Process hardening preventing start up

[Tim W]

Hi All,

VirtualBox with Windows 10 host running a Linux guest is currently failing to start with the following error:

(rc=5640)

Please try re-installing VirtualBox

where: supR3HardenedWinReSpawn: what: 1
VERR_SUP_VP_THREAD_NOT_ALONE (-5640) - Process Verifivation Failure: The process has more than one thread.

The latest Windows updates were installed a few days ago but did not seem to cause any immediate problems. The laptop has been through several reboots since then without any updates installations being shown, VirtualBox has just stopped working for no reason I can tell.

This is a corporately managed laptop, but (unusually) I do have admin access because I'm classed as a developer, so I can make changes. However, uninstalling the anti-virus isn't an option since I don't have any way to re-install it (I suspect it may also precipitate a nasty phone call and removal of admin access) and I can't find an option to temporarily switch it off. (It's McAffee if anybody can point me at the option).

I have tried a complete re-install of VirtualBox twice, using "run as administrator" but this did no good.

I have also tried the "delayed start" registry change from another post (the forum is refusing to let me post links right now, the thread is titled "Hardening Fix (workaround) For Error After Install and Restart")

I have been through the FAQ thread linked from other posts. Hyper-V isn't enabled and the VM is going form a clean start, not a suspended state. As previously mentioned, I haven't touched the Anti-virus, although I did do a forced update on it just in case it was a transient problem with the A/V that has a fix. I have no idea how to interpret the hardening log, so have attached it to this post (zipped because it's too big uncompressed).

The client I'm working for is a "pure windows" shop who insist that I use there windows laptop for work, but they are actually employing me to do Linux work so the VirtualBox VM is critical. So any help would be much appreciated, I'm personally a bit "at sea" when it comes to anything Windows related, especially Windows 10.

Ideally I would like a proper fix, but if there isn't one, is there any way to disable the hardening check in VirtualBox? Since it's really critical that I get this running again (I'm at a total standstill until it is), I'd rather take the risk.

Thank you in advance!

[mpack]

https://www.google.com/search?q=%22proc ... ualbox.org

[Tim W]

I've already done that search, the links that come up include the ones I was referring to in my original post. My browser shows them as "visited". I followed the advice in them, it didn't help. Perhaps I missed something in those threads, if so I would appreciate some guidance as to what it was. I was hoping that somebody here could interpret the attached log file, one of the pieces of advice in those links was to get the log file and post it so that the experts here had something to go on.

[mpack]

"Thread not alone" means that something, IME usually the "safe web filter" component of your antivirus package, is injecting itself into VirtualBox. Nothing more definite can be said, because none of us can know what combination of software exists on your PC. The only solution is to identify what software is causing the problem (think about it, then confirm by disabling it), and then either permanently uninstall that software or configure it to exempt VirtualBox from its activities.

[Tim W]

Yes, I figured that was the case, I tried to do so before posting here. The final piece of advice in the FAQ on this issue was to post a zipped copy of the log file here and ask for help, since I got as far as I could with the FAQ I followed that advice in the hope of expert help.

I was hoping somebody could look at the log file and tell me what the process is that's causing the problem, I can't make any sense of the log since there is no marker that is obvious to me in the log against the various DLL's that says "this one is bad", it just lists a load of stuff and then says there is a problem without linking the error message to the DLL that triggered the error. That link probably is there, but it's not clear how I diagnose it. Alternatively, could somebody tell me what to look for in the DLL listing that would give me a clue. Since VirtualBox is able to detect that this is happening, surely there must be some way to get it to chuck out the name of the offending DLL? What I've not found in the other threads on this topic is a concise description of what to look for in the log to give me a starting point and since I don't have any way to re-install much of what is on the laptop so I can't start removing stuff for the sake of experimentation. I do have admin access to the PC but I'm locked out of the A/V config by the corporate settings, so if the A/V is causing the problem I need proof from the log so that I can raise a support ticket to ask for an exception to be made, or the offending DLL to be updated.

Alternatively, is anybody able to advise on my other question, can I simply disable the process hardening check as a work around?

[mpack]

The final piece of advice in the FAQ on this issue was to post a zipped copy of the log file here and ask for help

In this case the log has done its job. It has identified that "thread not alone" is the error, and it has the solutions already mentioned.

can I simply disable the process hardening check as a work around?

