"Karl Mitschke" <karlmitschke@newsgroup> wrote:
>> I can detect a Microsoft virtual guest by the following:
>> # this part determines whether the computer itself is a virtual guest #
>> $r=[microsoft.win32.registrykey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$computer)
>> $hostname=$r.opensubkey("SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters").getvalue("HostName")
>> How do I determine the virtual guest is a VMWARE guest? Are there any
>> registries to indicate?
> Get-WmiObject Win32_ComputerSystem -Comp <computername>
> Will show the following for VMWare:
> Manufacturer : VMware, Inc.
> Model : VMware Virtual Platform

Dressing up the command Karl provided to provide a boolean result for
computer "hostname" on a VMWare box:

if ((get-wmiobject win32_computersystem -comp hostname).model.StartsWith("VMware"))
{"Foo!"}
else
{"Bar!!"}

Other choices would be to investigate the peripheral vendor tags and such,
but fishing the computer model value out of WMI is far easier.
I won't guarantee the validity of the setting, however...not because I know
that it can be forged, but because I don't know that it can't. Assuming
that you have some reason to trust the system not to counterfeit a
non-virtual machine, though, the test should be good enough for most uses.
(Side note: one of the problems that malware researchers have in examining
attack code is that the nasty-guy programmers often try to figure out if
their attack code is running in a virtual machine, and to lie dormant if
so...meaning that the researchers try to prevent programs on their honeypots
from being able to detect that they're on a VM. Some of the
am-I-on-a-virtual-machine tests used by malware are downright cute...pity
that the <censored> can't be brought over to the bright side.)
Joe Morris
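
The two checks from this thread (the WMI model/manufacturer test for VMware and the registry key for a Microsoft guest) combined into one inventory function, as an added example that is not part of any poster's message. The function name Get-VirtualGuestType, its output property names and the GuestType labels are assumptions made for illustration; the registry step assumes the Remote Registry service is reachable on the target.

```powershell
# Added example (not from the thread): classify a remote Windows machine
# using only the two indicators discussed above.
function Get-VirtualGuestType {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName
    )

    # Hypothetical result shape; 'Unknown' means a query failed, not "physical".
    $result = New-Object PSObject -Property @{
        ComputerName = $ComputerName
        GuestType    = 'Unknown'
        Manufacturer = $null
        Model        = $null
        HostName     = $null
    }

    try {
        $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName -ErrorAction Stop
    } catch {
        Write-Warning "WMI query failed for ${ComputerName}: $($_.Exception.Message)"
        return $result
    }
    $result.Manufacturer = $cs.Manufacturer
    $result.Model        = $cs.Model

    # The [string] cast turns a null value into '' so StartsWith cannot throw.
    if (([string]$cs.Model).StartsWith('VMware') -or ([string]$cs.Manufacturer).StartsWith('VMware')) {
        $result.GuestType = 'VMware'
        return $result
    }

    try {
        $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
        $root = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
        # OpenSubKey returns $null when the key is absent, so test before GetValue.
        $key = $root.OpenSubKey('SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters')
        if ($key) {
            $result.GuestType = 'Microsoft'
            $result.HostName  = $key.GetValue('HostName')
            $key.Close()
        } else {
            $result.GuestType = 'NotDetected'
        }
        $root.Close()
    } catch {
        Write-Warning "Registry query failed for ${ComputerName}: $($_.Exception.Message)"
    }
    return $result
}
```

As noted above, both values are reported by the machine being queried, so a 'NotDetected' result is only as trustworthy as that machine.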