Windows discovery

  • Release version: Australia
  • Updated March 12, 2026
  • 4 minutes to read

    • Discovery identifies and classifies information about Windows computers that use IPv4 addresses, IPv6 addresses, or both.

    Note:
    For information on Probe to Pattern migration see the knowledge article KB0694477.
    Note:
    admin$ share access is required for Windows discovery from Madrid P3 and later. A Remote Access role must be configured in the target Windows Server to enable connectivity with ServiceNow Discovery.

    Supported Windows versions

    For IPv4 discovery:
    • Windows Workstation 7, 8, 10
    • Windows Server versions:
      • 2008
      • 2008R2
      • 2012R2
      • 2016
      • 2019
      • 2022
      • 2025
    For IPv6 discovery:
    • Windows 2019 (10.0.17763)
    • Windows Server 2016
    • Windows Desktop 10
    • Windows 2019 Datacenter
    Note:
    For fiber channel discovery on a Windows 2008 host, the Microsoft Fibre Channel Information Tool (fcinfo.exe) must be installed on that machine. The fcinfo executable should be available on the environment path. The Microsoft Fibre Channel Information Tool tool is available for download at http://www.microsoft.com.

    IPv6 supportability limitations

    The following device types haven’t been verified for IPv6 discovery:
    • Printers
    • Network Storage (NFS, CIFS, NAS, FC, ISCSI)
    • Azure virtual machines (IPv6 native mode isn’t supported by Microsoft)

    Requirements

    Verify PowerShell support
    ServiceNow now supports PowerShell 3.0 up to 5.1.
    Configure Windows credentials
    For more information, see Windows credentials.
    Verify user access
    Verify that the user configured for the credential has the following permissions:
    • Local admin access to the Windows machine.
    • Access to the WMI service to the current namespace and subnamespaces.
    • Access to the PowerShell service.
    • Membership in the Distributed COM Users local security group.
    (Optional) Populate Virtual Machine Object field in Hardware [cmdb_ci_hardware] table
    Starting with Discovery and Service Mapping Patterns version 1.30.2, you can improve query performance by populating the Virtual Machine Object field in the Hardware [cmdb_ci_hardware] table. For more information, see Improved query performance with direct field population in CI tables.

    Classifiers, probes, and patterns

    Classifiers Probes Patterns
    • Windows
    • Windows 2008 Server
    • Windows 2012 Server
    • Windows 2016 Server
    • Windows 2025 Server
    • Horizontal discovery probe: Launches patterns
    • WMIRunner-Windows - Installed Software^
    • MultiProbe-Windows - ADM^
    • Windows - Identity*
    • Windows - Network ARP Table*
    • Windows - Network NDP Table*
    • Windows - OS Information*
    • Windows - Cluster*
    • Windows - CPU/Memory*
    • Windows - Installed Software*
    • Windows - Printers*
    • Windows - Storage 2008*
    • Windows - Storage 2012*
    • Windows - Amazon EC2*
    • Windows - Azure*
    • DNS*
    • SNMP - Routing*
    • Windows OS - Server
    • Windows OS - Desktops
    Windows 2019 Server N/A Windows OS - Server

    *These probes aren't active on the classifier, as Discovery uses patterns by default for these discoveries.

    ^These probes remain active by default, even when Discovery uses pattern discovery.

    To use patterns, verify that the correct pattern is specified in the horizontal pattern probe on the classifier. See Add the Horizontal Pattern probe to a classifier for instructions.

    Data collected

    Note:
    See the knowledge article KB0687582 for information on model_id and manufacturer.
    Label Table name Field name Source
    Assigned to cmdb_ci_win_server assigned_to wmi
    Chassis type cmdb_ci_win_server chassis_type wmi
    Command cmdb_running_process command wmi
    Connects to cmdb_running_process connects_to wmi
    CPU core count* cmdb_ci_computer cpu_core_count wmi
    CPU core thread* cmdb_ci_computer cpu_core_thread wmi
    CPU count* cmdb_ci_computer cpu_count wmi
    CPU manufacturer cmdb_ci_computer cpu_manufacturer wmi
    CPU name cmdb_ci_computer cpu_name wmi
    CPU speed (MHz) cmdb_ci_computer cpu_speed wmi
    Default gateway cmdb_ci_win_server default_gateway wmi
    Description cmdb_ci_disk short_description wmi
    Disk space (GB) cmdb_ci_computer disk_space wmi
    Disk space (GB) cmdb_ci_disk disk_space wmi
    DHCP enabled cmdb_ci_network_adapter dhcp_enabled wmi
    DNS domain cmdb_ci_win_server dns_domain DNS
    Free space (GB) cmdb_ci_file_system free_space wmi
    Hostname cmdb_ci_win_server host_name DNS, NBT
    IP address*** cmdb_ci_network_adapter ip_address wmi
    Listening on cmdb_running_process listening_on wmi
    MAC address cmdb_ci_network_adapter mac_address wmi
    Manufacturer cmdb_ci_win_server manufacturer wmi
    Model ID cmdb_ci model_id wmi
    Name cmdb_ci_win_server name DNS, NBT
    Name cmdb_ci_disk name wmi
    Name cmdb_running_process name wmi
    Name cmdb_ci_network_adapter name wmi
    Netmask cmdb_ci_network_adapter netmask wmi
    Operating System cmdb_ci_computer os wmi
    OS domain cmdb_ci_computer os_domain NBT
    OS service pack cmdb_ci_computer os_service_pack wmi
    OS version cmdb_ci_computer os_version wmi
    Parameters cmdb_running_process parameters wmi
    PID cmdb_running_process pid wmi
    RAM (MB) cmdb_ci_computer ram wmi
    Serial number cmdb_ci_win_server serial_number wmi
    Short description cmdb_ci_win_server short_description wmi
    Type cmdb_ci_disk type wmi
    * Core counts and threads per core might not be accurate, due to issues with Microsoft reporting.

    ** The value in the disk_space field is an aggregation of the total capacity (to include used space) for all non-removable disks, including both directly attached and SAN storage.

    The Windows registry

    Discovery can find software that has been installed on a Windows machine by looking at the Windows Registry. Discovery can find the following attributes of discovered software:
    • Product Name: Combination of name and version, such as Windows Imaging Component 3.0.
    • Name: Name of the product only without the version.
    • Version: Version of the product.
    • Uninstall String: Path to the uninstaller, such as C:\Program Files\Notepad++\uninstall.exe.
    • Part of: Update for which this registry is a part, such as Windows Internet Explorer 8 - Software U.
    • Install Date: The date the software was installed. The Windows - Installed Software sensor appends a timestamp of 00:00:00 to the install_date retrieved from the registry. The installation time of all Windows software is independent of the time zone and is set to midnight of the day it was installed. For example, an install date of 2.19.2017 in the Windows registry appears as 2.19.2017 00:00:00 in the CMDB.
    • Installed on: The name of the asset on which the software is installed.