Installed Remote Access Tool Audit
Purpose
The purpose of this solution is to identify a curated set of remote access tools using multiple detection methods, uninstall registry entries, running processes, running services, and common executable paths. It supports exclusions from both script variable and a Ninja custom field. The results are compiled into an HTML table and written to a Ninja custom field for easy visibility within the NinjaOne platform.
Tool display names supported by this script:
- AeroAdmin
- Ammyy Admin
- AnyDesk
- Atera
- Automate (ConnectWise Automate)
- BeyondTrust
- Chrome Remote Desktop
- CW RMM (ConnectWise RMM)
- DameWare
- Datto RMM
- DWService
- GoToAssist
- GoToMyPC
- ITSPlatform
- Kaseya
- Kaseya VSA (VSA)
- LiteManager
- LogMeIn
- Malwarebytes
- ManageEngine
- N-Able N-Central
- N-Able N-Sight
- Ninja RMM
- NoMachine
- Parsec
- Remote Utilities
- RemotePC
- ScreenConnect / ConnectWise Control (instance-based detection)
- Splashtop
- Supremo
- Syncro
- TeamViewer
- TightVNC
- UltraVNC
- VNC (generic detection)
- VNC Connect (RealVNC)
- Zoho Assist
Associated Content
| Content | Type | Function |
|---|---|---|
| cPVAL Enable Remote Tools Detection | Custom Field | Custom field to select the required platform to start detecting Unauthorized remote tools. |
| cPVAL Whitelisted Remote Access Tools | Custom Field | Custom filed to define an optional comma-separated list of remote access tool display names to exclude from detection. |
| cPVAL Installed Remote Access Tools | Custom Field | Custom field stores the remote management applications list gathered by the script Installed Remote Tools Audit. |
| Installed Remote Tool Audits | Automation | Script to audit Windows endpoint for known remote access tools using multiple detection methods. |
| Unauthorized Remote Tools | Ticket Template | This ticket template configures how a ConnectWise Manage ticket will be generated in response to the Audit Installed Remote Tools - Workstation and Audit Installed Remote Tools - Server compound conditions. |
| Audit Installed Remote Tools - Workstation | Compound Condition | Triggers the Installed Remote Tools Audit automation on Windows workstations where deployment is enabled. |
| Audit Installed Remote Tools (with Ticketing) - Workstation | Compound Condition | Triggers the Installed Remote Tools Audit automation on Windows workstations where deployment is enabled and creates tickets if Windows (with Ticketing), Windows Workstations (with Ticketing) is selected at cPVAL Enable Remote Tools Detection custom Field. |
| Audit Installed Remote Tools - Server | Compound Condition | Triggers the Installed Remote Tools Audit automation on Windows Servers where deployment is enabled. |
| Audit Installed Remote Tools (with Ticketing) - Servers | Compound Condition | Triggers the Installed Remote Tools Audit automation on Windows servers where deployment is enabled and creates tickets if Windows (with Ticketing), Windows Servers (with Ticketing) is selected at cPVAL Enable Remote Tools Detection custom Field. |
Implementation
- Create the below Custom Fields:
- Create the Automation - Installed Remote Tool Audits
- Create the Ticket template: Unauthorized Remote Tools
- Create the below Compound Conditions using the implementation instruction provided in the documents.
- Select
Windows,Windows Workstations, orWindows Serversfrom the custom field cPVAL Enable Remote Tools Detection to enable just auditing for remote tools. These options will enable the below compound conditions: - Select
Windows (with Ticketing),Windows Workstations (with Ticketing), orWindows Servers (with Ticketing)from the custom field cPVAL Enable Remote Tools Detection to enable the below compound conditions which will create a ticket if any unauthorized remote tool is detected:
Changelog
2026-06-24
- Initial version of the document