Labsco
foursecondfivefour logo

AETHER_01

from foursecondfivefour

AETHER_01 is an MCP (Model Context Protocol) server written in Rust that gives AI assistants full control over Windows 10/11 via standard input/output. From process management to GUI automation, from registry to WMI queries โ€” everything a system administrator needs.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedFreeAdvanced setup

AETHER_01 โ€” Full-Spectrum Windows Management MCP Server

Rust License npm

Add AETHER_01 MCP server to Cursor Install in VS Code Install in VS Code Insiders

npm install PowerShell install

10 tools. 99% Windows coverage. Zero security compromises.

AETHER_01 is an MCP (Model Context Protocol) server written in Rust that gives AI assistants full control over Windows 10/11 via standard input/output. From process management to GUI automation, from registry to WMI queries โ€” everything a system administrator needs.


Features

#ToolActions
1process_controllist, kill, create, priority, threads, affinity, modules, DLL injection*
2file_systemread/write/delete, ACL, symlinks, ADS streams, EFS, volumes, network shares
3registry_editorread/write/delete, all hives, security, monitoring, offline mounting*
4service_managerlist, start/stop/restart, config, triggers, drivers
5gui_automationmouse, keyboard, windows, screenshots, clipboard, display, audio
6system_infoCPU, memory, disk, OS, power, devices, BIOS, NTP, software, updates, BCD*
7network_manageradapters, connections, DNS, firewall, proxy, routing, WiFi, VPN, Bluetooth
8user_managementusers, groups, sessions, policies, certificates, credentials, tokens*
9security_auditaudit, UAC, Defender, AppLocker, BitLocker, TPM, Secure Boot, exploit protection
10system_automationEvent Log, Scheduled Tasks, WMI queries

* = disabled by default, enabled via .env feature gates.


Feature Gates (.env)

Dangerous operations are disabled by default and enabled by the system administrator:

Copy & paste โ€” that's it
AETHER_BCD_EDIT=0          # Windows boot configuration editing
AETHER_HAL_CONFIG=0        # HAL and memory dump configuration
AETHER_OFFLINE_REGISTRY=0  # Offline registry hive mounting
AETHER_DLL_INJECT=0        # DLL injection into processes
AETHER_TOKEN_MANIPULATION=0 # Access token manipulation
AETHER_LSA_SECRETS=0       # LSA secret reading

Security

The only vulnerability is human error. AETHER_01 is a system administrator tool โ€” like sudo, regedit, or services.msc. If you enable all feature gates, disable force checks, and blindly execute AI commands โ€” the server does exactly what you tell it. That's not a bug. That's the nature of an administrative tool. Full threat analysis: SECURITY.md

Threat Model

Copy & paste โ€” that's it
Your computer (trusted environment)
โ”‚
โ”œโ”€โ”€ Cursor / Claude / VS Code (AI client) โ”€โ”€โ”€ same user, same machine
โ”‚   โ”‚
โ”‚   โ””โ”€โ”€ AETHER_01 (stdio subprocess) โ† SERVER
โ”‚       โ”‚
โ”‚       โ””โ”€โ”€ Windows API (system calls) โ€” same machine, kernel
โ”‚
โ””โ”€โ”€ Internet โ† AETHER_01 has NO network access

AETHER_01 has no network access. It is a pure stdio process. It does not make HTTP requests, open ports, or listen for connections. All communication is through stdin/stdout with the local AI client.

What the server CANNOT do

CapabilityStatusReason
Network connectionsImpossibleNo HTTP/TCP/UDP code
Shell executionImpossibleDirect Win32 API only, no cmd.exe
Remote accessImpossiblestdio only, no HTTP/SSE/TCP
Data exfiltrationImpossibleNo network path at all
Auto-start / persistenceImpossibleNo installer, no service, no autorun
Auto-updateImpossibleNo network request code

