# fleet

Adrian Junge

01/18/2023, 2:46 PM
Hello everyone, is there a way/query to check if a device is a virtual machine?

Kathy Satterlee

01/18/2023, 5:42 PM
Something that can be used to determine if a host is a VM is to use the `system_table` to check the hardware manufacturer of the device. If it is a VM, you will end up getting names of VM vendors (VMware, VirtualBox, etc.).

VM host
```
osqueryi.exe "select hardware_model from system_info"
+----------------+
| hardware_model |
+----------------+
| VMware7,1      |
+----------------+
```
Physical host
```
osqueryi.exe "select hardware_model from system_info"
+---------------------+
| hardware_model      |
+---------------------+
| HP Laptop 15-dw3xxx |
+---------------------+
```

Adrian Junge

01/19/2023, 9:52 AM
Yeah I already saw this column but it is just empty for my VM. Is this VM configuration related?
Ok nvm @Kathy Satterlee when running it with osqueryi "hardware_model" is just empty. But when running your query in fleetdm it returns me the vendor of my VM in "hardware_model" column. But why? :o

Kathy Satterlee

01/19/2023, 4:28 PM
That's odd! What happens if you run `osquery` with `sudo` ... or without if you already were? Is it just that column that comes up empty, or do you get all blank if you `osqueryi.exe "select * from system_info"`?

Adrian Junge

01/19/2023, 5:01 PM
Omg yeah with sudo the query works... Thanks a lot!