WINDOWS FORENSICS MCP SERVER TOOLS

61 tools from the Windows Forensics MCP Server MCP Server, categorised by risk level.

READ 58 tools
apmx_parse: Parse Rohitab API Monitor capture file (.apmx64/.apmx86).
build_timeline: Build comprehensive forensic timeline from multiple artifact sources (MFT, USN Journal, Prefetch, Amcache, ...
disk_parse_amcache: Parse Amcache.hve to extract program execution evidence with SHA1 hashes, file paths, and timestamps. Prove...
disk_parse_mft: Parse $MFT (Master File Table) for file metadata, NTFS alternate
disk_parse_prefetch: Parse Windows Prefetch files to determine program execution history, run counts, and last execution times. ...
disk_parse_srum: Parse SRUDB.dat for application resource usage including CPU time, network bytes sent/received, and foregro...
disk_parse_usn_journal: Parse $UsnJrnl:$J (USN Journal) for file system change history. Records file creation, deletion, modificati...
investigate_execution: Comprehensive execution analysis. Correlates Prefetch, Amcache, and SRUM to prove or disprove binary execut...
investigate_user_activity: Comprehensive user activity investigation. Correlates Browser History, ShellBags, LNK files, and RecentDocs...
user_parse_lnk_files: Parse Windows shortcut (.lnk) files to determine target paths, access times, and volume information. Answer...
user_parse_shellbags: Parse ShellBags from UsrClass.dat to reveal folder navigation history. Shows which folders a user browsed i...
api_analyze_imports: Detailed PE import analysis with pattern detection and API enrichment.
api_detect_patterns: Detect injection/evasion/persistence API patterns from PE imports.
api_lookup: Look up Windows API definition (signature, params, DLL, category).
api_search_category: Browse/search Windows APIs by category. Categories are hierarchical
apmx_calls_around: Get a context window of API calls around a specific record index.
apmx_correlate_handles: Track handle values across API calls to reconstruct operation chains.
apmx_detect_patterns: Detect injection/evasion/persistence patterns in APMX captured API calls.
apmx_get_call_details: Extract detailed API call records with parameter values, return values,
apmx_get_calls: Extract API call records from an APMX capture with filtering and pagination.
apmx_injection_info: Extract enriched injection chain details from an APMX capture.
apmx_search_params: Search API calls by parameter value in an APMX capture.
browser_get_history: Parse browser history and downloads from Edge, Chrome, or Firefox. Answers: What URLs did the user visit? W...
die_get_packer_info: Get information about a packer/protector including
die_scan_directory: Scan directory for executables and analyze with DiE.
evtx_attack_summary: Compact TSV summary of security events for rapid triage. Returns one tab-separated line per event with only...
evtx_explain_event_id: Get description of a Windows Event ID.
evtx_get_stats: Get statistics about an EVTX file: event counts, time range, Event ID distribution.
evtx_list_files: List all EVTX (Windows Event Log) files in a directory.
evtx_search: Search events from EVTX file. Filter by time, Event ID, keywords, provider. Supports pagination with offset.
evtx_security_search: Search for security events by type: logon, failed_logon, process_creation, etc. Supports pagination with of...
file_analyze_pe: Perform static analysis on Windows PE files (EXE/DLL/SYS). Extracts headers, imports, exports, sections, ca...
forensics_list_important_events: List important Event IDs for a log channel.
forensics_list_registry_keys: List forensically important registry keys.
hunt_ioc: Hunt for IOC (hash, filename, IP, domain) across all forensic artifacts. Searches Prefetch, Amcache, SRUM, ...
hunt_ioc_pack: Hunt behavioral IoCs from a metadata pack across exported logs, text artifacts, filenames, and PCAP payload...
ingest_parsed_csv: Import pre-parsed CSV from Eric Zimmerman tools (MFTECmd, PECmd, AmcacheParser, SrumECmd) for querying. Aut...
ioc_pack_list: List bundled and optional external behavioral IoC packs, including license metadata and rule counts.
pcap_find_suspicious: Detect suspicious network activity in PCAP.
pcap_get_conversations: Extract network conversations (TCP/UDP flows) from PCAP.
pcap_get_dns: Extract DNS queries and responses from PCAP.
pcap_get_http: Extract HTTP requests from PCAP.
pcap_get_stats: Get statistics from a PCAP/PCAPNG file including packet counts,
pcap_search: Search for pattern in packet payloads.
registry_get_key: Get registry key and values from a hive file.
registry_get_network: Get network configuration from SYSTEM hive.
registry_get_persistence: Get persistence mechanisms (Run keys, services) from registry.
registry_get_system_info: Get OS version, computer name, timezone from registry.
registry_get_usb_history: Get USB device history from SYSTEM hive.
registry_get_users: Get user accounts from SAM hive.
registry_search: Search registry values by pattern.
remote_get_system_info: Get system info from remote Windows via WinRM. Supports password or pass-the-hash authentication.
vt_lookup_domain: Look up domain reputation on VirusTotal.
vt_lookup_file: Calculate file hash and look up on VirusTotal.
vt_lookup_hash: Look up file hash (MD5/SHA1/SHA256) on VirusTotal for threat intelligence.
vt_lookup_ip: Look up IP address reputation on VirusTotal.
yara_list_rules: List available YARA rules. Shows bundled rules or custom rules from specified paths.
yara_scan_directory: Scan directory for malware with YARA rules. Returns only files with matches. Uses bundled signature-base ru...

Route Windows Forensics MCP Server through PolicyLayer and every one of its 61 tools is checked against your policy before it runs.

See every tool, the dangerous ones, and the token cost across your stack.

How many tools does the Windows Forensics MCP Server MCP server have?

The Windows Forensics MCP Server MCP server exposes 61 tools across 2 categories: Read, Execute.

How do I enforce policies on Windows Forensics MCP Server tools?

Route the Windows Forensics MCP Server server through the PolicyLayer gateway. Define allow, deny, or approval rules per tool in the dashboard; they are enforced on every call before it reaches the server.

What risk categories do Windows Forensics MCP Server tools fall into?

Windows Forensics MCP Server tools are categorised as Read (58), Execute (3). Each category has a recommended default policy.

Enforce policy on every Windows Forensics MCP Server tool call.

Start from Windows Forensics MCP Server, add the rest of your stack, and see everything your agents can call. Then put policy on all of it.

Free to start. No card required.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.
