PowerShell for Discovery and Service Mapping
Summary of PowerShell for Discovery and Service Mapping
This content explains how ServiceNow MID Servers use PowerShell and PowerShell Remoting to perform horizontal and top-down discovery of Windows servers and applications. PowerShell enables MID Servers to directly communicate with Windows servers via WMI and WinRM protocols, allowing efficient and secure querying of configuration items (CIs) across potentially multiple Windows domains.
If PowerShell is not configured, MID Servers default to using WMI. PowerShell is the preferred method due to its ability to handle credentials for servers in different domains and establish secure remote sessions.
Key Features
- PowerShell Remoting: Establishes persistent, secure PSSessions for querying Windows servers using WinRM.
- Probe and Sensor Integration: For example, detecting an MSSQL instance triggers the Windows - MSSQL probe to return database catalogs and version information.
- Probe Parameters: Scripts like WMI_ActiveConnections.ps1 run netstat.exe remotely to gather connection details such as process IDs, ports, and IP addresses.
- Credential Management: Uses credentials stored in the Credentials [discovery_credentials] table or, if absent, the MID Server service account credentials to authenticate during discovery.
- MID Server Script Includes: Scripts like GenerateWMIScriptJS and GenerateWMIScriptPS1 dynamically generate discovery scripts for WMIRunner and PowerShell probes.
- PowerShell Version Support: ServiceNow supports PowerShell versions 3.0, 4.0, and 5.0 for discovery and service mapping. Version 6.0 is not supported due to missing cmdlets required for discovery.
- Execution Policies: PowerShell execution policies (Restricted, AllSigned, RemoteSigned, Unrestricted) must be considered. Policies other than Unrestricted limit which scripts can run, so discovery scripts may need to be signed.
- MID Server Configuration: Specific parameters control PowerShell behavior on MID Servers. Changes require restarting the MID Server service.
- PowerShell Remote Execution Framework: Probe developers benefit from a unified framework that enhances stability and efficiency when executing scripts remotely during discovery.
Practical Implications for ServiceNow Customers
- Configuring MID Servers to use PowerShell enhances discovery capabilities, especially across multiple Windows domains.
- Ensuring MID Servers run on supported Windows OS versions and compatible PowerShell versions is essential for optimal operation.
- Proper management of credentials and adherence to PowerShell execution policies facilitate secure and successful discovery.
- Understanding the role of probes, sensors, and script includes helps in customizing and troubleshooting discovery processes.
- Restarting MID Servers after changing PowerShell-related parameters ensures new settings take effect.
MID Servers use PowerShell and PowerShell Remoting for accessing configuration items (CIs) during horizontal and top-down discovery. Review MID Server parameters and script includes, probe parameters, and credentials for using PowerShell.
PowerShell is used to control and automate the administration of Windows servers and applications.
MID Servers can use PowerShell to directly communicate with Windows servers using both WMI and WinRM protocols. For Windows services using the WinRM protocol, the PowerShell process establishes a secure PSSession (PowerShell Remoting session) that stays open until the MID Server finishes querying a Windows server. For Windows servers using the WMI protocol, the PowerShell process sends every PowerShell command with credentials.
PowerShell is also the preferred method for performing discovery over multiple Windows domains. PowerShell allows a single MID Server to authenticate on servers on different domains using credentials stored on the instance.
If you do not configure MID Servers to use PowerShell and PowerShell Remoting, MID Servers use WMI.
How PowerShell Discovery works
The following descriptions explain how MID Servers use PowerShell to deploy probes.
- Probe and sensor
  When a Windows machine is classified with PowerShell, and an MSSQL instance is detected, a probe called Windows - MSSQL is launched. The probe returns the SQL database catalogs and version to a matching sensor.
- Probe parameter
  The WMI_ActiveConnections.ps1 probe parameter contains a script that runs netstat.exe on a target server when PowerShell is enabled. This script extracts information on Windows server connections, such as process IDs, ports, and IP addresses.
- Credentials
  Discovery uses Windows PowerShell credentials from the Credentials [discovery_credentials] table or the domain administrator credentials of the MID Server service. If Discovery cannot find PowerShell credentials of type Windows in the Credentials table, it uses the login credentials of the MID Server service.
- MID Server Script Includes
  The following script includes were added for PowerShell discoveries. These scripts run on the MID Server to generate the scripts that Discovery uses for WMIRunner and PowerShell.
  - GenerateWMIScriptJS: Generates a JavaScript script for the WMIRunner probe.
  - GenerateWMIScriptPS1: Generates a PowerShell script for PowerShell discovery.
- MID Server parameters for PowerShell
  Optional parameters for the MID Server can be found at MID Server parameters for PowerShell. After changing the setting for any parameter, be sure to restart the MID Server service.
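As an added example (not ServiceNow's own WMI_ActiveConnections.ps1 or probe framework), the WinRM path described above: one PSSession is opened with a credential valid in the target's domain, a netstat.exe-based collection of process IDs, addresses, ports and states runs through it, and the session is closed afterwards. $ComputerName and $Credential are assumed inputs.

```powershell
# Added example, not ServiceNow's WMI_ActiveConnections.ps1. Assumes WinRM is
# reachable on the target and $Credential is valid in the target's domain.
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    [Parameter(Mandatory)] [pscredential] $Credential
)

# Runs on the target: parse netstat.exe -ano into objects carrying the owning
# process ID, addresses, ports, state and process name.
$collect = {
    $names = @{}
    Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }
    netstat.exe -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' } | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        # UDP rows have no State column, so the PID sits one field earlier
        if ($f[0] -eq 'TCP') { $state = $f[3]; $owner = [int]$f[4] }
        else                 { $state = $null; $owner = [int]$f[3] }
        # Split address:port on the last colon so IPv6 forms like [::1]:135 work
        $l = $f[1].LastIndexOf(':'); $r = $f[2].LastIndexOf(':')
        [pscustomobject]@{
            Protocol      = $f[0]
            LocalAddress  = $f[1].Substring(0, $l).Trim('[', ']')
            LocalPort     = [int]$f[1].Substring($l + 1)
            RemoteAddress = $f[2].Substring(0, $r).Trim('[', ']')
            RemotePort    = $f[2].Substring($r + 1)   # '*' for UDP
            State         = $state
            PID           = $owner
            ProcessName   = $names[$owner]
        }
    }
}

# One persistent PSSession (the WinRM path the text describes) is opened with the
# supplied credential, reused for the query, and closed when done.
$session = New-PSSession -ComputerName $ComputerName -Credential $Credential
try {
    $conns = Invoke-Command -Session $session -ScriptBlock $collect
    # Listening TCP endpoints and their owners: the raw material for ADM
    $conns | Where-Object { $_.Protocol -eq 'TCP' -and $_.State -eq 'LISTENING' } |
        Sort-Object LocalPort | Format-Table LocalPort, PID, ProcessName -AutoSize
}
finally {
    Remove-PSSession $session
}
```

With the WMI path instead, each command would carry the credential separately (for example via Get-WmiObject -Credential), so no session is kept open between queries.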
PowerShell version requirements
- Version 3.0
  - Regular Discovery
  - Application Dependency Mapping (ADM)
  - File-based Discovery
  - PowerShell version 3.0 does not support Windows Server 2003.
- Version 4.0
  - Regular Discovery
  - Application Dependency Mapping (ADM)
  - File-based Discovery
- Version 5.0
  - Regular Discovery
  - Application Dependency Mapping (ADM)
  - File-based Discovery
Windows PowerShell execution policies
- Restricted: No scripts can be run. Windows PowerShell can be used only in interactive mode.
- AllSigned: Only scripts signed by a trusted publisher can be run.
- RemoteSigned: Downloaded scripts must be signed by a trusted publisher before they can be run.
- Unrestricted: No restrictions; all scripts can be run.
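An added example (not from the page) of how a MID Server administrator would check which of these policies actually applies on the host and sign a discovery script when that policy requires it. $ScriptPath is an assumed input, and the timestamp server URL is an assumption; any RFC 3161 service works.

```powershell
# Added example, not from the page. Shows the policy that will apply on a MID
# Server host and signs a discovery script when the policy requires it.
param(
    [Parameter(Mandatory)] [string] $ScriptPath,
    # Assumption: any RFC 3161 timestamp service; DigiCert's public one is used here
    [string] $TimestampServer = 'http://timestamp.digicert.com'
)

# Get-ExecutionPolicy without -List returns the effective policy; -List shows
# which scope (Group Policy, machine, user, process) is setting it.
$effective = Get-ExecutionPolicy
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize
Write-Host "Effective policy: $effective"

if ($effective -eq 'Restricted') {
    throw 'Restricted runs no scripts at all; set AllSigned, RemoteSigned or Unrestricted before running discovery.'
}

# A script already carrying a valid Authenticode signature needs nothing more.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($sig.Status -eq 'Valid') {
    Write-Host "Already signed by $($sig.SignerCertificate.Subject)"
    return
}

# RemoteSigned only demands a signature for files carrying a Mark of the Web
# (Zone.Identifier stream), i.e. ones downloaded or copied from another host.
$downloaded = [bool](Get-Item $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue)
if ($effective -eq 'Unrestricted' -or ($effective -eq 'RemoteSigned' -and -not $downloaded)) {
    Write-Host "Policy $effective will run this unsigned script."
    return
}

# AllSigned, or RemoteSigned with a downloaded file: sign with a code-signing
# certificate the host trusts (assumption: one is in the user's personal store).
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } | Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate in Cert:\CurrentUser\My' }

$result = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampServer
if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }
Write-Host "Signed $ScriptPath; $effective will now allow it to run."
```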