.vdi file disappeared and is gone

Discussions related to using VirtualBox on Windows hosts.
Post Reply
John T
Posts: 4
Joined: 11. Aug 2022, 08:09

.vdi file disappeared and is gone

Post by John T »

I was running a Windows 10 environment on a Windows 10 host and encountered some AHCI write errors (portion of log file attached). When I restarted VirtualBox and attempted to restart the virtual environment, it couldn't because my .vdi file containing the guest OS was just gone from the directory on the host machine.

Any suggestions on recovery? I looked in my recycle bin and it wasn't there, and I tried using Windows File Recovery but that didn't recover anything. I'm baffled as to how the file could just disappear. Thanks in advance!
crash log.txt
(116.09 KiB) Downloaded 24 times
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: .vdi file disappeared and is gone

Post by mpack »

Please do not chop up logs for our consumption. You need to zip the entire log then attach the zip here.

<speculation>The fragment of log you provided shows "VERR_INVALID_HANDLE". So I'm going to assume that you have a removable drive and the drive was removed while the VM was running. That could certainly produce all of these effects if the timing was especially bad.</speculation>

Don't assume VirtualBox has magic powers: a VDI is just an ordinary file, albeit rather large, manipulated using normal host OS file I/O functions. Looking after the host filesystem is the defining responsibility of the host OS. There are no tools in VirtualBox for maintaining the host OS or its filesystem.

The only recovery option is to restore the VDI from your last backup. I have never known a "file recovery tool" to work on files of that size.
John T
Posts: 4
Joined: 11. Aug 2022, 08:09

Re: .vdi file disappeared and is gone

Post by John T »

Thanks for your reply. I've attached the entire log file here.

The .vdi was on a desktop SSD, the same drive that's running the host OS, and was not physically removed (the errors occurred when I wasn't even at the computer). I was more surprised that the entire file was missing, I wouldn't have expected I/O errors to just corrupt that file rather than wipe it completely from existence without a trace.
Attachments
VBox.log.zip
(72.84 KiB) Downloaded 21 times
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: .vdi file disappeared and is gone

Post by mpack »

SSDs can behave in strange ways because of how "trim" works, and especially so if the SSD is failing - and it seems likely that something is very wrong with that host SSD.

That said, you have two VDI files attached to this VM, but the errors seem to be confined to "Windows10.vdi". For some reason you seem to have no errors with "D-drive.vdi" despite it being seemingly located on the same host drive. With a mechanical drive I would suspect sector errors, but I don't know if that's even possible on an SSD. Total failure yes, but sector errors? Perhaps the VM simply wasn't writing to "D-drive" at the time.

Still, I'd suggest running thorough filesystem checks on the host drive (chkdsk). A colleague here also suggests that you try to find an official diagnostic tool from the drive manufacturer, and see what that can tell you.

However the fundamental position remains that file recovery is never a practical possibility with files of these sizes. You either have a backup or you have nothing.
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: .vdi file disappeared and is gone

Post by fth0 »

VBox.log file wrote:
182:27:27.012336 AssertLogRel F:\tinderbox\win-6.1\src\VBox\Runtime\win\RTErrConvertFromWin32.cpp(448) int __cdecl RTErrConvertFromWin32(unsigned int): <NULL>
182:27:27.012511 Unhandled error 225
These are the first log messages indicating the problem. Win32 Error Codes 225 == 0x000000E1 == ERROR_VIRUS_INFECTED.

AV-Software (on the host) and disappearing files would be a good match ...
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: .vdi file disappeared and is gone

Post by mpack »

ERROR_VIRUS_DETECTED doesn't make much sense to me. To be reported as an OS error it would have be caused by Defender, and would Defender ever just instantly delete a file it thinks has a virus inside it?

But John T, you can at least answer if you have Defender AV settings particularly high?

And I assume you were not specifically experimenting with malware inside this VM.

