---|---|
Registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) | Installed programs |
| Registry (WOW6432Node) | 32-bit programs on 64-bit systems |
| Windows Package Manager | Store apps (if enabled) |
WMI Win32_Product | MSI-installed products (optional) |
The agent reports:
- Software name and vendor
- Installed version
- Installation date
- Architecture (x86/x64)
- Hostname and OS version
Warning
The agent does not collect user data, file contents, browsing history, or any personally identifiable information. Only software inventory metadata is transmitted.
Group Policy Deployment¶
For large-scale deployment via GPO:
- Place the MSI on a network share accessible to target machines
- Create a new GPO and navigate to Computer Configuration > Software Installation
- Add the MSI package with the following transform properties:
- Link the GPO to the target OU
Uninstallation¶
Troubleshooting¶
Agent Not Reporting¶
# Check service status
Get-Service SentriKatAgent
# View agent logs
Get-Content "C:\ProgramData\SentriKat\agent.log" -Tail 50
# Test connectivity
Test-NetConnection -ComputerName sentrikat.example.com -Port 443
SSL Certificate Errors¶
If your SentriKat instance uses a self-signed certificate:
Or import the CA certificate into the Windows certificate store.
Proxy Configuration¶
Sprint 4+5 additions¶
Delta scans with SHA-256 fingerprinting¶
Windows agents now perform delta scans: on each scheduled run, the agent computes a SHA-256 hash of the full inventory (Registry uninstall keys + Windows Installer product list + browser extensions + IDE extensions + container images) and compares it against the previous run. Matching hashes skip the full payload and send a small "no change" heartbeat instead.
Typical Windows workstations see package changes only on patch Tuesday and occasional user installs, so delta scans cut scheduled traffic by ~90% for desktops and ~95% for servers.
Gzip compression¶
All inventory uploads are gzipped before transmission. No configuration needed.
Store-and-forward spool¶
If the agent cannot reach the SentriKat server (company VPN down, server maintenance), it spools inventory payloads to C:\ProgramData\SentriKat\spool\ and retries on exponential backoff. The spool has a 100 MB cap and drops the oldest entries when full. When connectivity is restored, the spool drains to the server in order.
Spool location is configurable via the spool_path field in the agent's config.yml.
Next Steps¶
- Agent management for monitoring agent status
- Products to see imported inventory
- Linux Agent for Linux systems