ETW Event Monitoring

• File system operations and permission tracking
• Registry access and modification monitoring
• Process lifecycle and crash detection
• Network connections and DNS queries
• Custom filtering and event correlation
• Configurable collection modes for performance tuning

Collection Modes

Health Only Mode

• Baseline monitoring with minimal overhead
• 30-second health check intervals
• CPU and memory metrics only
• Low resource usage

On-Demand Collection

• Reproduce-to-diagnose scenarios
• User-controlled start/stop
• Configurable ETW provider selection
• Moderate overhead when active

Full Monitoring

• Continuous audit trails
• All configured providers active
• Production monitoring capability
• Performance-tuned for minimal impact

Health Monitoring

• Real-time CPU and memory metrics
• 30-second health check intervals
• Historical health data retention
• Color-coded status indicators
• Agent online/offline tracking
• Low overhead monitoring mode

Desktop Deployment

• Simple installer download
• Windows 10/11 support
• User-mode application
• No administrator privileges required
• Automatic updates

Agent Deployment

Standard Installation

• Organization-specific installer
• Built-in authentication tokens
• Windows Service deployment
• Automatic registration with cloud
• Agent appears in dashboard within 30 seconds

Silent Installation

• Command-line installation support
• Mass deployment ready
• No user interaction required
• Suitable for enterprise deployment tools

System Requirements

Agent Systems

• Windows 10/11 or Windows Server 2016+
• Administrator/SYSTEM privileges
• 50-200 MB RAM depending on collection mode
• 100 MB disk space for agent
• HTTPS outbound access to etducky.com

Dashboard Access

• Modern web browser
• Internet connection
• JavaScript enabled

Web Dashboard

• Monitor all agents from anywhere
• Real-time status and health metrics
• Remote agent configuration
• Usage analytics and quota tracking
• Billing management and invoices
• Team member management

Organization Management

• Multi-organization support for MSPs and enterprises
• Query quota pooling across team members
• Team collaboration and shared resources
• Centralized billing and usage tracking
• Organization-wide analytics
• Switch between organizations instantly

Remote Configuration

• Cloud-managed agent updates
• Remote collection mode switching
• ETW provider configuration from dashboard
• Live query session management
• Agent lifecycle management

Usage Tracking

• Real-time query quota monitoring
• Organization-wide usage analytics
• Agent count and billing projections
• Historical usage data
• Per-member quota visibility

Scale

• Support for large-scale agent deployments
• Volume pricing discounts
• Dedicated infrastructure for Enterprise tier
• Performance optimized for thousands of agents

Security

• Secure authentication with Clerk
• Organization-specific agent tokens
• HTTPS encryption for all communication
• Events correlated locally before transmission
• Minimal data transmission footprint

Support

• Priority support channels for paid tiers
• Dedicated support for Enterprise customers
• SLA guarantees for Enterprise tier
• Email and dashboard-based support

Deployment Tools

• Silent installation support
• Command-line deployment options
• Organization-specific installer generation
• Automated agent registration

Agent Types

Managed Agents ($8/month each)

• Purpose: Servers, production systems, critical workstations requiring full monitoring capabilities
• Deployment: Windows Service (runs as SYSTEM), auto-start with Windows
• Features:
  • Full ETW event collection with configurable providers
  • Real-time health metrics (CPU, Memory, Disk, Network)
  • Advanced filtering and event suppression
  • On-demand and continuous monitoring modes
  • Interactive live query sessions
  • AI-powered diagnostics and correlation
  • Remote configuration management
  • Alert evaluation and notification
• Billing: $8/month per agent, prorated daily
• Resource Usage: 50-200 MB RAM, 1-15% CPU depending on workload

Desktop Agents (Free, Unlimited)

• Purpose: Personal workstations, development machines, non-critical systems
• Deployment: User-mode application, starts with user session
• Features:
  • Real-time health metrics monitoring
  • Basic status and uptime tracking
  • Dashboard visibility and management
  • No ETW event collection capability
  • No AI diagnostics
• Billing: Free (unlimited agents)
• Resource Usage: ~30-50 MB RAM, <1% CPU

Collection Modes

Health Only (Default)

• Purpose: Continuous baseline monitoring with minimal overhead
• Data Collected: CPU usage, memory usage, disk space, network statistics
• Update Frequency: Every 30 seconds
• ETW Events: None collected
• Resource Impact: <1% CPU, ~50 MB RAM
• Use Case: Always-on production monitoring, baseline health checks

On-Demand Collection

• Purpose: Time-limited diagnostic sessions for specific incidents
• Data Collected: Health metrics plus configured ETW providers
• Duration: 5-60 minutes (configurable)
• Auto-Stop: Returns to Health Only after duration expires
• Resource Impact: 5-10% CPU, 50-150 MB RAM
• Use Case: Troubleshooting specific issues, scheduled diagnostics, maintenance windows

Full Monitoring

• Purpose: Continuous comprehensive diagnostics for critical systems
• Data Collected: Health metrics plus all enabled ETW providers continuously
• Duration: Indefinite (until manually stopped)
• Auto-Stop: None - requires manual intervention
• Resource Impact: 8-15% CPU, 100-200 MB RAM
• Use Case: Production issue investigation, performance analysis, security monitoring
• Warning: Higher resource consumption - use judiciously on production systems

ETW Event Providers

ET Ducky supports comprehensive Event Tracing for Windows (ETW) providers across multiple categories. Providers can be enabled individually or in preset configurations.

