Skip to content

EmptyCode0x86/Web-Remote-Control-System

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

21 Commits
Β 
Β 

Repository files navigation

OffCode Web Remote Control System 0.9 🌐

The Web Remote Control System is a high-performance, completely free, and self-hosted platform that lets you manage Windows devices directly from any web browser. Combining a lightweight Windows Agent with a modern Blazor-based control panel, you can monitor and control remote computers in real-time securely.

✨ Features

  • AES-256 GCM Encryption: Sensitive hub payloads (commands, device lists, file metadata, screenshots, etc.) are encrypted at the application layer; transport should use HTTPS/WSS in production.
  • Live Stream & Interactive Control: View the remote desktop and interact with the mouse/keyboard in real time.
  • Chat: Real-time two-way chat window between the dashboard administrator and the remote agent's user, complete with customizable administrator nickname and message history.
  • Share Screen (Public Viewer): Generate a public, anonymous link to securely share the live stream of the remote device with others without giving them dashboard access. Choose a custom expiry (hours + minutes) or No time limit; expired links show a clear message to viewers and stop relaying frames automatically.
  • Streaming File Manager: Transfer large files efficiently without hitting memory limits; browse all ready drives (fixed, removable, network) and jump to common folders (e.g. Desktop, Documents, Downloads, Program Files, AppData); click-to-open navigation with upload target following the current path; optional Upload and run toggle to open uploaded files automatically on the agent; File Search by name with wildcard and recursive subdirectory support.
  • Desktop Screenshot: Capture preview in the control panel; Close Image dismisses the preview without leaving the page.
  • Task Manager & Process Blocker: View active processes and manage them directly from the web interface. Block specific applications by name so the remote agent instantly kills them upon startup. Setting persists even if the browser dashboard is closed.
  • Power Controls: Shut down or restart the remote device from the Task Manager panel.
  • Software Manager: List installed applications and uninstall them remotely using Windows Registry data.
  • Remote Process Execution: Instantly run commands, open files, or launch software on the remote machine.
  • Remote Terminal & Script Manager: Interactive PowerShell/CMD terminal directly in the browser, plus a built-in script editor. Write, save, and execute Python, PowerShell, Batch, and VBScript files securely on the remote agent. Advanced features include:
    • Stop Script: Safely and asynchronously terminate currently running scripts.
    • Download Output: Save script execution outputs directly to a local file.
    • Scheduled Script Execution: Set an exact date and time for scripts to run automatically on the agent, managed by the backend server even if the browser dashboard is closed.
  • System Telemetry: Monitor detailed hardware and software metrics (CPU, RAM, OS version, network info) through the Computer Info dashboard. Startup Programs panel now includes a Remove button on each row β€” deletes the entry directly from the Windows Registry (HKCU / HKLM) or the startup folder. The agent must run as Administrator to remove HKLM entries; the result is reported back with a toast notification.
  • Device History: Track and manage previously connected devices for quicker reconnection.
  • Real-time Device Ping: Connected devices list shows live round-trip latency (ms) between the backend and each online agent, updated every ~10 seconds with color-coded indicators.
  • Telegram Notifications (Optional): Receive a Telegram message when any device comes online. Configure bot token and chat ID from Agent settings (global setting); includes in-modal setup help and a test message button.
  • Telegram Bot Commands: Send /Get_info in the configured Telegram chat to fetch Computer Info from an online device (device selection prompt when multiple devices are connected). Only messages from the configured chat ID are processed.
  • Agent Settings (Auto Startup Name): In Agent settings, enabling Windows auto startup now opens a modal where you can set a custom startup name (default: RemoteControlAgent).
  • Dashboard Lock (Optional): Password gate for the admin panel (/authentication/login) with settings at /authentication/settings. The password is stored only as a secure hash on the server. The Blazor app uses a cookie session; successful verification also issues a short-lived JWT (Bearer) for SignalR and protected REST APIs (DashboardAccess). Agent file-transfer HTTP endpoints (agent-download / agent-upload) stay anonymous so agents can pull/push files. Lock configure requires either an authenticated dashboard session or DASHBOARD_LOCK_ADMIN_SECRET. With lock on, unauthenticated users are not shown dashboard pages. With lock off, /authentication/continue can establish the session without a password. Lock settings include a Dashboard shortcut to the devices page (/devices).
  • Remove Agent: Disconnect a device from the dashboard and trigger remote uninstall of the agent executable on the target PC; if the agent is offline, the request is queued in SQLite and runs when it reconnects.
  • Server Manager: Configure ports, start the backend and frontend independently (stopping Frontend does not stop Backend, and vice versa), generate secure client agents (stubs), toggle optional file logging, and view the latest project changelog directly within the application.

