VMware Workstation 11.1 Windows Installation Spills the Host Machine ID

Discussion in 'Virtualization' started by BWEL, Feb 24, 2015.

  1. BWEL, MDL Novice
    #1 BWEL, Feb 24, 2015
    Last edited by a moderator: Apr 20, 2017
    Hello Everybody,

    I am just opening this thread to present my case, in which I have discovered that certain major websites like Gmail, Yahoo! Mail and many others use intrusive technologies to track your hardware, and somehow this issue affects any Windows installation done under VMware Workstation (tested from version 9.x to 11.1). Pretty much, new technologies such as ThreatMetrix use a device fingerprinting technology that, to my understanding, identifies a certain device/machine by collecting various variables and then assigning a unique identifier.

    How do I know this? Well, my case is simple. I have used VMware Workstation for two years now. Currently using v11.1.0 Build 249682 patched with Unlocker v2.0.4. Unlocker is a patching utility that allows VMware Workstation to run Mac OS X under Windows. Note: you don't need Unlocker if you're just running Windows and Unix guest machines in your VMware Workstation.

    In Mac OS X guest installations (tested from Snow Leopard to Mavericks), as long as I add the following lines to the *.vmx file:

    Code:
    system-id.enable = "FALSE"
    board-id.reflectHost = "FALSE"
    board-id = "ANY TEXT"
    hw.model.reflectHost = "FALSE"
    hw.model = "ANY TEXT"
    serialNumber.reflectHost = "FALSE"
    serialNumber = "ANY NUMBER"
    efi.nvram.var.ROM.reflectHost = "FALSE"
    efi.nvram.var.MLB.reflectHost = "FALSE"
    efi.nvram.var.ROM = "ANY NUMBER"
    efi.nvram.var.MLB = "ANY NUMBER"
    
    you can rest assured that neither Gmail nor Yahoo! will be able to identify your device/machine. Therefore, this allows a normal user to sign up for a new account with either the Gmail or the Yahoo! Mail service without having to go through phone verification.

    However, whenever I do a Microsoft Windows guest installation under the same VMware Workstation (meaning the same computer/machine) in which I built the Mac OS X guest earlier, no matter which Windows installation ISO I use (Windows 8, 8.1 or 7, x64 or x86), my browsing is immediately identified as belonging to the same host machine, even though I add the following lines to the *.vmx to spoof the host machine settings:

    Code:
    system-id.enable = "FALSE"
    ethernet0.Address = "xx:xx:xx:xx:xx:xx"
    ethernet0.addressType = "static"
    ethernet0.checkMACAddress = "false"
    svga.autodetect = "FALSE"
    # I try different ROMs here, from different manufacturers
    bios440.filename = "anyslic.rom"
    smbios.reflectHost = "FALSE"
    serialNumber.reflectHost = "FALSE"
    serialNumber = "ANY NUMBER"
    board-id.reflectHost = "FALSE"
    board-id = "ANY TEXT"
    hw.model.reflectHost = "FALSE"
    hw.model = "ANY TEXT"
    
    I have tried to change the Windows Product ID in the registry immediately upon installation (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId). I also added a new random Windows key via slmgr.vbs /ipk in a cmd prompt window run as administrator.

    No matter which of the above variables I change, my guest machine gets recognized. I cannot sign up for Gmail or Yahoo! Mail anymore. Both services immediately ask for phone verification upon entering the sign-up data and clicking *create*.

    In the past several months I've run several tests in which I try different Windows variables such as:

    1. assigning static, real MAC Ethernet addresses
    2. with and without VMware Tools for Windows installed in the guest machine
    3. different processor core counts
    4. different hard drive sizes
    5. different amounts of RAM
    6. different screen sizes
    7. disabling various peripherals
    8. changing *.rom files (using the VMware Bios Mega Pack v3 385d)
    9. changing from BIOS to EFI

    but in the end any Windows installation I do within VMware Workstation is recognized and immediately fingerprinted by Google Gmail and Yahoo! Mail as belonging to the same host machine hardware ID.

    At this point I know that somehow one or several host machine variables are transparent to all Windows guest installations created on the same computer.

    It is rather unsettling to know that Microsoft Windows offers so little privacy, and furthermore that VMware Workstation and virtualization itself don't change the fact that the bad guys can still spy on you, no matter how much effort you make to keep your privacy.

    Any reference to Google Gmail and Yahoo! Mail in this thread is made for the purpose of offering a sandbox environment in which one can pretty much analyze whether their real machine and/or virtualized guest machine has been fingerprinted and identified. Obviously there are many other websites and web applications out there that rely on such intrusive technologies.

    It would be nice to see a community effort to make our virtualized machines more secure and less transparent. Therefore, if any of you guys who are professionals in the virtualization department know of any settings or tricks one should try to avoid such detection mechanisms, it would be really nice if you could share them here.

    I'd really appreciate any input you guys might have.

    THANKS A LOT
    BWEL
     
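    An added diagnostic, not part of BWEL's post and not anything VMware ships: a PowerShell script that collects, from inside a Windows guest, the identifiers a guest can inherit from the host or from the .vmx (SMBIOS UUID and serial, baseboard, BIOS, CPU ProcessorId, disk serials, MAC addresses, screen size) together with the Windows-side identifiers this thread later looks at (BuildGUID, ProductId, InstallDate, MachineGuid). Run it in two guests built on the same host and compare the two files; whatever is identical in both is a candidate for the "transparent" host variable. The CIM class and property names are standard Windows ones; the output file name and location are just this example's choice.

    ```powershell
    # Added example: inventory of machine identifiers visible inside a Windows guest.
    # Run in each guest (as Administrator) and compare the resulting files.
    # Requires Windows PowerShell 3.0 or later for Get-CimInstance and [ordered].

    function Get-GuestIdentifiers {
        $ids = [ordered]@{}

        # SMBIOS values: these are what serialNumber / board-id / hw.model /
        # smbios.reflectHost in the .vmx are supposed to control.
        $csp   = Get-CimInstance -ClassName Win32_ComputerSystemProduct
        $bios  = Get-CimInstance -ClassName Win32_BIOS
        $board = Get-CimInstance -ClassName Win32_BaseBoard
        $ids['SMBIOS UUID']         = $csp.UUID
        $ids['System Vendor/Model'] = '{0} / {1}' -f $csp.Vendor, $csp.Name
        $ids['System Serial']       = $csp.IdentifyingNumber
        $ids['BIOS Serial']         = $bios.SerialNumber
        $ids['BIOS Version']        = ($bios.BIOSVersion -join ' ')
        $ids['Baseboard']           = '{0} / {1}' -f $board.Product, $board.SerialNumber

        # Hardware the guest sees through the virtual devices.
        $ids['CPU ProcessorId'] = (Get-CimInstance Win32_Processor |
                                   ForEach-Object { $_.ProcessorId }) -join ','
        $ids['Disk Serial(s)']  = (Get-CimInstance Win32_DiskDrive |
                                   ForEach-Object { $_.SerialNumber }) -join ','
        $ids['MAC(s)']          = (Get-CimInstance Win32_NetworkAdapter -Filter 'PhysicalAdapter = TRUE' |
                                   ForEach-Object { $_.MACAddress }) -join ','
        $ids['Screen']          = (Get-CimInstance Win32_VideoController |
                                   ForEach-Object { '{0}x{1}' -f $_.CurrentHorizontalResolution,
                                                                 $_.CurrentVerticalResolution }) -join ','

        # Windows-side identifiers (the thread later focuses on BuildGUID).
        $nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        foreach ($name in 'BuildGUID', 'ProductId', 'InstallDate') {
            $ids[$name] = (Get-ItemProperty -Path $nt -Name $name -ErrorAction SilentlyContinue).$name
        }
        $ids['MachineGuid']  = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography' `
                                -Name MachineGuid -ErrorAction SilentlyContinue).MachineGuid
        $ids['ComputerName'] = $env:COMPUTERNAME
        $ids['TimeZone']     = (Get-CimInstance Win32_TimeZone).StandardName
        return $ids
    }

    # One "Key = Value" line per identifier, shown on screen and saved for diffing.
    # File name is this example's choice (assumption), not a Windows or VMware convention.
    $ids = Get-GuestIdentifiers
    $out = Join-Path $env:USERPROFILE ('guest-ids-{0}.txt' -f $env:COMPUTERNAME)
    $ids.GetEnumerator() |
        ForEach-Object { '{0} = {1}' -f $_.Key, $_.Value } |
        Tee-Object -FilePath $out
    ```

    Copy the two files to one machine and list only the lines that are identical in both with `Compare-Object -ReferenceObject (Get-Content guestA.txt) -DifferenceObject (Get-Content guestB.txt) -IncludeEqual -ExcludeDifferent`. Values that match across two independently installed guests are the ones to look at first; values that differ (MACs, ComputerName) can be ruled out as the shared identifier.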
  2. sabio00, MDL Novice
    Maybe it is a stupid question, but... do you make sure your IP is NOT the same and that you have all browser-related traces cleared before attempting to connect to Gmail?
     
  3. leebo_28, MDL Senior Member
    We can be stupid together. The external IP is what came to mind first, but keep trying, as I hope you find a solution!
     
  4. BWEL, MDL Novice
    #4 BWEL, Feb 24, 2015
    Last edited: Feb 25, 2015
    (OP)
    Please keep in mind that both Google Gmail and Yahoo! Mail have sign-up restrictions based on the IP address as well. In my case, I avoid such restrictions by restarting my router, which then returns a new IP address for me to work with.

    Keep in mind that when you create a Windows guest machine in VMware Workstation, any browsing cookies or history on the host machine don't affect the pristine and clean history of the guest machine. It is pretty much as if you were to run a real physical machine out of the box. No cookies or history have ever been present, therefore neither Google Mail nor Yahoo! Mail is able to collect any info about your past history. The only info they can collect is your hardware ID, which, as I mentioned in my introduction post, is the sum of several variables coming together. One, two or more of these variables could be the same, while the others could differ. As long as one or two variables are always the same, it is a given that your machine has been fingerprinted and most likely blacklisted from running any additional sign-ups.

    It is odd, though, that the spoof VMX settings work fine on all Mac OS X guest installations and are absolutely insignificant/irrelevant in all Windows guests. ;)
     
  5. sabio00, MDL Novice
    A little bit more info, just to attempt to reproduce...

    1) Is the behaviour reproducible with 11.1.0 only, or with other versions also?
    1.1) Do you think Unlocker 2.0.4 is mandatory (to patch the binaries) or not? (I'm going to investigate Windows only.)

    I've tried on a "physical" Win2012 and Gmail is actually recognizing it (NOT ALWAYS, sometimes yes, sometimes not) even if I change IP and completely wipe out browser cache, cookies etc.

    So it seems the "problem" you describe is real not only in a virtual environment...
     
  6. BWEL, MDL Novice
    I am not describing a problem. Any company that runs web services has its own restriction policies on how users can access and operate within their framework. I am absolutely fine with it. What concerns me is the fact that they are using intrusive technologies that violate our privacy and are not mentioned in their terms and conditions of service.

    Obviously Gmail and Yahoo! Mail try to restrict the number of sign-ups you can do from a certain device (be it real or virtual). Once that number has been reached, in order to avoid spamming, they still allow you to do a sign-up, but in order to proceed you're given a mandatory additional step of verifying the sign-up via your phone number. Even in such a case, a single phone number can only be used a limited number of times to authenticate the sign-up process.

    The browsing history matters, but it's not as relevant as the hardware ID. One can simply use CCleaner and wipe out everything related to their past browsing history.

    Also, recently the WebRTC flaw showed how many services out there could find your real IP address and your intranet one, despite the use of a VPN or proxy, on a Windows machine.

    So in order to prevent the WebRTC exploit from being executed, the safest option on Windows is to run Firefox and then, in the advanced settings, which can be accessed by typing about:config in the address bar, toggle media.peerconnection.enabled from TRUE to FALSE.

    And despite following all these steps, my virtual guest machines are still transparent to Gmail and Yahoo! Mail, and that has me on a crusade to figure out how to totally spoof my virtual Windows guests so that they show unique hardware IDs separate from the host machine.
     
  7. CODYQX4, MDL Developer
    #7 CODYQX4, Feb 25, 2015
    Last edited: Apr 12, 2019
    .
     
  8. BWEL, MDL Novice
    You're wrong. It works on Windows, but it doesn't work on Mac OS X. I've checked several Mac OS X configurations and it didn't spill anything. ;)
     
  9. greenfoo, MDL Novice
    I wonder if something like Wireshark can help? Compare the capture with an older, non-leaking VMware WS, maybe?
     
  10. sabio00, MDL Novice
    OK, I understand... so, you implicitly say also that using VMware Workstation 10.0.x doesn't exhibit that undesirable behavior of being traced even in a virtual environment?
     
  11. CODYQX4, MDL Developer
    #11 CODYQX4, Feb 25, 2015
    Last edited: Apr 12, 2019
    .
     
  12. BWEL, MDL Novice
    #13 BWEL, Mar 12, 2015
    Last edited by a moderator: Apr 20, 2017
    (OP)
    Well, it turns out I am close to the objective. It's all related to the GUID (Globally Unique Identifier), otherwise labelled the UUID.

    All my VMware Windows 7 guests, despite the various configuration settings I use, spill the same GUID:
    Code:
    BuildGUID: bdc94b6e-58f7-4f4f-ac61-6b1471d051db
    
    It can be found by simply browsing the registry via regedit and going to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildGUID.

    Whereas all my Windows 8.1 guests, despite the various configuration settings used, spill the same GUID:
    Code:
    BuildGUID: ffffffff-ffff-ffff-ffff-ffffffffffff
    
    Whatever settings are changed in the .vmx don't reflect at all on the Windows guest machine, so any machine created within the same host will have the very same GUID inside Windows, despite the VMware UUID being different.

    It would be great if anyone out there had any idea on how to anonymize, or at least change, the values Windows reads to create the GUID. A simple change in the registry doesn't do anything, as upon restarting the machine the original GUID comes back.
     
  13. sebus, MDL Guru
    Just checked 2 random Win7 VMs on WKS 11; each one has a VERY different BuildGUID.

    sebus
     
  14. ZaForD, MDL Expert
    Same here, just checked two Windows 7 VMware VMs; both have different BuildGUIDs.
    But two Windows 8 VMs and the Windows 8 host all have ffffffff-ffff-ffff-ffff-ffffffffffff as their BuildGUID.
     
  15. bigfoot15, MDL Member
    I played around with a few VMs and my VMs have the same BuildGUID that you posted. It appears that the BuildGUID comes from ntoskrnl.exe. If you hex-edit the file, it will have that BuildGUID in it. The only way that I found that it changes is when a patch is installed and it replaces/upgrades the kernel.
    My ISOs that I install from have a BuildGUID of 7b7c15f9-747a-455f-9ba5-f521dde4252d. If I install Windows6.1-KB3031432-x64, the BuildGUID is bdc94b6e-58f7-4f4f-ac61-6b1471d051db.
     
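    An added check, not part of bigfoot15's post: a PowerShell function that reads the BuildGUID the registry reports and searches the kernel image for that exact string, as either an ASCII or a UTF-16LE byte sequence, reporting the file version and the offset of any hit. Pointing -KernelPath at an ntoskrnl.exe taken from an install ISO lets you repeat the comparison bigfoot15 describes between the pre-update and post-update kernels. Which encoding the string is stored in, if it is stored as a string at all, is not stated anywhere in the thread, so the script simply tries both and reports what it finds.

    ```powershell
    # Added example: is the registry BuildGUID literally present in ntoskrnl.exe?
    # Searching both ASCII and UTF-16LE is an assumption of this example; the
    # thread does not say how the value is stored in the binary.

    function Find-BuildGuidInKernel {
        param(
            # Default: the running kernel. Pass another path to test a kernel
            # extracted from an install ISO or an update package.
            [string]$KernelPath = (Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'),
            # Default: the value the thread looks at in regedit.
            [string]$Guid = (Get-ItemProperty `
                -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
                -Name BuildGUID).BuildGUID
        )

        $bytes = [System.IO.File]::ReadAllBytes($KernelPath)

        # Latin-1 (code page 28591) maps every byte to exactly one character, so a
        # plain string search over the decoded file is a byte search. Each needle
        # is built from the GUID's bytes in the candidate encoding, decoded the
        # same way, so the offset found is a real file offset.
        $latin1 = [System.Text.Encoding]::GetEncoding(28591)
        $hay    = $latin1.GetString($bytes)

        $encodings = @{
            'ASCII'    = [System.Text.Encoding]::ASCII
            'UTF-16LE' = [System.Text.Encoding]::Unicode
        }

        $hits = foreach ($name in $encodings.Keys) {
            $needle = $latin1.GetString($encodings[$name].GetBytes($Guid))
            # Ignore case so an upper-case copy of the GUID is still found; the
            # interleaved NUL bytes of UTF-16LE are unaffected by case folding.
            $pos = $hay.IndexOf($needle, [System.StringComparison]::OrdinalIgnoreCase)
            if ($pos -ge 0) {
                [pscustomobject]@{ Encoding = $name; Offset = ('0x{0:X}' -f $pos) }
            }
        }

        [pscustomobject]@{
            Kernel      = $KernelPath
            FileVersion = (Get-Item $KernelPath).VersionInfo.FileVersion
            BuildGUID   = $Guid
            Found       = [bool]$hits
            Hits        = $hits
        }
    }

    # Check the running kernel against the current registry value.
    Find-BuildGuidInKernel | Format-List

    # Example of the ISO comparison: a kernel copied from an install medium,
    # checked against the GUID the thread reports for the unpatched kernel.
    # (Path is a placeholder; adjust to wherever you extracted the file.)
    # Find-BuildGuidInKernel -KernelPath 'C:\iso\ntoskrnl.exe' -Guid '7b7c15f9-747a-455f-9ba5-f521dde4252d'
    ```

    If `Found` is true for the running kernel and the offset moves or the value changes after a kernel-replacing update, that supports the claim that BuildGUID is a property of the installed kernel build rather than of the host; if it is false, the registry value is being derived some other way and the hex-edit observation needs a second look. Either way, a value shared by every installation of the same kernel build cannot distinguish one machine from another, which is the conclusion the thread reaches below.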
  16. ZaForD, MDL Expert
    Just rechecked my two Windows 7 VMs; both were just for testing things, so neither has been updated.

    Windows 7 x86 Guest = 422a68c3-a1a4-4ede-831c-32f54828fe10
    Windows 7 x64 Guest = 7b7c15f9-747a-455f-9ba5-f521dde4252d

    As you can see, the x64 BuildGUID matches yours. And I wouldn't be surprised if sebus's does too.
     
  17. sebus, MDL Guru
    #18 sebus, Mar 14, 2015
    Last edited by a moderator: Apr 20, 2017
    Well, I have a 7 x86 guest:

    Code:
    0fd5a505-ba0a-446e-bbf9-f881340882de
     
  18. bigfoot15, MDL Member
    That appears to be from Win 7 Home Premium. So, since others can have the same BuildGUID, the BuildGUID must not be what Google is detecting.
     
  19. BWEL, MDL Novice
    #20 BWEL, May 3, 2016
    Last edited by a moderator: Apr 20, 2017
    (OP)
    I have come across these new VMX lines, which supposedly should help people activate Windows via OEM SLIC. However, I was wondering whether these could have any anonymizing effect:

    Code:
    acpi.passthru.slic = "FALSE"
    acpi.passthru.slicvendor = "FALSE"
    SMBIOS.reflecthost = "FALSE"
    
    Any insight would be appreciated. Thanks