Kernel Providers

Low-level Windows kernel events with minimal overhead:

• File System I/O: File creation, deletion, read, write, rename operations
• File System Initialization: Volume mount, file system load events
• Process & Thread: Process creation, termination, thread lifecycle
• Image Load: DLL and executable loading
• Registry: Registry key and value operations
• Network TCP/IP: TCP connection, send, receive events
• Network UDP: UDP datagram events
• Memory Management: Page faults, memory allocation
• Driver Operations: Driver load and unload events
• Object Handles: Handle creation and destruction
• Process Counters: Performance counter snapshots

User-Mode Providers

Application-level events for specific Windows subsystems:

• .NET Runtime: CLR events, JIT compilation, garbage collection
• .NET Exceptions: Managed exception tracking
• DNS Client: DNS queries and responses
• WinHTTP: HTTP request and response events
• TCP/IP (User): User-mode network stack events
• Windows Error Reporting: Application crashes and hangs
• Shell Core: Windows Explorer and shell events
• LDAP Client: Active Directory queries
• Group Policy: Policy processing events
• Windows Firewall: Firewall rule evaluations
• SQL Server: SQL Server provider events (if installed)
• PowerShell: PowerShell script execution
• Task Scheduler: Scheduled task execution
• Certificate Services: Certificate operations
• Print Service: Print job events

Performance & Diagnostics

Specialized providers for performance analysis:

• Performance Counters: System-wide performance metrics
• Diagnostic Policy Service: Windows troubleshooting events
• Timer Events: High-precision timing information
• Wait Analysis: Thread wait and contention tracking

Dashboard Overview

The ET Ducky dashboard provides centralized visibility into your entire Windows infrastructure through an intuitive web interface.

Key Components

• Agents View: Real-time status of all deployed agents with health indicators
• Alerts View: Active and historical alerts with AI analysis
• Health Metrics: Visual charts and graphs for system performance
• Live Sessions: Interactive query interface for agent diagnostics
• Team Management: Organization and user access control
• Billing: Usage tracking and subscription management

Agents Page

Central hub for managing and monitoring all deployed agents.

Agent List Features

• Real-Time Status: Online/offline indicators updated every 30 seconds
• Health Metrics: At-a-glance CPU, memory, disk usage
• Quick Actions: Start live session, view properties, configure agent
• Sorting & Filtering: Find specific agents quickly
• Bulk Operations: Apply configuration to multiple agents simultaneously

Agent Details

Click any agent name to access comprehensive details:

• System Information: Hostname, OS version, domain, last seen timestamp
• Current Health: Real-time CPU, memory, disk, network metrics
• Disk Information: All volumes with usage bars and space remaining
• Collection Status: Current mode (Health Only, On-Demand, Full Monitoring)
• Configuration: Enabled providers and filtering settings

Agent Properties

Access comprehensive agent configuration through the Properties interface.

Available Actions

• View Configuration: Review current agent settings and enabled providers
• Modify Settings: Enable/disable providers, adjust collection parameters
• Reload from Agent: Fetch current configuration from the agent
• Restart Agent: Remotely restart the agent service
• Delete Agent: Remove agent from dashboard (agent continues running until uninstalled)

Event Filtering

Reduce event volume and focus on relevant data:

• Enable Filtering: Toggle event filtering on/off
• Exclude System Processes: Filter out System, Idle, and Registry processes
• Exclude High-Frequency Events: Suppress known noisy event patterns
• Process Exclusion List: Specify processes to ignore (one per line)
• Path Pattern Exclusion: Exclude events matching specific file paths
• Process Inclusion List: Whitelist mode - collect only from specified processes

Remote Management

Control agents remotely without direct system access.

Collection Control

• Start Collection: Begin ETW event capture with configured providers
• Stop Collection: End event capture, return to Health Only mode
• Duration Control: Set time-limited collection periods (On-Demand mode)
• Mode Selection: Choose between On-Demand (timed) and Full Monitoring (continuous)

Service Management

• Restart Agent: Restart agent service to apply configuration changes
• Status Monitoring: Track agent uptime and connectivity
• Configuration Push: Send new settings to agent automatically

Bulk Configuration

Apply consistent settings across multiple agents efficiently.

Bulk Operations

• Multi-Select: Choose multiple agents from the agents list
• Configuration Presets: Apply standard, comprehensive, or maximum configurations
• Provider Templates: Enable common provider groups across all selected agents
• Batch Deployment: Push configurations to all selected agents simultaneously

Configuration Presets

• Standard (Baseline): Core providers for general monitoring with minimal overhead
• Comprehensive: Extended provider set for detailed diagnostics
• Maximum: All providers enabled (high resource usage - diagnostic use only)
• Custom: Save your own preset configurations for reuse

Real-Time Metrics

Continuous monitoring of critical system resources with 30-second updates.

