// SCAN REPORT

Windows Forensics MCP Server

61 tools. 3 can modify or destroy data without limits.

3 write tools that can modify data. Rate limits recommended.

Last updated:

3 can modify or destroy data
58 read-only
61 tools total

Community server · catalogue entry verified 11/06/2026

How to control Windows Forensics MCP Server ↓

TOOL MAP

What Windows Forensics MCP Server exposes to your agents

Read (58) Write / Execute (3) Destructive / Financial (0)

Running more than one server? Check your whole stack →

MOST DANGEROUS TOOLS
High Risk

The most dangerous Windows Forensics MCP Server tools

Execute · Medium die_analyze_file This tool runs an external analysis tool (Detect It Easy) against a file, which constitutes executing an external program/operation. Execute · Critical remote_collect_artifacts This tool remotely connects to a Windows system via WinRM and executes operations to collect artifacts. Execute · High yara_scan_file This tool executes YARA scanning operations against files, which involves running a pattern-matching engine over file contents.

3 of Windows Forensics MCP Server's 61 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

POLICY

How to control Windows Forensics MCP Server

PolicyLayer is an MCP gateway — it sits between your AI agents and Windows Forensics MCP Server, and nothing reaches the server without passing your rules. These are the rules we recommend:

Cap read operations
{
  "apmx_parse": {
    "limits": [
      {
        "counter": "apmx_parse_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

  1. Create a free account and register Windows Forensics MCP Server — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.
ENFORCE POLICY ON WINDOWS FORENSICS →

Free to start. No card required.

