Error In supR3HardehedWinReSpawn


Post by S4kura0ne » 6. Dec 2021, 13:08

I had tried Windows 10 20H2 (19042.1348) and Windows 11 (22509.1011) with VirtualBox 6.1.30-148432, 6.1.26-145957, and 6.1.16-140961.

VirtualBox shows the following error, and I failed to start any VMs (either registered or freshly created).
[Attachment: Snipaste_2021-12-06_18-36-02.png]
[Attachment: Snipaste_2021-12-06_18-36-11.png]

I have tried following the steps of "Diagnosing VirtualBox Hardening Issues" and several other posts from the Internet (proved useless).
From VBoxHardening.log:
Code:
4be4.1f90: supR3HardenedWinVerifyCacheProcessImportTodos: 'rpcrt4.dll' -> '\Device\HarddiskVolume4\Windows\System32\rpcrt4.dll' [rcNtRedir=0xc0150008]
4be4.1f90: supR3HardenedScreenImage/Imports: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\rpcrt4.dll [lacks WinVerifyTrust]
4be4.1f90: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\system32\ole32.dll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000009:<flags> [calling]
4be4.1f90: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffb97ce0000 'C:\WINDOWS\system32\ole32.dll'
2e0c.28f8: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 2656 ms, the end);

Later, I tried "System file check (SFC) Scan and Repair System Files & DISM to fix things SFC cannot" from Microsoft forum
Code:
sfc /scannow
Dism /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth

The system says everything is correct.
Then I rebooted 3 times, and the problem keeps existing.

On my machine, I can use VMWare Workstation Pro and MuMu emulator (an Android emulator based on some version of VirtualBox), so I'm sure that options of Hyper-V, Windows Defender, VT-d, etc. are correctly configured.

Following is the full log.

[Attachment: VBoxHardening.zip]


Is there any way to solve this?
S4kura0ne
 
Posts: 3
Joined: 6. Dec 2021, 12:46

Re: Error In supR3HardehedWinReSpawn

Post by mpack » 6. Dec 2021, 13:30

You have certificate errors on system DLLs, and resource data is being modified by an unknown process when in memory. It appears that you have been hacked. Or did you install some kind of theme hack?

11d0.2f3c: VirtualBoxVM.exe: timestamp 0x5f89bd71 (rc=VINF_SUCCESS)
11d0.2f3c: \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe: Signature #1/2: info status: 24202
11d0.2f3c: '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
11d0.2f3c: \SystemRoot\System32\ntdll.dll: Signature #1/1: VERR_CR_X509_CPV_NOT_VALID_AT_TIME for 0xcfb3a60c; retrying against current time: 0x61ade78b.
11d0.2f3c: '\Device\HarddiskVolume4\Windows\System32\ntdll.dll' has no imports
11d0.2f3c: \Device\HarddiskVolume4\Windows\System32\kernel32.dll: Signature #1/1: VERR_CR_X509_CPV_NOT_VALID_AT_TIME for 0xe599805; retrying against current time: 0x61ade78b.
11d0.2f3c: \Device\HarddiskVolume4\Windows\System32\KernelBase.dll: Signature #1/1: VERR_CR_X509_CPV_NOT_VALID_AT_TIME for 0xeecc324a; retrying against current time: 0x61ade78b.
11d0.2f3c: \Device\HarddiskVolume4\Windows\System32\apphelp.dll: Signature #1/1: VERR_CR_X509_CPV_NOT_VALID_AT_TIME for 0xf73772b0; retrying against current time: 0x61ade78b.
11d0.2f3c: apphelp.dll: Differences in section #2 (.rdata) between file and memory:
11d0.2f3c: 00007ffb94381fb8 / 0x0051fb8: 90 != a0
11d0.2f3c: 00007ffb94381fb9 / 0x0051fb9: c2 != 1c
11d0.2f3c: 00007ffb94381fba / 0x0051fba: 7e != 67
11d0.2f3c: 00007ffb94381fbb / 0x0051fbb: 97 != 99
11d0.2f3c: 00007ffb94381fc0 / 0x0051fc0: 00 != a0
11d0.2f3c: 00007ffb94381fc1 / 0x0051fc1: 10 != d0
11d0.2f3c: 00007ffb94381fc2 / 0x0051fc2: 7e != 66
11d0.2f3c: 00007ffb94381fc3 / 0x0051fc3: 97 != 99
11d0.2f3c: 00007ffb94381fc8 / 0x0051fc8: 20 != b0
11d0.2f3c: 00007ffb94381fc9 / 0x0051fc9: ef != 1c
11d0.2f3c: 00007ffb94381fca / 0x0051fca: 7d != 67
11d0.2f3c: 00007ffb94381fcb / 0x0051fcb: 97 != 99
11d0.2f3c: 00007ffb94381fd0 / 0x0051fd0: c0 != 90
11d0.2f3c: 00007ffb94381fd1 / 0x0051fd1: ce != a1
11d0.2f3c: 00007ffb94381fd2 / 0x0051fd2: 7e != 66
11d0.2f3c: 00007ffb94381fd3 / 0x0051fd3: 97 != 99
11d0.2f3c: 00007ffb94381fd9 / 0x0051fd9: 4c != 64
11d0.2f3c: 00007ffb94381fda / 0x0051fda: 79 != 66
11d0.2f3c: 00007ffb94381fdb / 0x0051fdb: 97 != 99
11d0.2f3c: 00007ffb94381fe0 / 0x0051fe0: 10 != 50
11d0.2f3c: 00007ffb94381fe1 / 0x0051fe1: 88 != f1
11d0.2f3c: 00007ffb94381fe2 / 0x0051fe2: 80 != 66
11d0.2f3c: 00007ffb94381fe3 / 0x0051fe3: 97 != 99
11d0.2f3c: 00007ffb94381fe8 / 0x0051fe8: 30 != 60
11d0.2f3c: 00007ffb94381fe9 / 0x0051fe9: 32 != bb
11d0.2f3c: 00007ffb94381fea / 0x0051fea: 7f != 66
11d0.2f3c: 00007ffb94381feb / 0x0051feb: 97 != 99
11d0.2f3c: 00007ffb94381ff8 / 0x0051ff8: a0 != 00
11d0.2f3c: 00007ffb94381ff9 / 0x0051ff9: d9 != a9
11d0.2f3c: 00007ffb94381ffa / 0x0051ffa: 7a != 66
11d0.2f3c: 00007ffb94381ffb / 0x0051ffb: 97 != 99
11d0.2f3c: Restored 0x2000 bytes of original file content at 00007ffb94380000


The "Diagnosing Hardening Issues" FAQ told you what to do about "terminated with error code 1": run the sfc /scannow command. But, this will only work in the case of accidental corruption, not a deliberate hack (because it works by comparing a system DLL against an original stored on the same drive - which would also therefore be subject to hacking). I'm less familiar with how DISM works, but I would assume that it too uses the current installation for comparison unless you specify another, cleaner image.

Also: VirtualBox 6.1.16 is quite out of date. You should upgrade to a current release.
mpack
Site Moderator
 
Posts: 35136
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP
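
A triage aid for the kind of log excerpt quoted in the post above, added here as an example; it is not part of the original thread and not VirtualBox tooling. It pulls out the three signals the reply points at: signature warnings per module, byte differences between file and memory per section, and the child exit code. The sample lines are taken from the excerpts on this page, and grouping the differing bytes into aligned 8-byte slots is an assumption of this example to make the pattern easier to read.

```python
import re

# Sample input: a few lines copied from the VBoxHardening.log excerpts on this page.
SAMPLE_LOG = r"""
11d0.2f3c: \SystemRoot\System32\ntdll.dll: Signature #1/1: VERR_CR_X509_CPV_NOT_VALID_AT_TIME for 0xcfb3a60c; retrying against current time: 0x61ade78b.
11d0.2f3c: \Device\HarddiskVolume4\Windows\System32\apphelp.dll: Signature #1/1: VERR_CR_X509_CPV_NOT_VALID_AT_TIME for 0xf73772b0; retrying against current time: 0x61ade78b.
11d0.2f3c: apphelp.dll: Differences in section #2 (.rdata) between file and memory:
11d0.2f3c: 00007ffb94381fb8 / 0x0051fb8: 90 != a0
11d0.2f3c: 00007ffb94381fb9 / 0x0051fb9: c2 != 1c
11d0.2f3c: 00007ffb94381fc0 / 0x0051fc0: 00 != a0
11d0.2f3c: Restored 0x2000 bytes of original file content at 00007ffb94380000
2e0c.28f8: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 2656 ms, the end);
"""

PID = r"^[0-9a-f]+\.[0-9a-f]+: "  # "<pid>.<tid>: " prefix on every log line
SIG_RE = re.compile(PID + r"(?P<path>.+?): Signature #\d+/\d+: (?P<status>VERR_\w+)")
HDR_RE = re.compile(PID + r"(?P<mod>\S+): Differences in section #\d+ \((?P<sec>[^)]+)\)")
BYTE_RE = re.compile(PID + r"[0-9a-f]{16} / 0x(?P<rva>[0-9a-f]+): [0-9a-f]{2} != [0-9a-f]{2}")
EXIT_RE = re.compile(r"Quitting: ExitCode=(0x[0-9a-f]+)")


def triage(log_text):
    """Summarise signature warnings, file/memory differences and the child exit code."""
    sig_warnings = {}   # module name -> set of VERR_* statuses
    patched = {}        # (module, section) -> {8-byte-aligned offset: differing bytes}
    exit_code = None
    current = None      # section whose byte differences are currently being listed
    for line in log_text.splitlines():
        if m := BYTE_RE.match(line):
            if current:
                slot = int(m["rva"], 16) & ~7   # assumption: view bytes as 8-byte slots
                patched[current][slot] = patched[current].get(slot, 0) + 1
            continue
        current = None  # any other line ends the current difference listing
        if m := HDR_RE.match(line):
            current = (m["mod"], m["sec"])
            patched.setdefault(current, {})
        elif m := SIG_RE.match(line):
            module = m["path"].rsplit("\\", 1)[-1]
            sig_warnings.setdefault(module, set()).add(m["status"])
        elif m := EXIT_RE.search(line):
            exit_code = int(m.group(1), 16)
    return {"sig_warnings": sig_warnings, "patched": patched, "exit_code": exit_code}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against a full VBoxHardening.log, the `patched` entry lists every module and section that hardening had to restore, which is the list to compare between an affected machine and a working one.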

Re: Error In supR3HardehedWinReSpawn

Post by S4kura0ne » 6. Dec 2021, 18:05

Thanks for replying.
I don't think I installed any theme hack. Considering that I just use my computer normally, and my Windows Defender did not give any alerts, I have no idea if my computer is hacked.
I do not know how to check if any program has been injected into apphelp.dll.
I was using the current release at the beginning, but this error occurs, so I downgraded all the way back to 6.1.16 (my peer works with this version successfully, but clearly it is not for me).

One of my peers also has such a problem, I posted the log in the attachment below.
It's really bad to meet such a problem, maybe there can be an option to disable this feature.
But for now, I am sure I lack Windows OS knowledge, and I need a VM to finish my course, so I decided to give up trying VB and switch to VMWare.


I will still follow this post just to improve the VB. Please let me know how I can check if there's a program hacking apphelp.dll, or maybe only a fresh reinstall of Windows helps.

Also, what may cause my peer to not be able to start a VM?

Thanks anyway.

[Attachment: VBoxHardening2.zip]
S4kura0ne
 
Posts: 3
Joined: 6. Dec 2021, 12:46

Re: Error In supR3HardehedWinReSpawn

Post by scottgus1 » 6. Dec 2021, 18:18

The Diagnosing tutorial also pointed out for Exit Code 1 that the previous post's last paragraph also had things that can cause trouble. Look on your PC for any 'web-safe browsing' or other security software (besides Windows' built-in Defender AV).
scottgus1
Site Moderator
 
Posts: 14325
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Error In supR3HardehedWinReSpawn

Post by S4kura0ne » 6. Dec 2021, 19:28

'web-safe browsing' or other security software - only Windows Defender

Application Guard - no
Credential Guard - no
Device Guard - no
<any> * Guard - no (Intel Thunderbolt3 driver interface disabled, does not help)
Containers - no
Core Isolation - disabled
Memory Integrity - no
Virtualization Based Security - disabled
Hyper-V - disabled
Virtual Machine Platform - no
Windows Hypervisor Platform - no
Windows Sandbox - no
Windows Subsystem for Linux 2 (WSL2) (WSL1 does not enable Hyper-V) - no

I exit all the applications I can exit in the system tray, and that does not help.
S4kura0ne
 
Posts: 3
Joined: 6. Dec 2021, 12:46

Re: Error In supR3HardehedWinReSpawn

Post by scottgus1 » 6. Dec 2021, 20:34

Unfortunately the log does not tell us what 3rd-party program is causing this problem. But there is a 3rd-party program causing it. You'll have to use your imagination, look for anything that purports to 'work with' other programs, not just security software, per the last paragraph in post #3 of the Diagnosing tutorial:
"web safe" internet browser filters or remote desktop applications


Alternately, you mention a "peer". If this means you're in a job environment with IT overlords who control your PC, you may have to ask the boss to help you get IT to look into this. Lots of IT controls can really be things that interfere with VirtualBox.
scottgus1
Site Moderator
 
Posts: 14325
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Error In supR3HardehedWinReSpawn

Post by fth0 » 6. Dec 2021, 20:55

Are you talking about your regular Windows 10 20H2 installation or about your Windows 11 Dev Build? The latter is not a supported host OS and may pose additional issues.
fth0
Volunteer
 
Posts: 2763
Joined: 14. Feb 2019, 03:06
Location: Germany
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...

