VMware Communities
kasper
Enthusiast

Mandatory VMCI.SYS - Cure worse than the disease?

The Windows 10 February updates include the vmci.sys driver which up to this point was controlled by the Workstation Tools install. Now it is mandatory? I never used this in VMware Tools because of security issues. Now it is part of the Microsoft Patch Tuesday updates. Can someone explain why this has changed?

0 Kudos
1 Solution

Accepted Solutions
continuum
Immortal

Interesting ...
Here is something that you can test yourself to find out if vmci.sys is mandatory nowadays.
set
vmci0.present = "false"
in the vmx-file.

If that prevents the VM from starting it really seems to be required.

Ulli


________________________________________________
Do you need support with a VMFS recovery problem ? - send a message via skype "sanbarrow"
I do not support Workstation 16 at this time ...


20 Replies
kasper
Enthusiast

With the February Windows Patch Tuesday I am now getting a driver update for VMCI.SYS on the guests. It may be because I installed the Intel Optane SATA driver on the host. Or it may be that VMware has chosen to do this type of update in conjunction with Microsoft. Would some expert please elaborate on the vmci.sys driver and why an update gets pushed out through the Microsoft February Patch Tuesday updates?

0 Kudos
wila
Immortal

Hi,

It just means that the driver is considered common enough by Microsoft that it is now part of the standard inbox drivers. The driver is still maintained and produced by VMware. There are other drivers that also moved from VMware Tools to Microsoft inbox, such as the vmxnet3 driver. It is by no means maintained by Microsoft; they are just offering a distribution channel.

moderator hat on:

Please stop creating duplicate posts about this same subject.
I have moved your duplicate posts to the bit bucket. If you have more to say about this topic, then do so in this thread.
Thank you for your understanding.

moderator hat off.

--
Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
0 Kudos
kasper
Enthusiast

Thank you for your reply. I will contain my posts on this subject to this thread.

My question, which still has not been answered, is that before, this driver was only installed when selected on VMware Tools installation. If I did not select it, it was not installed on the guest. Now it is mandatory. Why?

I have tried to stop the installation on guests but it is still forced through. Can you provide a link where VMware says that the vmci.sys on Windows guests is now mandatory and the reason why it is required?

Thank you for your help.

0 Kudos
wila
Immortal

Hi,

To amend to Ulli's question (which I think is interesting)

Windows itself will try to install a driver for every hardware device it finds.
If disabling the device as discussed by Ulli prevents the VM from booting then you can probably still disable the driver in Windows after it is installed.

--
Wil

0 Kudos
kasper
Enthusiast

Thank you. Will try that.

The CRAZY thing is if MS updates force the install of vmci.sys and the person using VMware Workstation has not unchecked GUEST ISOLATION items then they now unknowingly have a security issue. The GUEST now has 'more' access to the host than before.

0 Kudos
kasper
Enthusiast

I do not see the vmxnet3 driver as now being mandatory from Microsoft? You may be confused by the fact you had already selected it in VMTools. If you do not select it then it appears Microsoft updates do not install/update it on the guest. Here is what I see.

0 Kudos
continuum
Immortal

> then they now unknowing have a security issue.

That's why I recommend to disable vmci in the vmx-file.



0 Kudos
kasper
Enthusiast

Didn't realize there are vmci settings in the vmx file. Because when I installed VMware Tools I completely deselected that. One would think the vmx file would reflect that properly. Thank you.

Checking that out.

0 Kudos
kasper
Enthusiast

Nice. I was tricked into believing that when I do a 'VMware Tools' install and deselect VMCI that would be the end of it. However, doing just that DOES NOT adjust the VMX file vmci0 setting. The vmx vmci0 is 'true' and really should be 'false' if one is not installing it using the tools. So Microsoft update sees the pci item. It looks like setting it to 'false' turns off the vmci pci item and stops the Microsoft update. My guess is that there is some disconnect between installing VMware Tools and making changes to the vmx file.

It looks like you nailed it!

0 Kudos
continuum
Immortal

If you want a VM to do what YOU WANT you must edit the vmx-file. 😎

Ulli



0 Kudos
wila
Immortal

Hi,

Glad to hear that the suggested vmx edit worked and that you have a solution.


@kasper wrote:
> I do not see the vmxnet3 driver as now being mandatory from Microsoft?


Yeah.. it's not a big deal, but that's not what I said.
What I said is that the vmxnet3 driver is now an inbox driver.
A driver being an inbox driver does not make it mandatory.

What it means is that when you install Windows and happen to have a vmxnet3 device installed (which you probably don't) that Windows will detect it "out of the box" and install a driver for it without you having to install VMware Tools first. To put it differently, the vmxnet3 driver is already "in the windows 10 box" (not that we still install software from a box nowadays anymore, but oh well.)

As for installing VMware Tools not changing vmx settings... it better not.
VMware Tools is for configuring in guest software, not for changing hardware configuration.
You removing the vmci hardware device from the virtual hardware is a hardware configuration change and it should never be possible to change that by installing/uninstalling software in the guest (for security reasons)

--
Wil

0 Kudos
kasper
Enthusiast

Thank you and thank the 'continuum' for your response. I am somewhat familiar with the vmx file. You are right that a VMTools install should not edit the vmx file. But I do not see any method other than a manual edit to make the change. And now that Microsoft is making the vmci file mandatory there should be an option somewhere other than to manually edit the file. As I stated previously, adding the vmci driver and not reviewing 'guest isolation' has the potential to lead to security issues.

Thank you and the 'continuum' for pointing me to the solution to this issue.

0 Kudos
wila
Immortal

Hi,

While I understand where you are coming from.

Personally I do not really view vmci as a potential security issue.
Yes, it is a communication channel into the guest.

But the way to use that channel would basically require you to first compromise the host.
Once the host is compromised.. all bets are off and there are much easier ways to get anything with the guest than via the Virtual Machine Communication Interface.

Now there's also the possibility to use VMCI to communicate between guests, but that is not a default configuration. You have to edit the .vmx file in order to even enable that.

The only way to look at it as a potential security issue (at least in my view) is that you are looking at it from a "less is more approach" and a "defend in depth" position.
IOW, I agree with your view on "potential security issue", but more on a view of principles than on looking at it from a practical point of view. I do not remember that vmci has ever been on a CVE, but that might change.

As such I understand VMware's choice to enable it by default and not provide a user interface option for it.
For advanced users such as yourself, there is always the possibility of a manual edit to the .vmx file.
There are a lot more things you can do there that are not exposed in a user interface.

--
Wil

0 Kudos
kasper
Enthusiast

Hmmm. Changing the option vmci0.present may affect the activation process for Windows. Microsoft may have made vmci.sys mandatory in part to assist with the licensing process. Ouch.

0 Kudos
wila
Immortal

Any changes made to the hardware might affect the Windows activation logic.
That's not specific for VMCI, it's an algorithm that looks at how much hardware has changed over time.

--
Wil

0 Kudos
ender_
Expert

VMware started publishing several of their drivers through Windows Update, so Windows will automatically offer to install them if you have an older version installed, or if you don't have VMware Tools installed at all. You can get these same drivers if you install VMware Tools 11.2.5.

This has nothing to do with the drivers on your host – VMs running inside ESXi are getting the same updates.

0 Kudos
kasper
Enthusiast

I do not use the vmci.sys integration. It was not installed with VMTools. Now it is mandatory. Less is more. I prefer editing the .vmx file and setting 'vmci0.present=FALSE'. Is there any reason not to do this if I do not use the guest/host integration?

0 Kudos
continuum
Immortal

> I prefer editing the .vmx file and setting 'vmci0.present=FALSE'. 

I recommend to do that also - stick to this until you run into a convincing reason to enable vmci.

 

Ulli



0 Kudos
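
The .vmx check and edit discussed in this thread, as an added example that is not part of any post and is not VMware's own tooling: it reads the text of a .vmx file, reports how vmci0.present is set, and returns a copy with the device switched off. The sample file and the function names are made up for illustration, and keeping the last value when a key appears twice is an assumption of this parser.

```python
import re

# A .vmx file is plain text: one `key = "value"` per line, '#' starts a comment.
_LINE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"?(.*?)"?\s*$')

# Constructed sample, not taken from the thread.
SAMPLE_VMX = '''.encoding = "UTF-8"
displayName = "win10-guest"
vmci0.present = "TRUE"
vmci0.pciSlotNumber = "35"
'''

def parse_vmx(text):
    """Return {lowercased key: value}; on a duplicate key the last one wins (assumption)."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def vmci_state(text):
    """'enabled', 'disabled', 'unset' (key absent) or 'unknown' (unexpected value)."""
    value = parse_vmx(text).get("vmci0.present")
    if value is None:
        return "unset"
    return {"true": "enabled", "false": "disabled"}.get(value.lower(), "unknown")

def other_vmci_keys(text):
    """vmci0.* keys besides vmci0.present, listed so they can be reviewed as well."""
    return sorted(k for k in parse_vmx(text)
                  if k.startswith("vmci0.") and k != "vmci0.present")

def disable_vmci(text):
    """Return the text with exactly one vmci0.present = "FALSE" line, rest untouched."""
    out, done = [], False
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).lower() == "vmci0.present":
            if not done:  # replace the first occurrence, drop any later duplicates
                out.append('vmci0.present = "FALSE"')
                done = True
            continue
        out.append(line)
    if not done:  # key was absent: append it
        out.append('vmci0.present = "FALSE"')
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(vmci_state(SAMPLE_VMX), "->", vmci_state(disable_vmci(SAMPLE_VMX)))
```

Apply the result only while the VM is powered off, and keep a backup copy of the original .vmx.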