Determining whether a compromised computer is a VM (Virtual Machine) or not is important when orienting yourself in a network. If a breached computer is a VM that means that there’s a hypervisor on the network that could be a valuable target.

If a compromised computer is residing on a hypervisor there is also a chance that you’re now on a honeypot system and being observed, which is not good from a pentester’s perspective. Typically we wouldn't expect to find a Windows XP, Vista, 7, or 10 computers on a hypervisor but if you do that is somewhat suspicious, which makes this all the more important.

The checkvm command will determine whether or not a host is a VM or not, and what kind of hypervisor it’s running on:

run checkvm

The command output should indicate whether you're on a virtual computer or not, and what type of hypervisor it's running on if it is virtualized.

Tyler Hart

Tyler Hart is a networking and security professional who started working in technology in 2002 with the US DoD and moved to the private sector in 2010. He holds a Business degree in IT Management, as well as the CISSP certification and others from Microsoft, CompTIA, Cisco, (ISC)2, Tenable Network Security, and more. For over 15 years he has worked and consulted with large and small organizations including hospitals and clinics, ISPs and WISPs, U.S. Defense organizations, and state and county governments.

Website