Windows 4.3.16 specifically for errors due to security

Discussions related to using VirtualBox on Windows hosts.
XCD91
Posts: 2
Joined: 28. Sep 2014, 16:09

Re: Windows 4.3.16 specifically for errors due to security

Post by XCD91 »

Hi, sorry for my English.

When I try to create a VM, it always shows this text:

Code:

Creating process for virtual machine "..." (GUI/Qt)...

Host: Windows 7 Home Premium 64 bits, with an Intel Celeron E3300 and 6GB RAM.
Guest: Any...
Software virus: avast! Free Antivirus 2014.9.0.2021

Sorry for my poor English. Thanks!
Attachments
VBoxStartup.log
(1.51 KiB) Downloaded 43 times
Last edited by XCD91 on 28. Sep 2014, 22:05, edited 2 times in total.
kusuriya
Posts: 2
Joined: 28. Sep 2014, 20:38
Primary OS: MS Windows 8
VBox Version: PUEL
Guest OSses: PCBSD, OpenBSD, Windows, FreeBSD, HURD

Re: Windows 4.3.16 specifically for errors due to security

Post by kusuriya »

So out of the blue 4.3.16 started giving me issues with the security fixes after I tried to create a new FreeBSD VM, now none of the vms start.

windows 8.1 version 6.3 build 9600
Virus/Malware System Center Endpoint Protection

Running elevated or not elevated doesn't make a lick of difference
Installing the latest test build (#3) as suggested does nothing
Rebooting the system does not help
Running the install repair and rebooting doesn't help

logs attached
Attachments
VBoxStartup.zip
Logs from the FreeBSD VM
(12.76 KiB) Downloaded 28 times
te777
Posts: 28
Joined: 15. Jul 2014, 19:09

Re: Windows 4.3.16 specifically for errors due to security

Post by te777 »

@kusuriya......Try a system restore. I had to do this to get 4.3.12 working again. Then the latest Test Builds of 2 and 3 worked for me.

I'm on Windows 7 so I did a system restore. I don't know what you do in Windows 8. I guess you have system restore. FYI.
kusuriya
Posts: 2
Joined: 28. Sep 2014, 20:38
Primary OS: MS Windows 8
VBox Version: PUEL
Guest OSses: PCBSD, OpenBSD, Windows, FreeBSD, HURD

Re: Windows 4.3.16 specifically for errors due to security

Post by kusuriya »

A system restore won't really do anything since the restore points only get made with system updates and I haven't had a system update since this has happened. But I did walk away from it for a day, reboot it two more times, and this morning it is running fine with test build 3.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Windows 4.3.16 specifically for errors due to security

Post by mpack »

@XCD91: Try the 4.3.17 test build attached to the first post of this discussion. Also read the instructions in the first message.
bird
Oracle Corporation
Posts: 127
Joined: 10. May 2007, 10:27

Re: Windows 4.3.16 specifically for errors due to security

Post by bird »

Hi all.

Sorry for not getting back to any of you in a while, been busy trying to figure out a couple of the difficult bugs here. I'll be uploading test build #4 after some sleep and testing.
There should be one or more test builds over the next few days as issues are considered fixed, we hope to finally push out 4.3.18 next week.

Individual responses to posts after test build #3:


- Hopefully Resolved -

@XCD91: That's the Avast problem with 4.3.16. Please try the test build the first post in this thread points to, that will solve that issue.

@SteKs: That's the comctl32.dll issue. Fixed in test build #2 already.

@Docfxit: The first complaint about detoured.dll should be fixed by test build #4. I don't know which version of UltraVNC you're using, but if it's similar to the most recent one, you shouldn't have any trouble with that either when using test build #4.
Regarding the BSOD, I've found and fixed a related issue. The problem should hopefully be gone with test build #4. Many thanks for the detailed report.

@rexcat: Test build #4 should address your issue. Please check it out.

@dukkymai: I've reproduced and fixed the issue you're seeing. Please check out test build #4. (The problem was a -104 due to ZoneAlarm system call hooks seemingly doing a DuplicateHandle call twice, we expected to see it only once. On a side note, the ZoneAlarm Extreme Security seems to include the core of Kaspersky with some of their own additions.)

@ggambira: You may be experiencing the same issue as @dukkymai, so please check out test build #4 when it's available.

@shewfig: You've got some Sophos Web Intelligence stuff installed, which isn't installed using TrustedInstaller or LocalSystem as owner. A similar issue was reported via bug tracker ticket 13292. We've relaxed the requirements starting with test build #4. Please try it out.

@remoses: 4.3.16 extension pack works with 4.3.17 test builds. VBox is generally backwards compatible with older extension packs in the same release series (e.g. 4.3.x).

@kusuriya: Your windows\system32\SHCore.dll seems to have been modified, at least the hash we calculate for it did not match the signature stored in the file. We refuse to load modified DLLs as we have to assume the worst about who modified them. I don't know which service/whatever fixed the DLL for you, but I'm glad it works again.


- Unresolved with workaround? -

@JonathanThorpe, @Martasdx: I see. We've only seen this issue twice in the test lab, without being able to analyze it any further. The cure is rebooting as the first message normally suggests. Should that not help: 1. uninstalling VirtualBox, 2. then reboot, 3. install VirtualBox again, 4. then reboot, 5. must work. Now, if even that doesn't help, your AV software is interfering, I fear.

@akujin: You have an old version of Malwarebytes Anti-Malware installed. I'm unable to find that exact version and reproduce the issue. We've tested three different versions here, including the latest one, and they all work fine. Exact version or/and upgrade?


- Need feedback -

@rnewman: We have several positive feedbacks on Trend Micro AV/FW products. So, we need to figure out why your system reboots. Does it cause any minidump, log event, or similar to be created? If there is a minidump, you or we need to take a look at it and see who is the guilty party. If there are only log events or popup messages, the details usually are less helpful than a minidump, but still valuable, the details might provide clues.

@MT: Thanks for extensive and comprehensive testing. We've not been able to reproduce the issue with Trend Micro locally, I'm afraid, so could you please check the event log for crash details? Any chance of a minidump of the process (like rexcat was kind enough to supply)?

@spider38: Looks like someone is messing with the hotpatch locations in RtlFreeHeap (ntdll) and we're reaching an impasse of sorts, where I restore the original code and the other party relatively immediately reapplies one of the changes (inserting an invalid instruction for some reason). I doubt this is normal hotpatching machinery behavior, but just in case, do you have any Windows hot fixes installed or pending reboot? (Windows 8.1 retires the hot-patching support in the kernel and ntdll.dll, from what I can tell, so I doubt Microsoft is issuing a lot of hot-patch capable fixes and updates.) More importantly, any other protection software in addition to avast? I cannot see my avast installations here doing anything like this...

@khagaroth: Your windows\system32\uxtheme.dll seems to have been modified locally. Do you have any StarDock software installed for modifying the themes or similar?

@mjdbb1: I need your VBoxStartup.log to tell for sure, but it looks like you have the same problem as @khagaroth, i.e. uxtheme.dll has been modified. Same question: Do you have any windows theme software installed? If not, please upload VBoxStartup.log.

@Memiself: WinVerifyTrust fails on crypt32.dll, from the VBox perspective it looks like it may have been modified or replaced, which is a non-continuable error for us. Could you use sigcheck.exe from SysInternals/Microsoft or some similar tool to verify this? The output of the following would be appreciated: sigcheck.exe -i %windir%\system32\crypt32.dll

@sl4syh3r: WinVerifyTrust fails on user32.dll, from the VBox perspective it looks like it may have been modified or replaced, which is not acceptable to us. Could you perhaps use sigcheck.exe from SysInternals/Microsoft or some similar tool to verify this? The output of the following would be appreciated: sigcheck.exe -i %windir%\system32\user32.dll


- Still Pending -

@RelakS: Still not able to reproduce... (PS. If you have a minidump or something from the logs or popups, that could be of help.)
TODO: McAfee crash

@Redbyte, @mcdickey, @Krynos: Same problem, it seems, slightly different SEP versions though. What's more you're all on windows 8.1. We've been testing SEP on w8.0 and w7, hopefully something specific to running on 8.1... Investigating.
TODO: w8.1 + SEP

@lewekleonek: This is a reasonably old release of SEP that I'm afraid we haven't tested against. Any chance you may update to a more recent version? We'll be trying to locate this version and figure out what's going wrong as time permits.
TODO: w7.1 + SEP 12.1.1101.401, RU1 MP1; (symevent64x86.sys from 2011-11-22)

Kind Regards,
bird.
Knut St. Osmundsen
Oracle Corporation
bird
Oracle Corporation
Posts: 127
Joined: 10. May 2007, 10:27

Re: Windows 4.3.16 specifically for errors due to security

Post by bird »

Here's test build #4: https://www.virtualbox.org/download/tes ... 42-Win.exe

Changes since build #3:
* Combining Symantec Endpoint Protection and Comodo Firewall should no longer cause crash. (this may fix other problems)
* NAT problems some of you have should be fixed.
* Numerous problems related to refusal to load DLLs owned by the Builtin\Administrator group. For example the non-working NAT issue some of you have been seeing and Nvidia's detoured.dll.
* Error -104 respawn issues seen by ZoneAlarm users on 32-bit hosts.

Enjoy,
bird.
Knut St. Osmundsen
Oracle Corporation
rexcat
Posts: 32
Joined: 13. Sep 2014, 16:11

Re: Windows 4.3.16 specifically for errors due to security

Post by rexcat »

@bird: Unfortunately, test build #4 is still unable to run
Attachments
dump.7z
(183.15 KiB) Downloaded 20 times
spider38
Posts: 6
Joined: 15. Sep 2014, 11:58

Re: Windows 4.3.16 specifically for errors due to security

Post by spider38 »

@bird: Still unable to start a VM with test build 4.

Uninstalled VBox test build 3, rebooted

Installed test build 4, ran it and VM would still not start

Checked for any pending updates, one, so installed and rebooted

Started VBox, tried to start VM and it still wouldn't start (same error)

I don't have any hotpatches installed but further digging has reminded me that Windows Defender is running in the background
Initial error dialogue box
VBox 4.3.17-96342 error when attempting to start VM.png (25.4 KiB) Viewed 8488 times
Second dialogue box
VBox 4.3.17-96342 error when attempting to start VM second dialogue box.png (37.77 KiB) Viewed 8488 times
VBoxStartup.zip
Startup log
(15.11 KiB) Downloaded 29 times
RobBrownNZ
Posts: 12
Joined: 18. May 2010, 12:31
Primary OS: MS Windows 8
VBox Version: PUEL
Guest OSses: WinXP, Gentoo64, Gentoo32

Re: Windows 4.3.16 specifically for errors due to security

Post by RobBrownNZ »

Windows 8.1 x64
Avast! Free 2014.9.0.2021, definitions 140930-1

Test #4 installed correctly (no reboots needed) and has successfully run up the two VMs that I've tried it with (one 32-bit Linux, one 64-bit Linux). Also the VBoxLinuxAdditions installed correctly (kernel 3.16.3).

That's a big thumbs-up from me. Thanks!
RelakS
Posts: 15
Joined: 15. Sep 2014, 09:53

Re: Windows 4.3.16 specifically for errors due to security

Post by RelakS »

r96342 (TB #4)
On Windows 7 SP1 64bit with McAfee pack: Host Intrusion Prevention 8.0 (8.0.0.2151), McAfee Agent 4.6.0.3122, Endpoint Encryption Agent 1.2.1.315, Endpoint Encryption for PC 6.2.1.315, GTI Proxy Agent 1.1.0.550, Virus Scan Enterprise 8.8.0 (8.8.0.849)
VM extension pack 4.3.10 r93012

Error message:

Code:

Failed to open a session for the virtual machine BentlyTestPC.

The virtual machine 'BentlyTestPC' has terminated unexpectedly during startup with exit code 1 (0x1).  More details may be available in 'C:\Users\105038609\VirtualBox VMs\BN3500 and System1\BentlyTestPC\Logs\VBoxStartup.log'.

Result Code: E_FAIL (0x80004005)
Component: Machine
Interface: IMachine {480cf695-2d8d-4256-9c7c-cce4184fa048}

Startup Log attached.

bird, how can I get that minidump? Or if it is created automatically, where can I find it?
Attachments
VBoxStartup.zip
(10.57 KiB) Downloaded 19 times
khagaroth
Posts: 5
Joined: 6. Nov 2008, 18:01

Re: Windows 4.3.16 specifically for errors due to security

Post by khagaroth »

bird wrote: @khagaroth: Your windows\system32\uxtheme.dll seems to have been modified locally. Do you have any StarDock software installed for modifying the themes or similar?

I have patched DLLs (on disk) - themeservice.dll, themeui.dll and uxtheme.dll, this allows to use custom themes without any additional software running. StarDock and similar tools use in-memory patching if I remember correctly.
MikeDiack
Posts: 75
Joined: 20. Mar 2009, 15:57
Primary OS: MS Windows 8.1
VBox Version: PUEL
Guest OSses: Win 10, Win 7, XP, Linux, Win 8.1, Win 2000, Win NT 4
Location: UK

Re: Windows 4.3.16 specifically for errors due to security

Post by MikeDiack »

Test build 4 (4.3.17 build 96342) is confirmed as working well on a Windows 7 SP1 x64 host system with Symantec Endpoint Protection 12.1.4112.4156 for Windows XP and Windows 7 guest systems.
Docfxit
Posts: 129
Joined: 23. May 2014, 12:35
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: XP Pro, Win7, Win10

Re: Windows 4.3.16 specifically for errors due to security

Post by Docfxit »

Thank you very much for the update.
I have installed Test build #4: 4.3.17 r96342
I have re-booted
I have all firewalls off
I have all anti-virus off

I'm having trouble running the Vboxheadless. The command window opens. The Vbox window doesn't open
These are the errors I am getting:

Code:

VBoxHeadless: supR3HardenedScreenImage/Imports: rc=Unknown Status -22919 (0xffffa679) fImage=1 fProtect=0x0 fAccess=0x0 \Device\HarddiskVolume2\Windows\System32\igdusc64.dll: WinVerifyTrust failed with hrc=CERT_E_CHAINING on '\Device\HarddiskVolume2\Windows\System32\igdusc64.dll'
VBoxHeadless: supR3HardenedScreenImage/NtCreateSection: cached rc=Unknown Status -22919 (0xffffa679) fImage=1 fProtect=0x10 fAccess=0xf cErrorHits=1 \Device\HarddiskVolume2\Windows\System32\igdusc64.dll

This is the bat file I am running:

Code:

CD C:\Programs\VirtualBox
VBoxHeadless --startvm XPVirtualMachine >VBoxHeadlessConsole.log

VBoxStartup.zip
(31.52 KiB) Downloaded 22 times
VBox.log
(62.63 KiB) Downloaded 23 times
~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
This is an update 10/2/2014

I have tried all kinds of things in a desperate effort to get this running. I'm not trying to rush you. I'm trying to help resolve this problem.

My latest results to get this running are:
~*~*~* Test 1
Running this bat file:

Code:

CD C:\Programs\VirtualBox
VBoxHeadless --startvm XPVirtualMachine >VBoxHeadlessConsole.log

The cmd window stays open, nothing gets written to the log (even when I force the cmd window closed), and no console window or application window opens.

~*~*~* Test 2
Running this bat file:

Code:

CD C:\Programs\VirtualBox
VBoxManage.exe startvm "XPVirtualMachine" --type headless

The cmd window stays open, I get a message saying:
"Waiting for VM "XPVirtualMachine" to power on....
VM "XPVirtualMachine" has been successfully started."
No console window or application window opens.

I expect the startup program to open and it would be nice if the cmd window would close and I would have a way to close the VBox machine.

~*~*~* Test 3
When I start the VirtualBox Manager and select the green Start arrow:
I get the Oracle splash screen, XP starting screen small, XP starting screen maximized, XP wallpaper maximized ON, XP wallpaper maximized Off, XP startup program.
The VirtualBox Manager is still open with a preview of the XP wallpaper and the XP startup program open.
It would be nice if I could configure it to automatically close the VirtualBox Manager and have the X in the upper right corner shutdown VBox.

~*~*~* Test 4
Running this bat file:

Code:

CD C:\Programs\VirtualBox
Start /D "C:\Programs\VirtualBox" /B VBoxHeadless -s XPVirtualMachine -v on

I get the same results as in Test 1

~*~*~* Test 5
Running this bat file:

Code:

CD C:\Programs\VirtualBox
VBoxManage.exe startvm XPVirtualMachine -type GUI

The cmd window stays open, I get a message saying:
"Waiting for VM "XPVirtualMachine" to power on....
VM "XPVirtualMachine" has been successfully started.", XP starting screen small, XP starting screen maximized, XP wallpaper maximized ON, XP wallpaper maximized Off, XP startup program opens.
The cmd window is still open. The startup program is showing.
It would be nice if I didn't see all the other windows, I could configure it to automatically close the cmd window and have the X in the upper right corner shutdown VBox.
After selecting the x in the upper right to close the application window and the x in the upper right to close the cmd window I ran this bat file:

Code:

cd C:\Programs\VirtualBox\
VBoxManage controlvm "XPVirtualMachine" acpipowerbutton

The XP wallpaper maximized opens, the XP Shutdown window maximized opens, all windows close.
It would be nice if I didn't see all the windows.

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
To summarize everything:
It would be nice in Test #1 if it would just show the startup application window without all the other windows opening and closing and the X in the upper right corner would close the Virtual Machine.
This log is from Test #1 Where the startup application doesn't show.
VBox.logVBoxHeadless .zip
(12.8 KiB) Downloaded 20 times
I know this is in the files. I thought it might be more convenient to be listed here also:
Win7 64bit sp1
Bitdefender 2015 Turned off
ZoneAlarm Installed. Not running.
Windows Firewall Off
UAC Off

Thank you for working on it.

Docfxit
Last edited by Docfxit on 2. Oct 2014, 17:29, edited 2 times in total.
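
Added example, not part of the original thread and not VirtualBox code: a small triage script for the `supR3HardenedScreenImage` lines quoted in the post above. It groups rejections by DLL, checks that the decimal `rc` and the hex value agree, and builds the `sigcheck.exe -i` call bird asks for earlier in the thread. The function names are hypothetical, and the `%windir%` mapping assumes the Windows directory is `\Windows` on the logged volume.

```python
import re
from collections import OrderedDict

# First two lines are the ones quoted in the post above; the third is a
# constructed noise line to show that unrelated output is skipped.
SAMPLE_LOG = r"""VBoxHeadless: supR3HardenedScreenImage/Imports: rc=Unknown Status -22919 (0xffffa679) fImage=1 fProtect=0x0 fAccess=0x0 \Device\HarddiskVolume2\Windows\System32\igdusc64.dll: WinVerifyTrust failed with hrc=CERT_E_CHAINING on '\Device\HarddiskVolume2\Windows\System32\igdusc64.dll'
VBoxHeadless: supR3HardenedScreenImage/NtCreateSection: cached rc=Unknown Status -22919 (0xffffa679) fImage=1 fProtect=0x10 fAccess=0xf cErrorHits=1 \Device\HarddiskVolume2\Windows\System32\igdusc64.dll
VBoxHeadless: constructed line that is not a hardening message
"""

LINE_RE = re.compile(
    r"(?P<func>supR3Hardened\w+)/(?P<stage>\w+): (?:cached )?"
    r"rc=.*?(?P<rc>-\d+) \((?P<hex>0x[0-9a-f]{8})\)"
    r".*?(?P<path>\\Device\\[^:']+?\.(?:dll|exe|sys))"
    r"(?:: WinVerifyTrust failed with hrc=(?P<hrc>\w+))?",
    re.IGNORECASE,
)


def signed32(hex_text):
    """Interpret a 32-bit hex status such as 0xffffa679 as a signed integer."""
    value = int(hex_text, 16)
    return value - (1 << 32) if value & 0x80000000 else value


def parse_rejections(log_text):
    """Return {nt_path: info} for every image the hardening code refused."""
    found = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rc = int(m["rc"])
        if signed32(m["hex"]) != rc:
            continue  # decimal and hex disagree: treat the line as damaged
        entry = found.setdefault(
            m["path"], {"rc": rc, "hrc": None, "stages": []})
        entry["stages"].append(m["stage"])
        # Only the first (uncached) line carries the WinVerifyTrust result.
        entry["hrc"] = entry["hrc"] or m["hrc"]
    return found


def sigcheck_command(nt_path):
    """Build a sigcheck call for a rejected system DLL, or None if unmapped."""
    # Assumption: the Windows directory is \Windows on the logged volume.
    rest = re.sub(r"^\\Device\\HarddiskVolume\d+", "", nt_path)
    if rest.lower().startswith("\\windows\\"):
        return "sigcheck.exe -i %windir%" + rest[len("\\Windows"):]
    return None


if __name__ == "__main__":
    for path, info in parse_rejections(SAMPLE_LOG).items():
        print(path, info["rc"], info["hrc"], info["stages"])
        print("  verify with:", sigcheck_command(path))
```
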
cadoretti
Posts: 2
Joined: 1. Oct 2014, 18:00

Re: Windows 4.3.16 specifically for errors due to security

Post by cadoretti »

Windows 7, 64 bit Version 6.1.7601 Service Pack 1

Virtual Box 4.3.17 r96342 ( The latest test build to my knowledge as of writing )

Eset Endpoint Antivirus Version 5.0.2228.1

ESET SPECIFIC VERSIONS:
Virus signature database: 10494 (20141001)
Rapid Response module: 4819 (20141001)
Update module: 1052 (20140801)
Antivirus and antispyware scanner module: 1438 (20140917)
Advanced heuristics module: 1153 (20140915)
Archive support module: 1209 (20140812)
Cleaner module: 1100 (20140827)
Anti-Stealth support module: 1060 (20140514)
ESET SysInspector module: 1243 (20140903)
Self-defense support module: 1018 (20100812)
Real-time file system protection module: 1006 (20110921)
Translation support module: 1232 (20140624)
HIPS support module: 1146 (20140909)
Internet protection module: 1140 (20140806)
Database module: 1060 (20140714)


VirtualBox Error on start

(First dialog)
Error in supR3HardenedWinVerifyP... (cutoff by title)
Failed to verify process integrity: (rc=-5633)

Please try reinstalling virtual box

(Second dialog)
Result Code:
E_FAIL (0x80004005)
Component:
Machine
Interface:
IMachine {480cf695-2d8d-4256-9c7c-cce4184fa048}

Please let me know if I omitted important information
Attachments
VBoxStartup.zip
(11.63 KiB) Downloaded 19 times