Win 10 Pro supR3HardenedWinReSpawn rc -5640 Cannot Launch VMs

[JackDBR]

I've gone through these forums and done my best to troubleshoot on my own. If I have missed something, my apologies in advance.

Description of Problem
For weeks I've been running version 5.1.x with no problems. Last week I tried to fire up one of my Ubuntu guests and started getting this error dialog when trying to start a VM:

error-dialog-1.PNG (10.71 KiB) Viewed 3713 times

Followed by this second error dialog:

error-dialog-2.PNG (17.26 KiB) Viewed 3713 times

All of the guest VMs (all Ubuntu 16.04) had the same errors.

What I've Tried

• Created brand new guest VMs
• Installed version 5.2.8 (multiple times, uninstalling via Add-Remove/restarting/powering off each time)
• Installed version 4.3.12 (same approach as above)
• Installed all Windows updates
• Read through other topics on this issue (82106, 8379) and searched this forum and other sites
• ran sfc /scannow as an administrator which returned no issues
• ran dism.exe /online /Cleanup-Image /scanhealth as an administrator which returned no issues
• verified Hyper-V is disabled
• verified virtualization, etc is correctly set in BIOS
• tried launching guest VM via cli, both normally and headless, unsuccessful
• tried to make sense of the hardening log, unsuccessful, attached to this post
• cursed my corporate IT department, as they are sure to blame for this

What I Have NOT Tried

• Removing any temporary data files (are there any?) after uninstall
• Removing any registry entries (should I?) after uninstall
• Removing/disabling A/V (I cannot)
• Re-installing Windows (have to go through corporate IT, which would be painful)

Host Specs

• HP Z240 Tower Workstation
• Intel Core i7
• Windows 10 Pro 1709 build 16299.251 64bit
• A/V: Sophos Endpoint Security and Control, version 10.7 (note: I CANNOT DISABLE OR UNINSTALL THIS)

Hopefully this is sufficient information. Please let me know what else I can try! I'm at a total loss, at this point. I AM a local admin on this machine, and if it turns out to be a problem with A/V I can try to see if our IT will list Virtual Box as an exception, I just want to be as sure as possible that A/V is a problem before I make that request (it took them 3 months to make a simple DNS change for me).

Help me VirtualBox Kenobis ---- you're my only hope!!

[socratis]

I'm afraid that you already know the answer deep inside you Luke... but you're afraid to look.
Search your feelings Luke... it's your antivirus.

• Obiwan

First of all thank you for the detailed and clean way that you tried to tackle this. Kudos!

Yesterday, after struggling back and forth with a user that couldn't (for the life of him) install a perfectly looking Win2K guest, it turned out that it was his Avast antivirus. Mind you, there was no error messages, nothing. Simply stuck (for hours) at the "installing..." phase. Turned off the antivirus? Flies like an eagle...

I vowed that every conversation from now on will start with "Uninstall all 3rd party antivirus, then we can talk". And you know why? Because these pests, these infecting pests are becoming harder and harder to track. It's like they're trying to become rootkits, the very thing that they are claiming to protect you from!

If you can't uninstall your Antivirus, ask how you can add an exception for the VirtualBox directory and/or executables involved. Talk to Sophos. Tell them why this is happening by pointing them to the root problem that they're causing; they'll figure it out. The procedure that VirtualBox follows is not only legitimate, it's 100% justified and if every program said "Don't get into my process without proper authorized certificate", they'd be out of business.


PS. One thing that hasn't been included in the FAQ yet, is an experimental, hocus-pocus proposal to change the startup order of the "VBoxDrv.sys". See "Hardening Fix (workaround) For Error After Install and Restart" for more information. You could try this since you're an admin of your box, There's no logic in this, but... it has been reported as working sometimes, so I include it in cases where even an exorcism has failed.

[JackDBR]

Ugggh, bummer. Ok. *sigh* To corporate IT I will go and beg for an exception.

I tried the registry change per your referenced thread but had no luck. Appreciate the exposure to the black magic, but apparently my cauldron is broken.

Thanks for the reply. Will post back here with results if I'm able to get the exception.

[JackDBR]

@socratis

Reporting back. IT has granted me permission to disable my Sophos AV.

Steps I have taken:

• Stopped ALL Sophos running services
• Disabled ALL Sophos services (see attached screenshot)
• Same error as my original post
• Uninstalled VirtualBox via Add/Remove
• Restarted computer
• Confirmed Sophos services are still disabled and not running
• Re-installed VB 5.2.8 (as Administrator)
• Created new VM
• run

  sfc /scannow

• Still getting the exact same error

I'm not sure what else to try or how to see exactly what is blocking this. I'm fairly technical so is there something I can check in terms of logs, event viewer, traces, registry, etc? I uploaded the latest version of my hardening log.

services-disabled.PNG (18.97 KiB) Viewed 3641 times

[socratis]

IT has granted me permission to disable my Sophos AV.

But not to completely uninstall it, right?

I have a feeling that the drivers are still loading and are still causing something in the system. The drivers don't show up in the usual services app, even though they are services. The command to list all drivers is "sc query type= driver" - and yes, the strange syntax is required (space after = but not before). Run (as Administrator) the following:

• sc stop <drivername>

where "<drivername>" is your Sophos drivers. The failure (that I suspect will follow) might tell you something more about the whole thing...

[yomansaurabhj]

Hi,

I am also facing the exact same issue with only below differences

Host Specs
Dell Latitude
Intel Core i5
Windows 10 Enterprise 64bit
A/V: Symantec Endpoint Protection (note: I CANNOT DISABLE OR UNINSTALL THIS)

My Virtualbox was also running perfectly fine till few days back and all of sudden system had to be restarted and some Windows update took place.
Post that the box is giving same errors as mentioned by Jack.

One more thing, my colleagues are still able to run their VMs while running same A/V and company forced windows updates as well.

Could you please help.

[JackDBR]

IT has granted me permission to disable my Sophos AV.

But not to completely uninstall it, right?

No not to completely uninstall it.

The command to list all drivers is "sc query type= driver" - and yes, the strange syntax is required (space after = but not before). Run (as Administrator) the following:
sc stop <drivername>
where "<drivername>" is your Sophos drivers.

Ok I tried this. There was one service listed, and trying to stop it failed. So, I disabled it via

SC CONFIG <drivername> start= disabled

After a restart the Sophos service was no longer listed in SC query. In fact, NOTHING with "Sophos" in the name is listed.

I went through clean uninstall (uninstall via Add+Remove, then also deleted driver files and registry keys) and re-install. Launched the GUI, created a Linux VM with default settings (didn't even attach an ISO) and still the same error persists. I attached the latest hardening log, but I'm assuming it doesn't tell us anything new.