Getting Started
Trust CenterTourStatusPageSupport
Start typing to search…

Windows Forwarder Troubleshooting

This guide covers common Windows forwarder issues and how to resolve them. For log file locations and registry paths, see What to Check First.

Forwarder service is not running

Symptoms: The forwarder appears installed but is not uploading files. Stairwell shows the asset as inactive or stale.

Steps:

  1. Open Services (services.msc) and check the status of StairwellForwarder and SWAgent (v1.6+), or InceptionForwarder and SWAgent (v1.5.1 and earlier).
  2. If either service is stopped, right-click and select Start.
  3. If the service fails to start, check the event log: open Event Viewer → Windows LogsApplication, and filter by source StairwellForwarder or InceptionForwarder.
  4. If the service starts but immediately stops, review the forwarder logs at C:\ProgramData\Stairwell\SwellService\logs (v1.6+) or C:\ProgramData\Stairwell\Inception\logs (earlier versions).

Common cause: A prior upgrade left a stale service registration. Uninstall the forwarder completely, reboot, then reinstall using the latest installer.

Asset is not checking in to the platform

Symptoms: The asset appears in Stairwell but the last-seen timestamp is stale, or no sightings are arriving.

Steps:

  1. Verify network connectivity from the host to Stairwell endpoints. The forwarder requires outbound HTTPS (port 443) to *.app.stairwell.com, *.api.stairwell.com, downloads.stairwell.com, and storage.googleapis.com. See Connectivity Requirements.
  2. If SSL inspection is enabled, add those domains to your decryption bypass list. The forwarder performs certificate validation and will fail silently if certificates are substituted.
  3. Check the registry for the correct environment ID and registration token: HKLM\Software\Stairwell\SwellService (v1.6+) or HKLM\Software\Stairwell\Inception (earlier).
  4. If credentials are missing or incorrect, re-register the asset: uninstall, then reinstall with valid credentials from your Stairwell environment settings.

High CPU or disk I/O during initial deployment

Symptoms: Noticeable CPU or disk activity after first installation, particularly on systems with large file inventories.

What is happening: On first install, the forwarder performs an initial backscan of the entire file system to build a baseline inventory. This is expected behavior and is a one-time cost. Subsequent activity is event-driven (new/modified files only) and has minimal performance impact.

Reducing impact:

  • Deploy during off-hours or maintenance windows when possible.
  • Use Stairwell policies to configure deny paths that exclude high-volume directories unlikely to contain security-relevant files (e.g., video libraries, backup staging directories).
  • For developer workstations and other high-churn systems, consider adding build output directories and package caches to deny paths before deployment.
  • See Forwarder Performance Tuning for configuration guidance.

Backscan is not completing or appears stuck

Symptoms: Initial file collection appears to stall. The asset is active but sighting volume drops to zero after initial burst.

Steps:

  1. Check the registry key BackscanStatus at HKLM\Software\Stairwell\SwellService to confirm backscan state.
  2. Review forwarder logs for errors or repeated retry messages.
  3. If backscan has been running for more than 24 hours on a standard endpoint (not a file server), it may be stuck. Restart the StairwellForwarder service to resume.
  4. If backscan consistently fails, check whether antivirus software is blocking file reads. Add the Stairwell service binary and its working directories to your AV exclusion list. See Antivirus Exclusions for the Windows Forwarder.

Upgrade fails or forwarder reverts to previous version

Symptoms: After running an upgrade package, the forwarder still reports the old version, or the service does not restart.

Steps:

  1. Confirm the previous forwarder version is fully stopped before applying the upgrade. Run Get-Service StairwellForwarder | Stop-Service before deploying the new installer.
  2. If deploying via Intune or SCCM, verify that the detection rule for the previous version is cleared before the new package is deployed. A detection conflict can cause the deployment system to report success while the old version remains installed.
  3. After upgrade, confirm the version in HKLM\Software\Stairwell\SwellService\Version.
  4. If the upgrade consistently fails, perform a clean install: uninstall via Add/Remove Programs or msiexec /x, reboot, then install the new version.

Registration failure

Symptoms: Forwarder installs but the asset never appears in the Stairwell platform. Logs show repeated registration errors.

Steps:

  1. Confirm the environment ID and forwarder token are correct. Both are available in Stairwell under SettingsEnvironment.
  2. Verify that the host can reach *.api.stairwell.com:443. A proxy or firewall may be blocking the initial registration call even if general internet access works.
  3. If using a proxy, confirm that the forwarder is configured to route through it. See Proxy Support.
  4. Check the forwarder log for the specific registration error. A 401 indicates bad credentials. A timeout or connection refused indicates a network block.

Getting help

If you cannot resolve the issue using this guide, gather the following before contacting Stairwell support:

  • Forwarder version
  • OS version and patch level
  • Forwarder log files from C:\ProgramData\Stairwell\SwellService\logs
  • Registry export of HKLM\Software\Stairwell\SwellService
  • Description of when the issue started and any recent changes (upgrades, policy changes, network changes)

Updated 3 days ago