Detecting Microsoft virtual machines

From time to time it is handy to be able to detect that you are running inside of a virtual machine (for instance - you may have maintenance scripts that you want to run on all of your computers - but have them behave differently inside of your virtual machines).  The easiest way to detect that you are inside of a virtual machine is by using 'hardware fingerprinting' - where you look for hardware that is always present inside of a given virtual machine.  In the case of Microsoft virtual machines - a clear indicator is if the motherboard is made by Microsoft:

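' Variables used by the script
Dim Manufacturer, strComputer, objWMIService, colItems, objItem

' "." refers to the local computer
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Win32_BaseBoard describes the motherboard
Set colItems = objWMIService.ExecQuery("Select * from Win32_BaseBoard")

' Keep the manufacturer string of the (last) baseboard returned
For Each objItem In colItems
    Manufacturer = objItem.Manufacturer
Next

' A Microsoft motherboard is taken as the virtual machine indicator
If Manufacturer = "Microsoft Corporation" Then
    WScript.Echo "In Microsoft virtual machine"
Else
    WScript.Echo "Not in Microsoft virtual machine"
End If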

The above script uses WMI to find out the motherboard manufacturer information.  If the motherboard is made by "Microsoft Corporation" then you are inside of one of our virtual machines.  Now to preemptively answer some questions that I can see people having about this:

  1. But I have seen some cool generic scripts to detect virtual machines - why don't you use that?

    Yes - there are various methods out there.  They usually rely on detecting common shortcuts taken by today's virtualization offerings.  But just because these shortcuts are common doesn't mean that they are necessary - nor does it mean that they will always be reliable for detecting the presence of a virtual machine.  Hardware fingerprinting is the most reliable - but it is a vendor-specific solution.
  2. But if people can easily detect that they are inside of a virtual machine - won't they be able to do special evil things?

    I seriously hope not.  One of the key tenets of virtual machine design is to ensure that the virtual machine is completely isolated from other virtual machines and from the host operating system.  This means that there should be nothing that can be done inside of a virtual machine to adversely affect the host or other virtual machines.

Anyway - enjoy the script :-)

Cheers,
Ben

  • Minor correction -- I think you meant "tenets", not "tenants", in this sentence:

    "One of the key tenants of virtual machine design..."
  • Thanks - you are right (I have fixed it up).

    Cheers,
    Ben
  • Actually I hope Microsoft never decides to create a motherboard now as this might mess up detection :) .

    I think it would have been nice to have the motherboard echo Microsoft Virtual PC somewhere as this assures that it will not collide with other activities Microsoft might consider (Microsoft corporation is quite big I guess)
  • How can that be changed, so that for example if the VM was running as a honeypot, the bad guy couldn't use that script to determine if the machine, for example, was a Microsoft honeypot for trapping spammers and decide not to try spamming?

  • Ben,
    thank you for this new script.

    During 2004 I posted three other methods you could check:

    1) http://www.virtualization.info/2004/03/how-application-can-detect-if-is.html

    2) http://www.virtualization.info/2004/03/how-application-can-detect-if-is_17.html

    3) http://www.virtualization.info/2004/11/how-to-detect-virtual-machines.html


    HTH
    Alessandro
  • >> One of the key tenets of virtual machine design is to ensure that the virtual machine is completely isolated from other virtual machines and from the host operating system. This means that there should be nothing that can be done inside of a virtual machine to adversely affect the host or other virtual machines. <<

    However, we have the example of the 'Additions' or 'Tools' that show that interaction between the host & guest is in fact possible. It's clear that the mechanisms used by the Additions could be used for evil purposes.

    But, VMs would be so very much less nice to use without them (ah, those damn tradeoffs!).

    I'd actually like it if the mechanisms for host/guest interaction used by the additions were documented, because I think that many interesting and useful technologies could be built on them.

    If this were done (and even if not), there might be a need for the VM implementation to be able to configure that the communication mechanism be disabled (which would also disable the additions) in the interest of making the host secure from the guest.
  • Here's a portion of a CMD script that I use to detect if it's running in a VM. It uses DEVCON, a command line version of Device Manager. It's really useful for detecting exactly what hardware is in a system.

    REM Virtual Server and Virtual PC both have the device named "Virtual HD" for their IDE disks
    devcon hwids * | xgrep -c "Virtual HD"
    IF %errorlevel% EQU 0 CALL VMAdditions.Exe

    REM In the case the disk is SCSI then the disk device is named differently so we need to check for that too.
    devcon hwids * | xgrep -c "MS Virtual SCSI Disk Device"
    IF %errorlevel% EQU 0 CALL VMAdditions.exe
  • > Yes - there are various methods out there.
    > They usually rely on detecting common
    > shortcuts taken by today's virtualization
    > offerings. But just because these shortcuts
    > are common doesn't mean that they are
    > necessary - nor does it mean that they will
    > always be reliable

    Not always reliable, of course. But they are necessary. Microsoft doesn't make all VMs. Once upon a time they didn't even make yours.
  • Interesting - so this is how Virtual PC knows that it's not supposed to run one virtual machine inside another?

    Is there any way to hack this so that you can do that, never mind the performance and possible stability issues that might arise?

  • Ah, I was worried for a while there.

    Ben's blog just wouldn't be the same without Norman's negative posts, and it's been a while.
  • Does this approach work w/ Hyper-V R2?

  • VirtualMachineDetect uses some more techniques to detect VirtualPc. You can find it in securityresearch.in/.../virtualmachinedetect-v-2-1-1-beta-is-out.

  • Hi Ben,

    This has been working fine up until 'Windows Surface Pro'. Now 'Windows Surface Pro' also returns 'Manufacturer' value from Win32_BaseBoard as 'Microsoft Corporation'. So do you have an official Microsoft link that explains how to detect if we are running under a virtual machine?

    Thanks.
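
The Surface Pro false positive reported in the comment above comes from matching on the Manufacturer string alone. As an added example (not code from the original post or from Microsoft), the PowerShell below also requires the board product or system model to read "Virtual Machine" before reporting a guest. That model string, the function name Test-MicrosoftVMFingerprint and the sample inventories are assumptions constructed for illustration.

```powershell
# Added example: combine the vendor string with a model string before deciding.
# Assumption: Microsoft guests report "Virtual Machine" as board product or
# system model, while Microsoft-built hardware reports its own model name.
function Test-MicrosoftVMFingerprint {
    param(
        [string]$BoardManufacturer,
        [string]$BoardProduct,
        [string]$SystemModel
    )
    $vendorMatch = $BoardManufacturer.Trim() -eq 'Microsoft Corporation'
    $modelMatch  = ($BoardProduct.Trim() -eq 'Virtual Machine') -or
                   ($SystemModel.Trim() -eq 'Virtual Machine')

    if ($vendorMatch -and $modelMatch) {
        $verdict = 'Microsoft virtual machine'
    } elseif ($vendorMatch) {
        $verdict = 'Microsoft hardware, no VM model string'
    } else {
        $verdict = 'Not a Microsoft virtual machine'
    }

    [pscustomobject]@{
        Manufacturer = $BoardManufacturer
        Product      = $BoardProduct
        Model        = $SystemModel
        Verdict      = $verdict
    }
}

# Constructed sample inventories (not captured from real machines).
$samples = @(
    @{ BoardManufacturer = 'Microsoft Corporation'; BoardProduct = 'Virtual Machine'; SystemModel = 'Virtual Machine' },
    @{ BoardManufacturer = 'Microsoft Corporation'; BoardProduct = 'Surface Pro';     SystemModel = 'Surface Pro' },
    @{ BoardManufacturer = 'Contoso Ltd.';          BoardProduct = 'CT-1000';         SystemModel = 'Contoso Desktop' }
)
foreach ($s in $samples) { Test-MicrosoftVMFingerprint @s }

# Live check on the local machine, skipped where the CIM cmdlets are unavailable.
if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    $board  = Get-CimInstance -ClassName Win32_BaseBoard | Select-Object -First 1
    $system = Get-CimInstance -ClassName Win32_ComputerSystem
    Test-MicrosoftVMFingerprint -BoardManufacturer $board.Manufacturer `
        -BoardProduct $board.Product -SystemModel $system.Model
}
```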
