Security & Privacy
We designed WinSQLTool to pass the scrutiny of enterprise security teams. This page explains exactly what our scanner collects, what it never touches, and how your data is handled from scan to report.
Architecture Overview
The winsqlscan.exe binary runs entirely on a machine inside your network. It uses native WMI/CIM queries (the same protocol Windows Admin Center uses) to read hardware and software inventory from your servers. Nothing is transmitted during the scan. The output is a local JSON file that you can open and inspect in Notepad before uploading anything.
- Single-file executable — no installer, no registry writes, no services
- Read-only WMI queries — no write operations are issued to any target
- Does not require Local Administrator rights on target servers
- Runs under your existing domain user — no service accounts created
What we collect
- Hostname (machine name)
- Operating system name and version (e.g., Windows Server 2022 Datacenter)
- Physical socket count
- Physical core count per socket
- Total RAM (GB)
- Cluster name (if applicable)
- Whether the machine is physical or virtual
- SQL Server instance name
- SQL Server edition (Standard / Enterprise)
- SQL Server version number
- Number of vCPUs assigned to SQL VMs
What we never collect
- Passwords, service account credentials, or secret keys
- IP addresses or MAC addresses
- File system contents, databases, or application data
- Active Directory usernames or group membership
- Windows Event Log or security audit logs
- Network topology or firewall rules
- Any form of personally identifiable information (PII)
Sample output JSON
Below is a representative sample of the JSON payload the scanner produces. Your security team can verify this matches the “What we collect” list above before any upload occurs.
{
  "scan_version": "1.0.0",
  "generated_at": "2025-06-04T09:14:22Z",
  "servers": [
    {
      "hostname": "SRV-SQL-01",
      "os_name": "Windows Server 2022 Datacenter",
      "os_version": "10.0.20348",
      "physical_sockets": 2,
      "physical_cores_per_socket": 10,
      "total_physical_cores": 20,
      "ram_gb": 128,
      "is_virtual": false,
      "cluster_name": "PROD-CLUSTER-01",
      "sql_instances": [
        {
          "instance_name": "MSSQLSERVER",
          "edition": "Enterprise",
          "version": "15.0.4345.5",
          "vcores_assigned": 20
        }
      ]
    }
  ]
}
No IP addresses, no user data, no file system contents. This is the complete payload.
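One way a security team could automate the pre-upload check described above, as an added example that is not WinSQLTool code: it rejects any field outside the sample payload's key set and flags string values that look like IPv4 or MAC addresses. The function name `audit`, the allowlists, and the assumption that the sample shows the complete schema are this example's own.

```python
import json
import re

# Allowlists copied from the sample payload on this page; treating that sample
# as the complete schema is an assumption of this example.
TOP = {"scan_version", "generated_at", "servers"}
SERVER = {"hostname", "os_name", "os_version", "physical_sockets",
          "physical_cores_per_socket", "total_physical_cores", "ram_gb",
          "is_virtual", "cluster_name", "sql_instances"}
INSTANCE = {"instance_name", "edition", "version", "vcores_assigned"}
VERSION_KEYS = {"scan_version", "os_version", "version"}  # dotted numbers expected here

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")


def audit(payload):
    """Return a list of findings; an empty list means nothing unexpected was seen."""
    findings = []

    def check(obj, allowed, path):
        for key, value in obj.items():
            if key not in allowed:
                findings.append(f"{path}.{key}: field not in allowlist")
            elif isinstance(value, str) and key not in VERSION_KEYS:
                if IPV4.search(value):
                    findings.append(f"{path}.{key}: value looks like an IPv4 address")
                if MAC.search(value):
                    findings.append(f"{path}.{key}: value looks like a MAC address")

    check(payload, TOP, "$")
    for i, server in enumerate(payload.get("servers", [])):
        check(server, SERVER, f"$.servers[{i}]")
        for j, inst in enumerate(server.get("sql_instances", [])):
            check(inst, INSTANCE, f"$.servers[{i}].sql_instances[{j}]")
    return findings


# Constructed sample: a trimmed copy of the page's payload plus two injected problems.
SAMPLE = json.loads("""{"scan_version": "1.0.0", "generated_at": "2025-06-04T09:14:22Z",
  "servers": [{"hostname": "SRV-SQL-01", "os_version": "10.0.20348",
    "cluster_name": "10.20.30.40", "ip_address": "10.20.30.41",
    "sql_instances": [{"instance_name": "MSSQLSERVER", "version": "15.0.4345.5"}]}]}""")

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

To audit a real scan, load the scanner's output file with `json.load` and pass the result to `audit` before uploading.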
Cloud data handling
Uploaded JSON payloads are stored in an isolated, encrypted S3-compatible bucket scoped to your organization. Multi-tenant isolation is enforced at the database row level — no query can return data belonging to another organization. Processed reports are retained for 90 days and can be deleted on demand from your dashboard. Data is encrypted at rest (AES-256) and in transit (TLS 1.3).