Geoff Chappell, Software Analyst
The SYSTEM_HYPERVISOR_DETAIL_INFORMATION structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemHypervisorDetailInformation (0x9F).
The SYSTEM_HYPERVISOR_DETAIL_INFORMATION structure is not documented.
The SYSTEM_HYPERVISOR_DETAIL_INFORMATION is 0x70 bytes in both 32-bit and 64-bit Windows.
|from cpuid leaf 0x40000000, see HV_VENDOR_AND_MAX_FUNCTION|
|from cpuid leaf 0x40000001, see HV_HYPERVISOR_INTERFACE_INFO|
|from cpuid leaf 0x40000002, see HV_HYPERVISOR_VERSION_INFO|
|from cpuid leaf 0x40000003, see HV_X64_HYPERVISOR_FEATURES|
|from cpuid leaf 0x40000006, see HV_X64_HYPERVISOR_HARDWARE_FEATURES|
|from cpuid leaf 0x40000004, see HV_X64_ENLIGHTENMENT_INFORMATION|
|from cpuid leaf 0x40000005, see HV_IMPLEMENTATION_LIMITS|
The HV_DETAILS structure is 0x10 bytes. While it seems to be used nowhere else, it may as well be presented here:
ULONG Data [4];
It is a generic container for the cpuid instruction’s output in the eax, ebx, ecx and edx registers when its input in eax selects a cpuid leaf from a hypervisor series that begins at 0x40000000. Microsoft defines more specific containers, presumably for its internal use, which are noted above in the Remarks column.
A hypervisor’s presence is established by a set 0x80000000 bit in ecx from cpuid leaf 1. This is taken as implying that cpuid leaves 0x40000000 and 0x40000001 are implemented. If cpuid leaf 0x40000001 produces 0x31237648 in ebx, the hypervisor is deemed Microsoft-compatible, implying that cpuid leaves 0x40000002 to 0x40000005 are implemented. Implementation of cpuid leaf 0x40000006 is inferred only if eax from cpuid leaf 0x40000000 is at least 0x40000006. For any cpuid leaf that is in this way deemed unimplemented, the corresponding HV_DETAILS is zeroed.
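The selection logic described above, modelled in C as an added example (not code from the original page or from Windows). The `CPUID_FN` callback, `FillHypervisorDetails`, `SIGNATURE_REG` and the `Sample*` names are hypothetical, and requiring Microsoft compatibility for leaf 0x40000006 as well is this example's assumption.

```c
#include <stdint.h>
#include <string.h>

/* cpuid output container: Data[0..3] = eax, ebx, ecx, edx */
typedef struct { uint32_t Data[4]; } HV_DETAILS;
/* Hypothetical stand-in for the cpuid instruction */
typedef void (*CPUID_FN)(uint32_t leaf, uint32_t out[4]);

/* Leaves in the order their HV_DETAILS sit in the 0x70-byte structure */
static const uint32_t LeafOrder[7] = {
    0x40000000, 0x40000001, 0x40000002, 0x40000003,
    0x40000006, 0x40000004, 0x40000005
};

/* Register checked for 0x31237648: ebx, as this page states. Microsoft's
   TLFS lists the interface signature in eax (index 0). */
enum { SIGNATURE_REG = 1 };

/* Fills seven HV_DETAILS; returns a bitmask of filled slots (bit i = slot i).
   Leaves deemed unimplemented stay zeroed. */
unsigned FillHypervisorDetails(CPUID_FN cpuid, HV_DETAILS info[7])
{
    uint32_t r[4];
    unsigned filled = 0x03;
    memset(info, 0, 7 * sizeof(HV_DETAILS));
    cpuid(1, r);
    if (!(r[2] & 0x80000000u)) return 0;      /* no hypervisor present */
    cpuid(LeafOrder[0], info[0].Data);        /* both implied by presence */
    cpuid(LeafOrder[1], info[1].Data);
    if (info[1].Data[SIGNATURE_REG] != 0x31237648u) return filled;
    for (int i = 2; i < 7; i++) {
        /* Assumption: leaf 0x40000006 needs Microsoft compatibility too */
        if (LeafOrder[i] == 0x40000006 && info[0].Data[0] < 0x40000006) continue;
        cpuid(LeafOrder[i], info[i].Data);
        filled |= 1u << i;
    }
    return filled;
}

/* Constructed sample CPU, not values captured from real hardware */
static uint32_t SampleEcx = 0x80000000u, SampleMax = 0x40000005, SampleSig = 0x31237648u;
static void SampleCpuid(uint32_t leaf, uint32_t out[4])
{
    memset(out, 0, 4 * sizeof(uint32_t));
    if (leaf == 1) out[2] = SampleEcx;
    else if (leaf == 0x40000000) out[0] = SampleMax;
    else if (leaf == 0x40000001) out[SIGNATURE_REG] = SampleSig;
    else out[0] = leaf;                       /* marker for filled slots */
}
```

With the sample values as initialised, the slot for leaf 0x40000006 (the fifth in the structure) stays zeroed while the six others are filled.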