WitnessAI Documentation
Windows Binary Installation
Download Windows binary installer here.
Required Config from PEAS API
- Root CA Cert (Base64)
Parameters required for the Executable
Parameter | Description |
-tenant [Mandatory] | Tenant identifier (e.g., '1234.use1.witness.ai') - required |
-token [Mandatory] | JWT token for authentication (required) |
-domain-join | Domain join status: true for AD-joined (default), false for non-AD-joined |
-flush | Run flush operation to clean up device registration |
-force-arch | Force stunnel architecture: '32' for 32-bit, '64' for 64-bit |
-log-file | Log file path (default "C:\Windows\Temp\WitnessAI\WitnessAnywhere-Reg.log") |
-mdm [Mandatory] | MDM vendor type: 'windowsgpo', 'crowdstrike', 'sentinelone', 'intune' |
-proxy-lock | Prevent users from changing proxy settings |
-static-domain | Static domain override (leave empty for Azure AD detection) |
-stunnel | Deploy Stunnel |
Support Matrix
MDM | AD Joined | Non-AD Joined | Stunnel | Static Domain | Proxy Lock | Supported |
Crowdstrike | Yes | Yes | Yes | Yes | Yes | ✅ |
SentinelOne | Yes | Yes | Yes | Yes | Yes | ✅ |
Windows GPO | Yes | Yes | Yes | Yes | Yes | ✅ |
Sample Registration Log
2025/09/29 12:33:11 ╔══════════════════════════════════════════════════════════════════════════════╗
2025/09/29 12:33:11 DEVICE REGISTRATION
2025/09/29 12:33:11 ╠══════════════════════════════════════════════════════════════════════════════╣
2025/09/29 12:33:11 Starting device registration process...
2025/09/29 12:33:11 ╚══════════════════════════════════════════════════════════════════════════════╝
2025/09/29 12:33:11 [INFO] Tenant: dev.witness.ai
2025/09/29 12:33:11 [INFO] Detected logged-in user: WITNESS\vine.dev
2025/09/29 12:33:11 [INFO] Got SID for user WITNESS\vine.dev: S-1-5-21-1462450737-1988320055-1392028470-1105
2025/09/29 12:33:11 [INFO] Phase 1: Validating configuration with backend...
2025/09/29 12:33:12 [INFO] Certificate retrieved successfully (Request ID: 302fda68-0100-0000-0000-0000572c7f15)
2025/09/29 12:33:12 [INFO] Phase 2: Collecting device information...
2025/09/29 12:33:12 [SUCCESS] Auto-Detection: Found proper domain via WMI: witness.lab - system IS domain joined
2025/09/29 12:33:12 [WARNING] Azure AD Detection: Registry key not found: Device is not Azure AD Joined.
2025/09/29 12:33:12 [SUCCESS] Domain Join Logic: Using auto-detected domain: witness.lab
2025/09/29 12:33:12 [INFO] User email: vine.dev@witness.lab
2025/09/29 12:33:12 [INFO] MDM Vendor: windowsgpo (domain-join: true)
2025/09/29 12:33:12 [INFO] Vendor Info: windowsgpo (ID: S-1-5-21-1462450737-1988320055-1392028470-1105)
2025/09/29 12:33:12 [INFO] PAC_URL: https://api.dev.witness.ai/v1/peas/pac/e945ffaf0f70.pac?enableStunnel=true
2025/09/29 12:33:12 [INFO] STATIC_FQDN: e945fa2fafaf0f7
2025/09/29 12:33:12 [INFO] DEVICE_FINGERPRINT: fedddc557979e
2025/09/29 12:33:13 [INFO] Phase 3: Applying system configurations...
2025/09/29 12:33:13 [CERT] Certificate validated: CN=WitnessAI,O=WitnessAI,C=US (432 bytes)
2025/09/29 12:33:13 [INFO] Root certificate installed successfully (Serial: 00f90f2f311)
2025/09/29 12:33:13 [INFO] Registration data stored in user registry successfully
2025/09/29 12:33:13 [INFO] System proxy settings configured with PAC URL
2025/09/29 12:33:13 ╔══════════════════════════════════════════════════════════════════════════════╗
2025/09/29 12:33:13 DEVICE REGISTRATION
2025/09/29 12:33:13 ╠══════════════════════════════════════════════════════════════════════════════╣
2025/09/29 12:33:13 Device successfully registered with PAC service
2025/09/29 12:33:13 ╚══════════════════════════════════════════════════════════════════════════════╝
2025/09/29 12:33:13 ╔══════════════════════════════════════════════════════════════════════════════╗
2025/09/29 12:33:13 STUNNEL DEPLOYMENT
2025/09/29 12:33:13 ╠══════════════════════════════════════════════════════════════════════════════╣
2025/09/29 12:33:13 Deploying 64-bit stunnel for user: vine.dev
2025/09/29 12:33:13 ╚══════════════════════════════════════════════════════════════════════════════╝
2025/09/29 12:33:13 ┌─ Step 1/5: DIRECTORY SETUP
2025/09/29 12:33:13 │ Creating: C:\Users\vinectiv.dev\AppData\Local\Programs\WitnessAnywhere
2025/09/29 12:33:13 └─ ✓ Complete
2025/09/29 12:33:13 ┌─ Step 2/5: FILE EXTRACTION
2025/09/29 12:33:13 │ Extracting embedded 64-bit stunnel files
2025/09/29 12:33:13 └─ ✓ Complete
2025/09/29 12:33:13 ┌─ Step 3/5: CONFIGURATION
2025/09/29 12:33:13 │ Creating stunnel.conf with proxy settings
2025/09/29 12:33:13 └─ ✓ Complete
2025/09/29 12:33:13 ┌─ Step 4/5: AUTO-START SETUP
2025/09/29 12:33:13 │ Adding Windows registry auto-start entry
2025/09/29 12:33:13 └─ ✓ Complete
2025/09/29 12:33:13 ┌─ Step 5/5: SERVICE LAUNCH
2025/09/29 12:33:13 │ Starting stunnel tunnel service
2025/09/29 12:33:13 └─ ✓ Complete
2025/09/29 12:33:13 [INFO] Verifying stunnel service startup...
2025/09/29 12:33:16 ╔══════════════════════════════════════════════════════════════════════════════╗
2025/09/29 12:33:16 STUNNEL DEPLOYMENT SUCCESS
2025/09/29 12:33:16 ╠══════════════════════════════════════════════════════════════════════════════╣
2025/09/29 12:33:16 Stunnel service active for: vine.dev
2025/09/29 12:33:16 Tunnel endpoint: 127.0.0.1:9411
2025/09/29 12:33:16 Auto-start: Enabled
2025/09/29 12:33:16 Architecture: 64-bit
2025/09/29 12:33:16 ╚══════════════════════════════════════════════════════════════════════════════╝
2025/09/29 12:33:16 ╔══════════════════════════════════════════════════════════════════════════════╗
2025/09/29 12:33:16 REGISTRATION COMPLETE
2025/09/29 12:33:16 ╠══════════════════════════════════════════════════════════════════════════════╣
2025/09/29 12:33:16 Device registration completed successfully
2025/09/29 12:33:16 ╚══════════════════════════════════════════════════════════════════════════════╝
Error Logs
Invalid Registration Token
2025/11/05 20:26:11 ╔════════════════════════════════╗
2025/11/05 20:26:11 WITNESS ANYWHERE REGISTRATION
2025/11/05 20:26:11 ╠════════════════════════════════╣
2025/11/05 20:26:11 Starting device registration process...
2025/11/05 20:26:11 ╚════════════════════════════════╝
2025/11/05 20:26:11 [INFO] Tenant: dev.witness.ai
2025/11/05 20:26:11 [INFO] Phase 1: Validating configuration with backend...
2025/11/05 20:26:12 ╔═════════════════════════════════╗
2025/11/05 20:26:12 ERROR: REGISTRATION FAILED
2025/11/05 20:26:12 ╠═════════════════════════════════╣
2025/11/05 20:26:12 failed to fetch configuration: authentication failed (HTTP 401): {"message":"Invalid signature"}
2025/11/05 20:26:12 ╚═════════════════════════════════╝
Expired Registration Token
════════════════════════════════════════════════
DEVICE REGISTRATION FAILED
════════════════════════════════════════════════
REGISTRATION ERROR
Details: failed to fetch configuration: authentication failed (HTTP 401): {"exp":"token expired"}
Please check the log file for more information: C:\Windows\Temp\WitnessAI\WitnessAnywhere-Reg.log
Contact your administrator if the issue persists.
════════════════════════════════════════════════
MDM Agent not Installed
════════════════════════════════════════════════
DEVICE REGISTRATION FAILED
════════════════════════════════════════════════
REGISTRATION ERROR
Details: MDM Agent Check Failed: SentinelOne Agent not found
Please check the log file for more information: C:\Windows\Temp\WitnessAI\WitnessAnywhere-Reg.log
Contact your administrator if the issue persists.
════════════════════════════════════════════════
Username/Email Mismatch
════════════════════════════════════════════════
DEVICE REGISTRATION FAILED
════════════════════════════════════════════════
REGISTRATION ERROR
Details: registration request failed: API request failed with status 403: {"errors": [{"source":"peas","message":"something unexpected went wrong, please try again later: preparing the device registration failed"}]}
Please check the log file for more information: C:\Windows\Temp\WitnessAI\WitnessAnywhere-Reg.log
Contact your administrator if the issue persists.
════════════════════════════════════════════════
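For triaging registration logs collected from many endpoints, the Python below classifies the most recent run in a WitnessAnywhere-Reg.log into the outcomes documented above. It is an added example, not WitnessAI's own tooling; the function names, the sample and the mapping of detail strings to headings are constructed here. It assumes the log file is appended to across runs and carries the same detail strings as the error output shown on this page.

```python
import re

# Detail substrings from this page's error output, keyed to its headings (assumed mapping).
SIGNATURES = [
    ("Invalid signature", "invalid registration token"),
    ("token expired", "expired registration token"),
    ("MDM Agent Check Failed", "MDM agent not installed"),
    ("status 403", "username/email mismatch"),
]
RUN_START = "Starting device registration process"
SUCCESS = "Device registration completed successfully"
FAILED = "REGISTRATION FAILED"
PREFIX = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\s*")
DECORATION = "╔╗╚╝╠╣═║┌└│─ \t"

def clean(line):
    """Strip the timestamp and box-drawing decoration from one log line."""
    return PREFIX.sub("", line).strip(DECORATION)

def triage(log_text):
    """Classify the most recent registration run as (status, reason, detail)."""
    run = []
    for line in filter(None, map(clean, log_text.splitlines())):
        if line.startswith(RUN_START):
            run = []  # assumption: the file is appended to; keep the last run
        run.append(line)
    for i, line in enumerate(run):
        if FAILED in line:
            tail = run[i + 1:]
            for detail in tail:
                for needle, reason in SIGNATURES:
                    if needle in detail:
                        return ("failed", reason, detail)
            return ("failed", "unclassified", tail[0] if tail else "")
    if any(SUCCESS in line for line in run):
        return ("registered", None, None)
    # Neither banner present: the installer stopped before finishing.
    return ("incomplete", None, run[-1] if run else "")

# Constructed sample: a successful run, then a failed one, trimmed from the logs above.
SAMPLE = """\
2025/09/29 12:33:11 Starting device registration process...
2025/09/29 12:33:16 Device registration completed successfully
2025/11/05 20:26:11 Starting device registration process...
2025/11/05 20:26:12 ERROR: REGISTRATION FAILED
2025/11/05 20:26:12 ╠═════════════════════════════════╣
2025/11/05 20:26:12 failed to fetch configuration: authentication failed (HTTP 401): {"message":"Invalid signature"}
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```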
Pending Work
Linked list:
Future Improvements
- https://docs.google.com/document/d/1QwJIH-mEkivy-M6bRAZfzge6vA_UJJdaORIt5VxuIaM/edit?usp=sharing
Proxy Lock value has to be configured from the console and obtained using the /config API endpoint.
Local Execution Command
.\witness_anywhere.exe -token "eyJhbGc.............InR5cCI" -tenant dev.witness.ai -mdm crowdstrike -local local-test-user@192.168.4.157
Crowdstrike RTR Policy Config
Crowdstrike RTR - Register Command
put-and-run witness_anywhere.exe -CommandLine="-token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..qGjP7QZQIwGCd -tenant dev.witness.ai -mdm crowdstrike"
Crowdstrike RTR - Flush Command
put-and-run witness_anywhere.exe -CommandLine="-flush"