πŸ” Security Architecture

πŸ›‘οΈ Request Protection

Layer Protection
1 Request timeout β€” 30s global, 10 min for file transfers, ∞ for SignalR (Slowloris protection)
2 Security headers β€” CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORP, COOP
3 Request audit trail β€” All authentication events logged with IP, UserAgent, risk level and PII masking
4 Kestrel hardening β€” RequestHeadersTimeout: 15s, KeepAliveTimeout: 120s, HTTP/2 stream limit: 100
5 Login rate limiting β€” 8 attempts per minute per IP+UserAgent (dashboard lock)
6 API rate limiting β€” 10 requests per minute per client (SecurityService)

πŸ”’ Server-Level Security

Component Implementation
Transport encryption AES-256-GCM (SignalR payload E2E), TLS via reverse proxy (Cloudflare/Nginx)
Password storage (Dashboard) ASP.NET Identity IPasswordHasher β†’ PBKDF2-SHA256 with random salt
JWT tokens HS256 (HMAC-SHA256), configurable expiry (5–240 min), mandatory strong key in production
JWT signing key Enforced minimum 32 chars; weak/default keys blocked at startup in production mode
API authentication JWT Bearer token with DashboardAccess claim required for all admin endpoints
SignalR hub auth DashboardHubAuthorizationFilter β€” admin hub methods require dashboard_access: true JWT claim; agent methods (ConnectAsDevice, ReceiveEncryptedFromAgent, Pong) and anonymous share viewer method (JoinShare) are explicitly allow-listed
AES key validation App refuses to start if AES_MASTER_KEY_HEX is missing or not exactly 256 bits (enforced identically on BackEnd, FrontEnd, and RemoteAgent β€” no insecure development fallback)
Per-agent encryption keys Each Remote Agent stub built via Server Manager gets its own randomly generated AES-256 key + AgentKeyId, registered in BackEnd/AgentKeys.json (hot-reloaded, no restart needed). Leaking a single agent binary no longer exposes the traffic of every other connected device β€” the shared AES_MASTER_KEY_HEX remains only for the BackEnd↔FrontEnd Dashboard channel, which is never distributed externally. Legacy agents without AgentKeyId keep working via automatic fallback to the shared key when allowed by config.
Per-stub connect token Each new stub also receives a unique AGENT_CONNECT_TOKEN (256-bit random hex) embedded in the trailer/.env and registered in BackEnd/AgentKeys.json alongside AgentKeyId. The BackEnd validates this token on ConnectAsDevice before registering the device β€” preventing identity spoofing on the open hub method. Validation activates per registry entry (legacy AgentKeys.json rows without connectToken stay allowed until updated). AgentSecurity:RequireConnectToken (false in dev, true in production) blocks legacy agents without tokens. When true, agents sending an unknown agentKeyId (not found in the registry) are also rejected β€” closing a bypass where an attacker could skip token validation by sending any unrecognized ID. Token comparison uses CryptographicOperations.FixedTimeEquals on decoded hex bytes. Use HTTPS/WSS in production so the connect token is not visible on the wire.
Encrypted hub tunnel Sensitive admin↔BackEnd and agent↔BackEnd payloads travel as AES-GCM inside generic hub targets (ReceiveEncryptedFromAdmin, ReceiveEncryptedFromAgent, ReceiveEncryptedPacket) so method names and ciphertext β€” not business JSON β€” appear on the network.
Replay protection In-memory ReplayCache tracking packet fingerprints (SHA-256 of the GCM nonce/tag slice) combined with a 60-second packet.Timestamp validation window. Stale or duplicate packages are discarded on both BackEnd and RemoteAgent sides to prevent replay attacks. Max age is configurable via ReplayProtection:MaxAgeSeconds in appsettings.json.
SQL injection Entity Framework Core parameterized queries only
Error handling Internal exception details never exposed to HTTP clients; full details in server logs only
Audit logging SQLite event log β€” action, IP, UserAgent, risk level (Low/Medium/High/Critical), PII-masked
Brute force detection Automatic suspicious pattern detection (>10 failed logins or >5 rate-limit hits per hour)
Timing-safe comparison FixedTimeEquals used for admin secret verification and per-stub connect token validation (constant-time byte comparison)
CORS Configurable ALLOWED_ORIGINS; wildcard * blocked in production by default

πŸ–₯️ FrontEnd-Level Security

Component Implementation
Session cookie RemoteControl.DashboardAuth, SameSite=Strict, 8h expiry
Blazor Server WebSocket-based β€” not vulnerable to traditional CSRF
Return URL validation All returnUrl values validated β€” must start with /, no // open redirects
XSS prevention Blazor renders via DOM β€” no raw innerHTML injection
Content Security Policy Strict CSP on all pages; no unsafe-eval; limited external origins

πŸ› οΈ Prerequisites

To run the Server Manager and compile the remote agent, you must have the .NET SDK installed on your system. πŸ‘‰ Download .NET 9.0 SDK


πŸš€ Getting Started

Follow these steps to set up your self-hosted remote control server and create your first client agent:

  1. Extract the files: Extract the downloaded .zip file completely into a folder.

  2. Configure Server Details: Open the Server Manager application. In the configuration settings, set the following:

    • Server Address: Your server's IP address or domain name (committed templates often use 127.0.0.1 for local development only).
    • Frontend Port: The port for the web dashboard (e.g., 5000).
    • Backend Port: The port for the API and SignalR communication (e.g., 5001).
    • Encryption key: Ensure AES_MASTER_KEY_HEX is set (64 hex chars) on BackEnd, FrontEnd, and agents before real use β€” repository samples may ship with an empty placeholder so secrets are not baked into the repo.
  3. Generate the Agent (Stub): Click the "Create remote agent file" button in the Server Manager. This will compile a custom .exe file (stub) embedded with your server details, a unique per-agent AES-256 key (AgentKeyId), and a per-stub connect token (AGENT_CONNECT_TOKEN). Both are registered automatically in BackEnd/AgentKeys.json (hot-reloaded by the running BackEnd).

    • Note: Running this generated agent file on a target Windows computer will establish the secure remote connection back to your web dashboard. Rebuild stubs after security updates so they include the latest connect-token flow.

⚠️ IMPORTANT WARNING

To ensure the system functions correctly, DO NOT rename any folders or delete any files within the extracted directory. The Server Manager relies on specific file paths and structures to compile the agent and run the backend/frontend servers. Any modifications to the directory structure will break the application.


🌐 Connectivity & Port Forwarding

If you intend to control devices over the internet (outside your local home network), you must expose your server so the agents can connect to it. You have several options:

  1. Cloudflare Tunnels (Highly Recommended): The most secure and easiest method. No router port forwarding is required. Cloudflare Zero Trust connects your local ports to a domain name and automatically provides HTTPS/WSS.
  2. Port Forwarding (Router): Manually configure your router to forward the Backend Port (and Frontend Port if you want dashboard access) to your server computer. You will need a public IP or Dynamic DNS (DDNS).
  3. Mesh VPNs (Tailscale / ZeroTier): Create a secure virtual local network. Install the VPN on both the server and the target devices. No public internet exposure is needed.
  4. VPS Deployment: Run the entire BackEnd and FrontEnd on a rented Ubuntu/Linux VPS with a reverse proxy like Nginx.

πŸ”’ Security & Deployment

Because this is a self-hosted solution, you have full control over your data. For production deployment over the internet, it is highly recommended to use a reverse proxy (like Nginx or Cloudflare) to utilize HTTPS/WSS for transport security β€” this protects the dashboard JWT, the per-stub AGENT_CONNECT_TOKEN sent during agent registration, and all SignalR traffic β€” in addition to the built-in AES-256 application-layer payload encryption. Set AgentSecurity:RequireConnectToken to true in production (appsettings.Production.json) only after all deployed stubs have been rebuilt with connect tokens.

Nginx Configuration Example

If you are deploying behind Nginx on Windows or Linux, use the following template to properly route WebSocket (SignalR) and HTTP traffic. Ensure your ServerManager is set to use ports 8001 and 8081 so Nginx can listen on 8000 and 8080.

events {
    worker_connections 1024;
}

http {
    # FRONTEND (Nginx listens on 8000 -> Routes to C# FrontEnd on 8001)
    server {
        listen 8000;
        server_name _; 

        location / {
            proxy_pass http://127.0.0.1:8001;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    # BACKEND (Nginx listens on 8080 -> Routes to C# BackEnd on 8081)
    server {
        listen 8080;
        server_name _; 

        location / {
            proxy_pass http://127.0.0.1:8081;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

Note: The C# backend and frontend natively support X-Forwarded-For and X-Forwarded-Proto headers, so they will automatically log the true client IP even behind the proxy.

HTTPS over direct IP (self-signed)

For testing or deployment without a domain, use TLS on nginx with a self-signed certificate (IP in SAN). Full step-by-step guide, Server Manager sync checklist, and ready-made config:

βš–οΈ Legal Disclaimer & Terms of Use

Please read and understand these terms before proceeding:

  • Important Notice: This software is intended only for lawful, authorized use. Do not use it for illegal activity, unauthorized access, harassment, or any other criminal behavior.
  • User Responsibilities: You are solely responsible for how you use this application and must comply with all applicable laws, policies, and permissions in your jurisdiction.
  • Prohibited Uses:
    • Unauthorized access to systems or devices
    • Harassment, stalking, or intimidation
    • Any form of illegal surveillance
    • Disrupting business operations without permission
    • Violating privacy rights of others
    • Any activity that violates local, state, or federal laws
  • Liability Disclaimer: Use at your own risk. The author(s) and distributor(s) assume no liability for misuse or any resulting damages, legal consequences, or other issues arising from the use of this software.

By downloading and using this software, you acknowledge that you have read, understood, and agree to be bound by these terms and conditions.


πŸ“„ License

This project is provided as a free tool for personal and commercial use.

https://www.dev-offcode.com/RemoteControl.html


CHANGELOG:

10/07/2026 VER: 0.9

  • Added: Share Link Expiry β€” Live Stream share links can now have a configurable lifetime. In the stream toolbar, set Hours and Minutes or enable No time limit. The backend registers sessions in ShareSessionService; ShareExpiryService expires them and notifies viewers via ShareExpired. Admin UI shows a countdown while sharing. Server validates links on JoinShare and BroadcastSharedFrame (1 min – 7 days, or unlimited).
  • Added: Real-time Device Ping β€” DevicePingService pings connected agents every 10 s; agents respond with Pong; RTT is shown in the connected devices list (PingMs, color-coded). Cleartext ping IDs only (no sensitive payload).
  • Added: Telegram Notifications β€” Optional global setting in Agent settings: Telegram message when a device comes online. Settings persisted in telegram-settings.json (hot-reload); REST API api/telegram/settings + test endpoint; in-modal BotFather setup help.
  • Added: Telegram /Get_info Command β€” TelegramCommandService polls Bot API getUpdates; /Get_info requests Computer Info from an online agent (multi-device selection in chat). Responses routed via hub (SendComputerInfoRequestToAgentAsync, telegram- requestId prefix). Only the configured chat ID is accepted.
  • Fixed: Share Screen anonymous join β€” JoinShare added to hub anonymous allow-list so public viewers can connect without dashboard JWT.
  • Security: Replay Attack Protection (EncryptedPacket) β€” All incoming EncryptedPacket messages are now protected against replay attacks on both the BackEnd and RemoteAgent sides. A new ReplayCache (in-memory nonce-cache, BackEnd/Security/ReplayCache.cs and RemoteAgent/Security/ReplayCache.cs) registers the SHA-256 fingerprint of every received encrypted blob; an identical blob is rejected immediately. In addition, packet.Timestamp is validated against a configurable time window (default 60 seconds, tunable via ReplayProtection:MaxAgeSeconds in appsettings.json) β€” stale packets are dropped with a warning log. Validation runs in DeviceControlHub.ReceiveEncryptedFromAdmin, DeviceControlHub.ReceiveEncryptedFromAgent and SignalRService.HandleReceiveEncryptedPacketAsync. AES-GCM already guaranteed confidentiality and integrity; ReplayCache adds freshness so a captured valid ciphertext (e.g. a shutdown or kill-process command) cannot be replayed later.
  • Security: ConnectAsDevice bypass fix β€” Fixed a security vulnerability in DeviceControlHub.ConnectAsDevice. When AgentSecurity:RequireConnectToken was set to true, an attacker could bypass the enforcement by sending any unknown agentKeyId β€” TryGetConnectToken returned false for the unknown ID, causing the code to skip token validation and allow the connection as a legacy agent. Added an else if (requireToken) branch inside the agentKeyId block: if agentKeyId is provided but not found in the AgentKeys.json registry in strict mode, the connection is now rejected with HubException("Unauthorized") and a warning is logged (ConnectAsDevice: unknown agentKeyId rejected). The attacker would still need the shared AES_MASTER_KEY_HEX to communicate, but the RequireConnectToken enforcement now correctly covers all cases.

05/07/2026 VER: 0.8

  • Security: Agent encryption & identity (v2) β€” Server Manager now generates a unique AES-256 key, AgentKeyId, and AGENT_CONNECT_TOKEN (256-bit random hex) for each new stub. All three are embedded in the stub trailer/.env and registered in BackEnd/AgentKeys.json (hot-reloaded via AgentKeyStore, no BackEnd restart). Per-agent keys limit blast radius: leaking one stub no longer decrypts every agent's traffic (the shared AES_MASTER_KEY_HEX remains BackEnd↔FrontEnd dashboard only). Connect token closes identity spoofing on the anonymous ConnectAsDevice hub method: the BackEnd validates the token with constant-time hex comparison before registration; new agents call ConnectAsDevice directly over TLS. Validation activates per registry entry (legacy rows without connectToken still work until updated). The encrypted ReceiveEncryptedFromAgent β†’ ConnectAsDevice bypass is restricted when AgentSecurity:RequireConnectToken is true (false in dev, true in appsettings.Production.json). Production: rebuild all agent stubs after upgrading the BackEnd, then enable RequireConnectToken=true. Use HTTPS/WSS so the connect token is not visible on the wire. LoadTester supports direct token-based registration.
  • Fixed: FrontEnd Hardcoded Dev Fallback Key Removed β€” The FrontEnd's encryption service previously fell back to a hardcoded AES key when ASPNETCORE_ENVIRONMENT=Development and AES_MASTER_KEY_HEX was unset. It now fails fast and refuses to start without a valid key, matching the BackEnd and RemoteAgent behavior exactly.

20/06/2026 VER: 0.7

  • Added: Reverse Proxy Support β€” Built-in support for Nginx and Cloudflare Tunnels utilizing X-Forwarded-For and X-Forwarded-Proto headers. The servers now seamlessly track real client IP addresses securely when placed behind a reverse proxy.
  • Added: Auto Startup Name modal β€” Enabling Windows auto startup from Agent settings now opens a modal where you can choose a custom startup name (or keep default RemoteControlAgent).
  • Improved: Live Stream Cursor Visibility β€” The real system cursor from the agent machine is now rendered directly into captured livestream frames, including scaled captures.
  • Improved: Live Stream Smoothness β€” Streaming lag/stutter has been significantly reduced with pipeline optimizations, resulting in much smoother playback and fewer frame hiccups.
  • Fixed: Remote Control Right Click β€” Right-click from dashboard now correctly executes as right-click on the agent side, and right mouse button no longer triggers left-button down/up drag events.

18/06/2026 VER: 0.6

  • Security: Request Timeout / Slowloris Protection β€” RequestTimeout middleware added (30s global, 10 min for file transfers, ∞ for SignalR). Kestrel hardened with RequestHeadersTimeout: 15s and KeepAliveTimeout: 120s. HTTP/2 stream limit set to 100 per connection.
  • Security: Error Message Hardening β€” Internal ex.Message no longer exposed in HTTP responses across UserController, DeviceController, and FileManagerController (12 locations fixed). All 500 responses now return a safe generic message; full exception details logged server-side only. Global fallback exception handler added to BackEnd/Program.cs with correlationId for log tracing.
  • Fixed: Script Execution Timeout Removed β€” Scripts now run indefinitely until manually stopped by the user. The previous 5-minute hard timeout (CancellationTokenSource(TimeSpan.FromMinutes(5))) has been removed from ScriptExecutionService. Output buffer size limit also removed.
  • Improved: UI Modernization (Glassmorphism) β€” The Blazor FrontEnd has been significantly upgraded with a sleek "glassmorphism" theme featuring emerald/teal accents. This applies to LiveStream, DeviceControl, AgentSettingsPanel, and authentication pages.
  • Fixed: Mobile Layout β€” Connected devices and history views are now fully responsive on mobile devices via a robust Flexbox layout, fixing overflowing text and stretched elements.
  • Improved: Live Stream Viewer β€” Added dynamic zoom controls allowing users to zoom in/out with the mouse wheel while tracking the cursor position. Added support for up to 240 FPS and dynamic quality settings (10-100%) for incredibly smooth playback, with 30 FPS set as the new default.
  • Fixed: Share Screen Link Copy β€” The "Copy Link" button in the Live Stream view now uses synchronous JavaScript logic for improved reliability across all environments.
  • Added: Stealth Mode β€” You can now hide the agent's tray icon directly from the "Agent settings" panel. When Stealth Mode is enabled, the agent runs silently in the background and is only visible in the Windows Task Manager.
  • Added: Chat β€” Real-time two-way chat window between the dashboard administrator and the remote agent's user, complete with customizable administrator nickname and message history.
  • Added: Script Manager Enhancements (Job-based) β€” The Remote Agent now tracks all running and completed scripts directly in its RAM. The dashboard automatically fetches this real-time status, ensuring you never lose track of a script's progress, even if you close the browser. Includes a new "Clear Recent" functionality, safe asynchronous script stopping, and the ability to download execution output.

