I do believe that the virtual disks and CD drive are named VMWare_something... Tools or no tools.

/Rubeck

Thanks for the suggestions guys, not to sure what I'll go with yet but you've been very helpful.

run redpill.exe

if it says "not in matrix" you are not in a VM

http://invisiblethings.org/papers/redpill.html

___________________________________

description of vmx-parameters:

VMware-liveCD:

redpill fails in 64bit VMs due to VT

For a reliable detection OP should run several of the detection tools like redpill, kenkatos checkvm or what it is called and two or three more which names I don't remember right now.

Additionally he should query SCSI-device IDs, MAC-addresses of the nics and so on.

For quick detection of 32bit hosts redpill probably is suffiecient - don't you think ?

___________________________________

description of vmx-parameters:

VMware-liveCD:

For quick detection of 32bit hosts redpill probably is suffiecient - don't you think ?

Not when you don't "trust" the VM.

Most of these checks (checkvm, redpill, bluepill, ...) can be easily defeated by either using the isolation parameters or by using VT.

The only reliable checks I'm aware of are:

--MAC address (I've heard rumors that this will fail in the future, since VMware allows the use of arbitrary MAC addresses in new product releases)

--VM specific hardware combinations, like a BX chipset with a Xeon CPU

--VM specific hardware devices, like disks and CDROMs containing the VMware string

--Timing attacks

Thats a great idea, Mac address detection should work fine.

If you found this information useful, please consider awarding points for Correct or Helpful.

Alan Renouf

VMware, Citrix, Microsoft Consultant

UK

Mac address detection should work fine

If the testing system happens to reside in the same network.

I believe you can accomplish this through Windows Management Instrumentation (WMI) scripting. It should tell you the model as VMWare Virtual Platform as the computer's model. If you are familiar with vbscript scripting, then this should come naturally to you. If not, refer to the Hey Scripting Guy site to give you a crash course (). The class you will be using is Win32_ComputerSystem and the property is Model (). I recommend you test scripts on test servers prior to production servers since a script can be very helpful or very painful. Thanks.

Please award helpful/correct answer points when you see fit.

WMI definately works, I have used this before as was mentioned in my earlier post.

If you found this information useful, please consider awarding points for Correct or Helpful.

Alan Renouf

VMware, Citrix, Microsoft Consultant

UK

Doh...sorry about that bud. I didnt wanna shanghai your post. I didnt read it all the way through. Please ignore mine. I apologize again.

WMI isn't natively installed on NT 4.0 so sadly doesn't quite fit my requirements.

Thanks for the suggestion though.

Anyone know if there's a common registry key across all platforms? I reckon I could probably knock up a script to check that....

Thanks,

Steve

Maybe check for the Mainboard ?

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\*\440BX__

not sure if this exists in NT4 ?

___________________________________

description of vmx-parameters:

VMware-liveCD:

Addition to continuum's suggestion, how about the HKLM\SYSTEM\CurrentControlSet\Control\Video\. I am totally in the dark with WinNT and not sure if this would even work if you dont have the VMTools installed. Enumerate your subkeys. Underneath that should have a subkey 0000 and a value called Device Description. Mine says VMware SVGA II. Let me know if that even works. I am kinda curious myself. Who knows, it might just be there and might be called VMware something. All I did was just search through my whole registry. Maybe someone can find something more useful. Thanks.

Good suggestion but unreliable. If someone has not installed vmx_fb display driver this query will show nothing as a standard vga doesn't have the Device Description.

On the other hand - you may argue - if mentioned key exists it MUST be a VM

___________________________________

description of vmx-parameters:

VMware-liveCD:

One related option would be to search for the PCI Vendor and Device IDs.

I haven't tried it - so only a guess.

Well it will get a bit messy searching through the registry for something that might not be standard. I figured it wouldnt be there if the VMTools is not installed. Enumerating through the registry is actually not that time consuming so that might be a viable option even if you have to search through a whole key's subkeys and as suggested by you guys, it might actually work out if you enumerate through the installed hardware. One more suggestion: HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses. Enumerate through that whole key's subkeys' subkey and you should find a value called DeviceInstance. Within that value you will have a data that will have the word vmware. It might say IDE or SCSI. If time constraints become an issue, you might want to schedule these scans nightly or whenever it suits your environment. Again, I have no idea how a WinNT registry looks like and we have VMWare tools installed on every VM we have around. Hope it helps anyway.