Open Investigator · Windows host investigation

Use AI-assisted read-only investigation for Windows host triage.

Open Investigator covers Windows server investigation scenarios where responders need account, process, network, persistence, service, file, and history evidence before deciding containment or remediation.

Apache-2.0 · Read-only tools · AI evidence reasoning
AI-driven server investigator: incident clues, host evidence, AI follow-up, timeline, and investigation report.

Search intent

For searches like Windows host investigation tool, Windows incident response CLI, PowerShell history investigation, and AI Windows DFIR.

How it works

The same investigation boundary applies on Windows: collect and correlate evidence, write case artifacts, and keep remediation decisions with humans and response procedures.

Investigation boundary

Open Investigator collects and correlates evidence. It does not isolate hosts, block IPs, kill processes, delete files, disable accounts, restart services, or change firewall or registry state.

Practical workflow

Use it as a first-pass host investigation loop.

01

Account and process context

Inspect local users, suspicious processes, parent-child relationships, command lines, and service context.

02

Network and persistence

Review listeners, connections, scheduled tasks, services, Run and RunOnce keys, WMI persistence indicators, and startup paths.

03

Recent activity

Use recent files and PowerShell history as investigation signals tied to evidence records.
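The three steps above as one read-only collection pass, written as an added example rather than Open Investigator's own code: it assumes an elevated Windows PowerShell 5.1+ session on the host being triaged, and the `$CaseDir` output path and the `Save-Evidence` helper are assumptions for illustration. Each collector writes a separate JSON evidence record and nothing on the host is changed.

```powershell
# Added example, not Open Investigator's code: read-only first-pass Windows host evidence collection.
# Assumes an elevated Windows PowerShell 5.1+ session on the triaged host; $CaseDir is an assumed path.
$CaseDir = Join-Path $env:TEMP ("case-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null

function Save-Evidence {
    # Runs one collector and writes its output as a JSON artifact; a failing collector records its error instead.
    param([string]$Name, [scriptblock]$Collector)
    try   { $data = @(& $Collector) }
    catch { $data = @(@{ error = $_.Exception.Message }) }
    ConvertTo-Json -InputObject $data -Depth 5 | Set-Content -Path (Join-Path $CaseDir "$Name.json")
}

# 01 Account and process context: local users, processes with parent PID and command line, services.
Save-Evidence 'local_users' { Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet }
Save-Evidence 'processes' { Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate }
Save-Evidence 'services'  { Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName, StartName }

# 02 Network and persistence: listeners and connections, scheduled tasks, Run/RunOnce keys, WMI event subscriptions.
Save-Evidence 'tcp' { Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
Save-Evidence 'scheduled_tasks' {
    Get-ScheduledTask | ForEach-Object {
        [pscustomobject]@{ Path = $_.TaskPath; Name = $_.TaskName; State = [string]$_.State
                           Actions = @($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) }
    }
}
Save-Evidence 'run_keys' {
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' |
        Where-Object { Test-Path $_ } |
        ForEach-Object {
            $key = $_
            (Get-ItemProperty $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { [pscustomobject]@{ Key = $key; Value = $_.Name; Data = $_.Value } }
        }
}
Save-Evidence 'wmi_subscriptions' {
    @{ Filters   = @(Get-CimInstance -Namespace root\subscription -ClassName __EventFilter | Select-Object Name, Query)
       Consumers = @(Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer | Select-Object Name, CommandLineTemplate)
       Bindings  = @(Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding | Select-Object Filter, Consumer) }
}

# 03 Recent activity: the current user's Recent folder and every profile's PSReadLine console history (read, never cleared).
Save-Evidence 'recent_files' { Get-ChildItem "$env:APPDATA\Microsoft\Windows\Recent" -ErrorAction SilentlyContinue | Select-Object Name, LastWriteTime }
Save-Evidence 'powershell_history' {
    Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Path = $_.FullName; LastWrite = $_.LastWriteTime; Lines = @(Get-Content $_.FullName) } }
}
Write-Host "Evidence artifacts written to $CaseDir"
```

The JSON records are the evidence to review before any containment decision; the `run_keys` and `wmi_subscriptions` artifacts in particular are where Run/RunOnce and WMI persistence indicators from step 02 show up.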

Common searches

Queries this page answers.

Windows host investigation tool
Windows incident response CLI
PowerShell history investigation
AI Windows DFIR

For each of these searches, Open Investigator maps the intent to local, read-only host evidence and a reviewable incident report.

Use Open Investigator for first-pass Windows host evidence before any production-changing action.

The source, usage examples, contribution notes, and issue tracker live in the public Open Investigator repository.