Hardening Fix (workaround) For Error After Install and Restart


Postby djex81 » 17. Mar 2017, 00:11

Hello all. For a few years now I've had issues upgrading to any version newer than 4.3.12 due to the added security (hardening) in VirtualBox. After many hours of searching the internet and these forums I could not find an answer and so I decided to find a fix myself. I found a relatively simple and quick fix. I'm not sure if this will fix all the hardening issues but I know it will fix the issue I was having and from reading the 33 pages of the "Discussion of Problems due to Hardened Security" thread it should help out quite a few people who were having the same issue. Anyway, the details are below.

Related Posts
https://forums.virtualbox.org/viewtopic ... ot#p379939
https://forums.virtualbox.org/viewtopic ... ot#p372996
https://forums.virtualbox.org/viewtopic ... ot#p347196
https://forums.virtualbox.org/viewtopic ... ot#p385653
https://forums.virtualbox.org/viewtopic ... ot#p387357


Problem Replication:
OS: Windows 7 Pro 64bit (updates KB3004394, KB3045999, and KB3081320 NOT INSTALLED)
Anti-Virus: ESET

  • Completely uninstall the currently installed VirtualBox (4.3.12 or anything newer).
  • Reboot the computer to make sure drivers are not loaded
  • Install the latest version of VirtualBox (current is 5.1.18) or any version newer than 4.3.12.
  • After 5.1.18 install completes do not restart the computer. You should be able to run VirtualBox and any VM you had previously.

    The Problem
  • If you then restart the computer after installing a version of VirtualBox newer than 4.3.12, VirtualBox will run but you will not be able to load any of the VMs and will get the error below or something very similar:

    Error relaunching VirtualBox VM process: 5
    Command line: '60eaff78-4bdd-042d-2e72-669728efd737-suplib-3rdchild --comment intelios --startvm 53f35ed5-907b-4e1f-a86b-e971c2f866d0 --no-startvm-errormsgbox "--sup-hardening-log=C:\SPB_Data\VirtualBox VMs\WinXP\Logs\VBoxHardening.log" (rc=-104)


    Please try reinstalling VirtualBox.

    where: supR3HardenedWinReSpawn what: 5 VERR_INVALID_NAME (-104) -
    Invalid (malformed) file/path name.

Solution (Workaround)
For some reason when the VboxDRV.sys kernel driver gets loaded and started on boot something breaks. Now it may be my anti-virus hooking into it but I have not tested that. I did try disabling (not uninstalling) the AV with no difference. The solution I found was to delay the startup of VboxDRV service by setting its startup type to Demand. This way VboxDRV.sys will load but not start on system boot and will only start when it is needed. Conveniently, running VirtualBox will trigger VboxDRV service to start and by that time the boot process should be complete and everything works without any issues (opening VMs without the error above).

I found this fix works best if done in this order:
  1. Completely uninstall any VirtualBox currently installed
  2. Restart the computer
  3. Install the latest version of VirtualBox
  4. After install completes do not restart the computer
  5. Open the registry editor. Start > Run > regedit
  6. Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VBoxDrv
  7. Edit the key called Start. Change its value from 1 to 3
  8. Close the registry editor and restart your computer. After your computer restarts you should be able to use VirtualBox without any issues.

Upon restart you can confirm VBoxDrv did not start on boot by opening command prompt > type sc query vboxdrv > under STATE it should say STOPPED

Hope this helps someone. I know it's not a proper fix but it's the best one so far for people where reinstalling Windows or uninstalling their anti-virus is not an option.
Last edited by djex81 on 19. Mar 2017, 17:44, edited 3 times in total.
djex81
 
Posts: 5
Joined: 16. Mar 2017, 23:07
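
The registry change and the sc query check from the post above, as an added PowerShell example that is not part of the original thread. The function names and the change-log file name are assumptions made here; the key path and the values 1 and 3 are the ones given in the post. Run it from an elevated prompt.

```powershell
# Added example, not code from the thread. Key path and Start values 1/3 are from the post.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\services\VBoxDrv'
# Hypothetical log location, used to record the old value for audit and rollback.
$ChangeLog = Join-Path $env:TEMP 'VBoxDrv-Start-change.log'

# Windows service start types as stored in the Start value.
$StartNames = @{
    0 = 'SERVICE_BOOT_START'
    1 = 'SERVICE_SYSTEM_START'
    2 = 'SERVICE_AUTO_START'
    3 = 'SERVICE_DEMAND_START'
    4 = 'SERVICE_DISABLED'
}

function Get-VBoxDrvStart {
    if (-not (Test-Path $KeyPath)) {
        throw 'VBoxDrv service key not found; is VirtualBox installed?'
    }
    $value = [int](Get-ItemProperty -Path $KeyPath -Name Start).Start

    # In PowerShell "sc" is an alias for Set-Content, so call sc.exe explicitly.
    $state = 'UNKNOWN'
    $line  = sc.exe query vboxdrv |
        Select-String -Pattern 'STATE\s+:\s+\d+\s+(\w+)' |
        Select-Object -First 1
    if ($line) { $state = $line.Matches[0].Groups[1].Value }

    New-Object PSObject -Property @{
        Start     = $value
        StartName = $StartNames[$value]
        State     = $state
    }
}

function Set-VBoxDrvDemandStart {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Writing under HKLM requires an elevated prompt.'
    }

    $before = Get-VBoxDrvStart
    if ($before.Start -eq 3) { return $before }   # already demand start

    # The post changes 1 -> 3 only; leave any other value (for example 4,
    # disabled by an administrator) untouched.
    if ($before.Start -ne 1) {
        throw "Unexpected Start value $($before.Start) ($($before.StartName)); not changing it."
    }

    # Record the previous value before writing.
    $entry = '{0} VBoxDrv Start {1} -> 3' -f (Get-Date -Format s), $before.Start
    Add-Content -Path $ChangeLog -Value $entry

    Set-ItemProperty -Path $KeyPath -Name Start -Value 3 -Type DWord
    Get-VBoxDrvStart
}

# Step 7 of the post:        Set-VBoxDrvDemandStart
# Check after the reboot:    Get-VBoxDrvStart   (State should read STOPPED)
```

After the restart, Get-VBoxDrvStart should report Start 3 and State STOPPED until VirtualBox is launched.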

Re: Hardening Fix (workaround) For Error After Install and Restart

Postby socratis » 17. Mar 2017, 00:30

That's the first time that I've heard of that solution (delayed loading of the VBoxDrv.sys) so I can't comment on its effectiveness (or not), but allow me to have my doubts.

However, I should point out that a couple of days ago the "Discussion of Problems due to Hardened Security" thread was closed, and a new HowTo "Diagnosing VirtualBox Hardening Issues" came to life, which summarizes the collective knowledge of 2.83 years (or, 1034 days as of today) of seeing hardening issues. You might want to check it out.

djex81 wrote:I know it's not a proper fix but it's the best one so far for people where reinstalling Windows or uninstalling their anti-virus is not an option.
I don't believe that re-installing Windows was ever a suggestion. Fixing system DLLs with the known "sfc /scannow" to revert the damage from custom themes to inappropriate updates, was. Uninstalling the antivirus is definitely one of the first ones.

I can tell you one thing: if your antivirus vendor cannot sign their own DLLs with a proper security certificate, they shouldn't be in the antivirus business, or you shouldn't trust them to begin with. Plus on all the supported Windows hosts (>= 7) there is a built-in antivirus that knows how to work properly and not being so invasive.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
socratis
Site Moderator
 
Posts: 22893
Joined: 22. Oct 2010, 11:03
Location: Greece
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5

Re: Hardening Fix (workaround) For Error After Install and Restart

Postby djex81 » 17. Mar 2017, 01:00

socratis wrote:That's the first time that I've heard of that solution (delayed loading of the VBoxDrv.sys) so I can't comment on its effectiveness (or not), but allow me to have my doubts.


Well it seems someone did know about this delayed loading. Looking at the VBoxDrv.inf file there is a line commented out under [VBoxDrv_Service]. See below:

C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.inf
[VBoxDrv_Service]
DisplayName    = %VBoxDrv.SVCDESC%
ServiceType    = 1                  ; SERVICE_KERNEL_DRIVER
;StartType      = 3                  ; SERVICE_DEMAND_START
StartType      = 1                  ; autostart to fix Vista problem
ErrorControl   = 1                  ; SERVICE_ERROR_NORMAL
ServiceBinary  = %12%\VBoxDrv.sys


Uncommenting the StartType = 3 line and commenting out StartType = 1 then reinstall the VboxDrv driver will do the same thing as setting the start type in the registry.

socratis wrote:However, I should point out that a couple of days ago the "Discussion of Problems due to Hardened Security" thread was closed, and a new HowTo "Diagnosing VirtualBox Hardening Issues" came to life, which summarizes the collective knowledge of 2.83 years (or, 1034 days as of today) of seeing hardening issues. You might want to check it out.


Yes I am aware of that and I also read the new thread but it did not help.

socratis wrote:I don't believe that re-installing Windows was ever a suggestion. Fixing system DLLs with the known "sfc /scannow" to revert the damage from custom themes to inappropriate updates, was. Uninstalling the antivirus is definitely one of the first ones.


You're right, I was mistaken. Reinstalling Windows was a suggestion to fix the issue of a corrupted Windows certificate database due to Windows updates KB3004394, KB3045999, and KB3081320 which produced issues with hardening in VirtualBox. I also ran the sfc but that did not fix the problem.

socratis wrote:I can tell you one thing: if your antivirus vendor cannot sign their own DLLs with a proper security certificate, they shouldn't be in the antivirus business, or you shouldn't trust them to begin with. Plus on all the supported Windows hosts (>= 7) there is a built-in antivirus that knows how to work properly and not being so invasive.


ESET anti-virus has properly signed DLLs. Like you, I still don't understand why delaying the start of the VboxDRV load works and the only thing I can think of is something during boot interfering with loading VboxDRV.sys. As for the built-in Windows anti-virus I don't trust them but that's my own opinion.
djex81
 
Posts: 5
Joined: 16. Mar 2017, 23:07

Re: Hardening Fix (workaround) For Error After Install and Restart

Postby socratis » 17. Mar 2017, 01:29

djex81 wrote:C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.inf

That's a very good find! However, I went back to see when that delayed start was added, and I ended up in Rev. 1 (the first ever check in) and it was still there. Rev. 2676 (the next revision) was on 05/16/2007-05-15, so it wasn't anyone testing the delayed start, I think someone just copied/pasted the whole thing and never actually tested it, at least not publicly.

djex81 wrote:Like you, I still don't understand why delaying the start of the VboxDRV load works
I'm at a loss as well, that's why I can't figure out why the whole concept of the delayed start would work. VirtualBox checks if anything is trying to get itself injected in its own process. When this is happening seems quite clear from the logs, but I may be wrong.

djex81 wrote:Yes I am aware of that and I also read the new thread but it did not help.
Since you only have two posts, both in this thread, I assume you never posted a VBoxHardening.log. Could you zip one from a failed session and upload it?
socratis
Site Moderator
 
Posts: 22893
Joined: 22. Oct 2010, 11:03
Location: Greece
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5

Re: Hardening Fix (workaround) For Error After Install and Restart

Postby djex81 » 17. Mar 2017, 03:32

socratis wrote:That's a very good find! However, I went back to see when that delayed start was added, and I ended up in Rev. 1 (the first ever check in) and it was still there. ...

Ahh ok just a coincidence then that it was in there.

socratis wrote:I'm at a loss as well, that's why I can't figure out why the whole concept of the delayed start would work. VirtualBox checks if anything is trying to get itself injected in its own process. When this is happening seems quite clear from the logs, but I may be wrong.

Maybe something isn't directly affecting VboxDRV but possibly at that point in boot something is missing or hasn't been loaded yet that VboxDRV is looking for? Originally the driver is set to a startup type of System which according to Microsoft is:

"Automatic -Starts every time the system starts, after the boot devices and system devices start. Click this option for devices that are not critical to basic system operation.
Boot - Starts every time the system starts, before any other devices start. Click this option for critical devices that are essential to system operation.
Demand - Starts when the device is detected or it is needed for a specific event. Click this option for devices that are not critical to basic system operation nor that are required for device detection.
System - Starts every time the system starts, after the boot devices start. Click this option for critical devices that are essential to system operation."

From: https://technet.microsoft.com/en-us/library/cc725630(v=ws.11).aspx

So the boot order goes Boot > System > Automatic > Demand

Just a guess though. If I knew that this fixed others with the same problem I would do more investigation to find out why.

socratis wrote:Since you only have two posts, both in this thread, I assume you never posted a VBoxHardening.log. Could you zip one from a failed session and upload it?

Sure no problem. I have them all saved (working and non working logs) in hopes I could compare them to find the problem but I did not have any luck with that approach. Attached is a log from a failed session.
Attachments
FailedVBoxHardeningSessionLog.rar
(7.96 KiB) Downloaded 38 times
djex81
 
Posts: 5
Joined: 16. Mar 2017, 23:07

Re: Hardening Fix (workaround) For Error After Install and Restart

Postby socratis » 20. Mar 2017, 01:26

I didn't see anything in the VBoxHardening.log, but as everyone, we're still trying to reverse engineer the logs, so someone else may have better eyes/luck than me. The funny thing is that I didn't even see any ESET mentions in there...
socratis
Site Moderator
 
Posts: 22893
Joined: 22. Oct 2010, 11:03
Location: Greece
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5

Re: Hardening Fix (workaround) For Error After Install and Restart

Postby msee » 21. Mar 2017, 08:06

I add this reply to let other users know that this method solves the hardening issue I faced.
This is really a simple and nice solution !!!!

FYI:
When I was using 32bit linux guest, I never face such hardening issue.
These days I need to upgrade to 64bit linux guest to use some pre-build lib, I face this hardening issue.
Don't know are they helpful info just would like to drop it down here.

Anyway, really nice I finally see such a simple solution so I don't need to build the entire lib from scratch.

msee
msee
 
Posts: 1
Joined: 21. Mar 2017, 08:01

Re: Hardening Fix (workaround) For Error After Install and Restart

Postby socratis » 21. Mar 2017, 11:33

msee wrote:I was using 32bit linux guest, I never face such hardening issue. These days I need to upgrade to 64bit linux guest to use some pre-build lib, I face this hardening issue.

That doesn't make sense at all. VirtualBox doesn't care if you load a 16-, 32- or 64-bit client; if you have a DLL that's rejected due to hardening, it's rejected. Period.

Having the delayed start of the service still doesn't compute, because I haven't seen a logical explanation about it, so I can't "recommend" it, but I'm going to be trying to see how and why it might work.

@msee
Unless I see a VBoxHardening.log, I cannot assume anything. It's just guessing at this point.
socratis
Site Moderator
 
Posts: 22893
Joined: 22. Oct 2010, 11:03
Location: Greece
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5

Re: Hardening Fix (workaround) For Error After Install and Restart

Postby mpack » 21. Mar 2017, 11:58

The type of guest OS installed (32bit vs 64bit) certainly made no difference, so it was something else. Perhaps one uses 3D acceleration, the other not.
mpack
Site Moderator
 
Posts: 28794
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Hardening Fix (workaround) For Error After Install and Restart

Postby djex81 » 22. Mar 2017, 19:33

socratis wrote:I didn't see anything in the VBoxHardening.log, but as everyone, we're still trying to reverse engineer the logs, so someone else may have better eyes/luck than me. The funny thing is that I didn't even see any ESET mentions in there...


Yeah I couldn't find any ESET references either. Like I said previously the logs didn't help to solve my problem. What actually got me onto the solution I found was the fact that any version newer than 4.3.12 will run without any issues with a fresh install but as soon as a restart is done it will error out. So it had to be one of the drivers VirtualBox loads on boot. I confirmed this by:

1. Installing a fresh copy of the latest VirtualBox
2. Confirmed that it opens and launches the VMs
3. Restarted computer
4. Confirmed that VirtualBox would run but no longer launch any VMs with error message
5. I then uninstalled VBoxDRV.sys driver so it would not load on next boot
6. Restarted computer
7. Once computer was fully booted I manually installed the VboxDRV.sys and started the kernel driver service
8. Confirmed VirtualBox would run and would launch any VMs without any issues.

I later found out that you can keep VboxDRV.sys installed but disable or delay the startup of the service to get the same result, which tells me there is something going wrong when the service tries to start early on in boot.

What we need is a log file from VboxDRV.sys detailing its startup but I don't think that exists.

msee wrote:I add this reply to let other users know that this method solves the hardening issue I faced.
This is really a simple and nice solution !!!!

FYI:
When I was using 32bit linux guest, I never face such hardening issue.
These days I need to upgrade to 64bit linux guest to use some pre-build lib, I face this hardening issue.
Don't know are they helpful info just would like to drop it down here.

Anyway, really nice I finally see such a simple solution so I don't need to build the entire lib from scratch.

msee


Thank you msee for confirming that this fix does work for more than just myself. Now that I know it works for others I will continue my investigation into why it works.

Though as socratis mentioned it shouldn't matter which guest OS you load 32 or 64 bit. Were you running the 32bit linux on VirtualBox version 4.3.12 and upgraded to the latest version of VirtualBox in order to run your 64bit linux os? Also what OS are you using as a host? Windows 7 Pro 64bit by any chance?
djex81
 
Posts: 5
Joined: 16. Mar 2017, 23:07

Re: Hardening Fix (workaround) For Error After Install and Restart

Postby bruceskyaus » 18. Oct 2017, 03:41

Used the registry fix for version 5.1.28 on a Windows 7 machine on a corporate network. I have admin rights, but the AV is locked down (of course). Rebooted and it worked.

Speculating as to why it was failing, with the benefit of hindsight:

1. Cisco AnyConnect loads late in the boot process. This can cause other apps to crash, if they need the network (or other services) to be available. MS Outlook dies on a regular basis - no surprises there :lol:
2. VirtualBox just expects everything to be squeaky clean and in place before allowing a VM to start. Good for security, but with some corporate networks having a disorderly :cry: approach to Windows GPOs and SOEs, this is more likely to cause a failure.
3. VMware Workstation (free version) was working perfectly. So it couldn't have been the AV or the GPOs blocking the drivers. I switched back to VirtualBox, because I needed snapshots and port forwarding (a must have for NAT use) without paying a license.

Thanks everyone for their hard work figuring this out! 8)
bruceskyaus
 
Posts: 2
Joined: 18. Oct 2017, 03:28

Re: Hardening Fix (workaround) For Error After Install and Restart

Postby socratis » 18. Oct 2017, 07:35

bruceskyaus wrote:the AV is locked down
Would that antivirus be ESET, like the original poster's? You didn't exactly mention the antivirus' maker. Also, I didn't see a "VBoxHardening.log". ZIPPED please...
socratis
Site Moderator
 
Posts: 22893
Joined: 22. Oct 2010, 11:03
Location: Greece
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5

Re: Hardening Fix (workaround) For Error After Install and Restart

Postby bruceskyaus » 19. Oct 2017, 03:29

The AV is Symantec Endpoint Protection 12.1.7004.65000. What I mean by "locked down", is that all the options are disabled by the network administrator. Therefore, I am unable to change anything within the AV settings, despite my user being in the local administrators group (standard practice on corporate networks).

I've attached two files in the zip. One with the registry setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VBoxDrv\Start value of 1 (error) and the other with a value of 3 (success).

I am able to toggle the error on and off, by just changing the registry setting and rebooting. Pretty conclusive test for my setup.

I hope that is satisfactory.
Attachments
20171019 - VBoxHardeningLogs.zip
A success and error version of VBoxHardening.log.
(44.04 KiB) Downloaded 88 times
bruceskyaus
 
Posts: 2
Joined: 18. Oct 2017, 03:28

Re: Hardening Fix (workaround) For Error After Install and Restart

Postby socratis » 19. Oct 2017, 16:24

I've been trying to come up with a logical solution, a logical explanation about this since the thread started. I'm drawing a blank. If we think about it for a minute, here are a couple of potential things that are/could be going on:

  • Due to the delayed start, the antivirus has a chance to scan the VirtualBox files and doesn't have to do it while they're in memory later on (?) and force their way in the memory regions of VirtualBox. Can't completely justify it, because the error happens on demand.

  • The certificate database is somehow not loaded/synchronized (?) and when VirtualBox tries to check the certificates it can't come up with a valid one (?) and rejects the antivirus.

  • Something completely different?
I've asked for the developers to have a look at this and help us decipher what's going on. Haven't heard anything back, but it's a crazy time with 5.2.0 and 5.1.30 getting released yesterday.

The VBoxHardening.log is really a cryptic one (maybe on purpose) and I can't say that a lot of people can understand its contents, developer, admins, moderators, volunteers and users alike (yours truly included). From my understanding there is 1 1/2 people in this side of the universe that can take a quick look and figure out the exact problem. The rest of us, that's educated guesses.

I'm still a little bit hesitant to start giving that advice to other users (changing the VBoxDrv service from SERVICE_SYSTEM_START to SERVICE_DEMAND_START), but I will definitely keep it in the back of my head and maybe suggest it as a potential solution from now on. Especially since there are more than one reports, with more than one antivirus vendors.
socratis
Site Moderator
 
Posts: 22893
Joined: 22. Oct 2010, 11:03
Location: Greece
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5

Re: Hardening Fix (workaround) For Error After Install and Restart

Postby Hanzaplast » 27. Oct 2017, 21:58

Thank you djex81 for the workaround solution. Works like a charm on VirtualBox 5.2 (Seven 64 ultimate Fr).
"If we were to employ violent means, we would have nothing left to defend."
(Dalaï Lama)
Hanzaplast
 
Posts: 5
Joined: 27. Oct 2017, 21:24