CPU Monitoring

• Overall Usage: System-wide CPU utilization percentage
• Per-Core Breakdown: Individual core utilization (multi-core systems)
• Historical Trends: CPU usage graphs over time
• Alerting: Configurable thresholds for high CPU conditions

Memory Monitoring

• Physical Memory: Total and available RAM
• Memory Usage Percentage: Percentage of physical memory in use
• Committed Bytes: Virtual memory allocation
• Page File Usage: Virtual memory file utilization
• Memory Pressure: System memory stress indicators

Disk Monitoring

• Volume Information: All mounted drives and network shares
• Space Utilization: Used and available space per volume
• Usage Percentage: Visual indicators with color-coding
• File System Type: NTFS, ReFS, FAT32 identification
• Low Space Alerts: Notifications when space thresholds reached

Network Monitoring

• Bytes Sent/Received: Network throughput metrics
• Connection Count: Active TCP/UDP connections
• Interface Statistics: Per-adapter metrics
• Bandwidth Utilization: Network usage patterns

Historical Data

Health metrics are stored for analysis and trending.

Data Retention

• Raw Metrics: 30 days of detailed data points
• Aggregated Data: 90 days of hourly averages
• Long-Term Trends: 1 year of daily summaries

Visualization

• Time-Series Charts: Interactive graphs for each metric
• Zoom Controls: Focus on specific time periods
• Comparison Views: Compare metrics across multiple agents
• Export Options: Download data as CSV for external analysis

Intelligent Monitoring

Automated alert system with AI-powered analysis monitors your infrastructure 24/7, detecting issues before they impact users.

Key Features

• Real-Time Evaluation: Alert rules evaluated every time agents report health metrics
• Flexible Rules: Create custom rules with complex conditions and thresholds
• Multi-Channel Notifications: Deliver alerts via email, Slack, Microsoft Teams, webhooks, or PagerDuty
• AI Analysis: Every alert automatically analyzed by Claude AI for root cause and recommendations
• Auto-Resolution: Alerts automatically resolve when conditions return to normal
• Alert Lifecycle: Track alerts from trigger through acknowledgment to resolution

Alert Dashboard

Centralized view of all active and historical alerts with powerful filtering and management capabilities.

Dashboard Components

• Statistics Cards: Count of critical, warning, and info alerts at a glance
• Alert Timeline: Chronological list of all alerts with severity indicators
• Filtering Controls: Filter by status (active, acknowledged, resolved) and severity
• Real-Time Updates: Dashboard refreshes automatically every 30 seconds
• Instant Notifications: Browser notifications for new critical alerts

Alert Details

Each alert provides comprehensive information:

• Basic Information: Severity, status, triggered time, affected agent
• Triggering Metrics: Exact metric values that caused the alert
• AI Analysis: Claude AI-generated root cause analysis with recommendations
• Action History: Acknowledgment and resolution timestamps
• Quick Actions: Acknowledge or resolve alerts directly from detail view

Alert Rules

Define what conditions should trigger alerts and at what severity level.

Rule Components

• Condition Logic: Combine multiple conditions with AND/OR operators
• Metric Selection: Choose from CPU, memory, disk, network, or custom metrics
• Comparison Operators: Greater than, less than, equals, between ranges
• Threshold Values: Set specific numeric thresholds for each metric
• Evaluation Interval: How frequently to check the condition (30s-300s)
• Severity Assignment: Critical, warning, or informational

Rule Templates

Pre-built templates for common monitoring scenarios:

• High CPU Usage: Alert when CPU exceeds 80% for 5 minutes
• High Memory Usage: Alert when memory exceeds 85% for 5 minutes
• Low Disk Space: Alert when any disk has less than 10% free space
• Agent Offline: Alert when agent stops reporting for 10 minutes
• High Network Traffic: Alert when network exceeds 100 MB/s sustained
• Custom Templates: Save your own rules as templates for reuse

Notification Channels

Configure where and how alerts are delivered to your team.

Supported Channels

Channel Type	Use Case	Configuration
Webhook	Custom integrations, ITSM tools, automation workflows	URL, HTTP method, authentication, custom headers
Email	Individual notifications, management reports	Recipient addresses, subject template, SMTP settings
Slack	Team chat notifications, DevOps channels	Webhook URL, channel, mention settings
Microsoft Teams	Enterprise team collaboration	Webhook URL, adaptive card formatting
PagerDuty	On-call management, incident escalation	Integration key, service mapping, severity mapping

Channel Features

• Test Functionality: Send test notifications to verify configuration
• Enable/Disable: Temporarily mute channels without deleting
• Multiple Channels: Assign multiple notification channels to each rule
• Channel Reuse: Use same channel across multiple rules
• Retry Logic: Automatic retry on delivery failures

AI-Powered Analysis

Every alert receives automatic analysis from Claude AI, providing context and actionable recommendations.

Analysis Components

• Root Cause: AI identifies the likely underlying cause of the alert condition
• Impact Assessment: Understanding of what systems or users are affected
• Immediate Actions: Steps to take right now to mitigate the issue
• Long-Term Recommendations: Preventive measures to avoid recurrence
• Related Context: Relevant system information and metric trends
• Confidence Level: AI confidence score for the analysis

Analysis Caching

• Pattern Recognition: Similar alerts reuse cached analysis for instant results
• Cost Optimization: Reduces AI API costs by avoiding duplicate analyses
• Cache Duration: Analysis cached for 24 hours
• Freshness: Cache automatically expires to ensure current recommendations

Alert Management

Lifecycle management for alerts from detection through resolution.