Defense mechanisms

MechanismProtection LevelDescription
Feature GatesMaximumBCD Edit, DLL Injection, LSA Secrets, Token Manipulation, Offline Registry, HAL Config โ€” disabled by default in .env. Operations are unavailable without explicit admin enablement.
force: trueHighEvery dangerous operation requires explicit confirmation in parameters. Without "force": true the server refuses.
Input validationHighEvery parameter is validated before Win32 API calls. Invalid types, empty strings, invalid PIDs โ€” immediate rejection.
No shell injectionHighZero cmd.exe / powershell.exe calls. All operations through direct Win32 API. No command injection path.
WMI SELECT onlyMediumWMI queries restricted to SELECT. DELETE/INSERT/UPDATE โ€” rejected. 30s timeout, 1000 row limit.
Path canonicalizationMediumAll file paths go through canonicalize to prevent path traversal.
Full audit loggingMediumEvery tool call logged to stderr: tool, action, parameters, result.

Binary hardening

TechnologyEffect
Control Flow Guard (/GUARD:CF)Checks every indirect call โ€” blocks ROP/JOP attacks
ASLR (/DYNAMICBASE + /HIGHENTROPYVA)Random load address โ€” can't predict code location
DEP/NX (/NXCOMPAT)Stack and heap non-executable โ€” no shellcode injection
Static CRT (+crt-static)No external DLL dependency โ€” can't swap the library
Fat LTO + codegen-units=1Full dead code removal โ€” smaller attack surface
Symbol strippingNo function names in binary โ€” harder reverse engineering
Panic=abortNo unwind tables โ€” smaller binary, no stack leaks

Standards compliance

AETHER_01 follows:

Prompt injection resistance

AETHER_01 tool parameters come from an LLM that is susceptible to prompt injection. Therefore:

  • Every string parameter is escaped before use in Win32 API
  • No eval-like operations โ€” cannot "execute arbitrary code" through a parameter
  • No format strings in Win32 API โ€” parameters are never interpreted as code
  • WMI WQL is escaped โ€” single quotes in query strings are transformed
  • Paths are canonicalized โ€” ..\..\windows\system32 is normalized to a checkable path

Known CVEs and inapplicability

CVEApplicable to AETHER?Why not
CVE-2025-54136 (MCPoison)NoAETHER is a native .exe, not via npx/npm. MCP config contains no executable code โ€” only a binary path.
CVE-2025-54135 (CurXecute)NoAETHER does not process MCP configs from repositories. Config is written once via install.ps1.
CVE-2025-64106 (TrustFall)NoAETHER does not load workspace-level configs.
Command InjectionNoAETHER does not use shell. All Win32 API calls with typed parameters.

Bottom line: if you don't enable feature gates without understanding them, don't disable force checks, and don't run the binary from an untrusted source โ€” AETHER_01 is safe. Like sudo on Linux: a powerful tool requiring conscious use.

Report a vulnerability

SECURITY.md โ€” disclosure process, supported versions, supply chain audit.


Performance

  • opt-level = 3 (all LLVM optimizations)
  • lto = true (fat LTO across all crates)
  • codegen-units = 1 (full dead code elimination)
  • panic = "abort" (no unwind tables)
  • strip = "symbols" (minimal binary)
  • target-cpu = native (AVX2, BMI2, FMA, POPCNT)

Project Structure

Copy & paste โ€” that's it
src/
โ”œโ”€โ”€ main.rs              # tokio::main, stdio transport
โ”œโ”€โ”€ server.rs            # AetherServer + tool_router
โ”œโ”€โ”€ config.rs            # FeatureGates from .env
โ”œโ”€โ”€ error.rs             # AetherError + FormatMessageW
โ”œโ”€โ”€ audit.rs             # Structured audit logging
โ””โ”€โ”€ tools/
    โ”œโ”€โ”€ process.rs       # process_control
    โ”œโ”€โ”€ filesystem.rs    # file_system
    โ”œโ”€โ”€ registry.rs      # registry_editor
    โ”œโ”€โ”€ service.rs       # service_manager
    โ”œโ”€โ”€ gui.rs           # gui_automation
    โ”œโ”€โ”€ sysinfo.rs       # system_info
    โ”œโ”€โ”€ network.rs       # network_manager
    โ”œโ”€โ”€ user.rs          # user_management
    โ”œโ”€โ”€ security.rs      # security_audit
    โ””โ”€โ”€ automation.rs    # system_automation

License

MIT