Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at


uberAgent 7.0 Preview: Hypervisor & Virtual Machine Detection

  • by Helge Klein
  • May 17, 2022

While we’re finalizing version 7.0 of our digital employee experience monitoring & endpoint security analytics products uberAgent UXM and uberAgent ESA, let’s take a look at another cool new feature: hypervisor and virtual machine detection.

VM Detection: CPUID Is Not Enough

Many products try to detect whether they’re running in a VM or on physical hardware with the CPUID instruction built into Intel and AMD CPUs (more info). uberAgent did the same in earlier versions. As it turned out, that is not enough, though.

Issue: Parent Partition Identified as VM

The most common issue with a VM detection approach that is solely based on the CPUID instruction is that Hyper-V parent partitions are detected as VMs, too.

Technically, that is correct. If you look at the Hyper-V architecture diagram in the documentation, you see that the parent, or root, partition actually is a VM, too. That, however, is not what people expect to see from a VM detection tool.

Most IT pros want only the child partitions to be identified as VMs. The parent partition should be determined as physical. That is exactly what we implemented with uberAgent 7.0.

What’s New With uberAgent 7.0

Improved VM Detection

As you can see in the screenshot below, uberAgent correctly identifies the Hyper-V host HOST01 as a physical machine (the field Hardware: is VM? has a value of 0), whereas the virtual machines VM01 and VM02 are detected as such.

Hypervisor Detection: Hyper-V, VMWare, …

uberAgent 7.0 not only detects VMs as people expect it to, but it also identifies a VM’s hypervisor type. Take another look at the screenshot above. In the column Hardware: Hypervisor you can see that the hypervisor type is correctly identified as Hyper-V (Microsoft Hv), both for the host and the guests (i.e., the parent and the child partitions).

Of course, uberAgent 7.0 detects other hypervisor types, too: VMware, KVM, QUEMU, VirtualBox, Xen, and others are all correctly identified.

Dashboard Filtering by Hypervisor

uberAgent’s Splunk dashboards offer sophisticated filtering capabilities. With uberAgent 7.0, these have been extended to also include the hypervisor type. This means that you can now restrict the data visualized on many dashboards to endpoints running as VMs on Hyper-V, or VMware, for example.

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.


Your email address will not be published. Required fields are marked *