Hyper-V How To: Detect if you are inside a VM
Sometimes, when troubleshooting or for forensic reasons, you may have to determine if an application is running inside a virtual machine. John Kelbley, co-author of Windows Server 2008 Hyper-V : Insiders Guide to Microsoft's Hypervisor, shares how.
One (relatively) simple way to detect key virtualization information is via WMI / WBEM. You can use the root\CIM2 namespace and access the Baseboard class (full of interesting BIOS information) to get a description of the "physical" system. This class often includes information about the motherboard and chassis - manufacture, model, serial number, other. You can run the following VBS to get this info.
On Error Resume Next
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20arrComputers = Array(".")
For Each strComputer In arrComputers
WScript.Echo
WScript.Echo "=========================================="
WScript.Echo "Computer: " & strComputer
WScript.Echo "=========================================="Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_BaseBoard", "WQL", _
wbemFlagReturnImmediately + wbemFlagForwardOnly)For Each objItem In colItems
WScript.Echo "Caption: " & objItem.Caption
strConfigOptions = Join(objItem.ConfigOptions, ",")
WScript.Echo "ConfigOptions: " & strConfigOptions
WScript.Echo " CreationClassName: " & objItem.CreationClassName
WScript.Echo " Description: " & objItem.Description
WScript.Echo " HostingBoard: " & objItem.HostingBoard
WScript.Echo " InstallDate: " & WMIDateStringToDate(objItem.InstallDate)
WScript.Echo " Manufacturer: " & objItem.Manufacturer
WScript.Echo " Model: " & objItem.Model
WScript.Echo " Name: " & objItem.Name
WScript.Echo "OtherIdentifyingInfo: " & objItem.OtherIdentifyingInfo
WScript.Echo " PartNumber: " & objItem.PartNumber
WScript.Echo " Product: " & objItem.Product
WScript.Echo " SerialNumber: " & objItem.SerialNumber
WScript.Echo " SKU: " & objItem.SKU
WScript.Echo " Status: " & objItem.Status
WScript.Echo " Tag: " & objItem.Tag
WScript.Echo " Version: " & objItem.Version
WScript.Echo
Next
NextFunction WMIDateStringToDate(dtmDate)
WScript.Echo dtm:
WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
& " " & Mid (dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate,13, 2))
End Function
Here is a screen capture of the script results for a physical system running Windows Server 2008.
NOTE the motherboard was manufactured by Intel (model DG45ID).
Running the same script in a virtual machine returns similar information:
NOTE On the virtual machine, the "motherboard" appears to be made by Microsoft (we don't make motherboards!) and is of a virtual type.
The version number shown reflects the version of Hyper-V (Server 2008 RTM), and the Serial Number matches that found in the VM configuration file (XML file on the physical host).
The Perl script version for this is:
use strict;
use Win32::OLE('in');use constant wbemFlagReturnImmediately => 0x10;
use constant wbemFlagForwardOnly => 0x20;my @computers = (".");
foreach my $computer (@computers) {
print "\n";
print "==========================================\n";
print "Computer: $computer\n";
print "==========================================\n";my $objWMIService = Win32::OLE->GetObject("winmgmts:\\\\$computer\\root\\CIMV2") or die "WMI connection failed.\n";
my $colItems = $objWMIService->ExecQuery("SELECT * FROM Win32_BaseBoard", "WQL",
wbemFlagReturnImmediately | wbemFlagForwardOnly);foreach my $objItem (in $colItems) {
print " Caption: $objItem->{Caption}\n";
print " ConfigOptions: " . join(",", (in $objItem->{ConfigOptions})) . "\n";
print " CreationClassName: $objItem->{CreationClassName}\n";
print " Description: $objItem->{Description}\n";
print " HostingBoard: $objItem->{HostingBoard}\n";
print " InstallDate: $objItem->{InstallDate}\n";
print " Manufacturer: $objItem->{Manufacturer}\n";
print " Model: $objItem->{Model}\n";
print " Name: $objItem->{Name}\n";
print "OtherIdentifyingInfo: $objItem->{OtherIdentifyingInfo}\n";
print " Product: $objItem->{Product}\n";
print " SerialNumber: $objItem->{SerialNumber}\n";
print " SKU: $objItem->{SKU}\n";
print " Status: $objItem->{Status}\n";
print " Tag: $objItem->{Tag}\n";
print " Version: $objItem->{Version}\n";
print "\n";
}
}sub WMIDateStringToDate(strDate)
{
return "blah";
}
For additional reference, within Windows I could also access the same information in a single command line (in Windows XP or newer) by typing the following:
wmic baseboard get manufacturer, product, Serialnumber, version
For info on how to use Hper-V PS cmdlets see: https://www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/index.mspx
See also James O’Neil’s New and improved PowerShell Library for Hyper-V. Now with more functions and... documentation!
For 35 sample Hyper-V PS1 scripts in a zipfile, go to: Hyper-V%20PowerShell%20Example%20Scripts.zip-download
And buy John(et al)’s book!
Update: John's blogging now and has an updated method to detect the hypervisor: https://blogs.technet.com/enterprise_admin/archive/2009/10/20/detecting-the-virtualization-layer-from-within-a-guest-child-instance.aspx
Comments
- Anonymous
August 21, 2009
I wasn't super clear when I provided this information to Tony - this shows a VM running on a Microsoft virtualization layer like Hyper-V. A Windows virtual machine on VMWare does not report the same information (it may show that it has a 440BX chipset motherboard due to emulation). You can detect a VMware physical host by interrogating the WMI Win32_BIOS and looking at the serialnumber. My buddy Ben Herman (you know who you are you scripting master!) helped me with that since I didn't have a VMware host handy. I'll send Tony some more info on all this that he can post.