The Windows agent captures LLM usage metadata using a Windows Filtering Platform (WFP) kernel-mode callout driver. It observes outbound TLS connections by extracting SNI hostnames — it never blocks traffic and never inspects content.

Requirements

  • Windows 10 (version 1809 / build 17763) or later, 64-bit
  • Administrator privileges for installation
  • Intune, SCCM, or local msiexec for deployment

How it works

The agent has three components that work together:
  • WFP callout driver (toktra-wfp.sys) — A KMDF kernel-mode driver that registers WFP callouts at the FWPM_LAYER_ALE_AUTH_CONNECT_V4 and V6 layers. When an outbound TLS connection is established, the sni_inspector extracts the SNI hostname from the TLS ClientHello. The driver always permits the connection — it only observes and records. Traffic is never blocked or modified.
  • Windows Service (ToktraAgent.exe) — A user-mode Windows Service that polls the driver, batches events, and transmits telemetry securely to Toktra over mTLS.
  • Edge extension — A Manifest V3 browser extension included with the MSI installer that captures browser-based LLM usage. See Browser Extensions for details.
The WFP driver operates in observe-only mode. It calls FwpsCompleteOperation with FWP_ACTION_PERMIT on every connection — traffic is never delayed, blocked, or modified.
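
The following is an added example, not Toktra's driver code: a user-mode Python parser showing which bytes of a TLS ClientHello carry the SNI hostname that the sni_inspector is described as extracting. The names build_client_hello, Reader and extract_sni are illustrative, and the sample ClientHello is constructed.

```python
import struct

def build_client_hello(hostname):
    """Constructed sample input: a minimal ClientHello record with one SNI entry."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list_len, host_name, name_len
    exts = struct.pack("!HH", 0, len(sni)) + sni                   # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)  # version, random, sid, suites, compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record 22 = handshake

class Reader:  # bounds-checked cursor: a short or lying length field raises, never over-reads
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, n):
        return int.from_bytes(self.take(n), "big")
    def vec(self, n):                                # length-prefixed vector
        return self.take(self.uint(n))

def extract_sni(record):
    """Return the lower-cased SNI hostname, or None if absent or malformed."""
    try:
        rec = Reader(record)
        rec_type, _version, hs = rec.uint(1), rec.take(2), Reader(rec.vec(2))
        if rec_type != 0x16 or hs.uint(1) != 0x01:   # need handshake record + ClientHello
            return None
        hello = Reader(hs.vec(3))
        hello.take(2 + 32)                           # client_version + random
        for width in (1, 2, 1):                      # session_id, cipher_suites, compression
            hello.vec(width)
        exts = Reader(hello.vec(2))
        while exts.pos < len(exts.data):
            ext_type, ext_body = exts.uint(2), exts.vec(2)
            if ext_type == 0:                        # server_name
                names = Reader(Reader(ext_body).vec(2))
                while names.pos < len(names.data):
                    name_type, name = names.uint(1), names.vec(2)
                    if name_type == 0:
                        return name.decode("ascii").lower()
        return None
    except ValueError:                               # also covers UnicodeDecodeError
        return None
```

The parser reads only the handshake record and returns None for a ClientHello without a server_name extension or one fragmented across several records, which it does not reassemble.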

Installation

MSI properties

The following properties can be passed on the msiexec command line or set via Intune app configuration:
Property      Description                                          Default
INGEST_URL    Toktra ingest URL                                    https://ingest.toktra.io
ORG_ID        Toktra organization identifier
DEVICE_ID     Device identifier (auto-generated if omitted)
CERT_SUBJECT  Certificate CN for mTLS client certificate lookup    Toktra Device
LOG_LEVEL     Log verbosity: 0=Error, 1=Warn, 2=Info, 3=Debug      2

The MSI installs:
  • ToktraAgent.exe and supporting libraries to %ProgramFiles%\Toktra\Agent\
  • toktra-wfp.sys to %SystemRoot%\System32\drivers\
  • Registry configuration at HKLM\SOFTWARE\Toktra\Agent

Configuration

All agent configuration is stored in the Windows Registry at HKLM\SOFTWARE\Toktra\Agent. The MSI writes initial values during installation. You can update them with reg add or via Group Policy / Intune registry CSP.
HKLM\SOFTWARE\Toktra\Agent
├── IngestUrl        REG_SZ     https://ingest.toktra.io
├── OrgId            REG_SZ     your-org-id
├── DeviceId         REG_SZ     d-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
├── CertSubject      REG_SZ     Toktra Device
├── LogLevel         REG_DWORD  2
├── EventBatchSize   REG_DWORD  50
├── FlushIntervalMs  REG_DWORD  30000
├── DriverDevicePath REG_SZ     \\.\ToktraWFP
└── Version          REG_SZ     1.0.0
Update a value from an elevated command prompt:
reg add "HKLM\SOFTWARE\Toktra\Agent" ^
  /v IngestUrl ^
  /t REG_SZ ^
  /d "https://ingest.toktra.io" ^
  /f
After changing registry values, restart the service for changes to take effect:
net stop ToktraAgent && net start ToktraAgent

Device certificate (mTLS)

The Windows agent uses the Windows Certificate Store for mTLS client certificates — not the filesystem. On first run, the Windows Service generates an Ed25519 key pair, sends a CSR to the Toktra enrollment endpoint, and installs the signed device certificate into the Local Machine certificate store under the My (Personal) container. The certificate subject matches the CertSubject registry value. The service looks up the certificate by subject at startup. Device certificates are valid for 90 days and renew automatically.

Budget enforcement

When department budget hard caps are enabled, the agent displays native budget status in the system tray. Over-budget requests are reported through the tray icon with a notification. Server-side enforcement acts as the authoritative gate.

Service management

The ToktraAgent Windows Service is installed with Start=Auto and DelayedAutoStart=Yes. It starts automatically at boot.
rem Check service status
sc query ToktraAgent

rem Restart the service
net stop ToktraAgent && net start ToktraAgent

rem View recent logs (Event Viewer)
eventvwr.msc
The service registers events in the Windows Application Event Log under the ToktraAgent source.

Uninstall

To remove the agent:
msiexec /x ToktraAgent.msi /quiet
The uninstall sequence stops and removes the WFP driver (ToktraWFP), stops and deletes the Windows Service, and removes all files and registry keys created during installation.