W10 14971 Certificate is invalid

For discussions related to using VirtualBox on Windows pre-releases (e.g. Windows 10 > build 10240).
soulraventnt
Posts: 3
Joined: 14. Oct 2016, 22:47

W10 14971 Certificate is invalid

Post by soulraventnt »

It seems now with this build the certificate for ntdll.dll is invalid. Any quick fix?
4a8.31c0: VBoxHeadless.exe: timestamp 0x582c8767 (rc=VINF_SUCCESS)
4a8.31c0: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe' has no imports
4a8.31c0: Error (rc=-23033):
4a8.31c0: supHardenedWinVerifyProcess failed with Unknown Status -23033 (0xffffa607): Certificate is not valid (ValidTime=2088-08-14T12:05:18.000000000Z Validity=[2014-05-28T17:33:33.000000000Z...2029-05-28T17:43:33.000000000Z]): \Device\HarddiskVolume2\Windows\System32\ntdll.dll
4a8.31c0: Error -23033 in supR3HardNtChildPurify! (enmWhat=5)
4a8.31c0: supHardenedWinVerifyProcess failed with Unknown Status -23033 (0xffffa607): Certificate is not valid (ValidTime=2088-08-14T12:05:18.000000000Z Validity=[2014-05-28T17:33:33.000000000Z...2029-05-28T17:43:33.000000000Z]): \Device\HarddiskVolume2\Windows\System32\ntdll.dll
Attachments
VBoxHardening.log
(9.82 KiB) Downloaded 300 times
Last edited by socratis on 18. Nov 2016, 20:58, edited 2 times in total.
Reason: rev1: Marked as [Solved] in the title. rev2: Removed it since it didn't apply to all users.
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: W10 14971 Certificate is invalid

Post by socratis »

I deleted your other post from the general "VirtualBox on Windows Hosts" forum, since this is a more appropriate one. I will not delete your third post on the same problem, since it's only a redirect to this thread, but remember in the future that duplicate posts are not allowed.

As for the certificate, Microsoft has invalidated itself in the past. Nobody but them can fix it, so my guess is that you'll either have to downgrade your Win10, or wait for a new fix. In any event, you should definitely let Microsoft know about it.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
LtRadar
Posts: 1
Joined: 18. Nov 2016, 14:34

Re: Discussion of Problems due to Hardened Security

Post by LtRadar »

1)Win10 vbox ver Version 5.1.9 r111957 (Qt5.6.2) also in 5.1.8 hence tried latest test build
2)attached log
3)related stuff
Just autoupdated to latest win 10 insider 14971.1000 build and got this message
Image

and "Failed to open a session for the virtual machine xp.

The virtual machine 'xp' has terminated unexpectedly during startup with exit code 1 (0x1). More details may be available in 'D:\Virtual Machines\xp\Logs\VBoxHardening.log'.

Result Code: E_FAIL (0x80004005)
Component: MachineWrap
Interface: IMachine

"
was working fine in 14965 and 5.1.8
AVG Internet Security
Intel inbuild graphics
No firewall
UAC disabled
On windows insider program fast channel
developer mode
no issues on sfc or chkdsk
Attachments
VBoxHardening.log
(16.61 KiB) Downloaded 270 times
klaus
Oracle Corporation
Posts: 1110
Joined: 10. May 2007, 14:57

Re: W10 14971 Certificate is invalid

Post by klaus »

Chatted with the user this morning on IRC, and I interpret the messages he wrote at the end as having VirtualBox working as it should after

Code: Select all

sfc /scannow
. Looks like a weird messup in the user's install which got cured by using the proper files.
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: W10 14971 Certificate is invalid

Post by socratis »

OK, thanks klaus, good to keep that in mind...
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
rseiler
Posts: 158
Joined: 5. Feb 2009, 20:26

Re: [Solved] W10 14971 Certificate is invalid

Post by rseiler »

Based on comparing logs anyway (see attached), it sounds like what I mentioned here:
viewtopic.php?p=378466#p378466

...is the same problem.

However, when looking at the cert for that file, it looks valid to me. And it expires May 15, 2017.

I do see some mentions of this in the Feedback Hub, too, so I don't think it's some messup with one (or, two, including me) user's install.

For reference, someone opened this, but it points back here:
https://www.virtualbox.org/ticket/16198

I also tried the 111957 test build.
Attachments
VBoxHardening.log
(9.97 KiB) Downloaded 272 times
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: [Solved] W10 14971 Certificate is invalid

Post by socratis »

rseiler wrote:..is the same problem.
So did you try the same solution that "klaus" pointed to the OP? I.e. run:

Code: Select all

sfc /scannow
rseiler wrote:For reference, someone opened this, but it points back here:
"kalikosmil" opened the bug, "KWierso" simply said me too (with no logs), I took a look at the log of "kalikosmil" and pointed them here. The forums are the true place for discussions, not the bugtracker.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
rseiler
Posts: 158
Joined: 5. Feb 2009, 20:26

Re: [Solved] W10 14971 Certificate is invalid

Post by rseiler »

socratis wrote:
rseiler wrote:..is the same problem.
So did you try the same solution that "klaus" pointed to the OP? I.e. run:
Yes:
Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.
It would have been very weird if it found an integrity problem after installing a new build, since that process does its own checking of this type, and the odds of there being that kind of problem afterwards is very low-to-impossible. Usually, that sort of problem develops over time.

