Welcome to MSDN Blogs Sign in | Join | Help

Detecting Microsoft virtual machines

From time to time it is handy to be able to detect that you are running inside of a virtual machine (for instance - you may have maintenance scripts that you want to run on all of your computers - but have them behave differently inside of your virtual machines).  The easiest way to detect that you are inside of a virtual machine is by using 'hardware fingerprinting' - where you look for hardware that is always present inside of a given virtual machine.  In the case of Microsoft virtual machines - a clear indicator is if the motherboard is made by Microsoft:

Dim Manufacturer

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colItems = objWMIService.ExecQuery("Select * from Win32_BaseBoard")

For Each objItem in colItems
    Manufacturer = objItem.Manufacturer
Next

if Manufacturer = "Microsoft Corporation" then
 wscript.echo "In Microsoft virtual machine"
else
 wscript.echo "Not in Microsoft virtual machine"
end if

The above script uses WMI to find out the motherboard manufacturer information.  If the motherboard is made by "Microsoft Corporation" then you are inside of one of our virtual machines.  Now to preemptively answer some questions that I can see people having about this:

  1. But I have seen some cool generic scripts to detect virtual machines - why don't you use that?

    Yes - there are various methods out there.  They usually rely on detecting common shortcuts taken by today's virtualization offerings.  But just because these shortcuts are common doesn't mean that they are necessary - nor does it mean that they will always be reliable for detecting the presence of a virtual machine.  Hardware finger-printing is the most reliable - but it is a vendor specific solution.
  2. But if people can easily detect that they are inside of a virtual machine - won't they be able to do special evil things?

    I seriously hope not.  One of the key tenets of virtual machine design is to ensure that the virtual machine is completely isolated from other virtual machines and from the host operating system.  This means that there should be nothing that can be done inside of a virtual machine to adversely affect the host or other virtual machines.

Anyway - enjoy the script :-)

Cheers,
Ben

Published Thursday, October 27, 2005 10:14 PM by Virtual PC Guy

Comments

Friday, October 28, 2005 1:53 AM by AC

# re: Detecting Microsoft virtual machines

Minor correction -- I think you meant "tenets", not "tenants", in this sentence:

"One of the key tenants of virtual machine design..."
Friday, October 28, 2005 2:05 AM by Virtual PC Guy

# re: Detecting Microsoft virtual machines

Thanks - you are right (I have fixed it up).

Cheers,
Ben
Friday, October 28, 2005 2:52 AM by gedoe

# re: Detecting Microsoft virtual machines

Actually I hopen Microsoft never decides to create a motherboard now as this might mess up detection :) .

I hink it would have been nice to have the motherboard echo Microsoft Virtual PC somewhere as this assures that it will not collide with other activities Microsoft might consider (Microsoft corporation is quite big I guess)
Friday, October 28, 2005 3:53 AM by zzz

# re: Detecting Microsoft virtual machines

How can that be changed, so that for example if the VM was running as a honeypot, the bad guy couldn't use that script to determine if it the machine, for example, was a microsoft honeypot for trapping spammers and decide not to try spamming?

Friday, October 28, 2005 5:14 AM by Alessandro Perilli

# re: Detecting Microsoft virtual machines

Ben,
thank you for this new script.

I posted during 2004 other three methods you could check:

1) http://www.virtualization.info/2004/03/how-application-can-detect-if-is.html

2) http://www.virtualization.info/2004/03/how-application-can-detect-if-is_17.html

3) http://www.virtualization.info/2004/11/how-to-detect-virtual-machines.html


HTH
Alessandro
Friday, October 28, 2005 3:14 PM by mikeb

# re: Detecting Microsoft virtual machines

>> One of the key tenets of virtual machine design is to ensure that the virtual machine is completely isolated from other virtual machines and from the host operating system. This means that there should be nothing that can be done inside of a virtual machine to adversely affect the host or other virtual machines. <<

However, we have the example of the 'Additions' or 'Tools' that show that interaction between the host & guest is in fact possible. It's clear that the mechanisms used by the Additions could be used for evil purposes.

But, VMs would be so very much less nice to use without them (ah, those damn tradeoffs!).

I'd actually like it if the mechanisms for host/guest interaction used by the additions were documented, because I think that many interesting and useful technologies could be built on them.

If this were done (and even if not), there might be a need for the VM implementation to be able to configure that the communication mechanism be disabled (which would also disable the additions) in the interest of making the host secure from the guest.
Friday, October 28, 2005 7:11 PM by Patrick M. Slattery

# re: Detecting Microsoft virtual machines

Here's a portion of a CMD script that I use to detect if it's running in a VM. It uses DEVCON, a command line version of Device Manager. It's really useful for detecting exactly what hardware is in a system.

REM Virtual Server and Virtual PC both have the device named "Virtual HD" for their IDE disks
devcon hwids * | xgrep -c "Virtual HD"
IF %errorlevel% EQU 0 CALL VMAdditions.Exe

REM In the case the disk is SCSI then the disk device is named differently so we need to check for that too.
devcon hwids * | xgrep -c "MS Virtual SCSI Disk Device"
IF %errorlevel% EQU 0 CALL VMAdditions.exe
Sunday, October 30, 2005 10:13 PM by Norman Diamond

# re: Detecting Microsoft virtual machines

> Yes - there are various methods out there.
> They usually rely on detecting common
> shortcuts taken by today's virtualization
> offerings. But just because these shortcuts
> are common doesn't mean that they are
> necessary - nor does it mean that they will
> always be reliable

Not always reliable, of course. But they are necessary. Microsoft doesn't make all VMs. Once upon a time they didn't even make yours.
Tuesday, November 01, 2005 2:09 PM by mike

# re: Detecting Microsoft virtual machines

Interesting - so this is how Virtual PC knows that isn't not supposed to run one virtual machine inside another?

Is there any way to hack this so that you can do that, nevermind the performance and possible stability issues that might arise?

Tuesday, November 01, 2005 11:43 PM by SJ

# re: Detecting Microsoft virtual machines

Ah, I was worried for a while there.

Ben's blog just wouldn't be the same without Norman's negative posts, and its been a while.
Monday, September 11, 2006 1:09 PM by Stephen Murillo Blog

# Detecting Virtual Machines

I was a firm believer in the fact that an application could not for sure detect that it was running on...
Thursday, July 17, 2008 2:22 AM by Virtualization Everything &laquo; Everything [ Design | Technology | Business ]

# Virtualization Everything &laquo; Everything [ Design | Technology | Business ]

PingBack from http://thetoptenme.wordpress.com/2008/07/17/virtualization-everything/

New Comments to this post are disabled
 
Page view tracker