Windows 4.3.16 specifically for errors due to security


Post by Perryg » 10. Sep 2014, 00:21

4.3.18 has been released, so this topic has been locked and the discussion for 4.3.18 takes place here: https://forums.virtualbox.org/viewtopic.php?f=6&t=64111

This topic is specifically for Windows users that may still have issues seen in version 4.3.14 when the security was strengthened.

Please note that to be taken seriously you need to post a few items as attachments (compressed is preferred)

    1) Host and version
    2) VBoxStartup.log
    3) Host virus software or debugging programs.

Previous post for version 4.3.14 for reference https://forums.virtualbox.org/viewtopic.php?f=6&t=62615

Note that, as in the previous (4.3.14) discussion, the purpose of this topic is to gather diagnostic data needed to solve the hardening issues, and nothing else. Wibble posts, opinion posts, and posts that don't include necessary diagnostics will most likely be deleted. If a test build is created then you'll be expected to have tried it before you post.

Please be explicit about errors. Don't say "same as xxxxx". See list above for what's required.


Test build #9: 4.3.17 r96495

This should address the following issues:
- Deadlock starting VMs that many Avast users have reported.
- Exit on c:\windows\system32\comctl32.dll load.
- Log overflow issue.
- Ownership issue with comctl32.dll under WinSxS.
- The VERR_SUPDRV_APIPORT_OPEN_ERROR problem some of you have been seeing.
- Avast problem seen by a couple of users (NtCreateSection patching errors, invalid section protection, ++)
- Better error messages on VBoxDrvStub open errors.
- Combining Symantec Endpoint Protection and Comodo Firewall should no longer cause crash. (this may fix other problems)
- NAT problems some of you have should be fixed.
- Numerous problems related to refusal to load DLLs owned by the Builtin\Administrator group. For example the non-working NAT issue some of you have been seeing and Nvidia's detoured.dll.
- Error -104 respawn issues seen by ZoneAlarm users on 32-bit hosts.
- Windows 8.1 problems, like sysfer.dll (Symantec Endpoint Protection) showing, NtCreateSection issues with Avast, and others.
- Error reporting improvements (error details for vboxdrv.sys, DLL issues in VBox.log).
- Heap corruption or crash during VirtualBox startup.
- Evil handle problem some AVG users may experience. [not confirmed]
- Attempt at working around the BSODs users of Trend Micro's Data Loss Prevention Endpoint product(s) and some Digital Guardian product(s). [not confirmed]

Please do give the above build a spin before posting.

PS. Yes, you can use the 4.3.16 extension pack with this build.

PPS. Would be great if you could take this build for a spin even if things are already working for you. We're getting close to 4.3.18 and would appreciate some additional help testing it. Thanks in advance. :-)
Last edited by bird on 12. Oct 2014, 00:37, edited 23 times in total.
Reason: Add a note
Perryg
Site Moderator
 
Posts: 33876
Joined: 6. Sep 2008, 22:55
Primary OS: Linux other
VBox Version: OSE self-compiled
Guest OSses: *NIX

Re: Windows 4.3.16 specifically for errors due to security

Post by quiettime » 10. Sep 2014, 03:11

I installed VirtualBox-4.3.16-95972-Win.exe but I still have the same VERR_SUPDRV_APIPORT_OPEN_ERROR error.

ebc.1780: SUPR3HardenedMain: Respawn #2
ebc.1780: Error -3739 in supR3HardenedWinReSpawn! (enmWhat=3)
ebc.1780: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -3739 (0xfffff165) (rcNt=0xe986f165)

Windows 7 x64 host
MBAM Premium 1.75.0.1300 with database v2014.09.08.05

You can view my post concerning 4.3.14 and 4.3.15 for more information.
quiettime
 
Posts: 29
Joined: 17. Jan 2013, 06:19
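
Added example (not part of the original thread, and not VirtualBox code): a small Python triage pass over a VBoxStartup.log that pulls out the lines this topic asks posters to report, namely hardening errors, failed opens of \Device\VBoxDrvStub, and system DLLs whose in-memory code differs from the file on disk. The sample log is constructed from lines quoted by posters in this thread; the regular expressions and the `triage` function name are assumptions based on those lines only.

```python
import re

# Constructed sample: lines copied from the VBoxStartup.log excerpts posted in
# this thread, combined into one short log for the example.
SAMPLE_LOG = r"""
ebc.1780: SUPR3HardenedMain: Respawn #2
ebc.1780: Error -3739 in supR3HardenedWinReSpawn! (enmWhat=3)
ebc.1780: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -3739 (0xfffff165) (rcNt=0xe986f165)
1ff8.2834: supHardNtVpScanVirtualMemory: enmKind=SELF_PURIFICATION
1ff8.2834:  *0000000077430000-000000007742efff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\kernel32.dll
1ff8.2834: kernel32.dll: Differences in section #1 (.text) between file and memory:
1ff8.2834:   000000007748ef8d / 0x005ef8d: 60 != 62
1ff8.2834:   Restored 0x2000 bytes of original file content at 000000007748d000
"""

# Every log line starts with "<pid>.<tid>: " in hex (assumption from the excerpts).
LINE_RE = re.compile(r"^([0-9a-f]+)\.([0-9a-f]+): (.*)$")
ERROR_RE = re.compile(r"Error (-?\d+) in (\w+)!")
NTCREATE_RE = re.compile(r"NtCreateFile\((.+?)\) failed: .*\(rcNt=(0x[0-9a-f]+)\)")
DIFF_HDR_RE = re.compile(
    r"^(\S+): Differences in section #(\d+) \((\S+)\) between file and memory")
DIFF_BYTE_RE = re.compile(
    r"^\s+[0-9a-f]+ / 0x[0-9a-f]+: [0-9a-f]{2} != [0-9a-f]{2}$")
RESTORED_RE = re.compile(r"^\s+Restored (0x[0-9a-f]+) bytes")
# Per-region lines printed after a supHardNtVpScanVirtualMemory entry.
REGION_RE = re.compile(r"^\s+\*?[0-9a-f]{16}-[0-9a-f]{16}\s")


def triage(text):
    """Summarise the hardening-related events in a VBoxStartup.log."""
    report = {"errors": [], "open_failures": [], "patched": [], "region_lines": 0}
    open_diff = {}  # (pid, tid) -> "Differences" entry still collecting detail lines

    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank or unrecognised line
        pid, tid, msg = m.groups()
        key = (pid, tid)

        # Memory-scan region lines are bulk data; count them and move on.
        if REGION_RE.match(msg):
            report["region_lines"] += 1
            continue

        # A module whose code section in memory no longer matches the file,
        # which is what a third-party hook in that module looks like here.
        hit = DIFF_HDR_RE.match(msg)
        if hit:
            entry = {"pid": pid, "module": hit.group(1), "section": hit.group(3),
                     "bytes_changed": 0, "restored": 0}
            report["patched"].append(entry)
            open_diff[key] = entry
            continue

        # Detail lines belong to the most recent header from the same thread.
        entry = open_diff.get(key)
        if entry is not None:
            if DIFF_BYTE_RE.match(msg):
                entry["bytes_changed"] += 1
                continue
            hit = RESTORED_RE.match(msg)
            if hit:
                entry["restored"] += int(hit.group(1), 16)
                continue
            del open_diff[key]  # any other line ends the detail block

        hit = ERROR_RE.search(msg)
        if hit:
            report["errors"].append({"pid": pid, "tid": tid,
                                     "rc": int(hit.group(1)),
                                     "where": hit.group(2)})
        hit = NTCREATE_RE.search(msg)
        if hit:
            report["open_failures"].append({"pid": pid,
                                            "device": hit.group(1),
                                            "rcNt": hit.group(2)})
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```
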

Re: Windows 4.3.16 specifically for errors due to security

Post by Perryg » 10. Sep 2014, 03:29

@quiettime,

We need for you to post the information asked for here. Otherwise your issue will go unresolved.

Re: Windows 4.3.16 specifically for errors due to security

Post by revere521 » 10. Sep 2014, 05:37

Windows 7 64-bit
Avast anti-virus
Microsoft EMET DEP as well, but it's not running on the VirtualBox processes

Vbox was working with VirtualBox-4.3.15-95713-Win.exe, upgraded to VirtualBox-4.3.15-95923-Win.exe and now also to VirtualBox-4.3.16-95972-Win.exe and I am still experiencing the issue where no VMs will start.

I have several machines, Windows, Linux, BSD, Android etc. and none will start - the dialog "Creating process for virtual machine "xxxxx" (GUI/Qt)...(1/2)" loads after about 30 seconds and hangs.

The machine never loads, and if I cancel (clicking on the close 'x') the dialog disappears - but several orphaned VirtualBox.exe processes remain running that I cannot end in the task manager.

Only a hard shutdown will end the processes (rebooting or shutting down hangs waiting for those processes to end).

Here is another example VBoxStartup.log for Mint Linux:

Code:
1e00.21c8: Log file opened: 4.3.16r95972 g_hStartupLog=0000000000000018 g_uNtVerCombined=0x611db110
1e00.21c8: Calling main()
1e00.21c8: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
1e00.21c8: SUPR3HardenedMain: Respawn #1
1e00.21c8: System32:  \Device\HarddiskVolume3\Windows\System32
1e00.21c8: WinSxS:    \Device\HarddiskVolume3\Windows\winsxs
1e00.21c8: ProgDir:   \Device\HarddiskVolume3\Program Files
1e00.21c8: ComDir:    \Device\HarddiskVolume3\Program Files\Common Files
1e00.21c8: ProgDir32: \Device\HarddiskVolume3\Program Files (x86)
1e00.21c8: ComDir32:  \Device\HarddiskVolume3\Program Files (x86)\Common Files
1e00.21c8: '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
1e00.21c8: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBox.exe)
1e00.21c8: supR3HardNtEnableThreadCreation:
1e00.21c8: supR3HardNtDisableThreadCreation: pvLdrInitThunk=000000007767c340 pvNtTerminateThread=00000000776a17e0
1e00.21c8: supR3HardenedWinDoReSpawn(1): New child 2348.1df4 [kernel32].
1e00.21c8: supR3HardenedWinPurifyChild: PebBaseAddress=000007fffffd9000 cbPeb=0x380
1e00.21c8: supR3HardNtPuChFindNtdll: uNtDllParentAddr=0000000077650000 uNtDllChildAddr=0000000077650000
1e00.21c8: supR3HardNtPuChTriggerInitialImageEvents: uLdrInitThunk=000000007767c340 uNtTerminateThread=00000000776a17e0
1e00.21c8: supR3HardNtDisableThreadCreation: pvLdrInitThunk=000000007767c340 pvNtTerminateThread=00000000776a17e0
1e00.21c8: supR3HardNtPuChTriggerInitialImageEvents: mapping view of ntdll.dll[2nd]


Debian logs are exactly the same as Mint.

Arch Linux exhibits the same behavior - but the log gives some more detail:

Code:
2c28.1644: Log file opened: 4.3.16r95972 g_hStartupLog=0000000000000018 g_uNtVerCombined=0x611db110
2c28.1644: Calling main()
2c28.1644: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
2c28.1644: SUPR3HardenedMain: Respawn #1
2c28.1644: System32:  \Device\HarddiskVolume3\Windows\System32
2c28.1644: WinSxS:    \Device\HarddiskVolume3\Windows\winsxs
2c28.1644: ProgDir:   \Device\HarddiskVolume3\Program Files
2c28.1644: ComDir:    \Device\HarddiskVolume3\Program Files\Common Files
2c28.1644: ProgDir32: \Device\HarddiskVolume3\Program Files (x86)
2c28.1644: ComDir32:  \Device\HarddiskVolume3\Program Files (x86)\Common Files
2c28.1644: '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
2c28.1644: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBox.exe)
2c28.1644: supR3HardNtEnableThreadCreation:
2c28.1644: supR3HardNtDisableThreadCreation: pvLdrInitThunk=000000007767c340 pvNtTerminateThread=00000000776a17e0
2c28.1644: supR3HardenedWinDoReSpawn(1): New child 1ff8.2834 [kernel32].
2c28.1644: supR3HardenedWinPurifyChild: PebBaseAddress=000007fffffdb000 cbPeb=0x380
2c28.1644: supR3HardNtPuChFindNtdll: uNtDllParentAddr=0000000077650000 uNtDllChildAddr=0000000077650000
2c28.1644: supR3HardNtPuChTriggerInitialImageEvents: uLdrInitThunk=000000007767c340 uNtTerminateThread=00000000776a17e0
2c28.1644: supR3HardNtDisableThreadCreation: pvLdrInitThunk=000000007767c340 pvNtTerminateThread=00000000776a17e0
2c28.1644: supR3HardNtPuChTriggerInitialImageEvents: mapping view of ntdll.dll[2nd]
2c28.1644: supR3HardNtPuChTriggerInitialImageEvents: ntdll.dll[2nd] mapped at 0000000000260000 LB 0x1a9000
2c28.1644: supR3HardNtPuChTriggerInitialImageEvents: mapping view of kernel32.dll
2c28.1644: supR3HardNtPuChTriggerInitialImageEvents: kernel32.dll mapped at 0000000077430000 LB 0x11f000
2c28.1644: supR3HardNtPuChTriggerInitialImageEvents: mapping view of KernelBase.dll
2c28.1644: supR3HardNtPuChTriggerInitialImageEvents: KernelBase.dll mapped at 000007fefd540000 LB 0x6c000
2c28.1644: supR3HardNtPuChTriggerInitialImageEvents: Startup delay kludge #1: 16 ms
2c28.1644: supR3HardNtEnableThreadCreation:
2c28.1644: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
2c28.1644: '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
2c28.1644: '\Device\HarddiskVolume3\Windows\System32\apisetschema.dll' has no imports
2c28.1644: '\Device\HarddiskVolume3\Windows\System32\ntdll.dll' has no imports
1ff8.2834: Log file opened: 4.3.16r95972 g_hStartupLog=0000000000000014 g_uNtVerCombined=0x611db110
1ff8.2834: Calling main()
1ff8.2834: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
1ff8.2834: System32:  \Device\HarddiskVolume3\Windows\System32
1ff8.2834: WinSxS:    \Device\HarddiskVolume3\Windows\winsxs
1ff8.2834: ProgDir:   \Device\HarddiskVolume3\Program Files
1ff8.2834: ComDir:    \Device\HarddiskVolume3\Program Files\Common Files
1ff8.2834: ProgDir32: \Device\HarddiskVolume3\Program Files (x86)
1ff8.2834: ComDir32:  \Device\HarddiskVolume3\Program Files (x86)\Common Files
1ff8.2834: supR3HardenedWinInit: Startup delay kludge #2/0: 93 ms, 12 sleeps
1ff8.2834: supHardNtVpScanVirtualMemory: enmKind=SELF_PURIFICATION
1ff8.2834: '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
1ff8.2834: '\Device\HarddiskVolume3\Windows\System32\apisetschema.dll' has no imports
1ff8.2834: '\Device\HarddiskVolume3\Windows\System32\ntdll.dll' has no imports
1ff8.2834: kernel32.dll: Differences in section #1 (.text) between file and memory:
1ff8.2834:   000000007748ef8d / 0x005ef8d: 60 != 62
1ff8.2834:   Restored 0x2000 bytes of original file content at 000000007748d000
1ff8.2834: supR3HardenedWinInit: Startup delay kludge #2/1: 93 ms, 12 sleeps
1ff8.2834: supHardNtVpScanVirtualMemory: enmKind=SELF_PURIFICATION
1ff8.2834: '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
1ff8.2834: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBox.exe)
1ff8.2834: supHardNtVpScanVirtualMemory: enmKind=VERIFY_ONLY
1ff8.2834:   000007feff971000-000007fdff331fff 0x0001/0x0000 0x0000000
1ff8.2834:  *000007fffffb0000-000007fffff8cfff 0x0002/0x0002 0x0040000
1ff8.2834:   000007fffffd3000-000007fffffcafff 0x0001/0x0000 0x0000000
1ff8.2834:  *000007fffffdb000-000007fffffd9fff 0x0004/0x0004 0x0020000
1ff8.2834:   000007fffffdc000-000007fffffd9fff 0x0001/0x0000 0x0000000
1ff8.2834:  *000007fffffde000-000007fffffdbfff 0x0004/0x0004 0x0020000
1ff8.2834:  *000007fffffe0000-000007fffffcffff 0x0001/0x0002 0x0020000
1ff8.2834: SUPR3HardenedMain: Respawn #2
1ff8.2834: supR3HardNtEnableThreadCreation:
1ff8.2834: supR3HardenedMonitor_LdrLoadDll: pName=ADVAPI32.DLL *pfFlags=0x1000 pwszSearchPath=0000000000000000:<flags>
1ff8.2834: supR3HardenedMonitor_LdrLoadDll: 'ADVAPI32.DLL' -> 'C:\Windows\system32\ADVAPI32.DLL' [rcNt=0xc0150008]
1ff8.2834: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #0 'msvcrt.dll'.
1ff8.2834: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #12 'rpcrt4.dll'.
1ff8.2834: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume3\Windows\System32\advapi32.dll)
1ff8.2834: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\advapi32.dll
1ff8.2834: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'rpcrt4.dll'...
1ff8.2834: supR3HardenedWinVerifyCacheProcessImportTodos: 'rpcrt4.dll' -> '\Device\HarddiskVolume3\Windows\System32\rpcrt4.dll'
1ff8.2834: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume3\Windows\System32\rpcrt4.dll)
1ff8.2834: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\rpcrt4.dll
1ff8.2834: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'msvcrt.dll'...
1ff8.2834: supR3HardenedWinVerifyCacheProcessImportTodos: 'msvcrt.dll' -> '\Device\HarddiskVolume3\Windows\System32\msvcrt.dll'
1ff8.2834: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume3\Windows\System32\msvcrt.dll)
1ff8.2834: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\msvcrt.dll
1ff8.2834: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume3\Windows\System32\advapi32.dll [lacks WinVerifyTrust]
1ff8.2834: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #4 'msvcrt.dll'.
1ff8.2834: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #14 'rpcrt4.dll'.
1ff8.2834: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume3\Windows\System32\sechost.dll)
1ff8.2834: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\sechost.dll
1ff8.2834: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=000007fefd820000 'C:\Windows\system32\ADVAPI32.DLL'
1ff8.2834: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\apphelp.dll *pfFlags=0xffffffff pwszSearchPath=0000000000000000:<flags>
1ff8.2834: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume3\Windows\System32\apphelp.dll)
1ff8.2834: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\apphelp.dll
1ff8.2834: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'rpcrt4.dll'...
1ff8.2834: supR3HardenedWinVerifyCacheProcessImportTodos: 'rpcrt4.dll' -> '\Device\HarddiskVolume3\Windows\System32\rpcrt4.dll'
1ff8.2834: supR3HardenedScreenImage/Imports: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume3\Windows\System32\rpcrt4.dll [lacks WinVerifyTrust]
1ff8.2834: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'msvcrt.dll'...
1ff8.2834: supR3HardenedWinVerifyCacheProcessImportTodos: 'msvcrt.dll' -> '\Device\HarddiskVolume3\Windows\System32\msvcrt.dll'
1ff8.2834: supR3HardenedScreenImage/Imports: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume3\Windows\System32\msvcrt.dll [lacks WinVerifyTrust]
1ff8.2834: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume3\Windows\System32\apphelp.dll [lacks WinVerifyTrust]
1ff8.2834: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=000007fefd260000 'C:\Windows\system32\apphelp.dll'
1ff8.2834: supR3HardNtDisableThreadCreation: pvLdrInitThunk=000000007767c340 pvNtTerminateThread=00000000776a17e0
1ff8.2834: supR3HardenedWinDoReSpawn(2): New child 2d9c.24d4 [kernel32].
1ff8.2834: supR3HardenedWinPurifyChild: PebBaseAddress=000007fffffdf000 cbPeb=0x380
1ff8.2834: supR3HardNtPuChFindNtdll: uNtDllParentAddr=0000000077650000 uNtDllChildAddr=0000000077650000
1ff8.2834: supR3HardNtPuChTriggerInitialImageEvents: uLdrInitThunk=000000007767c340 uNtTerminateThread=00000000776a17e0
1ff8.2834: supR3HardNtDisableThreadCreation: pvLdrInitThunk=000000007767c340 pvNtTerminateThread=00000000776a17e0
1ff8.2834: '\Device\HarddiskVolume3\Windows\System32\ntdll.dll' has no imports
1ff8.2834: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\ntdll.dll)
1ff8.2834: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\ntdll.dll
1ff8.2834: supR3HardNtPuChTriggerInitialImageEvents: mapping view of ntdll.dll[2nd]


Both logs seem to suggest the issue is related to ntdll.dll - I am going to try this hotfix: https://support.microsoft.com/kb/261317 correction - this hotfix for Win 7 - https://support.microsoft.com/kb/2582203/en-us

and see if it's a Windows issue, and if not I will roll back, and report here

EDIT: hotfix has no bearing. Rolling back to VirtualBox-4.3.15-95713
Last edited by revere521 on 10. Sep 2014, 07:12, edited 1 time in total.
revere521
 
Posts: 7
Joined: 23. Aug 2014, 14:56

Re: Windows 4.3.16 specifically for errors due to security

Postby bird » 10. Sep 2014, 10:44

quiettime wrote: I installed VirtualBox-4.3.16-95972-Win.exe but I still have the same VERR_SUPDRV_APIPORT_OPEN_ERROR error.

ebc.1780: SUPR3HardenedMain: Respawn #2
ebc.1780: Error -3739 in supR3HardenedWinReSpawn! (enmWhat=3)
ebc.1780: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -3739 (0xfffff165) (rcNt=0xe986f165)

Windows 7 x64 host
MBAM Premium 1.75.0.1300 with database v2014.09.08.05

You can view my post concerning 4.3.14 and 4.3.15 for more information.


Tried both MBAM 1.75 and 2.0.2 and I'm unable to reproduce the issue with either version here. So, I need some more information from you in order to figure this one out. But first, let me start by explaining what exactly goes wrong here. The driver (vboxdrv) gets an error when trying to reference the "ApiPort" object for the current session. If you use WinObj (from Sysinternals) you'll find the "ApiPort" as \Windows\ApiPort for session 0 and \Sessions\*\Windows\ApiPort for the others, or at least that is how we understand it to be. One possible cause here is that we've got this wrong.

Here's what I need: When this error occurs, we print the exact path and error status. Since we're in kernel land, you need to use DebugView from SysInternals/Microsoft to catch it. Make sure to enable both "Capture Kernel" and "Enable Verbose Kernel Output". There will then be a message "vboxdrv: Error opening '\...\ApiPort': 0x????????" in the output.

Would also be cool if you could peek around using WinObj for ApiPort objects, esp at the location given in the vboxdrv message.

Kind Regards,
bird.
Knut St. Osmundsen
Oracle Corporation
bird
Oracle Corporation
 
Posts: 108
Joined: 10. May 2007, 10:27

Re: Windows 4.3.16 specifically for errors due to security

Postby bird » 10. Sep 2014, 11:17

revere521 wrote: Windows 7 64bit
Avast anti-virus
Microsoft EMET DEP as well, but it's not running on the virtualbox processes

Vbox was working with VirtualBox-4.3.15-95713-Win.exe, upgraded to VirtualBox-4.3.15-95923-Win.exe and now also to VirtualBox-4.3.16-95972-Win.exe and I am still experiencing the issue where no VMs will start.

I have several machines, windows, linux, bsd, android etc. and none will start - the dialog "Creating process for virtual machine "xxxxx" (GUI/Qt)...(1/2)" loads after about 30 seconds and hangs.

The machine never loads, and if I cancel (clicking on the close 'x') the dialog disappears - but several orphaned VirtualBox.exe processes remain running that I cannot end in the task manager.

Only a hard shutdown will end the processes (rebooting or shutting down hang waiting for those processes to end)


I'm unable to reproduce the issue here. Which avast! edition and version are you using?

The symptoms are similar to the issue we had with Symantec Endpoint Protection (SEP) in test build 7. However I was under the impression that recent avast versions didn't invade processes in the synchronous manner that SEP does and thus should not be subject to the same issue. Besides, if they did I would've expected immediate hangs every time, unlike the 2nd log you pasted. In the first case, it's so early we haven't even started talking to our kernel components, it's pure user land. Which means that it's probably avast being responsible for the hang. Now, what's more annoying is that the code that is causing the hang was intended to make avast work better...

Thanks for the report,
bird.
Knut St. Osmundsen
Oracle Corporation
bird
Oracle Corporation
 
Posts: 108
Joined: 10. May 2007, 10:27

Re: Windows 4.3.16 specifically for errors due to security

Postby wzis » 10. Sep 2014, 14:10

quiettime wrote: I installed VirtualBox-4.3.16-95972-Win.exe but I still have the same VERR_SUPDRV_APIPORT_OPEN_ERROR error.

ebc.1780: SUPR3HardenedMain: Respawn #2
ebc.1780: Error -3739 in supR3HardenedWinReSpawn! (enmWhat=3)
ebc.1780: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -3739 (0xfffff165) (rcNt=0xe986f165)

Windows 7 x64 host
MBAM Premium 1.75.0.1300 with database v2014.09.08.05

You can view my post concerning 4.3.14 and 4.3.15 for more information.

I got the same issue on Win7 x64 with Norton 360, YAC, McAfee
wzis
 
Posts: 14
Joined: 13. Sep 2008, 05:51

Re: Windows 4.3.16 specifically for errors due to security

Postby dexter86 » 10. Sep 2014, 14:23

Thanks for the update, now I can run VirtualBox but noticed something weird. I reported what my problem was with 4.3.14 in here https://forums.virtualbox.org/viewtopic ... 21#p293121. Now it works ok but VBoxStartup.log grows at an alarming rate in every VM I have, after a few minutes of running it is 19MB. I attached one from WinXP.
My host is Win 8.1 Update 1 x64, VB version 4.3.16 r95972, software that is causing this is http://www.moo0.com/software/WindowMenuPlus/
Attachments
VBox.zip
(198.43 KiB) Downloaded 177 times
dexter86
 
Posts: 8
Joined: 17. Jul 2014, 11:35

Re: Windows 4.3.16 specifically for errors due to security

Postby MikeDiack » 10. Sep 2014, 15:36

Just wanted to offer positive confirmation that 4.3.16 build 95972 now works CORRECTLY with Windows 7 x64 SP1 host and Symantec Endpoint Protection 12.1.4112.4156.
Well done from me at least - just wanted to confirm that this configuration is fine now.
MikeDiack
 
Posts: 66
Joined: 20. Mar 2009, 15:57
Location: UK
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Win 7, Vista, XP, Linux, Win 8/ Win 8.1, Win 2000, Win NT 4

Re: Windows 4.3.16 specifically for errors due to security

Postby TH0R » 10. Sep 2014, 16:53

I have problems after upgrading to 4.3.16, not sure what my previous version was.

- Running Windows 7 x64 SP1
- Microsoft Forefront Endpoint Protection:
Antimalware Client Version: 4.4.304.0
Engine Version: 1.1.10904.0
Antivirus definition: 1.183.2038.0
Antispyware definition: 1.183.2038.0
Network Inspection System Engine Version: 2.1.10903.0
Network Inspection System Definition Version: 112.5.0.0
- I don't have any other virus software or debugging programs as far as I know

I tried to exclude virtualbox directory from scanning, and the exe-files also. That didn't help.


Error message:

Failed to open a session for the virtual machine OEL 6 MySQL.

The virtual machine 'OEL 6 MySQL' has terminated unexpectedly during startup with exit code 1 (0x1). More details may be available in 'D:\VirtualMachines\OEL 6 MySQL\Logs\VBoxStartup.log'.

Result Code: E_FAIL (0x80004005)
Component: Machine
Interface: IMachine {480cf695-2d8d-4256-9c7c-cce4184fa048}




There was also a question about the following:
When this error occurs, we print the exact path and error status. Since we're in kernel land, you need to use DebugView from SysInternals/Microsoft to catch it. Make sure to enable both "Capture Kernel" and "Enable Verbose Kernel Output". There will then be a message "vboxdrv: Error opening '\...\ApiPort': 0x????????" in the output.

I did that, and I got this:

[28524] supR3HardenedScreenImage/NtCreateSection: rc=Unknown Status -5667 (0xffffe9dd) fImage=1 fProtect=0xf fAccess=0x10 \Device\HarddiskVolume2\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_a4d3b9377117c3df\comctl32.dll: supHardenedWinVerifyImageByHandle: TrustedInstaller is not the owner of '\Device\HarddiskVolume2\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_a4d3b9377117c3df\comctl32.dll'.
[28524] supR3HardenedMainGetTrustedMain: LoadLibrary "C:\Program Files\Oracle\VirtualBox/VirtualBox.dll" failed, rc=1790
Attachments
VBoxStartup.zip
(13.25 KiB) Downloaded 94 times
TH0R
 
Posts: 2
Joined: 10. Sep 2014, 13:03
Location: Groningen
Primary OS: MS Windows 7
VBox Version: OSE other
Guest OSses: RHEL,OEL,W2k8,W2k12
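An added triage sketch, not part of any post in this thread and not VirtualBox code: it scans hardening log records in the two prefix styles seen above (`pid.tid:` from VBoxStartup.log and `[pid]` from DebugView) and lists the ones carrying a negative status, which is how the failures reported here show up. The sample lines are copied from excerpts in this thread; the function, field and category names are this example's own.

```python
import re
from collections import Counter

# Lines copied from log excerpts quoted in this thread (not a complete log).
SAMPLE_LOG = r"""
ebc.1780: SUPR3HardenedMain: Respawn #2
ebc.1780: Error -3739 in supR3HardenedWinReSpawn! (enmWhat=3)
ebc.1780: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -3739 (0xfffff165) (rcNt=0xe986f165)
1ff8.2834: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume3\Windows\System32\advapi32.dll)
1ff8.2834: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\ntdll.dll)
[28524] supR3HardenedScreenImage/NtCreateSection: rc=Unknown Status -5667 (0xffffe9dd) fImage=1 fProtect=0xf fAccess=0x10 \Device\HarddiskVolume2\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_a4d3b9377117c3df\comctl32.dll: supHardenedWinVerifyImageByHandle: TrustedInstaller is not the owner of '\Device\HarddiskVolume2\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_a4d3b9377117c3df\comctl32.dll'.
"""

# "pid.tid:" (VBoxStartup.log) or "[pid]" (DebugView capture) record prefix.
PREFIX = re.compile(r"^(?:[0-9a-f]+\.[0-9a-f]+:|\[\d+\])\s+(.*)$")
RESPAWN = re.compile(r"SUPR3HardenedMain: Respawn #(\d+)")
NTCREATE = re.compile(r"NtCreateFile\((.+?)\) failed: .*?(-?\d+) \(0x[0-9a-f]+\)")
VERIFY = re.compile(r"^supHardenedWinVerifyImageByHandle: -> (-?\d+) \((.+)\)$")
SCREEN = re.compile(
    r"^supR3HardenedScreenImage/\w+: rc=\D*?(-?\d+)\b.*?(\\Device\\.+?): (.+)$")

# Status name as given by the poster whose log shows -3739.
NAMES = {-3739: "VERR_SUPDRV_APIPORT_OPEN_ERROR"}


def triage(text):
    """Return respawn stage, failing records and per-status verify counts."""
    report = {"respawn": 0, "failures": [], "verify_status": Counter()}
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue  # blank line or text that is not a hardening log record
        msg = m.group(1)
        if (r := RESPAWN.search(msg)):
            report["respawn"] = max(report["respawn"], int(r.group(1)))
        elif (r := NTCREATE.search(msg)):
            rc = int(r.group(2))
            report["failures"].append(
                ("driver-open", rc, r.group(1), NAMES.get(rc, "")))
        elif (r := VERIFY.match(msg)):
            rc = int(r.group(1))
            report["verify_status"][rc] += 1
            if rc < 0:  # IPRT convention: negative status means failure
                report["failures"].append(("image-verify", rc, r.group(2), ""))
        elif (r := SCREEN.match(msg)):
            rc = int(r.group(1))
            if rc < 0:  # image refused; keep the path and the stated reason
                report["failures"].append(
                    ("image-rejected", rc, r.group(2), r.group(3)))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("respawn stage:", result["respawn"])
    for kind, rc, target, detail in result["failures"]:
        print(f"{kind:15} rc={rc:<6} {target}\n    {detail}")
```

Positive statuses such as the 22900 entries are counted but not reported as failures, matching the excerpts above where those DLLs still load with rcNt=0x0.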

Re: Windows 4.3.16 specifically for errors due to security

Postby drescherjm » 10. Sep 2014, 17:00

VB_4.3.16_error.png

1. Windows 8.1 Enterprise / Virtual Box 4.3.16r95972

3. Symantec Endpoint Protection 12.1.4100.4126
Attachments
VBoxStartup.zip
(6.86 KiB) Downloaded 111 times
drescherjm
 
Posts: 13
Joined: 30. Apr 2008, 22:44

Re: Windows 4.3.16 specifically for errors due to security

Postby KHG » 10. Sep 2014, 17:53

The same problem has already been seen since version 4.3.14, and it still exists in 4.3.16. Downgrading to 4.3.12 has no such issue.

The log is as follows:
Code:
Failed to create the VirtualBox COM object.
The application will now terminate.
Callee RC: E_INVALIDARG (0x80070057)

Failed to open a session for the virtual machine test debian.

The virtual machine 'test debian' has terminated unexpectedly during startup with exit code 1 (0x1).  More details may be available in 'VBoxStartup.log'.


Code:
Result Code: E_FAIL (0x80004005)
Component: Machine
Interface: IMachine {480cf695-2d8d-4256-9c7c-cce4184fa048}


Startup log is attached.

Host: Microsoft Windows [Version 6.1.7601] Windows 7 Enterprise Service pack 1
Antivirus: Microsoft Forefront endpoint protection 2010
And other software that might try to inspect running processes in the system: Websense endpoint, and EMET.

Thanks.
Attachments
VBoxStartup.7z
(21.68 KiB) Downloaded 69 times
Last edited by KHG on 11. Sep 2014, 03:30, edited 1 time in total.
KHG
 
Posts: 4
Joined: 10. Sep 2014, 17:40

Re: Windows 4.3.16 specifically for errors due to security

Postby jgmp » 10. Sep 2014, 18:27

The problem I saw with 4.3.14 etc. continues. I guess it's considered security-related since I was criticized for posting outside of this string. The same error happens with multiple VMs:

Code:
Failed to open a session for the virtual machine Kali Linux.

The virtual machine 'Kali Linux' has terminated unexpectedly during startup with exit code 1 (0x1).  More details may be available in 'C:\Users\xxxxxxx\VirtualBox VMs\Kali Linux\Logs\VBoxStartup.log'.

Result Code: E_FAIL (0x80004005)
Component: Machine
Interface: IMachine {480cf695-2d8d-4256-9c7c-cce4184fa048}

It's on 64bit Win 7 Enterprise (6.1.7601 SP1 build 7601) with MS Forefront 4.5.216.0 and Windows Firewall
Attachments
VBoxStartup.zip
(9.34 KiB) Downloaded 75 times
jgmp
 
Posts: 4
Joined: 25. Aug 2014, 17:07

Re: Windows 4.3.16 specifically for errors due to security

Postby RockyHorror » 10. Sep 2014, 19:05

. Windows 8.1 64 bit
. Kaspersky Internet Security 14.0.0.4651

VirtualBox - Error in supR3HardenedWinReSpawn

NtCreateFile(\Device\VboxDrcStub) failed 0xc0000034
STATUS_OBJECT_NAME_NOT_FOUND (0 retries)
(rc=-101)

VBoxStartup.log attached. 4.3.12 works fine.

Thank you for your time.
Attachments
VBoxStartup.zip
(6.88 KiB) Downloaded 148 times
RockyHorror
 
Posts: 2
Joined: 10. Sep 2014, 18:56

Re: Windows 4.3.16 specifically for errors due to security

Postby mpack » 10. Sep 2014, 19:13

Please stop mentioning that "4.3.12 works fine". The comment is redundant - we are all perfectly aware of that already.

The hardening feature was introduced in 4.3.14, so the problem cannot exist in earlier versions. But, unless you intend sticking with 4.3.12 forever then it is 4.3.16 and later that we need to diagnose and fix issues with.
mpack
Site Moderator
 
Posts: 24489
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP
