Windows Zombie adds a private, policy-gated AI Systems Administrator to Microsoft Windows 10 and 11. It installs a local chat daemon, a portable Python/Node agent runtime, Windows Service supervision, Defender Firewall rules, and ACL-protected state under
C:\ProgramData\AiZombie\.
Running an AI agent that can actually administer your Windows host means giving it real privileges. Most "AI assistant" projects either sandbox themselves into uselessness or hand the model a root shell with no audit trail. Windows Zombie takes the middle path: full local capability, gated by an editable, auditable policy with explicit operator approval for anything mutating and a confirmation phrase for anything destructive. The chat UI is loopback-only; the only outbound traffic is to the provider you chose.
The project targets Windows 10 22H2 or Windows 11 22H2+ Pro or Enterprise. Windows 10/11
Home can run the agent, but Group Policy and some firewall profile controls
are reduced. The service runs as LocalSystem by default, while the
installer also creates a local Administrators account named zombie for
operators who want a dedicated service identity.
Repository: https://github.com/japer-technology/windows-zombie
⚠️ Production checklist. Read docs/THREAT-MODEL.md and docs/OPERATIONS.md before installing on any machine you care about. The docs/INDEX.md landing page maps every operator/security/contributor task to the right doc.
- WindowsZombie-Chat, an auto-starting Windows Service with restart on failure.
- WindowsZombie-Health, a Scheduled Task that runs Health-Check.ps1 as SYSTEM every 15 minutes.
- C:\ProgramData\AiZombie\ containing bin\, agent\, etc\, secrets\, logs\, state\, agent-env\, and pi\.
- A machine-wide windows-zombie.cmd shim on PATH that launches payload/bin/Zombie-Chat.ps1.
- A Windows Zombie Windows Defender Firewall rule group. The chat port (7878) binds to loopback only and is denied from other interfaces. RDP and optional OpenSSH should be restricted to Tailscale.
- An ACL-protected plaintext secrets file at C:\ProgramData\AiZombie\secrets\env.
There is no Linux privilege prompt, Linux service manager, Linux firewall frontend, Linux package manager, or external log-rotation daemon on Windows. The
policy engine in payload/etc/policy.yaml is the sole privilege gate:
read-only diagnostics may auto-run, mutating actions need operator
approval, and destructive actions require an explicit confirmation phrase.
The agent rotates JSONL audit logs itself under logs\.
- Windows 10 22H2 or Windows 11 22H2+ Pro or Enterprise recommended.
- PowerShell 7+ (pwsh) for normal operation. Windows PowerShell 5.1 is supported only for bootstrap compatibility.
- WinGet / App Installer 1.6+.
- Python 3.12, Node.js 20, and optional Tailscale. The installer can use WinGet to install missing runtimes:
winget install --silent --accept-source-agreements --accept-package-agreements Python.Python.3.12
winget install --silent --accept-source-agreements --accept-package-agreements OpenJS.NodeJS.LTS
winget install --silent --accept-source-agreements --accept-package-agreements Tailscale.Tailscale
Open PowerShell as Administrator and run:
git clone https://github.com/japer-technology/windows-zombie.git
cd windows-zombie
pwsh -File scripts/Install.ps1 install
pwsh -File scripts/Install.ps1 verify
windows-zombie.cmd
The helper prints the local chat URL. By default the web UI listens on
http://127.0.0.1:7878/; use RDP or a Tailscale tunnel from a trusted
operator machine rather than exposing the port directly.
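A check for the loopback-only binding described above, as an added example that is not part of the project's own scripts. The function name Test-LoopbackOnly and the sample records are constructed for illustration; port 7878 comes from this README.

```powershell
# Added example (not project code): flag any listener on the chat port that is
# bound to something other than a loopback address.
function Test-LoopbackOnly {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object]$Listener,
        [int]$Port = 7878          # chat port stated in the README
    )
    begin { $loopback = '127.0.0.1', '::1' }
    process {
        # Ignore listeners on other ports (RDP, OpenSSH, ...).
        if ($Listener.LocalPort -ne $Port) { return }
        [pscustomobject]@{
            LocalAddress  = $Listener.LocalAddress
            LocalPort     = $Listener.LocalPort
            OwningProcess = $Listener.OwningProcess
            # 0.0.0.0, ::, or a NIC address means the port is reachable off-host
            # unless the firewall rule group blocks it.
            Exposed       = $loopback -notcontains $Listener.LocalAddress
        }
    }
}

# Constructed sample records shaped like Get-NetTCPConnection output.
$sample = @(
    [pscustomobject]@{ LocalAddress = '127.0.0.1'; LocalPort = 7878; OwningProcess = 4120 }
    [pscustomobject]@{ LocalAddress = '0.0.0.0';   LocalPort = 7878; OwningProcess = 4120 }
    [pscustomobject]@{ LocalAddress = '0.0.0.0';   LocalPort = 3389; OwningProcess = 1084 }
)
$sample | Test-LoopbackOnly | Format-Table

# On a live host, an empty result means no exposed listener on the chat port:
# Get-NetTCPConnection -State Listen -LocalPort 7878 -ErrorAction SilentlyContinue |
#     Test-LoopbackOnly | Where-Object Exposed
```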
Common lifecycle commands:
pwsh -File scripts/Install.ps1 doctor
pwsh -File scripts/Install.ps1 repair
Restart-Service WindowsZombie-Chat
Get-Service WindowsZombie-Chat
Get-WinEvent -LogName Application -ProviderName WindowsZombie-Chat -MaxEvents 50
Get-Content C:\ProgramData\AiZombie\logs\audit.log -Tail 50
pwsh -File scripts/Uninstall.ps1 -Archive -AssumeYes
To bring up Tailscale on Windows:
& 'C:\Program Files\Tailscale\tailscale.exe' up
Primary configuration lives under C:\ProgramData\AiZombie\etc\:
- policy.yaml defines tool classes, approvals, budgets, and destructive confirmation rules.
- settings.json and APPEND_SYSTEM.md override agent behaviour.
- skills.d\ contains operator skill documents.
- secrets\env stores provider tokens and other secrets with inheritance disabled and FullControl granted only to Administrators, SYSTEM, and zombie.
Machine environment variables can be set with:
[System.Environment]::SetEnvironmentVariable('ZOMBIE_PROVIDER', 'openai', 'Machine')
[System.Environment]::SetEnvironmentVariable('AI_ZOMBIE_ROOT', 'C:\ProgramData\AiZombie', 'Machine')
Restart-Service WindowsZombie-Chat
Use payload/bin/Secrets-Edit.ps1 to edit secrets; it re-applies ACLs and
logs a SHA-256 audit entry. DPAPI encryption is a planned stronger option,
but ACL'd plaintext is the default for parity with the legacy 0640 file.
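Because the secrets file is plaintext, its ACL is the only control protecting the provider tokens. The following added example (not the project's code; the function name Test-SecretsAcl is hypothetical) audits the file against the posture stated above. It assumes the zombie account resolves as COMPUTERNAME\zombie.

```powershell
# Added example (not project code): verify inheritance is disabled and that only
# Administrators, SYSTEM and zombie hold Allow entries on the secrets file.
function Test-SecretsAcl {
    param(
        [string]$Path = 'C:\ProgramData\AiZombie\secrets\env',
        # Assumption: the local account resolves as "<COMPUTERNAME>\zombie".
        [string[]]$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                               "${env:COMPUTERNAME}\zombie")
    )
    $full     = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl      = Get-Acl -LiteralPath $Path
    $findings = [System.Collections.Generic.List[string]]::new()

    # With inheritance on, ACEs from C:\ProgramData (e.g. Users read) flow in.
    if (-not $acl.AreAccessRulesProtected) {
        $findings.Add('Inheritance is enabled on the secrets file')
    }
    # Any Allow ACE for a principal outside the expected set is a finding.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($Allowed -notcontains $id) {
            $findings.Add("Unexpected Allow ACE: $id ($($ace.FileSystemRights))")
        }
    }
    # Each expected principal should hold FullControl, as the README states.
    foreach ($id in $Allowed) {
        $match = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        }
        if (-not $match) { $findings.Add("Missing FullControl for $id") }
    }
    [pscustomobject]@{
        Path      = $Path
        Owner     = $acl.Owner
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Run from an elevated PowerShell session on the installed host.
Test-SecretsAcl | Format-List
```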
To run the service as the dedicated zombie account instead of
LocalSystem:
sc.exe config WindowsZombie-Chat obj= .\zombie password= <password>
Restart-Service WindowsZombie-Chat
The Windows policy engine in payload/etc/policy.yaml is the operating
identity of the AI Systems Administrator: the service runs as
LocalSystem by default, or as a dedicated local Administrators account
named zombie if you reassign the service identity. The configured cloud
LLM provider authenticates the administrator. The operator owns the
machine, the secrets file, the API key, and (if Tailscale is enabled) the
Tailscale account, and can rotate, revoke, or uninstall any of them at any
time. Privileged actions pass through the local policy gate before they
run: read-only diagnostics may auto-run, mutating actions need operator
approval, and destructive actions require an explicit confirmation phrase.
Every action is audit-logged to C:\ProgramData\AiZombie\logs\. The chat
UI binds to 127.0.0.1:7878 only; reach it over RDP or a Tailscale tunnel
from a trusted operator machine rather than exposing the port. Read
SECURITY.md and docs/THREAT-MODEL.md
before running the installer.
Inspired by https://github.com/japer-technology/ubuntu-zombie
The repository uses PowerShell build targets and CI runs on
windows-latest:
pwsh -File build.ps1 lint
pwsh -File build.ps1 test
pwsh -File build.ps1 package
Do not run the installer, uninstaller, or service helpers on a workstation you are not prepared to modify. Use Windows Sandbox, a disposable Hyper-V VM, or another throwaway Windows 10/11 test machine.
The Ubuntu version is the master concept and feature set: https://github.com/japer-technology/ubuntu-zombie
See docs/QUICKSTART.md, docs/CONFIGURATION.md,
docs/ARCHITECTURE.md, and SECURITY.md for deeper operational details.
