0

I've been researching for several days now on how to distinguish programmatically (C#) if my software (Windows) is running on a VM or a physical machine. The approaches I find are two:

  1. Test for specific attributes indicating you're running on a specific type of a VM (VMware, AMI etc.). Disadvantage: And what if you're not running on them? And what if these attributes can easily be changed by the manufacturer?
  2. Try to use WMI to determine that by querying for certain attributes: I saw at least five different pieces of code, all contradicting each other and with someone commenting "it doesn't work".

I find it very difficult to believe that we do not have a definitive solution for making that distinction. Can anyone share a robust piece of code for this problem?

10
  • What are you trying to accomplish by checking this? Usually it's only easy to tell if you're running on certain types of virtualization but some may not be so easy to detect. Commented Apr 30, 2014 at 20:45
  • 1
    Maybe it could be helpful to check what kind of information the Virtual CPU contains: codeproject.com/Articles/17973/… Commented Apr 30, 2014 at 20:46
  • 2
    Our requirement is to tell the difference between the platforms for some licensing purposes. I really don't know much about the world of virtualization, but you mean to say there is not a SINGLE queryable attribute that distinguishes a virtual environment from a physical one? Commented Apr 30, 2014 at 20:48
  • 1
    @user181218 In some cases no, because that's the whole idea: to make sure the virtual is as real as possible; having run into some issues also related to licensing, I can tell you that all identifiable information can be forged by the host of the VM. Commented Apr 30, 2014 at 21:04
  • 1
    You might also want to look into "Blue Pill Detection", which is the art of detecting a hypervisor that's trying to hide from you. Commented Apr 30, 2014 at 21:29

2 Answers

2

My suggestion is to poll the registry of the machine running your app for specific keys that the VMs insert. It is highly unlikely that a physical machine will have the keys.

For example, below is a screenshot of some keys in one of my VMware dev boxes.
You could check for the presence of some or all of these keys from within your app if it is running VMware.

Since this was tagged with C#, I would suggest you use the methods in the following Stack Overflow question: Read Registry Keys via C#

Same methodology applies to any other VM system.

VMware Keys in Windows Server


3 Comments

What if the physical server is running several VMs and your application is simply run under the physical server? They'll have those keys for VMware products installed.
@Michael J. Gray, interesting and valid comment. I can only speak for VMware as it is what I use but the specific keys are different on the host vs the guest. If one were to use this method, you'd have to do a little homework to find the differences but they are definitely there.
Another part of the requirement based on a response by the author about hardware spoofing is that the keys could be detoured/altered/edited by some hypervisor module or something operating below the OS in general. It could detect that the virtualization software is trying to read a key and then return results for the other keys, thus defeating your detection mechanism. I believe all methods are easily thwarted because of the fact that the application only knows what the OS/hardware tells it. When you get into virtual hardware, it can represent anything, even add or remove CPU instructions.
0

As far as I know there is no confident way to determine whether you are in a virtual environment.

I would start with:

  • Look for VM-specific virtual hardware (for instance network adapters or USB Controllers etc.)
  • Look for VM-specific processor capabilities; some virtual machines introduce additional instruction sets.

There might be something else....

1 Comment

Sadly, for the first point, the information can be easily forged (literally every device type, model and/or serial number is stored in a clear text file, which the VM reads on startup).
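
The WMI approach from the question, written as a score rather than a yes/no answer because, as the comments note, every value here is reported by the host and can be forged. This is an added example, not code from either answer: `VmHeuristic`, the marker list and the weights are assumptions, while `Win32_ComputerSystem` and its `Manufacturer`, `Model` and `HypervisorPresent` properties are standard WMI.

```csharp
using System;
using System.Management; // add a reference to System.Management

static class VmHeuristic
{
    // Constructed, incomplete list of vendor strings that guests commonly report.
    static readonly string[] Markers = { "vmware", "virtualbox", "innotek", "qemu", "xen" };

    // Pure scoring function: testable without WMI. Higher score = more likely a guest.
    public static int Score(string manufacturer, string model, bool hypervisorPresent)
    {
        string text = ((manufacturer ?? "") + " " + (model ?? "")).ToLowerInvariant();
        int score = 0;
        foreach (string m in Markers)
            if (text.Contains(m)) { score += 2; break; }
        // Hyper-V guests report "Microsoft Corporation" / "Virtual Machine".
        if (text.Contains("microsoft") && text.Contains("virtual")) score += 2;
        // Weak signal: also true on a physical machine with Hyper-V enabled.
        if (hypervisorPresent) score += 1;
        return score;
    }

    public static int ScoreLocalMachine()
    {
        using (var searcher = new ManagementObjectSearcher("SELECT * FROM Win32_ComputerSystem"))
        {
            foreach (ManagementObject cs in searcher.Get())
            {
                bool hv = false;
                try { hv = cs["HypervisorPresent"] is bool b && b; }
                catch (ManagementException) { /* property absent on older Windows */ }
                return Score(cs["Manufacturer"] as string, cs["Model"] as string, hv);
            }
        }
        return 0; // no WMI data: treat as unknown, not as "physical"
    }

    static void Main()
    {
        // Constructed sample values, not captured from real machines.
        Console.WriteLine(Score("VMware, Inc.", "VMware Virtual Platform", true));
        Console.WriteLine(Score("Dell Inc.", "PowerEdge R640", true));   // physical Hyper-V host
        Console.WriteLine(Score("Dell Inc.", "Latitude 7490", false));
        Console.WriteLine("This machine: " + ScoreLocalMachine());
    }
}
```

A low score only means nothing recognisable was reported; a licensing decision should treat it as "unknown" rather than proof of physical hardware.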
