Error In supR3HardehedWinReSpawn

Posted: 6. Dec 2021, 13:08
by S4kura0ne
I have tried Windows 10 20H2 (19042.1348) and Windows 11 (22509.1011) with VirtualBox 6.1.30-148432, 6.1.26-145957, and 6.1.16-140961.

VirtualBox shows the following error, and I failed to start any VMs (either registered or freshly created).
[Screenshots: Snipaste_2021-12-06_18-36-02.png, Snipaste_2021-12-06_18-36-11.png]
I have tried following the steps of "Diagnosing VirtualBox Hardening Issues" and several other posts from the Internet (which proved useless).

From VBoxHardening.log:

Code:

4be4.1f90: supR3HardenedWinVerifyCacheProcessImportTodos: 'rpcrt4.dll' -> '\Device\HarddiskVolume4\Windows\System32\rpcrt4.dll' [rcNtRedir=0xc0150008]
4be4.1f90: supR3HardenedScreenImage/Imports: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\rpcrt4.dll [lacks WinVerifyTrust]
4be4.1f90: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\system32\ole32.dll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000009:<flags> [calling]
4be4.1f90: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffb97ce0000 'C:\WINDOWS\system32\ole32.dll'
2e0c.28f8: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 2656 ms, the end);

Later, I tried "System file check (SFC) Scan and Repair System Files & DISM to fix things SFC cannot" from the Microsoft forum:

Code:

sfc /scannow
Dism /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth

The system says everything is correct.
Then I rebooted 3 times, and the problem still exists.

On my machine, I can use VMware Workstation Pro and the MuMu emulator (an Android emulator based on some version of VirtualBox), so I'm sure that the options for Hyper-V, Windows Defender, VT-d, etc. are correctly configured.

Following is the full log.
VBoxHardening.zip
Is there any way to solve this?

Re: Error In supR3HardehedWinReSpawn

Posted: 6. Dec 2021, 13:30
by mpack
You have certificate errors on system DLLs, and resource data is being modified by an unknown process when in memory. It appears that you have been hacked. Or did you install some kind of theme hack?
11d0.2f3c: VirtualBoxVM.exe: timestamp 0x5f89bd71 (rc=VINF_SUCCESS)
11d0.2f3c: \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe: Signature #1/2: info status: 24202
11d0.2f3c: '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
11d0.2f3c: \SystemRoot\System32\ntdll.dll: Signature #1/1: VERR_CR_X509_CPV_NOT_VALID_AT_TIME for 0xcfb3a60c; retrying against current time: 0x61ade78b.
11d0.2f3c: '\Device\HarddiskVolume4\Windows\System32\ntdll.dll' has no imports
11d0.2f3c: \Device\HarddiskVolume4\Windows\System32\kernel32.dll: Signature #1/1: VERR_CR_X509_CPV_NOT_VALID_AT_TIME for 0xe599805; retrying against current time: 0x61ade78b.
11d0.2f3c: \Device\HarddiskVolume4\Windows\System32\KernelBase.dll: Signature #1/1: VERR_CR_X509_CPV_NOT_VALID_AT_TIME for 0xeecc324a; retrying against current time: 0x61ade78b.
11d0.2f3c: \Device\HarddiskVolume4\Windows\System32\apphelp.dll: Signature #1/1: VERR_CR_X509_CPV_NOT_VALID_AT_TIME for 0xf73772b0; retrying against current time: 0x61ade78b.
11d0.2f3c: apphelp.dll: Differences in section #2 (.rdata) between file and memory:
11d0.2f3c: 00007ffb94381fb8 / 0x0051fb8: 90 != a0
11d0.2f3c: 00007ffb94381fb9 / 0x0051fb9: c2 != 1c
11d0.2f3c: 00007ffb94381fba / 0x0051fba: 7e != 67
11d0.2f3c: 00007ffb94381fbb / 0x0051fbb: 97 != 99
11d0.2f3c: 00007ffb94381fc0 / 0x0051fc0: 00 != a0
11d0.2f3c: 00007ffb94381fc1 / 0x0051fc1: 10 != d0
11d0.2f3c: 00007ffb94381fc2 / 0x0051fc2: 7e != 66
11d0.2f3c: 00007ffb94381fc3 / 0x0051fc3: 97 != 99
11d0.2f3c: 00007ffb94381fc8 / 0x0051fc8: 20 != b0
11d0.2f3c: 00007ffb94381fc9 / 0x0051fc9: ef != 1c
11d0.2f3c: 00007ffb94381fca / 0x0051fca: 7d != 67
11d0.2f3c: 00007ffb94381fcb / 0x0051fcb: 97 != 99
11d0.2f3c: 00007ffb94381fd0 / 0x0051fd0: c0 != 90
11d0.2f3c: 00007ffb94381fd1 / 0x0051fd1: ce != a1
11d0.2f3c: 00007ffb94381fd2 / 0x0051fd2: 7e != 66
11d0.2f3c: 00007ffb94381fd3 / 0x0051fd3: 97 != 99
11d0.2f3c: 00007ffb94381fd9 / 0x0051fd9: 4c != 64
11d0.2f3c: 00007ffb94381fda / 0x0051fda: 79 != 66
11d0.2f3c: 00007ffb94381fdb / 0x0051fdb: 97 != 99
11d0.2f3c: 00007ffb94381fe0 / 0x0051fe0: 10 != 50
11d0.2f3c: 00007ffb94381fe1 / 0x0051fe1: 88 != f1
11d0.2f3c: 00007ffb94381fe2 / 0x0051fe2: 80 != 66
11d0.2f3c: 00007ffb94381fe3 / 0x0051fe3: 97 != 99
11d0.2f3c: 00007ffb94381fe8 / 0x0051fe8: 30 != 60
11d0.2f3c: 00007ffb94381fe9 / 0x0051fe9: 32 != bb
11d0.2f3c: 00007ffb94381fea / 0x0051fea: 7f != 66
11d0.2f3c: 00007ffb94381feb / 0x0051feb: 97 != 99
11d0.2f3c: 00007ffb94381ff8 / 0x0051ff8: a0 != 00
11d0.2f3c: 00007ffb94381ff9 / 0x0051ff9: d9 != a9
11d0.2f3c: 00007ffb94381ffa / 0x0051ffa: 7a != 66
11d0.2f3c: 00007ffb94381ffb / 0x0051ffb: 97 != 99
11d0.2f3c: Restored 0x2000 bytes of original file content at 00007ffb94380000

The "Diagnosing Hardening Issues" FAQ told you what to do about "terminated with error code 1": run the sfc /scannow command. But this will only work in the case of accidental corruption, not a deliberate hack (because it works by comparing a system DLL against an original stored on the same drive, which would also therefore be subject to hacking). I'm less familiar with how DISM works, but I would assume that it too uses the current installation for comparison unless you specify another, cleaner image.

Also: VirtualBox 6.1.16 is quite out of date. You should upgrade to a current release.
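
An added example, not part of the original posts and not VirtualBox code: a small Python parser that pulls out of a VBoxHardening.log the two findings discussed in the reply above, signature-validity warnings per DLL and file-versus-memory byte differences, and groups the differing bytes into 8-byte aligned slots. The regular expressions are inferred only from the log lines quoted in this thread; `summarize` and `SAMPLE` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the log excerpt quoted above.
SAMPLE = r"""
11d0.2f3c: \SystemRoot\System32\ntdll.dll: Signature #1/1: VERR_CR_X509_CPV_NOT_VALID_AT_TIME for 0xcfb3a60c; retrying against current time: 0x61ade78b.
11d0.2f3c: \Device\HarddiskVolume4\Windows\System32\apphelp.dll: Signature #1/1: VERR_CR_X509_CPV_NOT_VALID_AT_TIME for 0xf73772b0; retrying against current time: 0x61ade78b.
11d0.2f3c: apphelp.dll: Differences in section #2 (.rdata) between file and memory:
11d0.2f3c: 00007ffb94381fb8 / 0x0051fb8: 90 != a0
11d0.2f3c: 00007ffb94381fb9 / 0x0051fb9: c2 != 1c
11d0.2f3c: 00007ffb94381fba / 0x0051fba: 7e != 67
11d0.2f3c: 00007ffb94381fbb / 0x0051fbb: 97 != 99
11d0.2f3c: 00007ffb94381fc0 / 0x0051fc0: 00 != a0
11d0.2f3c: 00007ffb94381fc1 / 0x0051fc1: 10 != d0
11d0.2f3c: Restored 0x2000 bytes of original file content at 00007ffb94380000
"""

P = r"^[0-9a-f]+\.[0-9a-f]+: "  # "pid.tid: " prefix, as seen in the excerpt
SIG_RE = re.compile(P + r"(?P<path>.+?): Signature #\d+/\d+: (?P<err>VERR_\w+)")
HDR_RE = re.compile(P + r"(?P<mod>\S+): Differences in section #\d+ \((?P<sec>[^)]+)\)")
DIFF_RE = re.compile(P + r"[0-9a-f]+ / 0x(?P<rva>[0-9a-f]+): [0-9a-f]{2} != [0-9a-f]{2}$")

def summarize(log_text):
    """Return signature warnings per DLL and modified 8-byte slots per section."""
    sig = defaultdict(set)
    patched = defaultdict(lambda: defaultdict(int))
    current = None  # (module, section) of the diff block being read
    for line in log_text.splitlines():
        line = line.strip()
        if m := SIG_RE.match(line):
            sig[m["path"].rsplit("\\", 1)[-1].lower()].add(m["err"])
        elif m := HDR_RE.match(line):
            current = (m["mod"].lower(), m["sec"])
        elif (m := DIFF_RE.match(line)) and current:
            # Round the offset down to its 8-byte slot and count changed bytes.
            patched[current][int(m["rva"], 16) & ~7] += 1
        else:
            current = None  # any other line ends the diff block
    return {
        "signature_warnings": {k: sorted(v) for k, v in sig.items()},
        "patched": {k: dict(v) for k, v in patched.items()},
    }

if __name__ == "__main__":
    for (mod, sec), slots in summarize(SAMPLE)["patched"].items():
        for rva, n in sorted(slots.items()):
            print(f"{mod} {sec} slot 0x{rva:x}: {n} byte(s) differ")
```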

Re: Error In supR3HardehedWinReSpawn

Posted: 6. Dec 2021, 18:05
by S4kura0ne
Thanks for replying.
I don't think I installed any theme hack. Considering that I just use my computer normally, and my Windows Defender did not give any alerts, I have no idea if my computer is hacked.
I do not know how to check if any program has been injected into apphelp.dll.
I was using the current release at the beginning, but this error occurs, so I downgraded all the way back to 6.1.16 (my peer works with this version successfully, but clearly it is not for me).

One of my peers also has such a problem; I posted the log in the attachment below.
It's really bad to meet such a problem; maybe there can be an option to disable this feature.
But for now, I am sure I lack Windows OS knowledge, and I need a VM to finish my course, so I decided to give up trying VB and switch to VMware.

I will still follow this post just to improve VB. Please let me know how I can check if there's a program hacking apphelp.dll, or maybe only a fresh reinstall of Windows helps.

Also, what may cause my peer to not be able to start a VM?

Thanks anyway.
VBoxHardening2.zip

Re: Error In supR3HardehedWinReSpawn

Posted: 6. Dec 2021, 18:18
by scottgus1
The Diagnosing tutorial also pointed out for Exit Code 1 that the previous post's last paragraph also had things that can cause trouble. Look on your PC for any 'web-safe browsing' or other security software (besides Windows' built-in Defender AV).

Re: Error In supR3HardehedWinReSpawn

Posted: 6. Dec 2021, 19:28
by S4kura0ne
'web-safe browsing' or other security software - only Windows Defender

Application Guard - no
Credential Guard - no
Device Guard - no
<any> * Guard - no (Intel Thunderbolt3 driver interface disabled, does not help)
Containers - no
Core Isolation - disabled
Memory Integrity - no
Virtualization Based Security - disabled
Hyper-V - disabled
Virtual Machine Platform - no
Windows Hypervisor Platform - no
Windows Sandbox - no
Windows Subsystem for Linux 2 (WSL2) (WSL1 does not enable Hyper-V) - no

I exited all the applications I could exit in the system tray, and that did not help.

Re: Error In supR3HardehedWinReSpawn

Posted: 6. Dec 2021, 20:34
by scottgus1
Unfortunately the log does not tell us what 3rd-party program is causing this problem. But there is a 3rd-party program causing it. You'll have to use your imagination, look for anything that purports to 'work with' other programs, not just security software, per the last paragraph in post #3 of the Diagnosing tutorial:
"web safe" internet browser filters or remote desktop applications
Alternately, you mention a "peer". If this means you're in a job environment with IT overlords who control your PC, you may have to ask the boss to help you get IT to look into this. Lots of IT controls can really be things that interfere with VirtualBox.

Re: Error In supR3HardehedWinReSpawn

Posted: 6. Dec 2021, 20:55
by fth0
Are you talking about your regular Windows 10 20H2 installation or about your Windows 11 Dev Build? The latter is not a supported host OS and may pose additional issues.