Alert States

• Active: Alert currently triggered, condition still met
• Acknowledged: Team member has acknowledged awareness
• Resolved: Manually resolved by team member
• Auto-Resolved: Condition returned to normal automatically

Management Actions

• Acknowledge: Mark alert as seen and being worked on
• Resolve: Close alert with optional resolution notes
• View Details: Access full alert information and AI analysis
• Filter & Search: Find specific alerts quickly
• Export: Download alert history for reporting

Coming Soon: Rule Builder

Visual rule builder interface for creating complex alert conditions without manual configuration (planned for upcoming release).

AI-Powered Analysis

ET Ducky integrates Claude AI from Anthropic to provide intelligent correlation, root cause analysis, and actionable recommendations for system issues.

AI Capabilities

• Event Correlation: Automatically connect related events across processes and time
• Root Cause Analysis: Identify underlying causes of issues from event patterns
• Natural Language Queries: Ask questions in plain English about system behavior
• Context-Aware Responses: AI understands the full system context for better answers
• Actionable Recommendations: Specific steps to resolve identified issues
• Multi-Agent Analysis: Correlate events across multiple systems simultaneously

Query Examples

• "Why is the SQL Server service failing to start?"
• "What processes are accessing file X?"
• "Show me all failed authentication attempts in the last hour"
• "Why is the system slow right now?"
• "What changed before the application started crashing?"
• "Correlate these errors across all web servers"

Query Pool System

AI diagnostics are powered by a query-based consumption model. Each organization receives a monthly allocation of AI queries.

Query Allocation

• BYOK Tier: Unlimited queries using your own Anthropic API key
• Professional Tier: 1,000 queries per month
• Business Tier: 5,000 queries per month
• Enterprise Tier: 50,000 queries per month
• Rollover: Unused queries do not roll over to next month (paid tiers only)

Query Consumption

• Live Session Queries: 1 query per natural language question
• Alert AI Analysis: 1 query per alert (cached for 24 hours)
• Multi-Agent Analysis: 1 query per correlation request
• Batch Operations: Queries deducted based on number of questions asked

Usage Monitoring

• Dashboard Display: View current month usage and remaining queries
• Usage Alerts: Notifications when approaching quota limit
• Historical Tracking: Review past month's consumption patterns
• Team Visibility: All organization members share the same pool

Interactive Diagnostics

Live sessions provide real-time, interactive Q&A with remote agents. Start a session, ask questions in natural language, and receive AI-powered answers based on live ETW data.

Session Features

• Real-Time Communication: Direct WebSocket connection to agent for instant responses
• Natural Language: Ask questions in plain English, no query syntax required
• Continuous Dialog: Follow-up questions maintain context from previous queries
• Event Correlation: AI automatically correlates events to answer questions
• Automatic ETW Collection: Session starts ETW collection on agent automatically
• Session History: All questions and answers preserved during session

Starting a Session

1. Navigate to Agents page
2. Click "Live Session" button for target agent
3. Wait for connection establishment (typically 2-3 seconds)
4. ETW collection starts automatically on agent
5. Begin asking questions immediately

During a Session

• Ask Questions: Type natural language queries in the input box
• View Responses: AI analyzes events and provides formatted answers
• Follow Up: Ask additional questions to dig deeper
• Processing Time: Most queries return results in 3-10 seconds
• Session Duration: No time limit - sessions remain active until manually ended

Ending a Session

• Click "End Session" button in the session window
• ETW collection stops automatically on agent
• Agent returns to previous collection mode
• Session history is not retained after closing

Best Practices for Live Sessions

Effective Queries

• Be Specific: "Why can't user John access \\server\share?" vs "Why doesn't this work?"
• Include Context: Mention application names, file paths, user accounts
• Time Frames: Specify when the issue occurred if known
• Start Broad: Begin with overview questions, then narrow focus
• One Issue at a Time: Focus on single problem for better correlation

Common Use Cases

• Application Troubleshooting: "Why is application X crashing?"
• Performance Issues: "What is causing high CPU right now?"
• Access Problems: "Why can't users access network share Y?"
• Service Failures: "Why did service Z fail to start?"
• Change Tracking: "What changed in the registry recently?"

Resource Considerations

• Agent Impact: ETW collection during session uses 5-10% CPU
• Query Pool: Each question consumes one query from organization pool
• Network Bandwidth: Event streaming typically 100-500 KB/second
• Session Concurrency: One active session per agent at a time

Cross-System Correlation

Analyze events from multiple agents simultaneously to identify distributed issues, trace requests across tiers, and correlate failures spanning multiple systems.

Key Features

• Multi-System Selection: Choose 2-10 agents for simultaneous analysis
• Distributed Tracing: Follow requests through web servers, app servers, and databases
• Timing Correlation: Match events across systems by timestamp
• Cross-System Queries: Ask questions spanning multiple machines
• Unified Timeline: View events from all agents in single chronological order

Use Cases

• Distributed Applications: Trace request flow through multi-tier architecture
• Load Balanced Services: Identify which server in pool is causing issues
• Cluster Analysis: Diagnose problems in clustered environments
• Network Issues: Correlate client and server-side events
• Replication Problems: Compare events on primary and replica systems

Starting Multi-Agent Sessions

1. Navigate to Agents page
2. Select multiple agents (2-10) using checkboxes
3. Click "Multi-Agent Session" button
4. Wait for all agents to connect
5. ETW collection starts on all selected agents
6. Begin asking cross-system questions

Query Examples

• "Why are requests failing between web servers and database?"
• "Which server in the pool is returning errors?"
• "Show authentication failures across all domain controllers"
• "Trace this transaction ID through all tiers"
• "Compare file modifications on both servers"

Performance Considerations

• Agent Count: 2-5 agents recommended for best performance
• Query Complexity: Cross-system queries take longer (10-30 seconds)
• Resource Usage: Each agent uses 5-10% CPU during session
• Network Impact: Event streaming from multiple sources increases bandwidth

Configuration Management

ET Ducky provides comprehensive remote configuration capabilities, allowing you to adjust agent behavior without direct system access.