FULL CATALOGUE

All 61 Windows Forensics MCP Server tools

EXECUTE 3 tools
Execute die_analyze_file Analyze file with Detect It Easy (DiE). Execute remote_collect_artifacts Collect forensic artifacts from remote Windows system via WinRM. Supports password or pass-the-hash authentica Execute yara_scan_file Scan a file with YARA rules for malware detection. Uses bundled signature-base rules by default (Mimikatz, Cob
READ 58 tools
Read apmx_parse Parse Rohitab API Monitor capture file (.apmx64/.apmx86). Read build_timeline Build comprehensive forensic timeline from multiple artifact sources (MFT, USN Journal, Prefetch, Amcache, EVT Read disk_parse_amcache Parse Amcache.hve to extract program execution evidence with SHA1 hashes, file paths, and timestamps. Proves a Read disk_parse_mft Parse $MFT (Master File Table) for file metadata, NTFS alternate Read disk_parse_prefetch Parse Windows Prefetch files to determine program execution history, run counts, and last execution times. Can Read disk_parse_srum Parse SRUDB.dat for application resource usage including CPU time, network bytes sent/received, and foreground Read disk_parse_usn_journal Parse $UsnJrnl:$J (USN Journal) for file system change history. Records file creation, deletion, modification, Read investigate_execution Comprehensive execution analysis. Correlates Prefetch, Amcache, and SRUM to prove or disprove binary execution Read investigate_user_activity Comprehensive user activity investigation. Correlates Browser History, ShellBags, LNK files, and RecentDocs to Read user_parse_lnk_files Parse Windows shortcut (.lnk) files to determine target paths, access times, and volume information. Answers: Read user_parse_shellbags Parse ShellBags from UsrClass.dat to reveal folder navigation history. Shows which folders a user browsed in W Read api_analyze_imports Detailed PE import analysis with pattern detection and API enrichment. Read api_detect_patterns Detect injection/evasion/persistence API patterns from PE imports. Read api_lookup Look up Windows API definition (signature, params, DLL, category) Read api_search_category Browse/search Windows APIs by category. Categories are hierarchical Read apmx_calls_around Get a context window of API calls around a specific record index. Read apmx_correlate_handles Track handle values across API calls to reconstruct operation chains. Read apmx_detect_patterns Detect injection/evasion/persistence patterns in APMX captured API calls. Read apmx_get_call_details Extract detailed API call records with parameter values, return values, Read apmx_get_calls Extract API call records from an APMX capture with filtering and pagination. Read apmx_injection_info Extract enriched injection chain details from an APMX capture. Read apmx_search_params Search API calls by parameter value in an APMX capture. Read browser_get_history Parse browser history and downloads from Edge, Chrome, or Firefox. Answers: What URLs did the user visit? What Read die_get_packer_info Get information about a packer/protector including Read die_scan_directory Scan directory for executables and analyze with DiE. Read evtx_attack_summary Compact TSV summary of security events for rapid triage. Returns one tab-separated line per event with only at Read evtx_explain_event_id Get description of a Windows Event ID. Read evtx_get_stats Get statistics about an EVTX file: event counts, time range, Event ID distribution. Read evtx_list_files List all EVTX (Windows Event Log) files in a directory. Read evtx_search Search events from EVTX file. Filter by time, Event ID, keywords, provider. Supports pagination with offset. Read evtx_security_search Search for security events by type: logon, failed_logon, process_creation, etc. Supports pagination with offse Read file_analyze_pe Perform static analysis on Windows PE files (EXE/DLL/SYS). Extracts headers, imports, exports, sections, calcu Read forensics_list_important_events List important Event IDs for a log channel. Read forensics_list_registry_keys List forensically important registry keys. Read hunt_ioc Hunt for IOC (hash, filename, IP, domain) across all forensic artifacts. Searches Prefetch, Amcache, SRUM, MFT Read hunt_ioc_pack Hunt behavioral IoCs from a metadata pack across exported logs, text artifacts, filenames, and PCAP payloads. Read ingest_parsed_csv Import pre-parsed CSV from Eric Zimmerman tools (MFTECmd, PECmd, AmcacheParser, SrumECmd) for querying. Auto-d Read ioc_pack_list List bundled and optional external behavioral IoC packs, including license metadata and rule counts. Read pcap_find_suspicious Detect suspicious network activity in PCAP. Read pcap_get_conversations Extract network conversations (TCP/UDP flows) from PCAP. Read pcap_get_dns Extract DNS queries and responses from PCAP. Read pcap_get_http Extract HTTP requests from PCAP. Read pcap_get_stats Get statistics from a PCAP/PCAPNG file including packet counts, Read pcap_search Search for pattern in packet payloads. Read registry_get_key Get registry key and values from a hive file. Read registry_get_network Get network configuration from SYSTEM hive. Read registry_get_persistence Get persistence mechanisms (Run keys, services) from registry. Read registry_get_system_info Get OS version, computer name, timezone from registry. Read registry_get_usb_history Get USB device history from SYSTEM hive. Read registry_get_users Get user accounts from SAM hive. Read registry_search Search registry values by pattern. Read remote_get_system_info Get system info from remote Windows via WinRM. Supports password or pass-the-hash authentication. Read vt_lookup_domain Look up domain reputation on VirusTotal. Read vt_lookup_file Calculate file hash and look up on VirusTotal. Read vt_lookup_hash Look up file hash (MD5/SHA1/SHA256) on VirusTotal for threat intelligence. Read vt_lookup_ip Look up IP address reputation on VirusTotal. Read yara_list_rules List available YARA rules. Shows bundled rules or custom rules from specified paths. Read yara_scan_directory Scan directory for malware with YARA rules. Returns only files with matches. Uses bundled signature-base rules
EXPLORE

Related servers

Other MCP servers with similar tools — same risk classification, starter policies for each.

Sperax Ecosystem Crypto & DeFI MCP Server 1318 tools
automation
Mcp Afip 1300 tools
automation
Mcp Ap2 1300 tools
automation
BNB Chain MCP 1240 tools
automation
Nodebench 824 tools
automation
Amazon Bedrock Knowledge Base Retrieval MCP Server 805 tools
automation
Amazon Data Processing MCP Server 805 tools
automation
Amazon ECS MCP Server 805 tools
automation
FAQ

Questions about Windows Forensics MCP Server

Is the Windows Forensics MCP Server MCP server safe to use without restrictions? +

The Windows Forensics MCP Server server is primarily read-only with 58 read tools. While it cannot modify data, an agent in a retry loop can make thousands of API calls per minute, exhausting rate limits and running up costs. Rate limiting is still recommended.

How many tools does the Windows Forensics MCP Server MCP server expose? +

61 tools across 2 categories: Execute, Read. 58 are read-only. 3 can modify, create, or delete data.

How do I enforce a policy on Windows Forensics MCP Server? +

Register the Windows Forensics MCP Server MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every Windows Forensics MCP Server tool call.

Deterministic rules across all 61 Windows Forensics MCP Server tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

ENFORCE POLICY ON WINDOWS FORENSICS →

Free to start. No card required.

61 Windows Forensics MCP Server tools catalogued and risk-classified — across an index of 43,000+ MCP servers.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.