The VM Trick: Running a Clean OS Inside a Dirty One
A cheater installs VirtualBox or VMware on their main PC. Inside the VM, they run a fresh Windows install — no cheat clients, no suspicious files. When screenshare is requested, they share the VM screen while their actual Minecraft with cheats runs on the host machine, completely hidden. From a naive screenshare perspective, everything looks clean.
How Audit AC Detects Virtualisation
Audit AC queries multiple system data sources to identify hypervisor indicators. On Windows it uses WMI queries against Win32_BIOS (VM firmware strings like VBOX, BOCHS, QEMU), Win32_VideoController (virtual GPU names like 'VirtualBox Graphics Adapter'), Win32_ComputerSystem (system model), and running service processes. On Linux it reads /sys/class/dmi for DMI table entries. Supported detections: VirtualBox, VMware, Hyper-V, KVM, QEMU, Xen, and Parallels.
The VPN Problem: Masking Identity and IP
Cheaters use VPNs to bypass IP bans, obscure their location, and hide their IP from ban database cross-referencing. Audit AC runs three independent VPN detection checks simultaneously for maximum coverage.
| Signal | Method |
|---|---|
| Running processes | Checks for NordVPN, ProtonVPN, OpenVPN, ExpressVPN, and 15+ VPN daemon processes |
| Network adapters | Scans for connected adapters with real traffic matching known VPN adapter names |
| Public IP lookup | Cross-references the player's public IP against the X4BNet VPN IP database |
Important Nuance: Context Is Everything
VM detection: there is no legitimate reason to share a VM's screen instead of your actual desktop during a screenshare. Any VM indicators should be treated as evasion by default. VPN detection: many players legitimately use VPNs, so a VPN hit alone is insufficient for punishment on most servers. However, VPN use during a screenshare where the player has already been invoked significantly increases suspicion. Combine with other flags for a complete case.