Configuration Options

• Provider Selection: Enable/disable specific ETW providers
• Event Filtering: Configure process and path exclusions
• Sampling Rates: Adjust collection frequency for high-volume providers
• Buffer Sizes: Configure local event buffer capacity
• Collection Modes: Set default behavior (Health Only, On-Demand, Full)

Configuration Presets

Quick-apply standard configurations for common scenarios.

Standard (Baseline) Configuration

• Purpose: General-purpose monitoring with minimal overhead
• Providers Enabled: File I/O, Process/Thread, Registry, Network, .NET Runtime, DNS
• Event Volume: 100-500 events/second typical
• Resource Impact: 2-5% CPU, 50-100 MB RAM
• Use Case: Production servers, routine monitoring

Comprehensive Configuration

• Purpose: Detailed diagnostics with moderate overhead
• Providers Enabled: All Standard providers plus Memory, Handles, Drivers, WER, Shell
• Event Volume: 500-2,000 events/second typical
• Resource Impact: 5-10% CPU, 100-150 MB RAM
• Use Case: Troubleshooting sessions, performance analysis

Maximum Configuration

• Purpose: Exhaustive data collection for complex issues
• Providers Enabled: All available providers
• Event Volume: 5,000-10,000+ events/second
• Resource Impact: 10-15% CPU, 150-200 MB RAM
• Use Case: Short-term diagnostic sessions only
• Warning: High resource consumption - not suitable for extended use

Advanced Filtering

Fine-tune event collection to focus on relevant data and reduce noise.

Process Filtering

• Exclusion List: Specify processes to ignore completely
• Inclusion List: Whitelist mode - collect only from specified processes
• System Process Filter: Automatically exclude System, Idle, and Registry processes
• Dynamic Updates: Modify filters without restarting agent

Path Pattern Filtering

• Wildcard Support: Use wildcards for flexible pattern matching
• Common Exclusions: Windows temp directories, prefetch, system cache
• Custom Patterns: Define application-specific exclusions

Noise Reduction

• High-Frequency Filter: Suppress known noisy events automatically
• Sampling: Collect subset of high-volume events (e.g., 1 in 10)
• Event Type Exclusion: Disable specific event types while keeping provider active

Configuration Deployment

Individual Agent

1. Open agent Properties from Agents page
2. Modify configuration settings as needed
3. Click "Save Configuration"
4. Configuration pushed to agent within seconds
5. Agent applies changes without restart (most settings)

Bulk Deployment

1. Select multiple agents from Agents page
2. Click "Bulk Configure"
3. Choose preset or configure custom settings
4. Apply to all selected agents simultaneously
5. Monitor deployment status per agent

Configuration Validation

• Syntax Checking: Validate configuration before deployment
• Compatibility Verification: Ensure settings match agent version
• Resource Estimation: Preview expected CPU/RAM impact
• Rollback Support: Reload previous configuration if needed

Subscription Tiers

Tier	Monthly Cost	AI Queries	Managed Agents	Features
BYOK (Bring Your Own Key)	$0	Unlimited (your API key)	0 included	Use your own Anthropic API key
Professional	$39	1,000	10 included	Cloud-hosted processing, no API key needed
Business	$99	5,000	10 included	Team collaboration, advanced correlation
Enterprise	$249	50,000	10 included	Enterprise-scale, SLA, white-glove support

BYOK (Bring Your Own Key) Tier

• Cost: Free - no monthly subscription fee
• API Key: Provide your own Anthropic API key for AI diagnostics
• AI Queries: Unlimited queries (you pay Anthropic directly based on your usage)
• Managed Agents: No managed agents included - must purchase separately starting at $8/agent/month
• Desktop Agents: Unlimited free desktop agents for health monitoring
• Features: Full access to all platform features
• Best For: Users who already have Anthropic API keys or want pay-as-you-go AI usage

Paid Tier Agent Inclusion

• Professional, Business, Enterprise: 10 managed agents included with subscription
• Additional Agents: Purchase more agents at volume-based pricing (starting at $8/agent/month)
• Volume Discounts: Apply to all agents beyond the included 10

Per-Agent Pricing

• Included Agents: Professional, Business, and Enterprise plans include 10 managed agents
• Additional Agents: Additional managed agents beyond the included 10 are billed based on volume pricing
• BYOK Tier: No agents included - all agents purchased at volume pricing starting at $8/agent/month
• Desktop Agents: Free and unlimited on all tiers
• Billing Cycle: Monthly, charged on signup anniversary (or annually with 15% discount)
• Agent Count: Based on highest count during billing period

Volume Discounts

Reduce per-agent costs with volume pricing tiers:

• 1-99 seats: $8 per seat per month
• 100-999 seats: $7 per seat per month (12.5% discount)
• 1,000-9,999 seats: $6 per seat per month (25% discount)
• 10,000-49,999 seats: $5 per seat per month (37.5% discount)
• 50,000+ seats: $4 per seat per month (50% discount)

Volume discounts apply automatically based on your total managed agent count. All agents in your organization count toward the volume tier.

