How does Windows 10 task manager detect a virtual machine?



I've analyzed the x64 taskmgr.exe from Windows 10 1803 (OS Build 17134.165) by tracing back the writes to the memory location that is consulted at the point where the Virtual machine: Yes label is set.

Responsible for that variable's value is the return code of the function WdcMemoryMonitor::CheckVirtualStatus

Here is the disassembly of the first use of the cpuid instruction in this function:

    lea     eax, [rdi+1]                 // results in eax set to 1
    cpuid
    mov     dword ptr [rbp+var_2C], ebx  // save CPUID feature bits for later use
    test    ecx, ecx
    jns     short loc_7FF61E3892DA       // negative value check equals check for bit 31
    ...
    return 1
    loc_7FF61E3892DA:
    // different feature detection code if hypervisor bit is not set

So taskmgr is not using any hardware strings, MAC addresses or other sophisticated techniques but simply checks whether the hypervisor bit (CPUID leaf 0x01, ECX bit 31) is set.

The result is bogus of course since e.g. adding -hypervisor to qemu's cpu parameter disables the hypervisor cpuid flag which results in task manager not showing Virtual machine: yes anymore.

And finally here is some example code (tested on Windows and Linux) that perfectly mimics Windows task manager's test:

    #include <stdio.h>
    #ifdef _WIN32
    #include <intrin.h>
    #else
    #include <cpuid.h>
    #endif

    /* Returns 1 if CPUID leaf 1 reports the hypervisor-present bit (ECX bit 31). */
    int isHypervisor(void)
    {
    #ifdef _WIN32
        int cpuinfo[4];               /* EAX, EBX, ECX, EDX */
        __cpuid(cpuinfo, 1);
        if (cpuinfo[2] >> 31 & 1)
            return 1;
    #else
        unsigned int eax, ebx, ecx, edx;
        __get_cpuid(1, &eax, &ebx, &ecx, &edx);
        if (ecx >> 31 & 1)
            return 1;
    #endif
        return 0;
    }

    int main(int argc, char **argv)
    {
        (void)argc;
        (void)argv;
        if (isHypervisor())
            printf("Virtual machine: yes\n");
        else
            printf("Virtual machine: no\n"); /* actually "maybe" */
        return 0;
    }