Skip to content

Add VM guest services and display adapter detection#165

Merged
jgowdy-godaddy merged 1 commit into
mainfrom
feat/improve-windows-vm-detection
May 22, 2026
Merged

Add VM guest services and display adapter detection#165
jgowdy-godaddy merged 1 commit into
mainfrom
feat/improve-windows-vm-detection

Conversation

@jgowdy-godaddy
Copy link
Copy Markdown
Contributor

@jgowdy-godaddy jgowdy-godaddy commented May 22, 2026

Summary

Follow-up to #164. Adds two new detection categories lifted from vmaware's methodology (artifact-based checks only, no CPUID scoring):

  • Guest services: Check for 30+ VM-specific Windows services in the registry (vmicheartbeat, VBoxGuest, vmci, vioscsi, etc.). These services are only installed by hypervisor guest tools — never present on bare metal.
  • Display adapter: Check the primary GPU driver description for known virtual adapters (Hyper-V Video, VMware SVGA, VirtualBox Graphics, QXL, etc.)

Both are exposed in VmDiagnostics for consumer diagnostic logging.

Design notes

  • Deliberately did NOT use vmaware as a dependency — its default classifier false-positives on VBS/Hyper-V physical machines (hypervisor bit = 100 points, threshold = 150)
  • Only lifted the guest-artifact checks which have zero false-positive risk on physical hardware
  • Guest services check runs early in detection (after BIOS strings, before CPUID) because it's highly conclusive

Test plan

  • 51 tests pass including new vm_display_signal tests
  • Clippy clean, fmt clean
  • Verify on Hyper-V VM: vmicheartbeat service detected
  • Verify on physical VBS machine: no guest services found

@jgowdy-godaddy
Add VM guest services and display adapter detection
30990e0 
Lift detection methodologies from vmaware — check for VM-specific
artifacts that only exist inside guest VMs, never on bare metal:

Guest services (registry key existence under Services\):
- Hyper-V: vmicheartbeat, vmicshutdown, vmickvpexchange, etc.
- VMware: vmci, vmhgfs, vmxnet3, VMTools
- VirtualBox: VBoxGuest, VBoxSF, VBoxMouse, VBoxVideo
- KVM/virtio: vioscsi, viostor, netkvm, vioinput, balloon
- QEMU: QEMU-GA guest agent
- Parallels: prl_strg, prl_tg, prl_eth
- Xen: xenevtchn, xenvbd, xennet, xenvif

Display adapter (GPU class registry DriverDesc):
- Microsoft Hyper-V Video, VMware SVGA, VirtualBox Graphics,
  Red Hat QXL, virtio GPU, Citrix Indirect Display, etc.

These checks run after BIOS/manufacturer strings but before CPUID,
giving them priority as concrete guest artifacts that cannot be
present on physical hardware. Also exposed in VmDiagnostics struct
for consumer-side diagnostic logging.
@jgowdy-godaddy jgowdy-godaddy force-pushed the feat/improve-windows-vm-detection branch from f5cce3f to 30990e0 Compare May 22, 2026 01:24
@jgowdy-godaddy jgowdy-godaddy merged commit 8e41493 into main May 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jgowdy-godaddy