Annual Billing Discount

• Monthly Billing: Standard pricing as listed above
• Annual Billing: 15% discount on base subscription tier (Professional, Business, Enterprise)
• Annual Professional: $398.10/year (normally $468) - save $69.90
• Annual Business: $1,009.80/year (normally $1,188) - save $178.20
• Annual Enterprise: $2,539.80/year (normally $2,988) - save $448.20
• Agent Billing: Agent seats can also be purchased annually with 15% savings

Usage Monitoring

Track your consumption and costs in real-time from the Billing dashboard.

Billing Dashboard

• Current Usage: Active managed agent count
• AI Query Pool: Remaining queries for current month
• Cost Projection: Estimated charges for current period
• Historical Usage: Past months' consumption patterns
• Invoice History: Download past invoices and receipts

Cost Control

• Agent Alerts: Notifications when approaching agent limit
• Query Alerts: Warnings when AI query pool running low
• Spending Limits: Set maximum monthly spend (Enterprise)
• Usage Reports: Detailed breakdown by agent and feature

Subscription Management

Upgrading

• Instant Upgrade: Changes take effect immediately
• Prorated Billing: Pay only for remainder of billing period
• Query Pool Increase: Additional queries available immediately
• Feature Access: Upgraded features unlocked instantly

Downgrading

• End of Period: Downgrade takes effect at next billing cycle
• Query Pool: Reduced allocation begins next month
• Agent Limits: May need to reduce agent count before downgrade
• Feature Access: Premium features remain until period end

Cancellation

• Access Retention: Full access until end of paid period
• Data Retention: Historical data retained for 30 days post-cancellation
• Reactivation: Reactivate within 30 days to restore full access
• Data Export: Export all data before cancellation if needed

Common Scenarios

Application Not Starting

1. Open Live Session with affected agent
2. Enable Process, File I/O, and Registry providers
3. Start ETW collection (On-Demand mode)
4. Attempt to start the application
5. Ask: "Why did [application name] fail to start?"
6. Review AI analysis for missing files, permission issues, or dependencies
7. Follow recommended remediation steps
8. Verify fix by attempting to start application again

Performance Degradation

1. Review Health metrics for CPU, memory, disk bottlenecks
2. Enable Process, Thread, and Performance Counter providers
3. Start Full Monitoring to capture sustained activity
4. Allow system to exhibit slow behavior
5. Ask: "What is causing high CPU/memory/disk usage?"
6. AI identifies resource-intensive processes and operations
7. Optimize or terminate problematic processes
8. Monitor health metrics to confirm improvement

Network Connectivity Issues

1. Enable Network TCP/IP, UDP, and DNS Client providers
2. Start ETW collection
3. Reproduce connectivity failure
4. Ask: "Why can't [application] connect to [destination]?"
5. Review connection attempts, failures, and error codes
6. Check DNS resolution, firewall rules, network path
7. Apply fixes based on AI recommendations
8. Verify connectivity restored

File Access Denied

1. Enable File System I/O and Registry providers
2. Start ETW collection before access attempt
3. Reproduce file access failure
4. Ask: "Why can't [user/application] access [file path]?"
5. Review ACCESS_DENIED events and permission checks
6. Identify missing permissions or ownership issues
7. Adjust NTFS permissions or ownership as recommended
8. Verify access granted

Service Start Failures

1. Enable Process, Registry, and WER (Windows Error Reporting) providers
2. Start ETW collection
3. Attempt to start service
4. Ask: "Why did [service name] fail to start?"
5. AI analyzes service startup sequence, dependencies, and errors
6. Address dependency issues, permission problems, or configuration errors
7. Start service successfully

The ET Ducky Diagnostic Method

A systematic approach to diagnosing and resolving Windows system issues efficiently.

1. Identify: What system? What specific problem? When does it occur?
2. Prepare: Enable relevant ETW providers for the issue type
3. Capture: Start collection BEFORE attempting to reproduce
4. Reproduce: Perform the action that causes the issue while ETW is collecting
5. Query: Ask AI specific, targeted questions about the captured events
6. Analyze: Review AI correlation, root cause, and recommendations
7. Remediate: Apply suggested fixes systematically
8. Verify: Test that issue is resolved
9. Document: Save query results and resolution steps for future reference
10. Monitor: Set up alerts to detect recurrence proactively

Multi-System Issues

Diagnosing problems spanning multiple machines.

