IIS site and binding inventory

A read-only IIS inventory that correlates sites, bindings, ports, host headers, app-pool identities, content paths, and certificate thumbprints for migration or renewal work.

Good For

  • IIS migration prep
  • certificate renewal
  • web outage triage
  • server documentation
  • binding drift review

How to Use It

  1. Capture site names, states, physical paths, and application pools before migration or outage work.
  2. Review bindings for protocol, IP, port, host header, and certificate hash so duplicate or missing bindings are visible.
  3. Compare certificate hashes with the certificate scanner when renewal or TLS errors are involved.
  4. If an app pool is stopped or using an unexpected identity, record it before changing state.
  5. Export inventory to CSV when the server hosts multiple sites or when migration planning needs sign-off.
  6. Use the inventory to identify missing owners, stale host headers, abandoned content paths, and certificate renewal scope.

Execution Modes

  • local
  • remote-single-host
  • remote-host-list

Inputs and Outputs

Inputs

  • computer name
  • CSV or TXT server list
  • IIS role access
  • expected site owner list

Outputs

  • verbose-console
  • csv

Command Starter

Safe to run: read-only

# ---------------------------------------------------------------------
# IIS inventory starter
# ---------------------------------------------------------------------
Import-Module WebAdministration
$OutputPath = '.\iis-site-binding-inventory.csv'

$Results = foreach ($Site in Get-Website) {
    # Capture site-to-binding context so bindings are not orphaned from the owning site.
    foreach ($Binding in Get-WebBinding -Name $Site.Name) {
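        # http/https bindingInformation is IP:port:host; match it as a whole so a
        # bracketed IPv6 address such as [::1] is not split on its own colons.
        $Info  = $Binding.bindingInformation
        $Parts = if ($Info -match '^(\[.*\]|[^:]*):(\d*):(.*)$') {
            $Matches[1], $Matches[2], $Matches[3]
        } else {
            $Info -split ':'
        }
        $AppPool = Get-Item ('IIS:\AppPools\{0}' -f $Site.ApplicationPool)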

        [pscustomobject]@{
            SiteName              = $Site.Name
            SiteState             = $Site.State
            PhysicalPath          = $Site.PhysicalPath
            ApplicationPool       = $Site.ApplicationPool
            AppPoolState          = $AppPool.State
            AppPoolIdentityType   = $AppPool.processModel.identityType
            AppPoolUserName       = $AppPool.processModel.userName
            Protocol              = $Binding.protocol
            IPAddress             = $Parts[0]
            Port                  = $Parts[1]
            HostHeader            = $Parts[2]
            CertificateHash       = $Binding.certificateHash
            CertificateStoreName  = $Binding.certificateStoreName
        }
    }
}

$Results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
$Results | Format-Table -AutoSize

Validation

  • Every IIS site has documented state, path, app pool, and binding information.
  • TLS bindings can be mapped to certificate thumbprints and renewal owners.
  • Migration or troubleshooting plans reference the captured before-state.
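
One way to run the duplicate-binding and certificate-mapping checks against the exported CSV, as an added example that is not part of the original starter. It assumes the column names the command starter writes, that it runs on the server the inventory came from, and a 30-day expiry window chosen only for illustration.

```powershell
# Added example: read-only review of the CSV written by the inventory starter.
# Assumptions: column names match the starter's output; $WarnDays is illustrative.
$InventoryPath = '.\iis-site-binding-inventory.csv'
$WarnDays      = 30
$Rows          = Import-Csv -Path $InventoryPath

$Findings = @(
    # 1. The same protocol/IP/port/host header appears on more than one row.
    $Rows | Group-Object Protocol, IPAddress, Port, HostHeader |
        Where-Object Count -gt 1 | ForEach-Object {
            [pscustomobject]@{
                Finding = 'DuplicateBinding'
                Sites   = ($_.Group.SiteName | Sort-Object -Unique) -join ', '
                Detail  = $_.Name
            }
        }

    # 2. HTTPS bindings: no hash recorded, hash not in the store, or near expiry.
    foreach ($Row in $Rows | Where-Object Protocol -eq 'https') {
        $Issue = $null
        if ([string]::IsNullOrWhiteSpace($Row.CertificateHash)) {
            $Issue = 'HttpsBindingWithoutCertificateHash'
        } else {
            # Fall back to the personal store when the binding names none.
            $Store    = if ($Row.CertificateStoreName) { $Row.CertificateStoreName } else { 'My' }
            $CertPath = 'Cert:\LocalMachine\{0}\{1}' -f $Store, $Row.CertificateHash
            $Cert     = Get-Item -Path $CertPath -ErrorAction SilentlyContinue
            if (-not $Cert) {
                $Issue = 'CertificateNotInStore'
            } elseif ($Cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
                $Issue = 'CertificateExpiring {0:yyyy-MM-dd}' -f $Cert.NotAfter
            }
        }
        if ($Issue) {
            [pscustomobject]@{
                Finding = $Issue
                Sites   = $Row.SiteName
                Detail  = '{0}:{1}:{2} {3}' -f $Row.IPAddress, $Row.Port, $Row.HostHeader, $Row.CertificateHash
            }
        }
    }
)

$Findings | Sort-Object Finding, Sites | Format-Table -AutoSize -Wrap
```

The review only reads the CSV and the local certificate store, so it stays within the read-only scope of the inventory pass.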

Reporting

  • Export site, binding, app-pool, and certificate mapping to CSV.
  • Attach host-header and certificate thumbprint evidence to renewal or migration tickets.
  • Promote repeated use into an IIS migration-readiness report.

Safety Notes

  • This inventory is read-only and should not start, stop, remove, or rebind sites.
  • Do not change app pool identity or certificate bindings from the inventory pass.