Agent Types

Managed Agents (Starting at $5/month each)

Managed agents run as a Windows Service under the Local System account, starting automatically with Windows. They are the full-featured agent type designed for servers, production systems, and critical workstations.

• Deployment: Windows Service (runs as SYSTEM), auto-start with Windows
• Full ETW Event Collection with 30+ configurable kernel and user-mode providers
• Real-Time Health Metrics — CPU, memory, disk, network reported every 30 seconds
• Live Query Sessions with AI-powered diagnostics, approved script execution, and file transfers
• Browser-Based Remote Desktop — DXGI screen capture with WebSocket relay for one-click remote control from the dashboard
• Remote Configuration Management — push provider, metrics, and performance settings from the dashboard
• Alert Evaluation — health metrics evaluated against your alert rules on every heartbeat
• Multi-Agent Correlation — participate in cross-fleet diagnostic sessions
• Billing: $5/month per agent on shared infrastructure, with volume discounts at scale. 20 free per subscribed user on paid plans.
• Resource Usage: ~50 MB RAM in Health Only mode; 50–200 MB during active collection; 1–15% CPU depending on providers

Desktop Agents (Free, Unlimited)

Desktop agents run as a user-mode application that starts with the user session. They provide a lightweight footprint for on-demand diagnostic sessions.

• Deployment: User-mode application, starts with user login session
• Basic Status and Uptime Tracking with online/offline indicators
• On-Demand Diagnostics when you need deeper troubleshooting
• Billing: Free and unlimited on all tiers
• Resource Usage: ~30–50 MB RAM, <1% CPU

Collection Modes

Managed agents operate in one of three collection modes, controlled from the agent Properties modal or automatically via live sessions.

Health Only (Default)

• Data: CPU, memory, disk space, network statistics every 30 seconds
• ETW Events: None collected
• Resource Impact: <1% CPU, ~50 MB RAM, <100 MB total footprint

On-Demand Collection

• Data: Health metrics plus configured ETW providers for a time-limited window (5–60 minutes)
• Auto-Stop: Returns to Health Only when timer expires
• Resource Impact: 5–10% CPU, 50–150 MB RAM

Full Monitoring

• Data: Health metrics plus all enabled ETW providers running continuously until manually stopped
• Resource Impact: 8–15% CPU, 100–200 MB RAM

Tip: Live Sessions automatically start ETW collection when opened and stop it when ended.

ETW Event Providers

ET Ducky supports 30+ ETW providers organized into three categories. Enable them individually through Remote Configuration or via presets.

Kernel Providers

• File System I/O: File creation, deletion, read, write, rename
• File System Initialization: Volume mount, file system load
• Process & Thread: Process creation, termination, thread lifecycle
• Image Load: DLL and executable loading
• Registry: Key and value operations
• Network TCP/IP: TCP connection, send, receive
• Network UDP: UDP datagram events
• Memory Management: Page faults, memory allocation
• Driver Operations: Driver load and unload
• Object Handles: Handle creation and destruction
• Process Counters: Performance counter snapshots

User-Mode Providers

• .NET Runtime / .NET Exceptions: CLR events, JIT, GC, managed exception tracking
• DNS Client: DNS queries and responses
• WinHTTP: HTTP request and response events
• TCP/IP (User): User-mode network stack events
• Windows Error Reporting: Application crashes and hangs
• Shell Core: Windows Explorer and shell events
• LDAP Client: Active Directory queries
• Group Policy: Policy processing events
• Windows Firewall: Firewall rule evaluations
• SQL Server / PowerShell / Task Scheduler / Certificate Services / Print Service

Performance & Diagnostics

• Performance Counters: System-wide performance metrics
• Diagnostic Policy Service: Windows troubleshooting events
• Timer Events: High-precision timing
• Wait Analysis: Thread wait and contention tracking