Hardening would be useless if it could easily be disabled. So no.

[Tim W]

In this case the log has done its job. It has identified that "thread not alone" is the error, and it has the solutions already mentioned.

Yes, but which DLL is causing the error, or does the log not show that, what I'm asking is how to identify from the log the DLL that is causing the problem? Surely there must be some kind of marker in the log, or additional debugging I can turn on that will show the DLL name? Fiddling with the A/V and uninstalling/re-installing stuff is not an option.

[mpack]

There's no way to know what DLL causes the problem. Except that it belongs to software which is not part of VirtualBox and not native to Windows.

Do you really have so much spyware installed on your PC that you have difficulty guessing which one (or more than one) it might be?

[Tim W]

Do you really have so much spyware installed on your PC that you have difficulty guessing which one (or more than one) it might be?

To be honest, I have no idea. I'm doing some freelance development work for a large company that has a "Microsoft only" corporate network where you can only use a laptop they provide with there standard corporate software set up pre-installed on the network. So I've been provided with a Windows 10 laptop to do the work, but I'm not that experienced with Windows and have barely used 10 before. I'm a Linux person, I don't really "do" windows, but am currently stuck with it.

The problem is that the work they have asked me to do actually requires a functioning Linux system, that's why I'm there, they need to do some Linux stuff but don't have anybody who understands Linux. So running VirtualBox was the obvious solution and they were happy to agree to that and give me some admin access to the Windows laptop to install software, up to yesterday that solution was working perfectly.

The catch for diagnosing the problem is that I don't have access to the A/V config and there are some other functions that are locked down. I can de-install some of the software, but I don't have any way to put it back again and if I mess about too much with an OS and software setup I don't understand, I'm going to land myself in trouble with the IT support team. If I go through official channels to get permission to start doing that (or have somebody else do it), it could take weeks to get approval. I can try asking for permission to have VirtualBox excluded from the A/V but that could take a while and if it turns out not to be the problem then I'll have to start over and request something else and I'll probably have had to expend a lot of "political" capital to get it approved, considering the corporate security policies excluding software from A/V is probably going to require a lot of convincing. So what I'm desperate for is some kind of logging that actually identifies the DLL that is triggering the error in VirtualBox, that way I can have confidence that when I put in the support request that it will solve the problem.

I can't ask you to provide what doesn't exist, if there really is no way to tell from the logs, then it can't be done. But if there is anything you can suggest that might allow me to glean some information from the logs, it would be much appreciated. If not, I'll try asking for VirtualBox to be excluded from the A/V, but if that doesn't work, then to be honest, I need to look at alternative VM software. I may simply go for the alternate VM software anyway, I really need this working by tomorrow morning and right now that seems like the only solution that will get me going again.

[socratis]

We can't always tell which DLL or process to be more exact might be responsible, because often these processes use sneaky tactics. Just like a virus...

So, unless you can start stopping/uninstalling 3rd party programs, there's not that much we can do. Sometimes even the developers can't do anything with that. They only know that the memory space of VirtualBox has been tainted. Who, what, when? Sometimes it's difficult (if not impossible) to tell...

[mpack]

The log shows McAfee AV installed, so I guess I would start by looking to see if any of their modules are responsible. As I already said above, common culprits are "web safe" Internet browser filters. These inject themselves into every app on the PC on the offchance that the app is an Internet browser.

But, if it's not your PC then I doubt they'll be interested in disabling AV even if you point out that Win10, unlike Win7, has perfectly capable security built in.

[Tim W]

Thanks for the suggestions. As a thought for the future, rather than the ability to switch of the process hardening in the standard binary, would you consider providing an alternative build that has process hardening off by default. That would satisfy the people who feel that providing a way to switch off hardening is a bad idea (I appreciate the reason), while not making things impossible for people like me who have legitimate problems with hardening. I would rather take the risk.

[socratis]

would you consider providing an alternative build that has process hardening off by default.

We're not Oracle developers or employees, we're simple users here, so this is my opinion and my opinion alone.

There's a known security vector, and I (being a multi-billion company) decide to release a non-secure product, while knowing about the security hole???

How do you spell "lawsuit" in your native language?
In mine it's "μήνυση" and it's a royal pain to deal with. You don't want that...

The only realistic way would be to build VirtualBox from the source code, and disable all hardening checks...