Product Description

Microsoft Internet Information Services (IIS, formerly called Internet Information Server) is a set of Internet-based services for servers using Microsoft Windows. It is the world's second most popular web server in terms of overall websites. As of October 2007 it served 37.13% of all websites and 38.23% of all active websites according to Netcraft.

The servers currently include FTP, SMTP, NNTP, WebDAV and HTTP/HTTPS.

Known Versions

• 1.0
• 2.0
• 3.0
• 4.0
• 5.0
• 5.1
• 6.0
• 7.0
• 7.5

Software Pattern Summary

Product Component	OS Type	Versioning	Pattern Depth
Microsoft IIS Service	Windows	Registry and OS Inferences	Instance Based
Microsoft IIS Webserver

The pattern will quit immediately if the host is running a Windows version later than XP (i.e. Vista or Windows 7).

Platforms Supported by Software Pattern

As the software is integrated within the Windows Operating System kernel, it cannot be run on any other Operating System - as such the patterns only identify Windows installations.

Identification

Software Instance Triggers

Microsoft IIS Service

Trigger Node	Attribute	Condition	Argument
DiscoveredProcess	cmd	matches	regex'(?i)\binetinfo\.exe$'
	or
	cmd	matches	regex '(?i)\bsvchost\.exe$'
	args		regex '(?i)-k.*iissvcs'

Microsoft IIS Webserver

Trigger Node	Attribute	Condition	Argument
DiscoveredProcess	cmd	matches	regex'(?i)\bsvchost\.exe$'
	args		regex'(?i)-k.*iissvcs'

Simple Identification Mappings

The following processes are identified through the use of Simple Identifiers and are modeled within a full Software Instance for Microsoft Internet Information Services using the primary and associate relationships (See Application Model Produced by Software Pattern for more details about modeling this product).

Name	Command	Arguments
Microsoft IIS WebDAV Service	regex '(?i)\bdavcdata\.exe$'
Microsoft ASP.net Worker Process	regex '(?i)\baspnet_wp\.exe$'
Microsoft IIS Worker Process	regex '(?i)\bw3wp\.exe$'
Microsoft IIS Webserver - IIS 6.0 and above	regex '(?i)\bsvchost\.exe$'	regex '^.*-k.*iissvcs'
Microsoft IIS Service	regex '(?i)\binetinfo\.exe$'
Microsoft IIS Application Host Helper Service	regex '(?i)\bsvchost\.exe$'	regex '-k apphost'
Microsoft IIS Web Management	regex '(?i)\bWMSvc\.exe$'
Microsoft IIS Manager	regex '(?i)\bInetMgr\.exe$'
Microsoft IIS v6 Admin Program	regex '(?i)\bInetMgr6\.exe$'

Versioning

Version information for this product is currently collected using one of two possible methods, either checking the registry for an explicit version number or by checking the operating system for a version that we know maps 1:1 with a specific version of IIS.

Registry Versioning

The primary manner in which we achieve versioning for IIS is by querying the registry for an appropriate version value.

Major Version:	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ MajorVersion
Minor Version:	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ MinorVersion

The major and minor version numbers are retrieved and amalgamated together.

Operating System Inference

Due to the tight integration of IIS with the underlying Windows operating system a specific version of IIS can only be found in one lifecycle of a Windows release, IIS may be found in more than one version of Windows but you will not find more than one version of IIS available for a specific version of the operating system.

Full IIS to OS Mapping

IIS Version	Windows Version
IIS 1.0	Windows NT 3.51
IIS 2.0	Windows NT 4.0
IIS 3.0	Windows NT 4.0 SP3
IIS 4.0	Windows NT 4.0 Options Pack
IIS 5.0	Windows 2000
IIS 5.1	Windows XP Professional x32
IIS 6.0	Windows Server 2003
IIS 6.0	Windows XP Professional x64
IIS 7.0	Windows Vista
IIS 7.0	Windows Server 2008

Due to the fact that older versions of IIS/NT are no longer used and that it is relatively difficult to tell the difference between Windows XP Pro x32 and x64 we have chosen to only provide mappings for a subset of the available IIS versions, this is to ensure that where we infer this information from the Operating System we are positive that we are providing the correct information and not providing misleading data.

The only mappings we provide within the pattern are for Windows 2000, 2003 and 2008, as they are easier to spot and they map to a single version of IIS.

