Identifying IIS, svchost.exe

mikeb5 · ‎06-08-2015

Discovery is finding Internet Information Services (IIS) by looking for a running process called "svchost.exe" with a command line parameter "iissvcs".

Unfortunately, we're not finding a lot of IIS instances as the command line parameter is not displayed when we do a WMI query. It's shown on some servers, but not others!

Has anyone else seen this?

Is there an alternative way of reliably identifying IIS?

Examples:

PS C:\vb> gwmi win32_process -comp xxxxxxx |?{$_.name -match "svchost"} | select name,commandline

name commandline

---- -----------

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe

_________________________________________________________________________________________________________________________________________________________

PS C:\vb> gwmi win32_process -comp yyyyyyyyy |?{$_.name -match "svchost"} | select name,commandline

name commandline

---- -----------

svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch
svchost.exe C:\Windows\system32\svchost.exe -k RPCSS
svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
svchost.exe C:\Windows\system32\svchost.exe -k LocalService
svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
svchost.exe C:\Windows\system32\svchost.exe -k NetworkService
svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
svchost.exe C:\Windows\system32\svchost.exe -k apphost
svchost.exe C:\Windows\system32\svchost.exe -k regsvc
svchost.exe C:\Windows\system32\svchost.exe -k iissvcs
svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
svchost.exe C:\Windows\System32\svchost.exe -k termsvcs
svchost.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

mikeb5 · ‎06-08-2015

IIS is running. I can work out which PID it's got and see there's a svchost.exe with that PID.

Deepak Ingale1 · ‎06-08-2015

If I am not mistaken, PID is process identifier.

I have not worked on Discovery, does that command gets executed by discovery only? or is it created by some admin ?

Can you not also work on Service to check if IIS server service is running or not?

mikeb5 · ‎06-08-2015

Service Now identifies IIS by looking at processes running. If it finds svchost.exe running with a parameter IISSVC, it assumes IIS is there.

I could use the service to check if IIS is there....one of my questions was whether there was a reliable alternative to the way ServiceNow have written things.

I don't know much about IIS 🙂 Would looking for a service work? I s it always the same service name across windows versions and IIS versions?

glennpinto · ‎06-08-2015

Hi Mike, if you can see the IIS process captured under the processes tab of the CI in ServiceNow, you can open that record and basically create a new process identifier using anything available within that record as a condition to identify IIS is running. ServiceNow provides a default process identifier, but you can always create another one and deactivate the baseline one to avoid getting IIS to display twice for one server if the identifier is matched twice using two classifiers. So questions I would look at:

1. Does the IIS process show under the CI's process tab for the one that is not being classified?

2. If not does it show within task manager under the processes tab on the server itself. This is generally what is collected and provided back to ServiceNow in order to do the process classification.

3. If it does not show under task manager you have to verify the service is up as it should always appear there by default when the service is running, which means SN should pick it up if it picks up all the other processes.

mikeb5 · ‎06-08-2015

I can see svchost.exe in the processes tab. Unfortunately, I can see 11 instances of svchost.exe !! I can't tell which, if any, is the IIS one. SN doesn't pick up the parameters so all the svchost.exe entries look alike.