4.5 KiB
iSphere Live Probe Recorder
Date: 2026-07-10 Purpose: collect read-only runtime evidence from a machine where iSphere / IMPlatformClient can actually log in.
Why this recorder exists
The current development machine cannot log in because the current network has no reachable server. Simulating login would only prove window rendering and would not prove the real logged-in runtime state required by the B-route sidecar connector.
Therefore the selected path is to carry a dedicated recorder executable to a working environment, run it after manual login, and bring the generated JSON evidence back.
Built artifact
Package directory:
runs/live-probe-recorder-package/
Executable:
runs/live-probe-recorder-package/ISphereLiveProbeRecorder.exe
Zip package:
runs/live-probe-recorder-package.zip
Compatibility layout:
ISphereLiveProbeRecorder.exe # top-level x86 build, use this first
variants/ISphereLiveProbeRecorder-x86.exe # same x86 fallback copy
variants/ISphereLiveProbeRecorder-anycpu.exe # AnyCPU fallback
variants/ISphereLiveProbeRecorder-x64.exe # x64 fallback
check-and-run.bat # prints environment and tries the top-level recorder
run-recorder.bat # runs the top-level recorder
run-x86-fallback.bat # runs the x86 fallback
The top-level executable is intentionally x86 because it can start on both 32-bit and 64-bit Windows and is more compatible with older enterprise desktop clients.
The package is generated by:
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\package-live-probe-recorder.ps1
Operator steps
- Copy
runs/live-probe-recorder-package.zipto the machine/network where iSphere can connect to its server. - Extract the zip.
- Manually open and log in to iSphere /
IMPlatformClient.exe. - Manually open one direct-contact chat window and one group-chat window if possible. Keep the editor/send/attachment area visible, but do not send anything.
- Keep the client window open.
- Double-click
ISphereLiveProbeRecorder.exe. - The program writes a folder under:
probe-output/isphere-live-probe-<timestamp>/
- Compress that generated folder and return it.
If Windows shows System.BadImageFormatException, delete the extracted folder, re-extract the latest zip package, and run check-and-run.bat. The previous package used an AnyCPU top-level executable; the current package uses x86 at the top level and keeps other builds under variants/.
What it records
The recorder writes:
manifest.json
probe_client_runtime.json
process_details.json
network_inventory.json
filesystem_inventory.json
send_entrypoints_preflight.json
send_uia_controls_preflight.json
services_registry_shortcuts.json
scan_windows.json
uia_summary.json
uia/*.json
feasibility_summary.json
README.txt
NEXT_STEP.txt
The important evidence is:
- target process PID/name/title/path;
- process bitness;
- loaded module list;
- command-line metadata with basic secret redaction;
- key module presence, including
smack.dll,IMPP.Interface.dll,IMPP.ServiceBase.dll,IMPP.Service.dll,TcpFileTransfer.dll; - visible window metadata;
- UIA tree for target windows, useful if route A UI/RPA is needed later.
- install/cache/config/log/database candidate metadata;
- version and SHA256 for important binaries;
- send-message and send-file entrypoint metadata preflight for
IMPlatformClient.exe,smack.dll, andIMPP.Service.dll; - UIA send-control classifier output for search/edit/send/file controls and offline-send blocker state;
- redacted text samples for small config/log files;
- uninstall registry entries;
- related services and shortcuts;
- target-process TCP connections;
- related named pipes.
What it does not do
The recorder does not:
- send messages;
- send or upload files;
- click UI;
- type text;
- inject hooks;
- attach instrumentation;
- modify client files or data.
Decision after returned evidence
If probe_client_runtime.json proves the loaded modules and bitness match the static evidence, continue with B-route sidecar design.
If the running client cannot be inspected, or the expected modules are absent, switch to the A-route constrained UI/RPA fallback.
If send_entrypoints_preflight.json reports b_route_entrypoint_preflight="pass" and send_uia_controls_preflight.json reports the controls/offline state clearly, continue to R6b preview/dry-run contract design. Production send still requires a later online sandbox send gate.