Arsenal Image Mounter and Virtual Machine Inception

Mark Spencer

December 17, 2020

Arsenal Image Mounter’s (AIM’s) ability to reliably and powerfully launch disk images into virtual machines has become one of its most popular features. While we recommend that Hyper-V and AIM be run on “bare metal” (particularly when launching virtual machines), we have recently heard from our customers that they have successfully run both Hyper-V and AIM within VMware.

Why would a digital forensics practitioner want to run Hyper-V and AIM within VMware? We are currently aware of two scenarios – Linux-only environments (where the use of Windows is not authorized on bare metal), and strict organizational policy regarding VMware usage.

We have found announcements from Microsoft and VMware about interoperability interesting, but we were skeptical about how well Hyper-V would really run within VMware. Once Kevin Ripa from SANS told us he was running Hyper-V and AIM within VMware, and successfully launching virtual machines from disk images, we started to become believers… with the caveat that if circumstances allow, we still recommend running Hyper-V and AIM on bare metal.

So, how do you make this work? Fortunately it’s quite easy and involves two significant steps:

1. Add the following three lines to your VMware virtual machine's .vmx file (do not duplicate any of them if they already exist; use plain straight quotes, as below):

hypervisor.cpuid.v0 = "FALSE"
mce.enable = "TRUE"
vhv.enable = "TRUE"

2. In your VMware virtual machine's Processors settings, enable:

Virtualize Intel VT-x/EPT or AMD-V/RVI
Virtualize CPU performance counters
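Step 1 is easy to get wrong by hand: the article warns not to duplicate keys that already exist, and a .vmx file on a machine that has been edited before often already carries one or more of them with a different value. The script below is an added example (not Arsenal's or VMware's code) that applies the three settings idempotently: it updates a key in place if present, appends it if absent, and leaves an already-correct line alone. The .vmx syntax it assumes is the usual `key = "value"` one-per-line form; the sample file content is constructed. Step 2 (the Processors checkboxes) is still set in the VMware UI.

```python
"""Idempotently add the nested-virtualization settings to a VMware .vmx file.

Added example, not part of the original article. Assumes the usual .vmx
layout of one `key = "value"` per line. The sample content is constructed.
"""
import re
import shutil
from pathlib import Path

# The three settings the article lists. .vmx values are quoted strings.
NESTED_HV_SETTINGS = {
    "hypervisor.cpuid.v0": "FALSE",
    "mce.enable": "TRUE",
    "vhv.enable": "TRUE",
}

# Matches `key = "value"` (quotes optional); keys are compared case-insensitively.
_VMX_LINE = re.compile(r'^\s*([^=\s]+)\s*=\s*"?(.*?)"?\s*$')


def apply_settings(vmx_text: str, settings: dict[str, str]) -> tuple[str, dict[str, str]]:
    """Return (new_text, changes).

    Existing keys are rewritten in place, never duplicated; missing keys are
    appended at the end. `changes` maps key -> previous value ('' if the key
    was absent) and contains only the lines that actually changed.
    """
    lines = vmx_text.splitlines()
    seen: dict[str, int] = {}  # lowercased key -> index of its first occurrence
    for idx, line in enumerate(lines):
        m = _VMX_LINE.match(line)
        if m:
            seen.setdefault(m.group(1).lower(), idx)

    changes: dict[str, str] = {}
    for key, value in settings.items():
        wanted = f'{key} = "{value}"'
        idx = seen.get(key.lower())
        if idx is None:
            lines.append(wanted)
            changes[key] = ""
        else:
            current = _VMX_LINE.match(lines[idx]).group(2)
            if current.upper() != value.upper():  # TRUE/true are equivalent
                changes[key] = current
                lines[idx] = wanted
    return "\n".join(lines) + "\n", changes


def patch_vmx_file(path: Path) -> dict[str, str]:
    """Back the file up as <name>.vmx.bak, then rewrite it only if needed."""
    original = path.read_text(encoding="utf-8")
    new_text, changes = apply_settings(original, NESTED_HV_SETTINGS)
    if changes:
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(new_text, encoding="utf-8")
    return changes


# Constructed sample: one key present with the wrong value, one already
# correct, one missing entirely.
SAMPLE_VMX = '''.encoding = "UTF-8"
config.version = "8"
displayName = "Win10-HyperV-Lab"
vhv.enable = "FALSE"
mce.enable = "TRUE"
'''

if __name__ == "__main__":
    text, changed = apply_settings(SAMPLE_VMX, NESTED_HV_SETTINGS)
    print(text)
    print("changed:", changed)
```

Run `patch_vmx_file(Path("/path/to/guest.vmx"))` while the guest is powered off; VMware rewrites the .vmx on shutdown and would otherwise discard the edit. A second run reports no changes, which is the property the article's "do not duplicate" warning is really about.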

In our testing, once we took care of these two steps we were able to boot Windows, install and run Hyper-V, and run AIM just as if (performance aside) we were on bare metal.

If for some reason you are already running Hyper-V on bare metal, but you then want to run Hyper-V and AIM within VMware, things are a bit more complicated. These are the errors you will see if you try to launch a VMware virtual machine with the settings given in this article while Hyper-V is already running:

You might think that simply turning Hyper-V off from the “Turn Windows features on or off” options may be all you need to do, but you would probably be mistaken:

Windows virtualization-based security (VBS) uses Hyper-V, so (counter-intuitively) it is still running even if you have turned Hyper-V off in the "Turn Windows features on or off" options. You can verify this based on the output of msinfo32 (see the screenshot above) and by running "bcdedit /enum {current}" from an administrative command prompt:

To really stop Hyper-V from running, run "bcdedit /set hypervisorlaunchtype off" from an administrative command prompt:

After a reboot, you can confirm that Hyper-V is really off by running msinfo32 again:
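The point of the bcdedit check above is that the hypervisor launch type, not the Hyper-V feature checkbox, decides whether the hypervisor (and with it VBS) comes up at boot. The following is an added example, not from the article, that parses the two-column output of `bcdedit /enum {current}` and reports that launch type; the sample output is constructed to look like a Windows 10 boot loader entry, and `query_live()` simply runs the real command on a Windows host from an administrative prompt. An entry with no `hypervisorlaunchtype` line is reported as unknown rather than assumed off, so you still confirm with msinfo32 as the article does.

```python
"""Report whether the boot entry will launch the Windows hypervisor.

Added example, not part of the original article. Parses the text printed by
`bcdedit /enum {current}`; the sample below is constructed.
"""
import subprocess
from typing import Optional

# Constructed sample of a {current} entry on a host where VBS keeps the
# hypervisor launching even though the Hyper-V feature was turned off.
SAMPLE_BCDEDIT = """
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\WINDOWS\\system32\\winload.efi
description             Windows 10
locale                  en-US
inherit                 {bootloadersettings}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \\WINDOWS
nx                      OptIn
bootmenupolicy          Standard
hypervisorlaunchtype    Auto
"""


def parse_bcd_entry(text: str) -> dict[str, str]:
    """Turn the listing into {lowercased key: value}.

    The section title ("Windows Boot Loader") sits above a dashed underline;
    only the lines after that underline are key/value pairs.
    """
    entry: dict[str, str] = {}
    in_body = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:  # the underline after the section title
            in_body = True
            continue
        if not in_body:
            continue
        key, _, value = line.partition(" ")
        entry[key.lower()] = value.strip()
    return entry


def hypervisor_launch_type(bcd_text: str) -> str:
    """Return the launch type lowercased ('auto', 'off', ...) or 'unset'."""
    return parse_bcd_entry(bcd_text).get("hypervisorlaunchtype", "unset").lower()


def hypervisor_will_launch(bcd_text: str) -> Optional[bool]:
    """True if the hypervisor launches at boot, False if it is off,
    None if the entry carries no hypervisorlaunchtype line at all."""
    launch_type = hypervisor_launch_type(bcd_text)
    if launch_type == "unset":
        return None
    return launch_type != "off"


def query_live() -> Optional[bool]:
    """Run the real bcdedit on a Windows host (needs an elevated prompt)."""
    out = subprocess.run(
        ["bcdedit", "/enum", "{current}"],
        capture_output=True, text=True, check=True,
    ).stdout
    return hypervisor_will_launch(out)


if __name__ == "__main__":
    print("launch type:", hypervisor_launch_type(SAMPLE_BCDEDIT))
    print("hypervisor will launch:", hypervisor_will_launch(SAMPLE_BCDEDIT))
```

Run the live query before and after the `bcdedit /set hypervisorlaunchtype off` step and the reboot; the answer flips from True to False only once the reboot has happened, which matches the article's "after a reboot" wording.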

Please take note that we are not fans of disabling Windows VBS, so (in addition to performance concerns) that is a compelling reason to run Hyper-V and AIM on bare metal when possible. Our testing related to this article was based on Windows 10, so once we were done we re-enabled VBS by running "bcdedit /set hypervisorlaunchtype auto" from an administrative command prompt. If you are beginning your virtual machine inception on Linux as opposed to Windows, this will not concern you.

Our testing related to this article was based on Windows 10 v20H2, VMware Workstation Pro v16.1.0 build 17198959, and Arsenal Image Mounter v3.3.136.

If you ever have the need to run Hyper-V and AIM within VMware, we hope you find this Insights article useful! (And if you have a need to run Hyper-V within Hyper-V, let us know.)