I would still do the disk checks I mentioned.
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: .vdi file disappeared and is gone

Post by fth0 »

mpack wrote:ERROR_VIRUS_DETECTED doesn't make much sense to me. To be reported as an OS error it would have be caused by Defender, and would Defender ever just instantly delete a file it thinks has a virus inside it?
I guess that for an application like VirtualBox, Windows putting a file in quarantine and deleting a file should be undistinguishable.

I don't know if it is Microsoft Defender or another AV software. When developing 64-bit Windows, Microsoft also took the opportunity to force AV software to use Microsoft-provided interfaces, to prevent the latter from using their own techniques too much (as was the case in 32-bit Windows). So I wouldn't be surprised if quarantining used a common mechanism provided by Microsoft.
John T
Posts: 4
Joined: 11. Aug 2022, 08:09

Re: .vdi file disappeared and is gone

Post by John T »

You guys are awesome! You are correct that Windows Defender was the cause (it was set at default settings). It looks like the VM picked up some malware but the host Defender (rather than the VM Defender) flagged it and initiated quarantine of the .vdi file. I was able to successfully restore the .vdi file from quarantine. A bit disturbing that this occurred, but I added my virtualbox file directory to the Defender whitelist to hopefully prevent this going forward.

Thanks again for helping on the recovery!
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: .vdi file disappeared and is gone

Post by fth0 »

You're welcome, and thanks for reporting back! :)
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: .vdi file disappeared and is gone

Post by mpack »

I was going to suggest that you look for the quarantined file, but it seems you are way ahead of me.

I discussed this case with our IT guy at work, because the options were sector errors on an SSD (which doesn't make sense), or Defender deleting files on its own authority and without saying anything (which doesn't make sense either). Our conclusion was that the file must have been moved to a quarantine location - though neither of us had personally experienced that behaviour ever. Weird. I'd like to know what was the Defender setting (default doesn't mean much to me, since I suspect it varies), and what was the nature of the threat that caused such dramatic action? I ask the latter because I thought that Defender didn't go in for that dumb pattern matching crap whereby any code included in malware is flagged as malware too (even though it's just the runtime library of the C compiler used) - so maybe Defender was pretty sure about what it found.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: .vdi file disappeared and is gone

Post by scottgus1 »

John T wrote:I added my virtualbox file directory to the Defender whitelist to hopefully prevent this going forward.
+1 to this. I always tell Defender (or other 3rd-party AV when Windows 7 was the host) to stay out of the Virtualbox VMs' folders, then I use AV within the VMs as needed to handle malware inside the VMs.
John T
Posts: 4
Joined: 11. Aug 2022, 08:09

Re: .vdi file disappeared and is gone

Post by John T »

Screenshots of my host PC Defender settings and event logs are below. There wasn't any notification on the host PC of a malware detection event or quarantine.
2022-08-11 Windows Defender 1 (detected malware).png
2022-08-11 Windows Defender 1 (detected malware).png (28.03 KiB) Viewed 3949 times
2022-08-11 Windows Defender 2 (quarantine).png
2022-08-11 Windows Defender 2 (quarantine).png (30.9 KiB) Viewed 3949 times
2022-08-11 Windows Defender 3 (settings)-resize.jpg
2022-08-11 Windows Defender 3 (settings)-resize.jpg (30.62 KiB) Viewed 3949 times
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: .vdi file disappeared and is gone

Post by mpack »

In my Defender settings that first option is enabled (Real-time protection), all of the others are turned off. "Cloud delivered protection" for faster (i.e. more glitchy) protection sounds especially unwelcome to me.
ant
Posts: 334
Joined: 9. Jul 2007, 20:02
Primary OS: MS Windows other
VBox Version: OSE other
Guest OSses: Windows and macOSes
Location: An Ant Farm
Contact:

Re: .vdi file disappeared and is gone

Post by ant »

mpack wrote:In my Defender settings that first option is enabled (Real-time protection), all of the others are turned off. "Cloud delivered protection" for faster (i.e. more glitchy) protection sounds especially unwelcome to me.
Same. I don't trust the clouds. I ran into this issue today as shown in my viewtopic.php?f=6&t=107094&p=523957 thread.
Post Reply