13/06/2026 VER: 0.5

  • Added: Process Blocker β€” Prevent specific applications from running on the remote device. Enter the process name in the Task Manager section, and the background agent service will instantly kill it whenever it attempts to start. The blocking setting is saved directly to the Windows Registry and persists across reboots and network reconnects.
  • Added: Startup Programs β€” Remove β€” Each startup program entry in Computer Info now has a Remove button. Clicking it sends an encrypted RequestRemoveStartupProgram command through the hub to the agent, which deletes the registry key (HKCU\..\Run, HKLM\..\Run, or Wow6432Node) or the startup folder shortcut. The result is returned over the same encrypted channel and displayed as a toast notification (success / error). HKLM removal requires the agent to be running as Administrator.
  • Added: File Manager β€” Search β€” Search for files by name in the current directory (including subdirectories) directly from the web dashboard. Results are capped at 500 items for safety and use the encrypted SignalR tunnel for communication.

17/05/2026 VER: 0.4

  • Added: Script manager tab / Scheduled Script Execution - which allows setting a specific date and time for a script to run automatically, independently managed by the backend server.
  • Added: Server Manager Changelog - In-app changelog viewer that fetches and parses the latest release notes automatically, along with a quick link to download new versions.

14/05/2026 VER: 0.3

  • Added: Share Screen - Share the agent's live stream with anyone via a secure, public link without requiring a dashboard login. The public viewer connects anonymously while your dashboard acts as the decryption relay.
  • Added: Remote Terminal - Fully interactive PowerShell and Command Prompt terminal directly in the web dashboard.
  • Added: Script Manager - Built-in code editor to write, save, and execute scripts (Python, PowerShell, Batch, VBScript) on remote agent machines. Includes

09/05/2026 VER: 0.2

  • Added: Software Manager - Remotely list and uninstall applications via Windows Registry.
  • Added: Power Controls - Shutdown and Restart devices remotely from the Task Manager panel.
  • Added: Device History - Track and manage previously connected devices.
  • Added: File Manager β€” dynamic drives β€” Quick-access buttons for all ready drives (fixed, removable, network) fetched from the agent over the encrypted SignalR channel.
  • Added: File Manager β€” quick folders β€” Program Files, Program Files (x86), and Roaming AppData shortcuts (resolved on the agent via shell folder tokens, same pattern as Desktop/Documents/Downloads).
  • Improved: File Manager UX β€” Open folders with a single click on the row; upload target automatically follows the current browse path (no separate β€œSet as Target” step).
  • Added: File Manager β€” upload and run β€” Optional checkbox to open uploaded files automatically on the agent after transfer completes.
  • Added: Desktop Screenshot β€” Close Image β€” Dismiss the screenshot preview from the device control UI.
  • Added: Server Manager β€” log toggle β€” Checkbox to turn application logging on or off.
  • Fixed: Server Manager β€” Stopping or restarting the frontend no longer stops the backend (independent service controls).
  • Added: Dashboard Lock (optional) β€” Cookie session for the Blazor UI, lock-aware redirects, /authentication/continue when lock is disabled, safe returnUrl handling; backend stores the dashboard password as a secure hash; short-lived JWT for admin SignalR and protected REST (DeviceController, admin FileManager routes); agent HTTP file endpoints (agent-download / agent-upload) remain reachable without JWT; configure requires auth or DASHBOARD_LOCK_ADMIN_SECRET.
  • Config samples: AES_MASTER_KEY_HEX default empty and example URLs use 127.0.0.1 in committed .env / appsettings templates (set real values for production).
  • Added: Remove Agent β€” Remote uninstall flow with confirmation; offline queue in SQLite (PendingAgentCommands) until the agent reconnects.
  • Added: Lock settings UI β€” Dashboard button on /authentication/settings opens the devices page (/devices).

08/05/2026 VER: 0.1

  • Fixed: Empty secret key generation issue in Server Manager.
  • Fixed: Auto-detect project path and Server Manager crashing issues.

About

The Web Remote Control System is a high-performance, completely free, and self-hosted platform that lets you manage Windows devices directly from any web browser. Combining a lightweight Windows Agent with a modern Blazor-based control panel.

Topics

Resources

Stars

1 star

Watchers

0 watching

Forks

Packages

 
 
 

Contributors