We've updated the ServiceNow Community Code of Conduct, adding guidelines around AI usage, professionalism, and content violations. Read more

WinRM ports open producing false positive errors.

ITOMinator
Tera Contributor

6 hours ago

I am receiving false positive errors.  Could not find any valid credentials to authenticate the target for type [Windows] errors on Ips with no host. The Shazzam probe is detecting an open WinRm port 5986 and returning the error on IPs with no host. What ways could this be avoided, and what would be the impact of changing the mid.windows.management_protocol to only use WMI to avoid this?

0 Helpfuls
  • 76 Views
1 REPLY 1

pavani_paluri
Tera Guru

4 hours ago

Hi @ITOMinator ,

 

The Shazzam probe scans IP ranges and sees port 5986 (WinRM) open.
It assumes there’s a Windows host and tries to authenticate.
If there’s no actual host or no valid credentials, Discovery throws the error:
Could not find any valid credentials to authenticate the target for type Windows
This shows up as a false positive because the port is open but not tied to a real Windows system.


Ways to avoid false positives
Credential Affinity / Credential Assignment
Make sure credentials are only applied to IP ranges where you know Windows hosts exist.
This prevents Discovery from wasting attempts on empty IPs.


IP Range Exclusions
Exclude ranges that don’t contain Windows machines from Discovery schedules.
This reduces noise and avoids unnecessary WinRM attempts.


Probe Behavior Adjustments
Configure Discovery to validate host presence before attempting WinRM authentication.
For example, check for WMI or SMB responses first, then try WinRM only if confirmed.
In Discovery Patterns → Classification Rules, you can add conditions so WinRM authentication only runs if:
WMI or SMB responds, or OS fingerprint confirms Windows.
This ensures WinRM isn’t triggered just because port 5986 is open.
In practice, this means adjusting the Windows Classifier Probe so it checks for WMI/SMB first, then WinRM.

 

Impact of changing mid.windows.management_protocol to WMI only
Pros
Stops WinRM-related false positives on empty IPs.
Cleaner logs and fewer misleading errors.
WMI is widely supported on older Windows systems.
Cons
You lose the ability to discover/manage systems that only allow WinRM (common in newer Windows environments).
WMI can be slower and more resource-heavy in large-scale scans.
Some modern features (like remote PowerShell execution) won’t be available.

Recommended approach


Instead of switching entirely to WMI:
Keep both WinRM and WMI enabled.
Use exclusion rules and credential scoping to avoid probing empty IPs.
Configure Discovery to validate host presence before WinRM authentication.
This way, you reduce false positives but still retain full coverage for both legacy (WMI) and modern (WinRM) Windows environments.

 

Mark it helpful if this helps you to understand. Accept solution if this give you the answer you're looking for
Kind Regards,
Pavani P

 

 

 

0 Helpfuls