...
- The Windows - CPU / Memory probe, which is a WMI probe, is executed.
The ECC entry looks like this. In this case it is basically just a list of the values the probe wants. It is executed via the MID Server at 172.17.172.207.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<parameters>
  <parameter name="used_by_discovery" value="true"/>
  <parameter name="probe_name" value="Windows - CPU / Memory"/>
  <parameter name="probe" value="b141fd470a0a0ba5001d3c32c7d834fb"/>
  <parameter name="WMI_FetchData" value="Win32_Processor.NumberOfLogicalProcessors,Win32_Processor.NumberOfCores,Win32_PhysicalMemory.BankLabel,Win32_PhysicalMemory.DataWidth,Win32_PhysicalMemory.FormFactor,Win32_PhysicalMemory.DeviceLocator,Win32_PhysicalMemory.Manufacturer,Win32_PhysicalMemory.PartNumber,Win32_PhysicalMemory.SerialNumber,Win32_PhysicalMemory.Speed,Win32_PhysicalMemory.Status,Win32_PhysicalMemory.TotalWidth,Win32_PhysicalMemory.MemoryType,Win32_PhysicalMemory.TypeDetail,Win32_PhysicalMemory.Tag,Win32_PhysicalMemory.Capacity,Win32_Processor.Name,Win32_Processor.MaxClockSpeed,Win32_Processor.Manufacturer"/>
  <parameter name="credential_id" value="a5896eea1366be0057f7b7a66144b0fd"/>
</parameters>
```
- This input is parsed by scripts on the MID Server and executed on the target machine at 172.17.172.247. Here's some PowerShell logging showing the execution going against the remote host.
- Script is executed as PowerShell. See the log from the target machine here: PowerShell_transcript.SPINUP-0005A8.NdOTnTCh.20170607142128.txt
- Information is pulled back into the MID Server and parsed. See the output here: probe_response.xml
- ServiceNow works its magic to get it into the CMDB.
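To review what a probe like the one above actually asks a target for, the ECC payload can be broken down into WMI classes and properties. This is an added example, not ServiceNow's or the MID Server's own code; the function names and the expected-class allow-list are assumptions, and the sample payload is the one from this page with `WMI_FetchData` abridged.

```python
import re
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Constructed sample: the ECC payload from this page with WMI_FetchData abridged.
ECC_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?><parameters>
<parameter name="used_by_discovery" value="true"/>
<parameter name="probe_name" value="Windows - CPU / Memory"/>
<parameter name="WMI_FetchData" value="Win32_Processor.NumberOfLogicalProcessors,Win32_Processor.NumberOfCores,Win32_PhysicalMemory.Capacity,Win32_Processor.Name"/>
</parameters>"""

# A well-formed entry is exactly Class.Property, both plain ASCII identifiers.
ENTRY_RE = re.compile(r"[A-Za-z_]\w*\.[A-Za-z_]\w*", re.ASCII)

def parse_parameters(xml_bytes):
    """Return the payload's <parameter> elements as an ordered name -> value map."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "parameters":
        raise ValueError("unexpected root element: %r" % root.tag)
    return OrderedDict((p.get("name"), p.get("value", "")) for p in root.iter("parameter"))

def group_fetch_data(fetch_data):
    """Split 'Class.Property,...' into class -> [properties]; collect malformed entries."""
    classes, rejected = OrderedDict(), []
    for entry in (e.strip() for e in fetch_data.split(",")):
        if not entry:
            continue  # tolerate empty items such as a trailing comma
        if not ENTRY_RE.fullmatch(entry):
            rejected.append(entry)
            continue
        wmi_class, prop = entry.split(".")
        props = classes.setdefault(wmi_class, [])
        if prop not in props:
            props.append(prop)
    return classes, rejected

def review_probe(xml_bytes, expected_classes):
    """Summarise what a probe requests and flag classes outside the expected set."""
    params = parse_parameters(xml_bytes)
    classes, rejected = group_fetch_data(params.get("WMI_FetchData", ""))
    unexpected = [c for c in classes if c not in expected_classes]
    return {"probe": params.get("probe_name"), "classes": classes,
            "rejected": rejected, "unexpected": unexpected}

if __name__ == "__main__":
    print(review_probe(ECC_PAYLOAD, {"Win32_Processor", "Win32_PhysicalMemory"}))
```
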
More Details
Script Files
PowerShell and WinRM scripts are here:
https://yale.app.box.com/files/0/f/27799187643/Mid_Server_Powershell_Scripts_
ECC Queue
One thing that's a bit confusing here is that we see WMI being invoked. This isn't actually remote WMI, as evidenced above; it is handled differently based on the protocol being used.
...