virtualbox.org

It seems now with this build the certificate for ntdll.dll is invalid. Any quick fix?

4a8.31c0: VBoxHeadless.exe: timestamp 0x582c8767 (rc=VINF_SUCCESS)
4a8.31c0: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe' has no imports
4a8.31c0: Error (rc=-23033):
4a8.31c0: supHardenedWinVerifyProcess failed with Unknown Status -23033 (0xffffa607): Certificate is not valid (ValidTime=2088-08-14T12:05:18.000000000Z Validity=[2014-05-28T17:33:33.000000000Z...2029-05-28T17:43:33.000000000Z]): \Device\HarddiskVolume2\Windows\System32\ntdll.dll
4a8.31c0: Error -23033 in supR3HardNtChildPurify! (enmWhat=5)
4a8.31c0: supHardenedWinVerifyProcess failed with Unknown Status -23033 (0xffffa607): Certificate is not valid (ValidTime=2088-08-14T12:05:18.000000000Z Validity=[2014-05-28T17:33:33.000000000Z...2029-05-28T17:43:33.000000000Z]): \Device\HarddiskVolume2\Windows\System32\ntdll.dll

I deleted your other post from the general "VirtualBox on Windows Hosts" forum, since this is a more appropriate one. I will not delete your third post on the same problem, since it's only a redirect to this thread, but remember in the future that duplicate posts are not allowed.

As for the certificate, Microsoft has invalidated itself in the past. Nobody but them can fix it, so my guess is that you'll either have to downgrade your Win10, or wait for a new fix. In any event, you should definitely let Microsoft know about it.

1)Win10 vbox ver Version 5.1.9 r111957 (Qt5.6.2) also in 5.1.8 hence tried latest test build
2)attached log
3)related stuff
Just autoupdated to latest win 10 insider 14971.1000 build and got this message


and "Failed to open a session for the virtual machine xp.

The virtual machine 'xp' has terminated unexpectedly during startup with exit code 1 (0x1). More details may be available in 'D:\Virtual Machines\xp\Logs\VBoxHardening.log'.

Result Code: E_FAIL (0x80004005)
Component: MachineWrap
Interface: IMachine

"
was working fine in 14965 and 5.1.8
AVG Internet Security
Intel inbuild graphics
No firewall
UAC disabled
On windows insider program fast channel
developer mode
no issues on sfc or chkdsk

Chatted with the user this morning on IRC, and I interpret the messages he wrote at the end as having VirtualBox working as it should after

Code: Select all   Expand viewCollapse view

sfc /scannow

. Looks like a weird messup in the user's install which got cured by using the proper files.

OK, thanks klaus, good to keep that in mind...

Based on comparing logs anyway (see attached), it sounds like what I mentioned here:
https://forums.virtualbox.org/viewtopic ... 66#p378466

...is the same problem.

However, when looking at the cert for that file, it looks valid to me. And it expires May 15, 2017.

I do see some mentions of this in the Feedback Hub, too, so I don't think it's some messup with one (or, two, including me) user's install.

For reference, someone opened this, but it points back here:
https://www.virtualbox.org/ticket/16198

I also tried the 111957 test build.

rseiler wrote:..is the same problem.

So did you try the same solution that "klaus" pointed to the OP? I.e. run:

Code: Select all   Expand viewCollapse view

sfc /scannow

rseiler wrote:For reference, someone opened this, but it points back here:

"kalikosmil" opened the bug, "KWierso" simply said me too (with no logs), I took a look at the log of "kalikosmil" and pointed them here. The forums are the true place for discussions, not the bugtracker.

socratis wrote:

rseiler wrote:..is the same problem.

So did you try the same solution that "klaus" pointed to the OP? I.e. run:

Yes:

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

It would have been very weird if it found an integrity problem after installing a new build, since that process does its own checking of this type, and the odds of there being that kind of problem afterwards is very low-to-impossible. Usually, that sort of problem develops over time.

For anyone curious, run (from an admin prompt):
sfc /verifyonly

I have the same problem: "Certificate is invalid".
The proposed solutions not working for me.

Windows 10 14971
VirtualBox 5.1.8 111374 / 5.1.9 111957

@rseiler
I went only with information given from a VirtualBox developer with almost identical VBoxHardening.logs (thanks for including yours, btw, so that I could compare them). It seemed like it was worth a shot. Too bad it's not a generic solution...

@ASM
You have an almost identical log. Same things apply to you. Nothing solid at the moment I'm afraid, that's why the only thing that I could do is to remove the "[Solved]" from the topic title...

I still believe that this is a Microsoft mess, as it's not the first time that they've invalidated their own systems. It used to be KB articles, now it's called ... insider builds. I really don't have a clue if the devs can provide a solution or not.

To state the obvious: no software vendor can possibly support the Insider Previews. There are simply too many changes in it, many of which have seen only very limited QA. Often changes get pulled once Microsoft realizes that it's having bad side effects.

Another issue is that getting access to Insider Previews requires the authority to sign licensing documents, which is something very hard to do in big corporations. Especially when these documents talk about Microsoft having the right to retrieve pretty much any piece of data from a system which has an IP build running - should Oracle risk having its proprietary information transferred off a Windows 10 IP install?

So never ever expect Insider Preview to be suitable for anything but toying around. It's NOT meant for production use. There's nothing wrong with reporting issues to us, we'll always see what we can do about it.

@socratis. Thanks for getting back. So this particular flavor, relating to a certificate (apparently), seems to be something new then? I know that there have been epic threads over the years about various hardening issues, so our finding a new variation on that is quite the thing.

@rseiler, you mentioned something before, that made me think twice:

rseiler wrote:It would have been very weird if it found an integrity problem after installing a new build, since that process does its own checking of this type, and the odds of there being that kind of problem afterwards is very low-to-impossible.

That assumes that the integrity check is happening with a known "signature" at the time of the installation, correct? You compare the signature of "ntdll.dll" with the signature that you have on the installer. A match? Proceed and update the system.

But, what if you "forget" at the last step to also update the system known signatures? Or you end up with a mix of signatures? I really don't know how the whole thing works, i.e. is it self signed per file, or it has a database of known files/signatures?

Just thinking out loud...

Update: Then the "sfc /verifyonly" would fail too, wouldn't it? You'd think...

Yeah, I'm not sure of how the checks work in any detail.

I should add that ntdll.dll is one of the more critical dlls in Windows, if not the most important one. You would think that if it had a problem, then there would be problems showing up everywhere. Process Explorer shows that there are an incredible 151 processes on my system at the moment that are using ntdll.dll. Many are system services.

That would seemingly point back to the given app as opposed to Windows itself being the culprit.

(It's actually probably more like 135, since some of those processes are using \windows\syswow64\ntdll.dll, which is a different file used by 32-bit apps.)

To me, it seems we do have a "new failure point" here, and we are doing what we can to give details. I would only expect Oracle to put in a fix if they believe Microsoft will commit to whatever was changed with the OS that broke things. And I would only expect that fix to be committed, in the days/weeks leading up to the release of the new OS build to general users, even if we'd prefer it quicker.

In short ... Would never want Oracle to put in a stub or shim to work around a buggy OS build. Would only want fixes they think would "stay committed, relevant for the release OS build."

It would be nice if an Oracle dev let us know their take on this particular issue, even if no fix is warranted. But it's okay if we don't get that communication, too.

I will have to rely on my "Release partition", until the "Fast partition" can do VirtualBox again