<< Click to Display Table of Contents >> Raynet One > 2026.1 > User Guide > Technical overview  Agentless Inventory Methods: Windows Zero Touch

Windows Zero Touch is the fully agentless, adaptive inventory method in Raynet One Scan Engine for all supported Windows platforms.

 

Supported Windows Operating Systems

The Windows Zero Touch inventory method is technically compatible with a wide range of Windows versions as long as the required WMI services and remote management features are available and enabled.

However, Raynet One officially supports and recommends the use of currently maintained Microsoft Windows releases. This ensures optimal compatibility and reliable inventory results in current and well maintained Windows environments.

 

 

Older Windows versions may still provide functional inventory results via WMI; however, they are not part of the official support scope due to Microsoft's end-of-support status.

The scanner works exclusively with native Windows protocols (DCOM/RPC, SMB, Remote Registry, WinRM) and follows a strict phase model (0–6). Every phase is executed with the absolute minimum required privileges (Least-Privilege principle). If a privilege is missing, the scanner automatically falls back to the next best available method – exactly like Unix Zero Touch.

 

Key technical requirements:

 

•Domain or local account with appropriate rights on the target

•Firewall ports 135 (RPC Endpoint Mapper), dynamic RPC ports (49152-65535), 445 (SMB) and optionally 5985/5986 (WinRM)

•For full inventory depth: account must be local administrator + member of „Distributed COM Users“ and „Performance Monitor Users“ on the target

•Without local admin rights: graceful degradation to basic WMI + registry read (still ~70 % data)

 

 

Execution Context Overview

Every single query is classified into one of the following Execution Contexts. This decides which access method is used and what happens if the required privilege is missing.

 

Execution Context

 

How the Scan Works

The RIW component (Remote Inventory for Windows) orchestrates the entire agentless Windows Zero Touch scan in exactly the same adaptive, least-privilege manner as its Unix counterpart RIU. The scanner conntects to each Windows target individually via DCOM/RPC and executes the phases 0-6 in strict sequence on that system:

 

•Phase 0 first probes all available protocols and rights in a single pass. The result of this phase determines the maximum achievable inventory depth for the remaining phases.

•Phases 1-6 are executed adaptively: only queries that are applicable to the detected Windows version and permitted by the current privileges are run. Queries requiring unavailable rights or non-existent components are silently skipped or automatically degraded (Principle of Least Privilege).

•Every query is classified into one of the Execution Contexts defined above. The context decides: which access method is used (WMI, Registry, SMB, Remote Execution). Whether elevated rights are required. Which fallback path is taken if the rights are missing

•When Phase 6 is complete, all collected data is normalised, returned to the Scan Engine and the connection is closed.

•Multiple targets are processed fully in parallel, with each scan instance running its own independent Phase 0-6 sequence.

 

This fully automated, adaptive behaviour - combined with graceful degradation at every step - is the reason the solution is called Zero Touch.

 

The phases described below are executed strictly in order; rights discovered in Phase 0 are reused throughout the entire scan. If a required Execution Context is not available, the scanner never aborts - it simply delivers the best possible result with the rights that are present.

 

Phase 0: Connection & Capability Probe

First contact with the target. In a single pass, the scanner tests connectivity (RPC 135 + dynamic ports, SMB 445, Remote Registry, WMI-ReadOnly, WMI Execute Method, WinRM) and determines which Execution Contexts are actually available - this result rigidly defines the maximum achievable inventory depth for the remaining phases.

 

 

WinRM (TCP 5985/5986) is not tested in Phase 0. It is only probed in Phase 6 (Extended Inventory) and serves as the optional, preferred channel for Remote-Execution (Docker, Python custom scripts).

If WinRM is unavailable, the scanner automatically falls back to WMI Process.

 

 

Phase 1: Basic System Identity (Read-Only)

Collects fundamental system information that is always available. Uses only WMI-ReadOnly (root\cimv2 basic classes) and Remote Registry read access - this phase runs successfully on every target that passed Phase 0.

 

 

 

 

Phase 2: Hardware & Runtime Inventory

Gathers detailed hardware, running processes and services. Requires WMI-Full rights (Execute Method + Remote Launch in root\cimv2) - without these rights only the limited Read-Only data from Phase 1 is available.

 

 

Phase 3: Software Inventory

The Software Inventory Phase combines two complementary components to deliver comprehensive and reliable results in Windows Zero Touch scans. The primary method is registry-based and enumerates all locally installed software packages (both 64-bit and 32-bit) by reading the standard Uninstall keys in the Remote Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall.

This approach is fast, complete, and independent of WMI privileges, making it the preferred and most accurate source for software inventory. As a secondary, complementary component, the scanner queries the WMI classes SoftwareLicensingProduct (namespace \root\cimv2) and SoftwareLicensingService (namespace \root\cimv2) to retrieve Windows and Office activation and licensing details. This provides visibility into the actual license state, including successful automatic activation via KMS (Key Management Service), ADBA (Active Directory-Based Activation), or MAK (Multiple Activation Key) after OS imaging or deployment. This dual approach, Registry for comprehensive package detection and WMI for precise licensing information, is essential for Windows Zero Touch.

 

 

Phase 4: Storage Deep Dive

Retrieves physical disk serial numbers, SMART data and file metadata. Possible only with full access to administrative shares (C ADMIN, IPC$$) - without Admin Shares the scanner falls back to basic WMI disk information (no serials, no file scanning).

 

 

Phase 5: Virtualization & Application Platforms

Inventories Hyper-V VMs, Failover Clusters and SQL Server instances. Requires WMI-Full plus specific Execute/Remote Enable rights in the namespaces root\virtualization\v2, root\MSCluster and root\Microsoft\ fully functional only when these namespace rights were granted in Phase 0.

 

 

Phase 6: Extended Inventory

Executes Docker inventory (docker.exe) and customer-specific Python/PowerShell scripts. Runs only with successful Remote-Execution context (WinRM or WMI Process.Create) and, for Docker, membership in the local docker-users group - otherwise this phase is completely skipped.

 

 

Cleanup and System Footprint

Raynet One Scan Engine's Windows Zero Touch inventory is designed and documented as a zero-impact, fully agentless scanning method.

No software, agent, service, scheduled task, or configuration is installed on the target system.

The scanner executable and all temporary working files are automatically deleted immediately after scan completion.

All inventory operations are performed under the supplied administrative credentials and are fully recorded in the standard Windows Security event log - exactly like any other legitimate administrative activity.