Distributed Application Failures

1. Select all affected tier agents (web, app, database)
2. Start Multi-Agent Session
3. Enable Network and Process providers on all
4. Reproduce failure scenario
5. Ask: "Trace this transaction/request through all tiers"
6. AI correlates events across systems chronologically
7. Identify which tier is failing and why
8. Apply targeted fix to specific tier

Load Balancer Issues

1. Select all servers in load balanced pool
2. Start Multi-Agent Session
3. Enable Network and Application providers
4. Monitor during load
5. Ask: "Which server is causing failures?"
6. AI identifies problematic server from error patterns
7. Remove faulty server from pool
8. Investigate and remediate specific server issues

Agent Deployment Strategy

Production Servers

• Deploy as managed agents for full monitoring capabilities
• Keep in Health Only mode by default to minimize overhead
• Enable Full Monitoring only during active incidents
• Use On-Demand for scheduled maintenance windows
• Configure alerts for critical metrics (CPU, memory, disk, services)
• Apply Standard (Baseline) provider configuration

Development/Test Systems

• Can use managed or desktop agents depending on diagnostics needs
• Full Monitoring acceptable during active development hours
• Turn off intensive collection during idle periods
• Use Comprehensive provider configuration for debugging
• Less restrictive event filtering for detailed diagnostics

User Workstations

• Desktop agents (free) for general health monitoring
• Managed agents only for VIP users or critical workstations
• On-Demand collection only when actively troubleshooting
• Minimal provider configuration to reduce user impact
• Aggressive event filtering to focus on application issues

Performance Optimization

CPU Impact Guidelines

• Health Only: <1% CPU - safe for all systems
• On-Demand (idle): 1-2% CPU - acceptable for most systems
• On-Demand (active): 5-10% CPU - use during maintenance windows
• Full Monitoring: 8-15% CPU - reserve for critical diagnostics only

Memory Impact Guidelines

• Health Only: ~50 MB - negligible on modern systems
• On-Demand: 50-150 MB - monitor on memory-constrained systems
• Full Monitoring: 100-200 MB - ensure adequate free memory

Network Impact

• Health metrics: <1 KB every 30 seconds - negligible bandwidth
• Event streaming: 100 KB - 10 MB/hour depending on activity and providers
• Live sessions: 100-500 KB/second during active querying
• Bandwidth planning: Budget 10-50 MB/hour per actively collecting agent

Provider Selection Strategy

• Start with Baseline: Enable only essential providers initially
• Add Incrementally: Enable additional providers as needed for specific issues
• Monitor Impact: Watch CPU/memory usage after enabling high-volume providers
• Disable When Done: Turn off diagnostic providers after troubleshooting
• Use Sampling: Enable sampling on high-volume providers to reduce load

Security Best Practices

• Deploy managed agents with least-privilege service accounts where possible
• Rotate organization authentication keys periodically (every 90 days recommended)
• Use separate organizations for production and non-production environments
• Review team member access regularly, remove departed employees promptly
• Delete agents from dashboard when systems are decommissioned
• Monitor agent offline events for unauthorized agent removals or tampering
• Configure alert notifications to security team for critical events
• Restrict ETW provider access to sensitive operations (e.g., audit logs) in production
• Use event filtering to exclude sensitive file paths or registry keys from collection
• Review exported data before sharing outside organization

Cost Optimization

• Use Desktop agents for non-critical systems and personal workstations
• Delete inactive or offline agents promptly to avoid unnecessary charges
• Keep managed agents in Health Only mode when not actively troubleshooting
• Right-size subscription tier to actual monthly query consumption
• Monitor monthly agent count in Billing dashboard
• Use agent-specific collection rather than organization-wide Full Monitoring
• Leverage AI analysis caching by grouping similar troubleshooting sessions
• Set up alerts to reduce reactive diagnostics and query consumption
• Export and archive historical data before downgrading retention tier
• Schedule diagnostic sessions during maintenance windows to batch query usage
• Take advantage of volume discounts: Consolidate agents in single organization to reach higher discount tiers
• Save 15% with annual billing: Pay annually for base subscription and agent seats to reduce costs
• Consider BYOK tier: If you have high AI usage, bring your own API key for unlimited queries

Alert Configuration Best Practices

• Start with high-severity thresholds, refine based on actual baselines
• Configure notification channels before creating rules
• Test notification channels immediately after configuration
• Use multiple notification channels for critical alerts (email + Slack + PagerDuty)
• Set appropriate evaluation intervals based on metric volatility
• Create informational alerts for trends, not just critical conditions
• Document alert response procedures in resolution notes
• Review and adjust alert rules monthly based on alert frequency
• Use auto-resolution to avoid alert fatigue
• Leverage AI analysis to continuously improve alert accuracy

Operational Excellence

Regular Maintenance

• Review agent health weekly for offline or unhealthy agents
• Update agent software when new versions are released
• Verify agent configurations match current operational standards
• Clean up test agents and old configurations
• Review and optimize alert rules based on actual trigger patterns

Documentation

• Document standard provider configurations for different system types
• Maintain runbooks for common diagnostic scenarios
• Save successful query examples for future reference
• Record alert response procedures
• Document organization-specific filtering patterns

Team Collaboration

• Share useful diagnostic queries with team members
• Cross-train team on common troubleshooting workflows
• Review AI analysis results in team meetings to build collective knowledge
• Establish escalation paths for complex issues
• Use shared notification channels for team visibility

Getting Help

Support Channels

• Email Support: Contact support team for technical assistance
• Documentation: Comprehensive guides available in this documentation
• Status Page: Check status.etducky.com for service health and incidents
• In-App Help: Contextual help available throughout the dashboard

When Contacting Support

To expedite resolution, please include:

• Your organization ID (found in Settings)
• Agent ID if issue is agent-specific
• Screenshots of error messages or unexpected behavior
• Detailed steps to reproduce the issue
• Agent version and Windows version
• Recent configuration changes if applicable
• Impact assessment (how many users/systems affected)

Response Times

• Professional: Email support, 24-hour response time
• Business: Priority email support, 8-hour response time
• Enterprise: Dedicated support contact, 2-hour response time, phone support

