Page tree
Skip to end of metadata
Go to start of metadata
Product Name
Internet Information Services
Publisher Page
Application Server Software Platforms
TKU 2019-Nov-1
More Information
Publisher Link

Product Description

Extended Discovery pattern which allows to model "Website", "FTP Server", "Web Application", "Virtual Directory" and "Application Pool" is available for this product.


Microsoft Internet Information Services (IIS, formerly called Internet Information Server) is a set of Internet-based services for servers using Microsoft Windows.

The servers currently include FTP, SMTP, NNTP, WebDAV and HTTP/HTTPS.

Known Versions

  • 1.0
  • 2.0
  • 3.0
  • 4.0
  • 5.0
  • 5.1
  • 6.0
  • 7.0
  • 7.5
  • 8.0
  • 8.5

Software Pattern Summary

Product ComponentOS TypeVersioningPattern Depth
Microsoft IIS ServiceWindowsRegistry and OS InferencesInstance Based
Microsoft IIS Webserver
Microsoft FTP Server

Platforms Supported by Software Pattern

As the software is integrated within the Windows Operating System kernel, it cannot be run on any other Operating System - as such the patterns only identify Windows installations.


Software Instance Triggers

The following patterns will only run on Windows 2003 or earlier:

PatternTrigger NodeAttributeConditionArgumentFalse positive checking








{escapeall}%systemroot%\system32\inetsrv\Metabase.xml{escapeall} must contain regex '(?i)iisftpserver'. %systemroot% is a Windows environment variable


The following patterns will only run on Windows Vista or later:

PatternTrigger NodeAttributeConditionArgument












Simple Identification Mappings

The following processes are identified through the use of Simple Identifiers and are modeled within a full Software Instance for Microsoft Internet Information Services using the primary and associate relationships (See 749283203 for more details about modeling this product).

Microsoft IIS WebDAV Service


Microsoft Worker Process


Microsoft IIS Worker Process


Microsoft IIS Webserver - IIS 6.0 and above



Microsoft IIS FTP Server



Microsoft IIS Service




Version information for this product is currently collected using one of two possible methods, either checking the registry for an explicit version number or by checking the operating system for a version that we know maps 1:1 with a specific version of IIS.

Registry Versioning

The primary manner in which we achieve versioning for IIS is by querying the registry for an appropriate version value.

Major Version:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ MajorVersion
Minor Version:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ MinorVersion
Major Version:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp
Minor Version:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp

The major and minor version numbers are retrieved and amalgamated together.

Operating System Inference

Due to the tight integration of IIS with the underlying Windows operating system a specific version of IIS can only be found in one lifecycle of a Windows release, IIS may be found in more than one version of Windows but you will not find more than one version of IIS available for a specific version of the operating system.

*Full IIS to OS Mapping*

IIS VersionWindows Version
IIS 1.0Windows NT 3.51
IIS 2.0Windows NT 4.0
IIS 3.0Windows NT 4.0 SP3
IIS 4.0Windows NT 4.0 Options Pack
IIS 5.0Windows 2000
IIS 5.1Windows XP Professional x32
IIS 6.0Windows Server 2003
IIS 6.0Windows Server 2003 R2
IIS 6.0Windows XP Professional x64
IIS 7.0Windows Vista
IIS 7.0Windows 7
IIS 7.0Windows Server 2008
IIS 7.5Windows Server 2008 R2

Due to the fact that older versions of IIS/NT are no longer used and that it is relatively difficult to tell the difference between Windows XP Pro x32 and x64 we have chosen to only provide mappings for a subset of the available IIS versions, this is to ensure that where we infer this information from the Operating System we are positive that we are providing the correct information and not providing misleading data.

The only mappings we provide within the pattern are for Windows 2000, 2003 and 2008, as they are easier to spot and they map to a single version of IIS.

Application Model Produced by Software Pattern

Product Architecture

The IIS services are integrated with the OS and started via the Windows Services manager.

Once started the software will run under a number of guises, different aspects of the service can be seen in different manners, for example the WWW .net worker process is a unique executable which handles processes where as the actual web hosting functionality is ran using svchost.exe with the arguments "-k iissvcs".

All or some of these processes may be present on a given host, the only process that is always present on a running installation of IIS v6 is the Microsoft IIS Management Service represented by the process "inetinfo.exe". "inetinfo.exe" may or may not be running on IIS v7 and above, as only supplied for backwards compatibility purposes.

Application Model

The Software instances created by these patterns are based on the core IIS Service, the Web Hosting Service and the FTP hosting service. They create separate Software Instances for these services.

Dependency links are created between the Webserver and the IIS Service, and between the FTP Server and the IIS Service

So a typical installation might look like

Configuration Options

There is a configuration option for this product which allows to use Windows system root location (absolute path).


sysroot_directories :=[ "C:\\Windows", "C:\\WINNT"];

SI Depth

As there can only be a single running installation of IIS on a specific host the pattern will always create a Deep/Instance Based Software Instance.

Listing of IIS Websites, Web Applications, Virtual Directories and Application pools

A separate pattern (IIS_Extended) has been created to query the IIS Websites, Web Applications, Virtual Directories and Application pools. For more information about this pattern, please refer to the relevant page

Database relationship discovery

Database relationship discovery is performed by IIS_Extended pattern, please refer to the relevant page for more details

Subject Matter Expertise

SME input would be appreciated to improve the model of IIS further.


This pattern has been tested against multiple running installations of IIS on a variety of Windows hosts.

Information Sources

A list of IIS 7.0 services is at

Open Issues

Created by: Rebecca Shalfield 25 Mar 2009
Updated by: Chris Blake 18 July 2013
Reviewed by: Nikola Vukovljak 24 Oct 2012