[Solved] VirtualBox Hardening Problem on HP Elitebook

Posted: 22. Oct 2017, 12:11
by SysAdmin_Markus
Hello!

I've got some trouble with a fresh install upon my brand new HP Elitebook.

I'm trying to build a lab and I've installed Virtualbox Version 5.2.0 r118431 (Qt5.6.2) with standard settings. After that I've installed the actual Extension Pack which states version 5.2.0r118431.

After creating a Windows Server 2012R2 VM and trying to fire it up I'm getting the error message:
The virtual machine 'SRV-DC01' has terminated unexpectedly during startup with exit code -1073741819 (0xc0000005). More details may be available in 'C:\Users\marku\VirtualBox VMs\SRV-DC01\Logs\VBoxHardening.log'.


Fehlercode:
E_FAIL (0x80004005)
Komponente:
MachineWrap
Interface:
IMachine {85cd948e-a71f-4289-281e-0ca7ad48cd89}
I've looked into the VBoxHardening.log and it shows lacksWinVerifyTrust for the kernel32.dll.

What I've done so far:
  • completely reinstalled VirtualBox (deinstalled - rebooted the system - installed fresh)
  • checked my antivirus solution (I'm using Windows Defender) and created an exception for the kernel32.dll a few steps later (which hasn't got any effect regarding the error message)
  • ran an sfc /scannow with no problems found
  • deinstalled the expansion pack and tried to fire the VM up - same error
  • checked the details of the kernel32.dll - a certificate is attached and it is still ok
  • noticed that "HP Sure Click" (a security software which is part of the standard installation of my notebook) isn't compatible with VirtualBox (as stated by an error message of the software after booting) - deactivated it completely - no luck... the error persists

I'm attaching the ZIP with my Hardening.log. Maybe someone could point me in the right direction?

As a sidenote: the same Virtualbox installation on my main computer runs without any problems.

Any help would be appreciated.

Thanks in advance.

- Markus

Re: VirtualBox Hardening Problem on HP Elitebook

Posted: 22. Oct 2017, 14:10
by mpack
There's no need to add an exception for kernel32. There's no way that DLL is really unsigned. You have to interpret the hardening log as a history, you can't just focus on one line.

0xC0000005 is a common error, a memory access crash, probably because of an unsigned graphics DLL or hacked theme DLL.

See FAQ: Diagnosing VirtualBox Hardening Issues.

Re: VirtualBox Hardening Problem on HP Elitebook

Posted: 22. Oct 2017, 14:25
by SysAdmin_Markus
Thanks for your reply mpack.

I've read the FAQ a few times but I don't know how to find the cause of my problem. My system is up to date (all Windows updates applied and every update applied which the official HP update software suggests).

Tried to start the VM without GUI but that also fails.

Is there any tool available which can point me into the right direction to find the cause of my problem?

Regards

- Markus

Re: VirtualBox Hardening Problem on HP Elitebook

Posted: 22. Oct 2017, 14:54
by mpack
The easiest way to find the cause of the problem is to consider the likely candidates (hacked theme, unsigned graphics drivers, antivirus, Hyper-v, CredentialGuard/DeviceGuard), disable them and add them back one at a time until it breaks VirtualBox.

Except, don't bother adding back Hyper-v, xxxxGuard etc as there's no way those can run at the same time as VirtualBox.

I can tell you that your hardening log is very short, which usually means something fundamental has gone wrong: AV or Hyper-v. Graphics drivers tend to fail much later on, i.e. when the guest OS has booted and tries to use 3D acceleration. You don't seem to have any AV installed (did you temporarily disable Defender?).

Re: VirtualBox Hardening Problem on HP Elitebook

Posted: 22. Oct 2017, 15:25
by SysAdmin_Markus
I deactivated Defender yesterday evening via Group Policy but turned it on again after it changed nothing regarding my problem.

Just checked its status: Defender is up and running.

As I do not use any hacked theme (just Windows 10 Standard) I'm confused about how to find the cause.

I think I have to read the manual of VirtualBox regarding extended troubleshooting and have a look at the standard log files. Maybe I'll find some tips there about what is going wrong.

Re: VirtualBox Hardening Problem on HP Elitebook

Posted: 23. Oct 2017, 14:56
by SysAdmin_Markus
Could someone please advise me how to debug my problem further? I didn't find any other information which looks like a cause of my problem in the hardening log. Why does it show the message about "lacksWinVerifyTrust" about the kernel32.dll???

It's a bit confusing for me...

Re: VirtualBox Hardening Problem on HP Elitebook

Posted: 23. Oct 2017, 15:45
by mpack
Every log shows DLLs as lacking WinVerifyTrust: that's a perfectly normal default state until it has worked through the certificates. This is a red herring.

By the end of the log all of those DLL states should have shifted to verified - but your log doesn't get that far because the process terminates early due to a crash.

The only hint I see in your log is this section:
435c.23bc: supHardNtVpFreeOrReplacePrivateExecMemory: Freeing exec mem at 0000000000370000 (LB 0x1000, 0000000000370000 LB 0x1000)
435c.23bc: supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #1 succeeded: 0x0 [0000000000370000/0000000000370000 LB 0/0x1000]
435c.23bc: supHardNtVpFreeOrReplacePrivateExecMemory: QVM after free 0: [0000000000000000]/0000000000370000 LB 0x90000 s=0x10000 ap=0x0 rp=0x00000000000001
Which is NOT something I typically see. I don't really know what this is, but I can guess: I'm assuming that VirtualBox found a block of RAM marked as executable where it was expecting to find only data. That's a classic trick used by DLL injection mechanisms: write code for a LoadLibrary call into data RAM, copy it to the target process, then flag the RAM block as executable, and jump to it. VirtualBox says "oh no you don't" and discards that block of RAM. When the function is called, we get a crash.

So, some malware or some legit software on your host is trying to pull a shady stunt. It's up to you to identify what 3rd party software you've installed on your host which might want to pull stunts like that.
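
A small filter for the log lines singled out in the post above, added here as an example; it is not part of the original thread and not VirtualBox code. It extracts the `supHardNtVpFreeOrReplacePrivateExecMemory` entries from a hardening log and skips the signature-state lines; the function names are hypothetical and the first sample line is constructed.

```python
import re
from collections import defaultdict

# Lines 2-4 are the log lines quoted in the post above. Line 1 is constructed
# (its layout is an assumption) to stand in for normal signature-state noise.
SAMPLE_LOG = r"""435c.23bc: \Device\HarddiskVolume3\Windows\System32\kernel32.dll: lacksWinVerifyTrust
435c.23bc: supHardNtVpFreeOrReplacePrivateExecMemory: Freeing exec mem at 0000000000370000 (LB 0x1000, 0000000000370000 LB 0x1000)
435c.23bc: supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #1 succeeded: 0x0 [0000000000370000/0000000000370000 LB 0/0x1000]
435c.23bc: supHardNtVpFreeOrReplacePrivateExecMemory: QVM after free 0: [0000000000000000]/0000000000370000 LB 0x90000 s=0x10000 ap=0x0 rp=0x00000000000001
"""

FUNC = "supHardNtVpFreeOrReplacePrivateExecMemory: "
FREEING = re.compile(r"Freeing exec mem at ([0-9a-fA-F]+) \(LB (0x[0-9a-fA-F]+)")
SUCCEEDED = re.compile(r"Free attempt #\d+ succeeded: 0x[0-9a-fA-F]+ \[([0-9a-fA-F]+)/")


def find_exec_mem_frees(log_text):
    """Return one record per private executable region the hardening code freed."""
    events = {}  # (pid, address) -> record, in order of first appearance
    for line in log_text.splitlines():
        prefix, sep, rest = line.partition(": ")
        if not sep or not rest.startswith(FUNC):
            continue  # any other line, including signature-state lines
        pid = prefix.split(".")[0]  # log prefix is "pid.tid"
        msg = rest[len(FUNC):]
        m = FREEING.search(msg)
        if m:
            addr = int(m.group(1), 16)
            events[(pid, addr)] = {"pid": pid, "addr": addr,
                                   "size": int(m.group(2), 16), "freed": False}
            continue
        m = SUCCEEDED.search(msg)
        if m and (pid, int(m.group(1), 16)) in events:
            events[(pid, int(m.group(1), 16))]["freed"] = True
    return list(events.values())


def summarize(events):
    """Per-process count and total size of the regions found."""
    out = defaultdict(lambda: {"regions": 0, "bytes": 0})
    for e in events:
        out[e["pid"]]["regions"] += 1
        out[e["pid"]]["bytes"] += e["size"]
    return dict(out)


if __name__ == "__main__":
    for e in find_exec_mem_frees(SAMPLE_LOG):
        print(f"pid {e['pid']}: exec region at {e['addr']:#x}, "
              f"{e['size']:#x} bytes, freed={e['freed']}")
```

A non-empty result is only a pointer toward third-party code on the host; the log lines themselves do not name the product responsible.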

Re: VirtualBox Hardening Problem on HP Elitebook

Posted: 31. Oct 2017, 16:56
by SysAdmin_Markus
I think I've found the cause of my problem: I've deinstalled "HP Sure Click" - a safety tool which provides a high security level against cyber attacks in different browsers - completely. At my first attempt I've just deactivated it... but that wasn't enough. After deinstalling the program completely and restarting my elitebook and re-installing VirtualBox everything runs fine now. I've tried a reinstall of Virtualbox several times before without any effort. So the cause of my problem seems to be HP Sure Click.

I'll have a look at the functionality of Virtualbox on my elitebook for the next days but I think my problem is [solved] right now.

Re: VirtualBox Hardening Problem on HP Elitebook

Posted: 31. Oct 2017, 18:04
by mpack
Thanks for telling us. It's a pity that VirtualBox doesn't show HP Sure Click in the "adversaries list" in the hardening log, if it had then we would have been drawn to the cause immediately. Is this a normal host application, i.e. it isn't a BIOS thing that loads before Windows?

p.s. I should mention that both my home PC and my work PC are recent model HP branded. I haven't seen "HP Sure Click", though I usually make a point to discard all bundled software when I set up a new PC, so I may have done that and forgotten.
Edit: I created a ticket to report this problem. https://www.virtualbox.org/ticket/17229

Re: [Solved] VirtualBox Hardening Problem on HP Elitebook

Posted: 2. Nov 2017, 11:56
by SysAdmin_Markus
Hi mpack,

HP Sure Click is a regular host application which was preinstalled on my HP Elitebook x360 1030 G2. The HP website shows an info about this software that it is only available for the newest x360 Notebooks.

I usually discard also bundled software from my PCs but this time I've read this article https://blogs.bromium.com/hp-sure-click-end-user-help/ regarding HP Sure Click and thought to myself "Uhm... maybe some cool security feature I would like to test...". What I've not seen is that HP Sure Click throws me a note every time I boot up my notebook (after I installed VirtualBox) which states that HP Sure Click is not compatible with Virtualbox. And just deactivating this tool wasn't enough.

Thanks for your support mpack and for opening the ticket. Maybe some other Virtualbox-Users will get the same error messages and could be helped faster if some message will get shown by Virtualbox stating "You're using HP Sure Click and Virtualbox won't run with it yet.".

Re: [Solved] VirtualBox Hardening Problem on HP Elitebook

Posted: 2. Nov 2017, 15:37
by socratis
SysAdmin_Markus wrote: HP Sure Click throws me a note every time I boot up my notebook (after I installed VirtualBox) which states that HP Sure Click is not compatible with VirtualBox
And here's why. From the article you linked to:
When Sure Click is installed, it opens websites in a micro-VM (virtual machine). The micro-VM acts as a container that prevents malware from infecting your computer. Sure Click protects your computer every time you open a website because the activity is contained inside the micro-VM. If the site tries to infect your computer with malicious code, it will be contained within the micro-VM. This means your laptop will not be infected. If you see malware attempting to run, close the browser tab to destroy the malware and end the micro-VM session.
I wouldn't be surprised if HP Sure Click is using Hyper V. Unfortunately I can't download it and test that theory, since it isn't a downloadable option, it seems to come bundled with some of their laptops...

Re: [Solved] VirtualBox Hardening Problem on HP Elitebook

Posted: 7. Dec 2017, 17:11
by dracata
HP Sure Click is based on Bromium Isolation which uses a modified/hardened version of Xen (microXen, or uXen). You'll hit the same issues with HP Sure Click as you will with other Xen based products, due to the way that VB locks the VT-x extension. Bromium have introduced support for Virtual Box in their core product, so it wouldn't surprise me if this lands down stream in HP Sure Click at some point.

Re: [Solved] VirtualBox Hardening Problem on HP Elitebook

Posted: 7. Jul 2020, 21:25
by IzharKazmi
I was also facing the same issue on hp zbook.

After switching off "Threat Protection" on hp sure scan, the problem got resolved.

Unfortunately, adding an exclusion didn't help.