VirtualBox - Error in supR3HardenedWinReSpawn
For completeness I have included a failed and successful log file - I believe they are irrelevant to where this post is going.
The errors this post concerns have been seen many times:
First Error Box
Error relaunching VirtualBox VM process: 5
Command line:
'60eaff78-4bdd-042d-2e72-669728efd737-suplib-3rdchild --comment "Linux Mint 19" --startvm 053ed1c4-3fe2-40a2-8b25-42cf7a360707 --no-startvm-errormsgbox "--sup-hardening-log=E:\VirtualBox VMs\Linux Mint 19\Logs\VBoxHardening.log"' (rc=-104)
Please try reinstalling VirtualBox.
where: supR3HardenedWinReSpawn what: 5
VERR_INVALID_NAME (-104) - Invalid (malformed) file/path name.
Second Error Box
VirtualBox - Error
Failed to open a session for the virtual machine Linux Mint 19.
The virtual machine 'Linux Mint 19' has terminated unexpectedly during startup with exit code 1 (0x1). More details may be available in 'E:\VirtualBox VMs\Linux Mint 19\Logs\VBoxHardening.log'.
Result Code: E_FAIL (0x80004005)
Component: MachineWrap
Interface: IMachine {85632c68-b5bb-4316-a900-5eb28d3413df}
Testing procedure:
Host:
- OS: Windows 10 Pro, Version 10.0.18362 Build 18362
- CPU: Intel Core i7-7700K
- Using VirtualBox 5.2.30-130521.
I haven't run it in quite some time because of this recurrent error. I even reverted to version 4.0.36 at one time because of this issue. I hate to say that I have been using VMWare Player v12 for years because of work obligations, but I have the freedom to use what I like now that I have retired. I much prefer the VirtualBox interface and it's so easy to pause the VM, take snapshots and save the machine states at power down, etc. I also prefer to use Open Source whenever possible. I just don't have the ability to debug it!!
Created a new VM: Linux 64-bit (also 32-bit). VM won't start: Errors as above. Uninstalled Avast antivirus. Checked Hyper-V is disabled in "Windows Features".
Tried "sfc /scannow": all OK. Checked "sc.exe query vboxdrv"
SERVICE_NAME: vboxdrv
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Tried starting headless: only got second error box. Log file contains this (does this indicate that it thinks ntdll.dll is a problem?):
3bf8.35ac: '\Device\HarddiskVolume8\Windows\System32\ntdll.dll' has no imports
3bf8.35ac: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume8\Windows\System32\ntdll.dll)
3bf8.35ac: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume8\Windows\System32\ntdll.dll
3bf8.35ac: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\ntdll.dll (Input=ntdll.dll, rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801:<flags> [calling]
3bf8.35ac: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007fff1b9e0000 'C:\WINDOWS\System32\ntdll.dll'
3bf8.35ac: Error -104 in supR3HardenedWinReSpawn! (enmWhat=5)
3bf8.35ac: Error relaunching VirtualBox VM process: 5
Command line: '60eaff78-4bdd-042d-2e72-669728efd737-suplib-3rdchild --comment "Linux Mint 19" --startvm 053ed1c4-3fe2-40a2-8b25-42cf7a360707 --no-startvm-errormsgbox "--sup-hardening-log=E:\VirtualBox VMs\Linux Mint 19\Logs\VBoxHardening.log"
also:
1458.ab4: supR3HardenedMonitor_LdrLoadDll: rejecting 'C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooks64.dll' (C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooks64.dll): rcNt=0xc0000190
1458.ab4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0xc0000190 'C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooks64.dll'
1458.ab4: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status -23021 (0xffffa613)) on \Device\HarddiskVolume8\Program Files (x86)\RivaTuner Statistics Server\RTSSHooks64.dll [lacks WinVerifyTrust]
179c.2e14: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 2576 ms, the end);
So I stopped Riva Tuner Statistics Server: It still exits with the same error.
Uninstalled VirtualBox 5.2.30. (Note: Even using IOBit Uninstaller, the procedure does not remove any extra registry keys that the VBox uninstaller may leave behind, e.g. file associations, AppIDs, etc.)
Reboot.
Installed VirtualBox-6.1.0-135406-Win.exe as administrator with all defaults. Interestingly it still remembered all my old VMs. Although they have been physically removed from the disk, the locations are still stored somewhere. The <user>\.VirtualBox folder is retained, though the VM location is not stored there! Where is this info saved?
Started the previously created Linux VM. No issues - it started just fine. It forced me to choose an ISO, so I ran a live Linux Mint ISO without installing.
Shut down the VM.
NOTE:
- Riva Tuner Statistics Service is running normally.
- Trusteer Endpoint Protection Console is installed but not running.
- RapportInjService_x64 and RapportMgmtService are both running.
- Avast antivirus is still uninstalled at this stage.
Reboot. Try to start my VM. Same errors as before. WTF? Uninstalled VirtualBox 6.1.0. Reboot. Installed VirtualBox 6.1.0 as administrator again. Did not start it once installed.
Tried the VBoxDrv "delayed" start (see Start values below):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VBoxDrv\Start changed from 1 to 3 as in
viewtopic.php?f=6&t=82277&hilit=delay+start+vboxdrv
Reboot.
sc query vboxdrv
SERVICE_NAME: vboxdrv
TYPE : 1 KERNEL_DRIVER
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Try to start VM. New error:
NtCreateFile(\Device\VBoxDrvStub) failed: 0x0000034
STATUS_OBJECT_NAME_NOT_FOUND (0 retries) (rc=-101)
Make sure the kernel module has been loaded successfully.
where: supR3HardenedWinReSpawn what: 3
VERR_OPEN_FAILED (-101) - File/Device open failed. Driver is probably stuck stopping/starting...
"sc query vboxdrv" still says it is STOPPED. There obviously isn't any demand from the VirtualBox app.
sc start vboxdrv
SERVICE_NAME: vboxdrv
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
Try to start VM. Got two User Account Control pop-ups to allow VirtualBox to make system changes. (?) VM is running! Of course it doesn't have a system installed and the ISO is not mounted, but otherwise looks OK.
Reboot just to check. Try to start VM. Same -101 error.
Manually start VBoxDrv
sc start vboxdrv
No UAC pop-ups this time.
Try to start VM. Success. Again, WTF?
Conclusion:
- Try the registry edit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VBoxDrv
Change the "Start" value from 1 to 3 as in viewtopic.php?f=6&t=82277&hilit=delay+start+vboxdrv
- Any time you boot your computer (and want to use VirtualBox) open a command prompt by typing "cmd" at the start menu, then click on "Run as administrator" or use Ctrl-Shift-Enter.
(You need elevated privileges to alter the service state - an administrator account is not enough.)
- Type "sc start vboxdrv" at the command line and hit Enter.
- Start your VM as normal.
Works for me. YMMV. Now we just need to find out why...
I found this ticket
https://www.virtualbox.org/ticket/13187 which is quite old but still relevant. Is it worth adding to that discussion? Are there other tickets you guys are already adding to?
Useful info follows:
https://docs.microsoft.com/en-gb/window ... -directive
Start can have values as follows:
VALUE             LOADER   MEANING
0x0 (Boot)        Kernel   Part of the driver stack and must be loaded by the Boot Loader
0x1 (System)      I/O      Driver to be loaded at Kernel initialization
0x2 (Automatic)   SCM      Loaded or started automatically for all startups
0x3 (Demand)      SCM      Available, but will not be started until called upon
0x4 (Disabled)    SCM      Not to be started under any conditions
A Start value of 2 does not work because the service is Type 1 and is not controlled by SCM (services.msc), similarly inserting a registry value for delayed start does nothing (AutoStartDelay). So for us the only option is a Start value of 3 and a manual request.
StartType=start-code
Specifies when to start the driver as one of the following numeric values, expressed either in decimal or, as shown in the following list, in hexadecimal notation.
0x0 (SERVICE_BOOT_START)
Indicates a driver started by the operating system loader.
This value must be used for drivers of devices required for loading the operating system.
0x1 (SERVICE_SYSTEM_START)
Indicates a driver started during operating system initialization.
This value should be used by PnP drivers that do device detection during initialization but are not required to load the system.
For example, a PnP driver that can also detect a legacy device should specify this value in its INF so that its DriverEntry routine is called to find the legacy device, even if that device cannot be enumerated by the PnP manager.
0x2 (SERVICE_AUTO_START)
Indicates a driver started by the service control manager during system startup.
This value should never be used in the INF files for WDM or PnP device drivers.
0x3 (SERVICE_DEMAND_START)
Indicates a driver started on demand, either by the PnP manager when the corresponding device is enumerated or possibly by the service control manager in response to an explicit user demand for a non-PnP device.
This value should be used in the INF files for all WDM drivers of devices that are not required to load the system and for all PnP device drivers that are neither required to load the system nor engaged in device detection.
0x4 (SERVICE_DISABLED)
Indicates a driver that cannot be started.
This value can be used to temporarily disable the driver services for a device. However, a device/driver cannot be installed if this value is specified in the service-install section of its INF file.
Service Type:
Interestingly, vboxdrv.sys does not appear in services.msc nor Task Manager nor in SysInternals PsService because it is set to Type = 1 (SERVICE_KERNEL_DRIVER).
The services that are controlled by the Service Manager (services.msc) are listed as Type 16 (0x10), Type 32 (0x20) (can share a process with other services), Type 272 (0x110) or Type 288 (0x120) (usually third party services).
ServiceType=type-code
The type-code for a kernel-mode device driver must be set to 0x00000001 (SERVICE_KERNEL_DRIVER).
The type-code for a Microsoft Win32 service that is installed for a device should be set to 0x00000010 (SERVICE_WIN32_OWN_PROCESS) or 0x00000020 (SERVICE_WIN32_SHARE_PROCESS). If the Win32 service can interact with the desktop, the type-code value should be combined with 0x00000100 (SERVICE_INTERACTIVE_PROCESS).
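A small triage script for VBoxHardening.log excerpts like the ones quoted in the post, added here as an example (it is not part of the original post and not VirtualBox code). It separates LdrLoadDll calls that returned rcNt=0x0 from those that returned a failure status, and pulls out the respawn error and the child exit code. The sample lines are copied from the post; the function and field names are illustrative, and the regexes assume only the line shapes shown above.

```python
import re

# Lines copied from the VBoxHardening.log excerpts quoted in the post.
SAMPLE_LOG = r"""
3bf8.35ac: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007fff1b9e0000 'C:\WINDOWS\System32\ntdll.dll'
3bf8.35ac: Error -104 in supR3HardenedWinReSpawn! (enmWhat=5)
3bf8.35ac: Error relaunching VirtualBox VM process: 5
1458.ab4: supR3HardenedMonitor_LdrLoadDll: rejecting 'C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooks64.dll' (C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooks64.dll): rcNt=0xc0000190
1458.ab4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0xc0000190 'C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooks64.dll'
179c.2e14: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 2576 ms, the end);
"""

# "<pid>.<tid>: message" prefix used on every hardening log line.
PREFIX = re.compile(r"^([0-9a-f]+\.[0-9a-f]+): (.*)$")
LDR_RET = re.compile(r"supR3HardenedMonitor_LdrLoadDll: returns rcNt=(?P<rc>0x[0-9a-fA-F]+)"
                     r"(?: hMod=\S+)? '(?P<path>[^']+)'")
RESPAWN_ERR = re.compile(r"Error (?P<rc>-?\d+) in (?P<where>\w+)! \(enmWhat=(?P<what>\d+)\)")
CHILD_EXIT = re.compile(r"supR3HardNtChildWaitFor\[\d+\]: Quitting: ExitCode=(?P<code>0x[0-9a-fA-F]+)")


def triage(log_text):
    """Split a hardening log into loaded DLLs, rejected DLLs, errors and child exits."""
    report = {"loaded": [], "rejected": {}, "errors": [], "exits": []}
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue  # blank or unprefixed continuation line
        proc, msg = m.groups()
        if (r := LDR_RET.search(msg)):
            if int(r["rc"], 16) == 0:       # NTSTATUS 0: the load was allowed
                report["loaded"].append(r["path"])
            else:                            # non-zero NTSTATUS: the load was refused
                report["rejected"][r["path"]] = r["rc"]
        elif (e := RESPAWN_ERR.search(msg)):
            report["errors"].append((proc, int(e["rc"]), e["where"], int(e["what"])))
        elif (x := CHILD_EXIT.search(msg)):
            report["exits"].append((proc, int(x["code"], 16)))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, status in result["rejected"].items():
        print(f"rejected {path} (rcNt={status})")
    for proc, rc, where, what in result["errors"]:
        print(f"{proc}: rc={rc} in {where}, enmWhat={what}")
    for proc, code in result["exits"]:
        print(f"{proc}: child exited with {code:#x}")
```

To run it on a real log, pass the file's text to triage() instead of SAMPLE_LOG.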