virtualbox.org

Jacob Klein wrote:It would be nice if an Oracle dev let us know their take on this particular issue, even if no fix is warranted. But it's okay if we don't get that communication, too.

They did. Klaus, 3 posts before yours. Please read it, in case that you missed it...

klaus wrote:So never ever expect Insider Preview for anything but toying around. It's NOT meant for production use.

socratis wrote:

Jacob Klein wrote:It would be nice if an Oracle dev let us know their take on this particular issue, even if no fix is warranted. But it's okay if we don't get that communication, too.

They did. Klaus, 3 posts before yours. Please read it, in case that you missed it...

klaus wrote:So never ever expect Insider Preview for anything but toying around. It's NOT meant for production use.

I read it, earlier.

As I said, I was curious about Oracle's take on this particular certificate issue - OS bug that Oracle can ignore indefinitely, or OS change likely to be committed in a general release that will eventually require on Oracle change.

I'm not expecting a response, but it'd be nice I completely understand if they think it's not worth investigating at this time We understand that there is no obligation.

PS: Your responses sometimes come across as antagonizing and confrontational. But it could be my interpretation - I'm under quite a bit of stress.

Jacob Klein wrote:As I said, I was curious about Oracle's take on this particular certificate issue - OS bug that Oracle can ignore indefinitely, or OS change likely to be committed in a general release that will eventually require on Oracle change.

Me, too. A large swath of Windows uses this DLL, and more than a few 3rd-party apps, too (ones that I have running right now: Outlook, Firefox, Skype), yet it's all working except....

I was also intrigued by the "licensing documents" line. It is true that IP builds forcibly have all telemetry elements enabled (as they should for an ongoing beta), but there would be no chance of "proprietary information transferred off a Windows 10 IP install" (even allowing for the possibility that that's what MS telemetry gathering includes, which it does not), because there never would be proprietary information on a test machine in the first place. It's a test PC. It could even be an isolated PC.

Is this all to suggest that Oracle has had zero(!) IP builds installed to date?

Most of the other programs don't care about unsigned DLLs injecting themselves into their program space.
Oracle uses standard Windows system calls to verfiy the signature of such DLLs and from time to time Microsoft changes something there or they don't use/create a valid certification tree so that this check fails. In most cases this gets fixed in the next insider build.

Martin wrote:...or they don't use/create a valid certification tree so that this check fails. In most cases this gets fixed in the next insider build.

Hmmm, I have been testing every Fast Ring build since Insider inception, and this is the first time I've seen a VirtualBox failure relating to an invalid certificate, I think.

Here are my details regarding this problem:

========================================================================================================
Dialog Box 1:
---------------------------
VirtualBox - Error In supR3HardNtChildPurify
---------------------------
<html><b>supHardenedWinVerifyProcess failed with VERR_CR_X509_CPV_NOT_VALID_AT_TIME: (rc=-23033)</b><br/><br/><br><br><!--EOM-->where: supR3HardNtChildPurify
what: 5
VERR_CR_X509_CPV_NOT_VALID_AT_TIME (-23033) - Certificate path validator: The certificate is not valid at the specified time.
</html>
---------------------------
OK
---------------------------

========================================================================================================
Dialog Box 2:
---------------------------
VirtualBox - Error
---------------------------
Failed to open a session for the virtual machine boinc_c2eadc1e63dade66 Clone 4 Clone xxx.

The virtual machine 'boinc_c2eadc1e63dade66 Clone 4 Clone xxx' has terminated unexpectedly during startup with exit code 1 (0x1). More details may be available in 'E:\VirtualBox VMs\boinc_c2eadc1e63dade66 Clone 4 Clone xxx\Logs\VBoxHardening.log'.

