Faster, Quieter Windows Agents

April 25, 2026 · InfraScout Team

If you've watched an InfraScout sweep on a busy Windows server, you've probably seen it: a CPU core pegged for the duration of an event log query, a domain controller taking its time to return Security log entries, or an assessment that quietly returned "something failed" without telling you what. That ends today. The Windows agent now talks to the operating system directly for event log reads and WMI queries — no PowerShell wrapper in the middle — and the difference shows up immediately in collection time, CPU usage, and error clarity.

Why this matters

Until now, the Windows agent leaned on PowerShell to fetch event log entries and run WMI queries. That worked, but every collection paid for it: a fresh powershell.exe process per call, JSON serialization on the way out, and an interpreter sitting between InfraScout and the data it actually wanted. On quiet hosts the overhead was tolerable. On busy domain controllers, file servers, and inventory targets — exactly where assessments matter most — it was the slowest part of the run.

The agent now uses native Windows APIs for both of those collectors. There's no script process to spawn, no interpreter to warm up, and no JSON middleman. The agent reads what it needs and moves on.

What you'll notice

Three things change the moment you roll out the updated agent:

  • Event log queries finish in a fraction of the previous time. Pulling recent Security or Application events on busy controllers (the kind of host where the old path could stall for many seconds) now takes well under the time it used to. Hourly and daily lookbacks on million-event channels feel responsive again.
  • WMI-backed inventory and health checks no longer pin a CPU core. Service inventories, OS detail, installed-software sweeps, and the dozens of small WMI lookups that show up in a typical assessment now run with a noticeably smaller footprint. Scheduled overnight sweeps stop showing up as CPU spikes in your monitoring.
  • Errors finally name what failed. When a WMI query has bad syntax, the response says so and includes the query. When a WMI class doesn't exist, the response names the class. When you ask for an event log channel that isn't there, the response references the channel by name. No more hunting through a wrapper script's last line of stderr to figure out whether it was the credentials, the query, or the host.

Together these add up to a meaningfully smaller, quieter agent on domain-joined hosts during scheduled sweeps — and to assessments that complete sooner and surface real problems sooner.

What stays the same

Nothing changes about how you run assessments. The same playbooks, the same MCP tools, the same agent install — you don't reconfigure anything. Event log entries come back with the same fields you're used to (and a few extras, like the originating computer and a populated message on every event). WMI results land in the same shape. If you've written custom playbooks against the existing tool surface, they keep working.

Roll the agent forward

To pick up the faster collectors, update your Windows agents to v0.2.1 or later. The server side stays compatible with older agents during the transition, but only updated agents get the speed and CPU wins.

Just in time for Inventory

The timing of this update is deliberate. The Inventory rollout leans heavily on WMI for hardware, OS, service, and installed-software snapshots, exactly the workload that benefits most from skipping the PowerShell hop. By the time inventory snapshots start landing in your dashboards next week, they'll be riding on collectors that don't fight the host they're running on.

Tell us what you see

If you've been watching CPU graphs on your Windows fleet during InfraScout sweeps, we'd love to hear what changes after you roll out the updated agent. Drop us a note at info@infrascout.cloud — especially if you're running large domain controllers or busy file servers, where the difference is most visible.