Determine when running in a virtual machine
Solution 1
I wrote a series of articles last year on this, with source code. VMware and Wine detection are here. Virtual PC is here. All three of these have pretty iron-clad detection because there are documented callbacks to the hypervisor (in the case of Wine, an extension to a standard DLL). I put up an untested VirtualBox detector (don't have it installed to test with) in the comment section. Parallels might be detectable using a callback also but I don't have it installed. The link for the documentation (which is poor since it's from a security researcher focusing on exploits) but located here if you have it installed and are interested. There's also a PPT here that has some information on detecting Sandbox, Bochs, and Xen. Not a lot of code in it but it might give you a starting point if you have to detect those.
Solution 2
Code Project shows a way to Detect if your program is running inside a Virtual Machine that goes in much detail on how to accomplish it to give a good understanding
Solution 3
I think the best approach to this is to check the hardware profiles. Virtualized hardware usually uses part of the companies name. If you check the motherboard description while in Virtual PC, you will notice it is made by "Microsoft Corporation". Likewise in VMWare, your ethernet adapter will be prefixed with VMNet.
Solution 4
This thread on the SysInternals forums has a couple of answers (in Delphi, of course), including a single IsVM function. I've tested on XP and Win2003 hosted on both XP and Vista in VMWare with good results.
Solution 5
To determine the machine is physical or VM
dmidecode | egrep -i 'manufacturer|product'
If the dmidecode command not found install the respective rpm.
This is tested under EXSI, VMWARE and hyperv machines.
Joel
Developer Advocate for Embarcadero Technologies Invented and patented swipe to unlock in 2000. See US Patent # 8352745 & 6766456, and others. Host of the Podcast at Delphi.org. (mostly a blog with occasional episodes). Preferred Languages: Delphi / Object Pascal C++ JavaScript C# / .NET Java
Updated on June 15, 2022Comments
-
Joel almost 2 years
Is there an official way for an application to determine if it is running in VMWare or Virtual PC (or whatever Microsoft is calling it now)? The code I have seen is usually a hack that took advantage of some odd behavioral side effect in a specific version of VMWare or Virtual PC.
Ideally Delphi code, but if you can link to an official explanation then I am sure I can convert it.
-
John T about 15 yearsThere is also virtualbox, and VMWare among others.
-
Joel about 15 yearsI had looked at that link before, but being that it was 4 years old and didn't really site any sources so I wasn't sure if it was still valid. Virtualization software has changed a lot since then.
-
Michael Madsen about 15 yearsCorrect, which is where everything gets a bit iffy if you want to check those as well - you need to look at the hardware info provided by these other VMs to see what special value you can look for there. However, the question asks for VPC, and that code handles it. I would argue that WMI is, regardless of VM, the best bet for a unified way of getting the required info, though, as all you need to change is the query and field name you're checking.
-
a_h about 15 yearsit has changed a lot, but that example checks the register that hypervisor uses for interupts and being a person that knows some info about hypervisors, that part still has yet to change
-
Joel about 15 yearsOK, I will test these on the latest virtual machines. Thanks!
-
Bruce McGee about 15 yearsThese tests work with VMWare Workstation 5 up to the latest. I don't use VPC.
-
Joel about 15 yearsThese were the articles I remembered reading about it. Thanks! The code is even in Delphi.
-
mistertodd almost 15 yearsIt should be noted that it's not using some officially documented scheme to detect the presence of VirtualPC. It's using instructions that should be invalid on the real hardware, that VPC uses for communication to the outside. Nothing is to say that those instructions can't change in the future, or that Intel couldn't release a CPU that then uses those "unused" instructions.
-
Stéphane over 14 yearsThe problem with RedPill and likewise similar techniques such as the initial scoopy_doo is that it produces false-positives when run on multi-core systems. Google for "NoPill" for additional details.
-
Stéphane over 14 yearsAlso keep in mind that most virtualization software will let you modify the MAC address to anything you want. Thus, this technique is not reliable.
-
tobsen over 13 yearsAlso, other techniques are obsolete or produce false positives: charette.no-ip.com:81/programming/2009-12-30_Virtualization/…
-
0xC0000022L almost 12 years@skamradt: Have you seen this? -> blog.assarbad.net/20061105/redpill-getting-colorless