Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
From time to time it is handy to be able to detect that you are running inside of a virtual machine (for instance - you may have maintenance scripts that you want to run on all of your computers - but have them behave differently inside of your virtual machines). The easiest way to detect that you are inside of a virtual machine is by using 'hardware fingerprinting' - where you look for hardware that is always present inside of a given virtual machine. In the case of Microsoft virtual machines - a clear indicator is if the motherboard is made by Microsoft:
Dim Manufacturer
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\" & strComputer & "rootcimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_BaseBoard")
For Each objItem in colItems
Manufacturer = objItem.Manufacturer
Next
if Manufacturer = "Microsoft Corporation" then
wscript.echo "In Microsoft virtual machine"
else
wscript.echo "Not in Microsoft virtual machine"
end if
The above script uses WMI to find out the motherboard manufacturer information. If the motherboard is made by "Microsoft Corporation" then you are inside of one of our virtual machines. Now to preemptively answer some questions that I can see people having about this:
But I have seen some cool generic scripts to detect virtual machines - why don't you use that?
Yes - there are various methods out there. They usually rely on detecting common shortcuts taken by today's virtualization offerings. But just because these shortcuts are common doesn't mean that they are necessary - nor does it mean that they will always be reliable for detecting the presence of a virtual machine. Hardware finger-printing is the most reliable - but it is a vendor specific solution.
But if people can easily detect that they are inside of a virtual machine - won't they be able to do special evil things?
I seriously hope not. One of the key tenets of virtual machine design is to ensure that the virtual machine is completely isolated from other virtual machines and from the host operating system. This means that there should be nothing that can be done inside of a virtual machine to adversely affect the host or other virtual machines.
Anyway - enjoy the script :-)
Cheers,
Ben
Comments
Anonymous
October 27, 2005
Minor correction -- I think you meant "tenets", not "tenants", in this sentence:
"One of the key tenants of virtual machine design..."Anonymous
October 27, 2005
Thanks - you are right (I have fixed it up).
Cheers,
BenAnonymous
October 27, 2005
Actually I hopen Microsoft never decides to create a motherboard now as this might mess up detection :) .
I hink it would have been nice to have the motherboard echo Microsoft Virtual PC somewhere as this assures that it will not collide with other activities Microsoft might consider (Microsoft corporation is quite big I guess)Anonymous
October 27, 2005
How can that be changed, so that for example if the VM was running as a honeypot, the bad guy couldn't use that script to determine if it the machine, for example, was a microsoft honeypot for trapping spammers and decide not to try spamming?Anonymous
October 27, 2005
Ben,
thank you for this new script.
I posted during 2004 other three methods you could check:
1) http://www.virtualization.info/2004/03/how-application-can-detect-if-is.html
2) http://www.virtualization.info/2004/03/how-application-can-detect-if-is_17.html
3) http://www.virtualization.info/2004/11/how-to-detect-virtual-machines.html
HTH
AlessandroAnonymous
October 28, 2005
The comment has been removedAnonymous
October 28, 2005
The comment has been removedAnonymous
October 30, 2005
> Yes - there are various methods out there.
> They usually rely on detecting common
> shortcuts taken by today's virtualization
> offerings. But just because these shortcuts
> are common doesn't mean that they are
> necessary - nor does it mean that they will
> always be reliable
Not always reliable, of course. But they are necessary. Microsoft doesn't make all VMs. Once upon a time they didn't even make yours.Anonymous
November 01, 2005
The comment has been removedAnonymous
November 01, 2005
Ah, I was worried for a while there.
Ben's blog just wouldn't be the same without Norman's negative posts, and its been a while.Anonymous
September 30, 2010
Does this work approach work w/ Hyper-V R2?Anonymous
February 17, 2012
VirtualMachineDetect uses some more techniques to detect VirtualPc. You can find it in securityresearch.in/.../virtualmachinedetect-v-2-1-1-beta-is-out.Anonymous
May 08, 2013
Hi Ben, This has been working fine up until 'Windows Surface Pro'. Now 'Windows Surface Pro' also returns 'Manufacturer' value from Win32_BaseBoard as 'Microsoft Corporation'. So do you have an official Microsoft link that explains how to detect if we are running under a virtual machine? Thanks.Anonymous
July 13, 2015
Try this: FOR /F "tokens=*" %a IN ('wmic bios get bioscharacteristics^|find /c "33"') DO set USBlegacy=%a This returns "1" for a limited range of desktops and laptops in my environment and "0" for VMWare workstation 9 ESX 5.5 and Citrix 6.5 and 7.6. BIOSCharacteristic "50" (one "reserved for system vendor") I've only found in the four virtual environments so that would work in reverse.Anonymous
July 14, 2015
Or there's this: FOR /F "tokens=*" %a IN ('wmic path win32_pnpentity get ^|find /c "ACPI Fan"') DO set ACPIfan=%a Returns "5" on an HP Desktop, "0" on VMware workstation 9 and ESX 5.5, not tested on the others.Anonymous
December 08, 2015
Hello, We run in the Problems with MS Surface Pro too. Is there any official solution from Microsoft for dedecting MS VPCs? thx a lot.Anonymous
August 20, 2016
HI There!I have problem with my laptop lately. Two weeks ago I've noticed some changes on the way my machines starts work. Before it starts up very quickly and works fine. But now it starts two times as if two computers opening one behind the other and takes 30 times more time to load. Few days ago I typed my password to login to my laptop and it opened as normal and suddenly another screen appeared to login again. When typed my same password on that screen it opened. Later what ever I typed letters being changed automatically, cursor arrow moving by itself, emails that I send to other people is coming back to my account etc...I do I fix this issue because it seems like it's trying to block my activities. Feels like I'm using different operation on my laptop with my username and password.Please help me in this regard.