vSphere APIs for Guest Operating System Management: What’s Special and When to Use It?

March 19th, 2012

This is a wrap-up post for the recent series on vSphere guest operating system management APIs. If you missed them, here are a few links to related posts: [Note: these are not related to the vSphere Guest API.]

After reading these posts, you may wonder (at least, I did): why should we use these guest operating system APIs at all? Can’t we simply use well-known alternatives like HTTP to download/upload files, SSH/WMI to run programs, etc.? To some extent you are right, but not exactly.

For one thing, all of these remote management methods require a network connection to the guest OS. The vSphere APIs don’t: all you need is a network connection to the ESXi host on which the guest operating system is running. I think this is the most distinctive feature of these APIs.

This does not mean you don’t need remote manageability. In fact, you do. The question is really when you should use which.

To answer the question, you first have to consider the accessibility of the ESXi management network. As a best practice, this is generally a separate network dedicated to management and nothing else. This limitation already excludes lots of use cases. It basically suggests that you use the vSphere API only in management applications that can access the management network.

The second consideration is performance. In general, I felt, without an apples-to-apples comparison, that the vSphere API is slow, especially when moving files to and from a guest operating system. I think it’s in part due to the fact that ESXi is a middleman in between.

To sum up, the guest management APIs in vSphere are not meant to be used as a general approach for communicating with a guest operating system. Only management applications with ESXi access should use these APIs. For other general-purpose communication such as downloading files, use whatever existing protocols/APIs are out there, as you would with an operating system running directly on a physical machine.
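The conclusion above, that only management applications with ESXi access should use these APIs, can be checked on the vCenter side, where guest operations are gated by the VirtualMachine.GuestOperations.* privileges (Query, Modify, Execute). The following is an added example, not code from this post or from the VI Java API: it joins role definitions to permission assignments and flags principals that can reach into guests without being on an approved list. The role names, principals, permission rows and the APPROVED allow list are constructed for illustration.

```python
GUEST_OPS_PREFIX = "VirtualMachine.GuestOperations."

# Constructed sample: role name -> privilege IDs the role contains
ROLES = {
    "ReadOnly": ["System.Anonymous", "System.Read", "System.View"],
    "BackupAgent": ["System.Read", GUEST_OPS_PREFIX + "Query"],
    "PatchAutomation": [GUEST_OPS_PREFIX + v for v in ("Query", "Modify", "Execute")],
    "HelpDesk": ["VirtualMachine.Interact.PowerOn", GUEST_OPS_PREFIX + "Execute"],
}

# Constructed sample: (principal, role, inventory object, propagates to children)
PERMISSIONS = [
    ("CORP\\svc-patch", "PatchAutomation", "Datacenter/Prod", True),
    ("CORP\\svc-backup", "BackupAgent", "Datacenter/Prod", True),
    ("CORP\\helpdesk", "HelpDesk", "Datacenter", True),
    ("CORP\\auditors", "ReadOnly", "Datacenter", True),
]

# Hypothetical allow list: principals approved to run guest operations
APPROVED = {"CORP\\svc-patch", "CORP\\svc-backup"}


def guest_ops_in_role(privileges):
    """Return the guest-operation verbs (Query/Modify/Execute) a role grants."""
    return sorted(p[len(GUEST_OPS_PREFIX):] for p in privileges
                  if p.startswith(GUEST_OPS_PREFIX))


def audit(roles, permissions, approved):
    """List every assignment that grants guest operations, unapproved ones first."""
    findings = []
    for principal, role, entity, propagates in permissions:
        ops = guest_ops_in_role(roles.get(role, []))
        if not ops:
            continue  # role cannot touch the guest through these APIs
        findings.append({
            "principal": principal, "role": role, "entity": entity,
            "propagates": propagates, "ops": ops,
            "approved": principal in approved,
        })
    # Sort: unapproved first, then assignments that can execute programs in the guest
    findings.sort(key=lambda f: (f["approved"], "Execute" not in f["ops"], f["principal"]))
    return findings


if __name__ == "__main__":
    for f in audit(ROLES, PERMISSIONS, APPROVED):
        tag = "ok  " if f["approved"] else "FLAG"
        print(f'{tag} {f["principal"]:18} {f["role"]:16} {f["entity"]:16} {",".join(f["ops"])}')
```

A role that propagates from a datacenter or folder applies to every VM beneath it, so the entity column matters as much as the privilege list when reviewing the output.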

  1. March 21st, 2012 at 00:32 | #1

    Hi Steve, thanks for the great work on the APIs!
    It seems the APIs allow a great deal of new modify access to the guest OS from vCenter – how does VMware intend to address this?

    For instance I can now craft a powershell script to remotely access all VMs as root (subverting our policy) /etc/ssh/sshd_config PermitRoot No

    I’d suggest ideally there would be a decentralized (secure) sudoers list of allowed guest operations to mitigate a vcenter compromise.

    thanks

  2. March 21st, 2012 at 07:49 | #2

    Hi Fletcher,
    I now see your comment! Thanks for reminding me on Twitter and trying it again!
    To gain access to an OS, you will need credentials, as you would to log in to the OS directly. I think you raised a good point about using sudo for better auditing.
    Steve

  3. Svetozar
    August 31st, 2012 at 13:34 | #3

    Hi Steve,

    I like the VI Java API.
    I would like to use this “vSphere APIs for Guest Operating System management” too.

    Do you have plans to share its source code?

    Thanks,
    Svetozar

  4. lihlcnkr
    October 7th, 2012 at 20:33 | #4

    Hi Steve,
    It’s a great job.

    But it has an issue.
    On some VMs, GuestOperationsManager works well, but after hot-adding a NIC device to a VM,
    it always throws a GuestPermissionDenied exception.

    It looks like a VMware issue, and because of this issue we cannot use it :(
    vCenter version is 5.0
    The virtual machine guest OS is Windows 2008 Server R2

    Do you have any idea?

    thanks

    lihlcnkr

  5. October 8th, 2012 at 18:57 | #5

    Hi lihlcnkr, interesting issue. What if you log in again? Just wondering if you can work around this.

    Steve

  6. lihlcnkr
    October 8th, 2012 at 21:14 | #6

    Hi Steve,
    Thanks for your reply.

    I tested re-login, restarting the VM guest OS, and resetting the VM.
    After hot-adding the NIC device, the guest OS API is again not working.
    It always throws a GuestPermissionDenied exception.

    And after hot-adding the NIC device, I tried to use vSphere to upgrade the guest OS VM tools, but it failed.

    So it looks like the guest OS VM tools are not working well when a NIC device is hot-added.

    I tested it on Win 2003 and Win 2008 Server R2; the result is the same.

  7. October 8th, 2012 at 23:23 | #7

    Let’s try to understand what you found out. After hot-adding a NIC to a VM running Windows 2003 and Windows 2008 SR2, the guest OS API stops working correctly with a GuestPermissionDenied exception, even after logging in again, restarting the guest OS, and resetting the VM. Am I right?
    Also, how about after removing the hot-added NIC? I know it’s probably not acceptable in your case, but I am curious what would happen. What version of VMware Tools did you use? Had you upgraded VMware Tools before hot-adding the NIC?
    Steve

  8. lihlcnkr
    October 9th, 2012 at 01:13 | #8

    Hi, Steve,

    Yes, it’s just as you say.
    My VMware Tools version is 8.6.5, Build 652272

    And after removing the hot-added NIC, it also happens.

  9. lihlcnkr
    October 9th, 2012 at 01:20 | #9

    My environment is like this:

    VMware Tools: Version 8.6.5, Build 652272
    vCenter Server: Version 5.0.0 Build 455964
    ESXi: Version 5.0.0 Build 623860

    Before hot-adding the NIC device, I upgraded VMware Tools.
    And after removing the hot-added NIC, it also happens.

    Sorry for my poor English.
    Thanks

    lihlcnkr

  10. October 9th, 2012 at 12:41 | #10

    Thanks Lihlcnkr, as you pointed out earlier, it’s mostly an issue with VMware Tools, which carries out the real execution. You may want to contact VMware support on this issue. I believe part of VMware Tools is open sourced somewhere (search for it); you can also take a look there. But I wouldn’t recommend that unless you are really familiar with low-level programming. Even so, it’s still a lot of work.
    Thanks! Steve

  11. lihlcnkr
    October 10th, 2012 at 01:24 | #11

    Hi, Steve.

    I contacted the VMware support team, but they said that technical support needs a technical support license, which is very expensive @@. And without the support team, I can’t report the bug directly.

    Anyway, Thanks very much.

  12. October 10th, 2012 at 10:49 | #12

    Tech support license needed to file a bug with VMware? It doesn’t make sense to me. Maybe for a solution but not for filing a bug. Can you ask around on Twitter and cc me there? Thanks!

    Steve

  13. lihlcnkr
    October 11th, 2012 at 21:42 | #13

    Hi, Steve

    I posted on Twitter and the VMware community.
    https://twitter.com/lihlcnkr/status/256583258526056448
    http://communities.vmware.com/thread/421460

    And I tested it again using vSphere PowerCLI, and the result is the same.

    I also installed the open source VMware Tools (open-vm-tools) on Linux and tested it,
    but it looks like open-vm-tools does not work well with the guest OS API.

    If I can’t resolve this issue, it looks like I can only use VIX or WMI & SSH to handle the guest OS :(

    Anyway, thanks for your advice ^^

    lihlcnkr