Application Model Produced by Software Pattern

Product Architecture

The IIS services are integrated with the OS and started via the Windows Services manager.

Once started the software will run under a number of guises, different aspects of the service can be seen in different manners, for example the WWW .net worker process is a unique executable which handles ASP.net processes where as the actual web hosting functionality is ran using svchost.exe with the arguments "-k iissvcs".

All or some of these processes may be present on a given host, the only process that is always present on a running installation of IIS v6 is the Microsoft IIS Management Service represented by the process "inetinfo.exe". "inetinfo.exe" may or may not be running on IIS v7 and above, as only supplied for backwards compatibility purposes.

Software Pattern Model

The Software instances created by these patterns are based on the core IIS Service and Web Hosting Service. They create two separate Software Instances for these services.

The trigger for the IIS Web Hosting Service pattern is the "svchost.exe" process with the arguments "-k iissvcs" while for the core IIS Service pattern we trigger on the "inetinfo" process in case of v6 and the "svchost.exe" process where the arguments contain "-k iissvcs" in case of v7 and above.

SI Depth

As there can only be a single running installation of IIS on a specific host the pattern will always create a Deep/Instance Based Software Instance.

Detail Nodes and their relationships

Detail Nodes are created for the following entities:-

• Web Sites
• Web Applications
• Virtual Directories

In IIS v6 each Web Site can contain one or more Virtual Directories and Web Applications. The information regarding detail nodes is extracted from the Metabase.xml file.
In IIS v7 and above, each Web Site contains one or more Web Applications which in turn contain one or more Virtual Directories. The information regarding detail nodes is extracted using WMI queries.

WMI Queries

For IIS v7 and above, IIS pattern attempts to execute a number of WMI queries to get the following:-

• List of Websites
• List of Application Pools
• List of Web Applications
• List of Virtual Directories

Namespace	WMI Query
root\WebAdministration	SELECT Name FROM Site
root\WebAdministration	SELECT Name from ApplicationPool
root\WebAdministration	SELECT ApplicationPool,Path,SiteName from Application
root\WebAdministration	SELECT SiteName,Path,ApplicationPath from VirtualDirectory

Note: The rootWebAdministration namespace is installed on the host if the host has the IIS 7.x WMI provider installed. The WMI provider is installed by selecting the IIS Management Scripts and Tools component under Management Tools (or Web Management Tools). In Windows Vista, this is in the Windows Features dialog under Internet Information Services. On Windows Server 2008, this is in the Server Manager under the Web Server (IIS) role.

Obtaining the Configuration File

When we have identified a version of IIS v6, we will try to open the metabase.xml file; This file contains information with regards the revision of the configuration or list of web sites hosted on the server. When we have identified a version of IIS v7 or above, we will try to open the applicationHost.config file; This file contains information with regards the list of web sites hosted on the server.

We know that either file can be found in the System Root of the Windows partition, to identify it we execute a command:

Executed Command:	set systemroot

From this result (something like "SystemRoot=C:\WINDOWS") we extract the required information using the following regex:

cmd Regex	(?i)systemroot=(.+?)[\r\n]*$

If we are able to extract information about the system's root then we will attempt to read one of the following files:

File to open	v6	%sys_root%\\system32\\inetsrv\\MetaBase.xml
	v7.x	%sys_root%\\system32\\inetsrv\\config\\applicationHost.config

Extracting the list of websites

For IIS v6, once the Metabase.xml file is opened we perform some Xpath queries on the file to extract the information regarding the web sites hosted on the server:

XPath Query
/configuration/MBProperty/IIsWebServer/@ServerBindings
/configuration/MBProperty/IIsWebServer[@ServerBindings = '" + binding + "']/@ServerComment
/configuration/MBProperty/IIsWebServer[@ServerComment = "' + website + '"]/@Location
/configuration/MBProperty/IIsWebServer[@ServerComment='" + website + "']/@SecureBindings

For IIS v7.x if the WMI queries do not succeed in giving us the list of websites the pattern executes Xpath queries on the applicationHost.config file to get the websites. The following Xpath query is used for getting the information:-

/configuration/system.applicationHost/sites/site/@name

Extracting the list of Virtual Directories and Web Applications

For IIS v6, once the Metabase.xml file is opened we perform some Xpath queries to extract the list of Virtual Directories and Web Applications hosted on the Websites of the server