Roadmap & Upcoming Features

ET Ducky is continuously evolving. Here are features in development or planned for upcoming releases:

Near-Term (Next 3 Months)

• Visual alert rule builder with drag-and-drop interface
• Enhanced alert rule templates library
• Notification channel setup wizards
• Alert analytics dashboard with trend visualization
• Custom alert rule sharing within organization
• Agent group management for organized hierarchy
• Enhanced multi-agent session UI with visual timeline

Mid-Term (3-6 Months)

• Mobile application for iOS and Android
• Push notifications for critical alerts on mobile
• Extended data retention options (1 year+)
• Advanced reporting and analytics platform
• Custom dashboards with drag-and-drop widgets
• Agent auto-discovery in Active Directory
• Bulk agent deployment tools and scripts
• Integration marketplace for ITSM and DevOps tools

Long-Term (6-12 Months)

• Machine learning-based anomaly detection
• Predictive alerting for potential issues
• Automated remediation workflows
• Advanced compliance reporting (HIPAA, SOC 2, PCI-DSS)
• Linux and macOS agent support
• Container and Kubernetes monitoring
• API for custom integrations and automation
• On-premises deployment option for air-gapped environments

Feature availability and timelines are subject to change based on customer feedback and business priorities. We actively incorporate user suggestions into our development roadmap.

What Are Agent Seats?

Agent seats allow you to deploy ET Ducky monitoring agents across your Windows infrastructure. Each system running an agent requires one seat. Agent seats are priced separately from query subscriptions.

How Agents Use Queries

• Agents capture and correlate ETW events on remote systems
• Live query sessions use your organization's query subscription
• Agent seats provide the infrastructure, queries provide the diagnostics
• Multiple agents share the same query pool

Agent Features

• Deploy on unlimited Windows systems
• Real-time ETW event collection and monitoring
• Cloud-managed configuration and updates
• Health metrics tracking for all deployed systems
• Live query sessions for interactive troubleshooting

Volume Pricing

Agent seats use tiered volume pricing. The more seats you purchase, the lower your per-seat cost.

Billing Options

• Monthly Billing: Standard per-seat pricing
• Annual Billing: Save 15% with annual commitment
• Proration: Changes to seat count are prorated automatically
• Separate Billing: Agent seats billed separately from query subscriptions

Example Costs

Purchase Agent Seats

Interactive pricing calculator with real-time volume discounts

Query Subscriptions

What counts as a query?

Each request to process correlated ETW events through the ET Ducky API server counts as one query. This includes diagnostic requests from the Desktop app, live session queries from agents, and event correlation analysis.

Can I use queries with both the Desktop app and agents?

Yes. Your query subscription provides a shared pool that works with both the Desktop application and any deployed agents. All queries count against the same monthly quota regardless of source.

Can I use my own Anthropic API key?

Yes. The Free tier lets you bring your own Anthropic API key with no query limits. Paid tiers include cloud-hosted processing so you don't need your own key.

What happens if I exceed my quota?

Once your monthly quota is reached, cloud-based processing will be paused until the next billing cycle. You can upgrade at any time, or switch to BYOK mode.

Do queries reset monthly?

Yes. Your query quota resets at the start of each billing cycle. Unused queries do not roll over.

How does organization quota pooling work?

When multiple users join an organization, their individual query quotas combine into a shared pool. For example, if 3 users each have Professional plans (1,000 queries each), the organization gets a pool of 3,000 queries that any member can use from Desktop or agents.

Is the Desktop application free?

Yes. The Desktop application is a free download. You only pay for the query subscription tier that provides access to process events through the ET Ducky API.

Agent Seats

What are agent seats?

Agent seats allow you to deploy ET Ducky monitoring agents across multiple Windows systems. Each system running an agent requires one seat. Agent seats are priced separately from query subscriptions.

Do I need both a query subscription and agent seats?

It depends on your use case. If you only use the Desktop app on your local machine, you just need a query subscription. If you want to monitor remote servers with agents, you need both: a query subscription for processing and agent seats for deployment.

Do agents consume queries?

Yes. When you run live query sessions on agents, they use queries from your organization's shared pool. The agent seat provides the monitoring infrastructure, but diagnostic analysis uses your query quota.

Can I change my seat count?

Yes. You can add or remove seats at any time through the dashboard. Changes are prorated automatically and reflected in your next billing cycle.

What happens if I remove an agent seat?

When you reduce your seat count, the change takes effect immediately and your billing is adjusted. The agent will stop functioning and must be uninstalled from the system or reinstalled with a new seat allocation.

Are there any setup fees?

No. There are no setup fees, activation fees, or hidden costs. You only pay for your query subscription and the number of agent seats you use each month.

Billing

How am I billed?

Query subscriptions are billed monthly or annually. Agent seats are billed monthly based on your seat count, with optional 15% savings on annual commitments. All billing is handled through Stripe.

Can I switch plans?

Yes. You can upgrade or downgrade your query subscription at any time. Changes take effect immediately, and we'll prorate the billing difference.

What payment methods do you accept?

We accept all major credit cards through Stripe. Enterprise customers can request invoice billing.

Can I get a refund?

We offer prorated refunds for annual subscriptions if you cancel within the first 30 days. Monthly subscriptions can be canceled at any time and will not renew, but are not refundable.