For anyone curious, run (from an admin prompt):
sfc /verifyonly
ASM
Posts: 1
Joined: 18. Nov 2016, 19:53

Re: [Solved] W10 14971 Certificate is invalid

Post by ASM »

I have the same problem: "Certificate is invalid".
The proposed solutions not working for me.

Windows 10 14971
VirtualBox 5.1.8 111374 / 5.1.9 111957
Attachments
VBoxHardening.log
(9.88 KiB) Downloaded 269 times
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: W10 14971 Certificate is invalid

Post by socratis »

@rseiler
I went only with information given from a VirtualBox developer with almost identical VBoxHardening.logs (thanks for including yours, btw, so that I could compare them). It seemed like it was worth a shot. Too bad it's not a generic solution...

@ASM
You have an almost identical log. Same things apply to you. Nothing solid at the moment I'm afraid, that's why the only thing that I could do is to remove the "[Solved]" from the topic title...

I still believe that this is a Microsoft mess, as it's not the first time that they've invalidated their own systems. It used to be KB articles, now it's called ... insider builds. I really don't have a clue if the devs can provide a solution or not.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
klaus
Oracle Corporation
Posts: 1110
Joined: 10. May 2007, 14:57

Re: W10 14971 Certificate is invalid

Post by klaus »

To state the obvious: no software vendor can possibly support the Insider Previews. There are simply too many changes in it, many of which have seen only very limited QA. Often changes get pulled once Microsoft realizes that it's having bad side effects.

Another issue is that getting access to Insider Previews requires the authority to sign licensing documents, which is something very hard to do in big corporations. Especially when these documents talk about Microsoft having the right to retrieve pretty much any piece of data from a system which has an IP build running - should Oracle risk having its proprietary information transferred off a Windows 10 IP install?

So never ever expect Insider Preview to be suitable for anything but toying around. It's NOT meant for production use. There's nothing wrong with reporting issues to us, we'll always see what we can do about it.
rseiler
Posts: 158
Joined: 5. Feb 2009, 20:26

Re: W10 14971 Certificate is invalid

Post by rseiler »

@socratis. Thanks for getting back. So this particular flavor, relating to a certificate (apparently), seems to be something new then? I know that there have been epic threads over the years about various hardening issues, so our finding a new variation on that is quite the thing. :)
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: W10 14971 Certificate is invalid

Post by socratis »

@rseiler, you mentioned something before, that made me think twice:
rseiler wrote:It would have been very weird if it found an integrity problem after installing a new build, since that process does its own checking of this type, and the odds of there being that kind of problem afterwards is very low-to-impossible.
That assumes that the integrity check is happening with a known "signature" at the time of the installation, correct? You compare the signature of "ntdll.dll" with the signature that you have on the installer. A match? Proceed and update the system.

But, what if you "forget" at the last step to also update the system known signatures? Or you end up with a mix of signatures? I really don't know how the whole thing works, i.e. is it self signed per file, or it has a database of known files/signatures?

Just thinking out loud...

Update: Then the "sfc /verifyonly" would fail too, wouldn't it? You'd think...
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
rseiler
Posts: 158
Joined: 5. Feb 2009, 20:26

Re: W10 14971 Certificate is invalid

Post by rseiler »

Yeah, I'm not sure of how the checks work in any detail.

I should add that ntdll.dll is one of the more critical dlls in Windows, if not the most important one. You would think that if it had a problem, then there would be problems showing up everywhere. Process Explorer shows that there are an incredible 151 processes on my system at the moment that are using ntdll.dll. Many are system services.

That would seemingly point back to the given app as opposed to Windows itself being the culprit.

(It's actually probably more like 135, since some of those processes are using \windows\syswow64\ntdll.dll, which is a different file used by 32-bit apps.)
Jacob Klein
Posts: 696
Joined: 20. Nov 2013, 01:07

Re: W10 14971 Certificate is invalid

Post by Jacob Klein »

To me, it seems we do have a "new failure point" here, and we are doing what we can to give details. I would only expect Oracle to put in a fix if they believe Microsoft will commit to whatever was changed with the OS that broke things. And I would only expect that fix to be committed, in the days/weeks leading up to the release of the new OS build to general users, even if we'd prefer it quicker.

In short ... Would never want Oracle to put in a stub or shim to work around a buggy OS build. Would only want fixes they think would "stay committed, relevant for the release OS build."

It would be nice if an Oracle dev let us know their take on this particular issue, even if no fix is warranted. But it's okay if we don't get that communication, too.

I will have to rely on my "Release partition", until the "Fast partition" can do VirtualBox again :)
Post Reply