Follow

Editing the Agent installer MSI

Created by: Michael Olig
Created date:
Last Updated date:

Various properties of the Agent installer MSI can be changed using an MSI editor.  This can be done to make pre-modified Agent installers for pushing Agents, rather than having to manual install the Agent to specify the parameters.

The following steps assume the use of Orca (attached), a free MSI editor from Microsoft, but any MSI editor should work.

 

Notes:

  •  The Windows Agent MSIs can typically be found in "%ProgramFiles%\AccessData\Forensic Toolkit\<version>\bin\Agent\x86" and "%ProgramFiles%\AccessData\Forensic Toolkit\<version>\bin\Agent\x64"
  • We recommend backing up the original Agent installer prior to editing it.

 

To change the Agent executable's name:

  1. Install and run Orca.
  2. Click File > Open.
  3. Browse to the folder containing the Agent MSI and open the MSI.
  4. In the Tables list, select File
  5. Find the "agentcore.exe" row.
  6. In the FileName column, double-click "u4jwdc7h.exe|agentcore.exe".
  7. Replace the entire string with your desired executable name.
  8. Press Enter.
  9. Click File > Save.

To change the Agent service's name:

  1. Install and run Orca.
  2. Click File > Open.
  3. Browse to the folder containing the Agent MSI and open the MSI.
  4. In the Tables list, select ServiceControl.
  5. Find the "AgentServiceConfig" row.
  6. In the Name column, double-click "AgentService".
  7. Replace the entire string with your desired service name and press Enter.
  8. In the Tables list, select ServiceInstall.
  9. Find the "AgentServiceInstall" row.
  10. In the Name column, double-click "AgentService".
  11. Replace the entire string with the same service name as used in step 6 and press Enter.
  12. In the DisplayName column, double-click "AgentService".
  13. Replace the entire string with the same service name as used in step 6 and press Enter.
  14. Click File > Save.
  15. Click File > Close.

To make the Agent transient/temporary:

  1. Install and run Orca.
  2. Click File > Open.
  3. Browse to the folder containing the Agent MSI and open the MSI.
  4. In the Tables list, select Property
  5. Find the "TRANSIENT" row.
  6. In the Value column, double-click "0".
  7. Replace the "0" with the number "1".
  8. Press Enter.
  9. Find the "LIFETIME" row.
  10. In the Value column, double-click "0".
  11. Replace the "0" with a number denoting the desired lifetime.  A negative value is used to denote minutes (eg. -30 denotes 30 minutes), and a positive value is used to denote days (eg. 30 denotes 30 days).
  12. Press Enter.
  13. Click File > Save.

To make the Agent use Folder Storage rather than Protected Storage:

  1. Install and run Orca.
  2. Click File > Open.
  3. Browse to the folder containing the Agent MSI and open the MSI.
  4. In the Tables list, select Property
  5. Find the "FOLDER_STORAGE" row.
  6. In the Value column, double-click "0".
  7. Replace the "0" with the number "1".
  8. Press Enter.
  9. Click File > Save.

To make the Agent able to check-in to a Public Site Server:

  1. Install and run Orca.
  2. Click File > Open.
  3. Browse to the folder containing the Agent MSI and open the MSI.
  4. In the Tables list, select Property.
  5. Right-click in the list on the right, and click Add Row.
    2020-08-27_13_31_13-mRemoteNG_-_confCons.xml_-_Bart.png
  6. Set the Property to PUBSS and the Value to the external address of your Public Site Server, followed by 54545, and click OK.
    2020-08-27_13_35_38-mRemoteNG_-_confCons.xml_-_Bart.png
  7. Click File > Save.

To make the Agent able to check-in to a Root/Private Site Server:

  1. Install and run Orca.
  2. Click File > Open.
  3. Browse to the folder containing the Agent MSI and open the MSI.
  4. In the Tables list, select Property.
  5. Right-click in the list on the right, and click Add Row.
    2020-08-27_13_31_13-mRemoteNG_-_confCons.xml_-_Bart.png
  6. Set the Property to MAMA and the Value to the address of your Root/Private Site Server, followed by 54545, and click OK.
  7. Click File > Save.
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk