AETHER_01 MCP Server
AETHER_01 is an MCP (Model Context Protocol) server written in Rust that gives AI assistants full control over Windows 10/11 via standard input/output. From process management to GUI automation, from registry to WMI queries — everything a system administrator needs.
Documentation
AETHER_01 — Full-Spectrum Windows Management MCP Server
10 tools. 99% Windows coverage. Zero security compromises.
AETHER_01 is an MCP (Model Context Protocol) server written in Rust that gives AI assistants full control over Windows 10/11 via standard input/output. From process management to GUI automation, from registry to WMI queries — everything a system administrator needs.
Features
| # | Tool | Actions |
|---|---|---|
| 1 | process_control | list, kill, create, priority, threads, affinity, modules, DLL injection* |
| 2 | file_system | read/write/delete, ACL, symlinks, ADS streams, EFS, volumes, network shares |
| 3 | registry_editor | read/write/delete, all hives, security, monitoring, offline mounting* |
| 4 | service_manager | list, start/stop/restart, config, triggers, drivers |
| 5 | gui_automation | mouse, keyboard, windows, screenshots, clipboard, display, audio |
| 6 | system_info | CPU, memory, disk, OS, power, devices, BIOS, NTP, software, updates, BCD* |
| 7 | network_manager | adapters, connections, DNS, firewall, proxy, routing, WiFi, VPN, Bluetooth |
| 8 | user_management | users, groups, sessions, policies, certificates, credentials, tokens* |
| 9 | security_audit | audit, UAC, Defender, AppLocker, BitLocker, TPM, Secure Boot, exploit protection |
| 10 | system_automation | Event Log, Scheduled Tasks, WMI queries |
* = disabled by default, enabled via .env feature gates.
Installation
AETHER_01 provides 5 installation methods — pick the one that works best for you.
Method 1: npm global install (easiest)
npm install -g @foursecondfivefour/aether-mcp-server
The postinstall script automatically downloads the latest Windows x64 binary from GitHub Releases and places it in your PATH.
Method 2: One-click PowerShell install
Run this in PowerShell 7+ (Administrator):
irm https://raw.githubusercontent.com/foursecondfivefour/aether-mcp-server/main/install.ps1 | iex
The script automatically:
- Downloads the latest AETHER_01 binary
- Creates
.envwith safe default settings - Registers the server in all detected AI environments: Cursor, Claude Desktop, Windsurf, VS Code, and more
Method 3: One-click editor integration
Click the badge for your editor:
| Editor | Install |
|---|---|
| Cursor | |
| VS Code | |
| VS Code Insiders |
Method 4: Selective install with install.ps1
# Cursor only
.\install.ps1 -Targets cursor
# Claude Desktop + Windsurf
.\install.ps1 -Targets claude,windsurf
# Custom binary path
.\install.ps1 -BinaryPath target\release\aether-mcp-server.exe
# Specific release version
.\install.ps1 -ReleaseTag v1.0.1
Method 5: Build from source
git clone https://github.com/foursecondfivefour/aether-mcp-server
cd aether-mcp-server
Copy-Item .env.example .env
cargo build --release
.\install.ps1 -BinaryPath target\release\aether-mcp-server.exe
Manual configuration (without install script)
Cursor — %USERPROFILE%\.cursor\mcp.json
{
"mcpServers": {
"aether-01": {
"command": "d:\\path\\to\\aether-mcp-server.exe",
"env": { "RUST_LOG": "info" }
}
}
}
Claude Desktop — %APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"aether-01": {
"command": "d:\\path\\to\\aether-mcp-server.exe",
"env": { "RUST_LOG": "info" }
}
}
}
Windsurf — %USERPROFILE%\.codeium\windsurf\mcp_config.json
{
"mcpServers": {
"aether-01": {
"command": "d:\\path\\to\\aether-mcp-server.exe",
"env": { "RUST_LOG": "info" }
}
}
}
VS Code (Claude MCP) — %APPDATA%\Code\User\globalStorage\anthropic.claude-mcp\mcp.json
{
"mcpServers": {
"aether-01": {
"command": "d:\\path\\to\\aether-mcp-server.exe",
"env": { "RUST_LOG": "info" }
}
}
}
After configuring, restart your editor. The MCP panel will show 10 AETHER_01 tools.
Feature Gates (.env)
Dangerous operations are disabled by default and enabled by the system administrator:
AETHER_BCD_EDIT=0 # Windows boot configuration editing
AETHER_HAL_CONFIG=0 # HAL and memory dump configuration
AETHER_OFFLINE_REGISTRY=0 # Offline registry hive mounting
AETHER_DLL_INJECT=0 # DLL injection into processes
AETHER_TOKEN_MANIPULATION=0 # Access token manipulation
AETHER_LSA_SECRETS=0 # LSA secret reading
Security
The only vulnerability is human error. AETHER_01 is a system administrator tool — like
sudo,regedit, orservices.msc. If you enable all feature gates, disableforcechecks, and blindly execute AI commands — the server does exactly what you tell it. That's not a bug. That's the nature of an administrative tool. Full threat analysis: SECURITY.md
Threat Model
Your computer (trusted environment)
│
├── Cursor / Claude / VS Code (AI client) ─── same user, same machine
│ │
│ └── AETHER_01 (stdio subprocess) ← SERVER
│ │
│ └── Windows API (system calls) — same machine, kernel
│
└── Internet ← AETHER_01 has NO network access
AETHER_01 has no network access. It is a pure stdio process. It does not make HTTP requests, open ports, or listen for connections. All communication is through stdin/stdout with the local AI client.
What the server CANNOT do
| Capability | Status | Reason |
|---|---|---|
| Network connections | Impossible | No HTTP/TCP/UDP code |
| Shell execution | Impossible | Direct Win32 API only, no cmd.exe |
| Remote access | Impossible | stdio only, no HTTP/SSE/TCP |
| Data exfiltration | Impossible | No network path at all |
| Auto-start / persistence | Impossible | No installer, no service, no autorun |
| Auto-update | Impossible | No network request code |
Defense mechanisms
| Mechanism | Protection Level | Description |
|---|---|---|
| Feature Gates | Maximum | BCD Edit, DLL Injection, LSA Secrets, Token Manipulation, Offline Registry, HAL Config — disabled by default in .env. Operations are unavailable without explicit admin enablement. |
force: true | High | Every dangerous operation requires explicit confirmation in parameters. Without "force": true the server refuses. |
| Input validation | High | Every parameter is validated before Win32 API calls. Invalid types, empty strings, invalid PIDs — immediate rejection. |
| No shell injection | High | Zero cmd.exe / powershell.exe calls. All operations through direct Win32 API. No command injection path. |
| WMI SELECT only | Medium | WMI queries restricted to SELECT. DELETE/INSERT/UPDATE — rejected. 30s timeout, 1000 row limit. |
| Path canonicalization | Medium | All file paths go through canonicalize to prevent path traversal. |
| Full audit logging | Medium | Every tool call logged to stderr: tool, action, parameters, result. |
Binary hardening
| Technology | Effect |
|---|---|
Control Flow Guard (/GUARD:CF) | Checks every indirect call — blocks ROP/JOP attacks |
ASLR (/DYNAMICBASE + /HIGHENTROPYVA) | Random load address — can't predict code location |
DEP/NX (/NXCOMPAT) | Stack and heap non-executable — no shellcode injection |
Static CRT (+crt-static) | No external DLL dependency — can't swap the library |
Fat LTO + codegen-units=1 | Full dead code removal — smaller attack surface |
| Symbol stripping | No function names in binary — harder reverse engineering |
| Panic=abort | No unwind tables — smaller binary, no stack leaks |
Standards compliance
AETHER_01 follows:
- IETF draft: MCP Security Considerations — all tool parameters treated as untrusted (originate from LLM susceptible to prompt injection)
- OWASP LLM Top 10 — LLM06 (Excessive Agency) mitigated via
force: true+ feature gates; LLM02 (Insecure Output Handling) mitigated via parameter validation - Anthropic MCP Security Best Practices — stdio transport (isolated), least privilege via gates, audit logging
Prompt injection resistance
AETHER_01 tool parameters come from an LLM that is susceptible to prompt injection. Therefore:
- Every string parameter is escaped before use in Win32 API
- No eval-like operations — cannot "execute arbitrary code" through a parameter
- No format strings in Win32 API — parameters are never interpreted as code
- WMI WQL is escaped — single quotes in query strings are transformed
- Paths are canonicalized —
..\..\windows\system32is normalized to a checkable path
Known CVEs and inapplicability
| CVE | Applicable to AETHER? | Why not |
|---|---|---|
| CVE-2025-54136 (MCPoison) | No | AETHER is a native .exe, not via npx/npm. MCP config contains no executable code — only a binary path. |
| CVE-2025-54135 (CurXecute) | No | AETHER does not process MCP configs from repositories. Config is written once via install.ps1. |
| CVE-2025-64106 (TrustFall) | No | AETHER does not load workspace-level configs. |
| Command Injection | No | AETHER does not use shell. All Win32 API calls with typed parameters. |
Bottom line: if you don't enable feature gates without understanding them, don't disable
forcechecks, and don't run the binary from an untrusted source — AETHER_01 is safe. Likesudoon Linux: a powerful tool requiring conscious use.
Report a vulnerability
SECURITY.md — disclosure process, supported versions, supply chain audit.
Performance
opt-level = 3(all LLVM optimizations)lto = true(fat LTO across all crates)codegen-units = 1(full dead code elimination)panic = "abort"(no unwind tables)strip = "symbols"(minimal binary)target-cpu = native(AVX2, BMI2, FMA, POPCNT)
Project Structure
src/
├── main.rs # tokio::main, stdio transport
├── server.rs # AetherServer + tool_router
├── config.rs # FeatureGates from .env
├── error.rs # AetherError + FormatMessageW
├── audit.rs # Structured audit logging
└── tools/
├── process.rs # process_control
├── filesystem.rs # file_system
├── registry.rs # registry_editor
├── service.rs # service_manager
├── gui.rs # gui_automation
├── sysinfo.rs # system_info
├── network.rs # network_manager
├── user.rs # user_management
├── security.rs # security_audit
└── automation.rs # system_automation
License
MIT