Result Code: E_FAIL (0x80004005)
Component: MachineWrap
Interface: IMachine {f30138d4-e5ea-4b3a-8858-a059de4c93fd}

========================================================================================================
"VBoxHardening.log" Log File (attached)
...
2890.3c18: Error (rc=-23033):
2890.3c18: supHardenedWinVerifyProcess failed with Unknown Status -23033 (0xffffa607): Certificate is not valid (ValidTime=2088-08-14T12:05:18.000000000Z Validity=[2014-05-28T17:33:33.000000000Z...2029-05-28T17:43:33.000000000Z]): \Device\HarddiskVolume4\Windows\System32\ntdll.dll
2890.3c18: Error -23033 in supR3HardNtChildPurify! (enmWhat=5)
2890.3c18: supHardenedWinVerifyProcess failed with Unknown Status -23033 (0xffffa607): Certificate is not valid (ValidTime=2088-08-14T12:05:18.000000000Z Validity=[2014-05-28T17:33:33.000000000Z...2029-05-28T17:43:33.000000000Z]): \Device\HarddiskVolume4\Windows\System32\ntdll.dll

========================================================================================================


Hmm... I wonder where it's getting that "ValidTime=2088-08-14T12:05:18.000000000Z" value from. I've tried to look at all 3 certificates in the chain, but can't find "year 2088" anywhere!
It's almost like it's maybe thinking "today is 2088", and then thinking "cert only valid 2014-2029"... meaning the problem might actually be "getting current date" somehow?

Martin wrote:Most of the other programs don't care about unsigned DLLs injecting themselves into their program space.
Oracle uses standard Windows system calls to verfiy the signature of such DLLs and from time to time Microsoft changes something there or they don't use/create a valid certification tree so that this check fails. In most cases this gets fixed in the next insider build.

OK, maybe there is something different about it that the other programs and all of the many system services don't care about, but it's definitely not unsigned. I've clicked all through its certificate, so it's most definitely there, and Windows declares that "This certificate is OK."

I wonder if the certificate is a red herring, like sometimes with a BSOD, when the module cited has nothing to do with why your system crashed. Usually it does, but not always.

Attached is just a bit of the cert's properties.

rseiler:

Did you read the error message, regarding "ValidTime" - where did that 2088 date come from, do you think?

Jacob Klein wrote:Did you read the error message, regarding "ValidTime" - where did that 2088 date come from, do you think?

No, where is that field?

Read your VBoxHardening.log file more closely
And also the comment at the bottom of my post where I posted my full details.

.
ditto
.

LtRadar wrote:1)Win10 vbox ver Version 5.1.9 r111957 (Qt5.6.2) also in 5.1.8 hence tried latest test build
2)attached log
3)related stuff
Just autoupdated to latest win 10 insider 14971.1000 build and got this message


and "Failed to open a session for the virtual machine xp.

The virtual machine 'xp' has terminated unexpectedly during startup with exit code 1 (0x1). More details may be available in 'D:\Virtual Machines\xp\Logs\VBoxHardening.log'.

Result Code: E_FAIL (0x80004005)
Component: MachineWrap
Interface: IMachine

"
was working fine in 14965 and 5.1.8
AVG Internet Security
Intel inbuild graphics
No firewall
UAC disabled
On windows insider program fast channel
developer mode
no issues on sfc or chkdsk

Jacob Klein wrote:Read your VBoxHardening.log file more closely
And also the comment at the bottom of my post where I posted my full details.

I thought you meant in the properties of the cert, which I had just posted (I hadn't seen the end of your prior post before).

Perhaps we should set our machines back then to 1944.

I do not intend to try that, but you or someone else are certainly welcome to. I'd be curious if that test would affect the 2088 date or not.

Jacob Klein wrote: I do not intend to try that, but you or someone else are certainly welcome to. I'd be curious if that test would affect the 2088 date or not.

Wikipedia says that Windows supports an "epoch" of 1 January 1601 to AD 30,828, but I can't get earlier than 1980.

Windows 10 is not time-machine ready. Sad!

This program does let you do it, but Vbox doesn't run at all with it regardless of date:
http://www.nirsoft.net/utils/run_as_date.html

We suspect the problem is some certificate or signature parsing issue caused by some slight change in the output from the microsoft signing tools or CA. However, in order to fix it we need the offending ntdll.dll and are eagerly waiting for the laptop with the insider build setup to feel like update itself so we can get it. With a bit of luck we'll have it fixed soon...
-bird