XPath Query
/configuration/MBProperty/IIsWebVirtualDir/@Location
/configuration/MBProperty/IIsWebVirtualDir[@Location="' + virtual_dir_location + '"]/@AppFriendlyName
/configuration/MBProperty/IISWebVirtualDir[@Location='" + virtual_dir_location + "']/@AppPoolId
/configuration/MBProperty/IIsWebVirtualDir[@Location="' + virtual_dir_location + '"]/@Path

For IIS v7.x if the WMI queries do not succeed in giving us the list of websites the pattern executes Xpath queries on the applicationHost.config file to get the websites and subsequently the list of Web Applications and Virtual Directories too. The following Xpath query is used for getting the information:-

Web Applications:-

/configuration/system.applicationHost/sites/site[@name='%website%']/application/@path

where %website% is the name of the website

/configuration/system.applicationHost/sites/site[@name='%website%']/application[@path='%web_app%']/@applicationPool

where %website% is the name of the website and %web_app% is the name of the web application

Virtual Directories:-

/configuration/system.applicationHost/sites/site[@name='%website%']/application[@path='%web_app%']/virtualDirectory/@path

where %website% is the name of the website and %web_app% is the name of the web application

Differentiating between Web Applications and Virtual Directories

For IIS v6 the distinction between Web Applications and Virtual Directories has not been made very clearly. All Web Applications are Virtual Directories themselves. Hence we have to use some intelligence for differentiating between the same. In IIS pattern the following conditions need to be satisfied for a Virtual Directory to be treated as a Web Application:-

• AppFriendlyName property is set and contains a value
• It is present in the first level of hierarchy or at the root level i.e. <Website Location>/ROOT/<Application Location> or <Website Location>/<Application Location>

All matches for these two conditions are treated as Web Applications, except for duplicates of existing entries

Extracting port information for websites

For IIS v7.x the port information for each website is accurately given in the applicationHost.config file. If the file has been correctly obtained the pattern will use the following XPath query to get this information:
*/configuration/system.applicationHost/sites/site[@name='%website.Name%']/bindings/binding/@bindingInformation
where %website.Name% is the name of website obtained from WMI query

Relationship Creation

Inference relationships are created between the Software Instance and the Microsoft ASP.net Worker Process and Microsoft IIS Worker Process (for versions of IIS prior to 7.0 as there are no Worker Process instances anymore).

A Dependency relationship is created from the IIS Webhosting Service to the core IIS Service Software Instance.

SoftwareComponent Nodes

The pattern creates SoftwareComponent nodes in addition to Detail nodes for modelling Websites and Web Applications. This is done so that this information can be synchronized to the BMC Atrium CMDB. The creation of SoftwareComponent nodes is done by default but it can be turned off from the Pattern Configuration .

Subject Matter Expertise

SME input would be appreciated to improve the model of IIS further.

Testing

This pattern has been tested against multiple running installations of IIS on a variety of Windows hosts.

Information Sources

A list of IIS 7.0 services is at http://blogs.iis.net/tomwoolums/archive/2009/02/13/the-services-behind-internet-information-services-7-0.aspx

http://blogs.iis.net/thomad/archive/2008/05/07/the-iis-process-model-features.aspx

Open Issues

TOP

Created by: Luke 15:58, 16 November 2007 (GMT)
Updated by: Nikola Vukovljak 18:58, 5 December 2008 (GMT)
Updated by: [Rebecca Shalfield] 16:09, 25 March 2009 (GMT)
Updated by: Chris Blake 15:03, 22 September 2009 (GMT)
Updated by: [Rebecca Shalfield] 15:08, 25 September 2009 (GMT)
Updated by: Vineet Deshpande 11:30, 20 September 2010 (GMT)
Updated by: Vineet Deshpande 13:07, 20 October 2010 (GMT)
Updated by: Chris Blake 13:07, 20 October 2010 (GMT)
Updated by: Vineet Deshpande 11:30, 17 March 2011 (GMT)
Updated by: Vineet Deshpande 13:07, 20 June 2011 (GMT)
Updated by: Vineet Deshpande 12:00, 15 June 2011 (GMT)
Updated by: [Pradeep Tyagi] 12:00, 16 March 2012 (GMT)