Downloads
Choose what you need
ET Ducky ships in two main flavors. The Desktop App runs locally on a single Windows machine and gives you the full diagnostics dashboard, ETW monitoring, and AI live sessions without deploying anything else. The Endpoint Agent is installed on the machines you want to monitor remotely — one binary handles inventory, behavioral-security rules, ransomware kill-chain detection, and live root-cause analysis. The same dashboard, the same AI, on Windows or Linux. A third category, Standalone Tools, holds open-source utilities that work without a tenant or an agent.
All binaries below are signed and version-pinned. The SHA256SUMS file at the bottom of this page covers every download on this page; verify any of them before installing.
Desktop App
ET Ducky Desktop App v1.8.1
The standalone client. Runs a local ETW collector, correlates kernel-level events, and gives you the full AI live-session experience on your own machine — no agent deployment required. Auto-updates when a new release ships.
Endpoint Agent
Install on the endpoints you want to monitor. Same agent code on every OS; same dashboard, alerts, and AI live sessions.
Windows Agent Installer v2.0.1.5
ETW-based kernel monitoring with behavioral-security rules and ransomware kill-chain detection. Installs as a Windows service and registers itself with your tenant on first start.
Linux Agent (.deb) v2.0.1.5
eBPF-based kernel diagnostics for Debian, Ubuntu, and derivatives. Installs as a systemd service via apt. amd64.
Linux Agent (.rpm) v2.0.1.5
eBPF-based kernel diagnostics for RHEL, Fedora, CentOS Stream, AlmaLinux, and Rocky Linux. Install with dnf or rpm -i. x86_64.
Linux Agent (universal .run) v2.0.1.5
Self-extracting installer for distros without first-class .deb / .rpm support — Arch, openSUSE, Alpine (with glibc compatibility), or custom builds. Run with sudo sh etducky-agent-2.0.1.5.run.
Standalone Tools
Open-source utilities with no tenant or agent dependency. Source available on GitHub under Apache License 2.0.
ET Ducky Provider Explorer v1.0.0
Standalone WinForms tool for enumerating, profiling, and learning about ETW providers. Three tabs: browse every published provider on the host, sniff one for cost and event shape with an educational drill-down, and a built-in Help primer on ETW concepts. No cloud, no agent, no telemetry.
Prefer no install? Portable .exe (~58 MB) — self-contained, runs from anywhere.
ET Ducky ProcDelta v1.0.0
Differential environmental diagnosis for Windows app failures. Record a known-good baseline of an app on a working machine, capture the same action on a broken one, and get a deterministic report of every registry, file, network, or runtime difference that could explain the failure. Open-source under Apache License 2.0.
Prefer no install? Portable .exe (~58 MB) — self-contained, runs from anywhere.
ET Ducky AvProfiler v1.0.0
Measure the antivirus tax on your file I/O. Pick a process (or capture system-wide), run a workload, and get a per-path / per-process breakdown of how much slower it ran versus your machine's baseline — plus ready-to-paste exclusion commands for Defender, CrowdStrike, SentinelOne, and Sophos. Open-source under Apache License 2.0.
Prefer no install? Portable .exe (~58 MB) — self-contained, runs from anywhere.
ET Ducky NetPath v1.1.0
End-to-end network diagnosis. Capture every DNS, TCP, TLS, HTTP, and auth event during a workload window, grouped into per-destination “stories” with pattern-matched diagnoses for common failure modes (TLS-inspection proxies, Azure AD Conditional Access denials, Kerberos SPN problems, firewall drops). Recommends the right next-cheapest tool when ETW visibility ends at the browser. Open-source under Apache License 2.0.
Prefer no install? Portable .exe (~58 MB) — self-contained, runs from anywhere.
Verify your download
Compare the SHA-256 hash of any download against the signed checksum file below before installing. On Linux, run sha256sum -c SHA256SUMS in the directory where you downloaded the file. On Windows, Get-FileHash <file> -Algorithm SHA256 in PowerShell, then compare to the matching row.
Loading checksums…
Windows installers are Authenticode-signed — right-click the downloaded .exe, choose Properties → Digital Signatures, and confirm the publisher before running.
Looking for source or self-hosted builds?
Self-hosted deployments and on-prem image bundles are documented in the self-hosted guide. Air-gapped customers can request signed offline installers through support — see deployment options for details.