Geoff Chappell - Software Analyst
The HviIsAnyHypervisorPresent function tells whether the cpuid instruction is implemented by a hypervisor.
BOOLEAN HviIsAnyHypervisorPresent (VOID);
The function returns TRUE or FALSE according to whether a hypervisor is present.
The HviIsAnyHypervisorPresent function is exported by name from the kernel in version 10.0 and higher.
The version 6.3 kernel has an inline routine that is coded very similarly to the version 10.0 HviIsAnyHypervisorPresent. Public symbol files for the version 6.3 kernel confirm that this earlier kernel has an inline routine that was already named HviIsAnyHypervisorPresent, took no input and returned a BOOLEAN. That the inline routine in the binary is the same as named in the symbol files which is in turn the origin of the exported function must be all but certain.
The HviIsAnyHypervisorPresent function is not documented.
Before the 1607 release of Windows 10, the function’s whole behaviour was to return TRUE or FALSE according to whether the 0x80000000 bit is set or clear in ecx from cpuid leaf 1. Intel’s literature for Intel’s processors assures that this bit is “Not Used” and “Always returns 0”. From a set bit, the function infers that some sort of hypervisor is present.
The 1607 release of Windows 10 introduced a qualification of the answer. Put another way, it extended the question in the function’s name: is any hypervisor present but not the Xbox Nanovisor? After finding that a hypervisor is present, the function executes cpuid with 0x40000001 in eax, expecting this to load eax with an identifier of the hypervisor’s interface. If this is 'vnbX', then the function returns FALSE.