Unable to headless start and detachable start
-
- Volunteer
- Posts: 5690
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: Unable to headless start and detachable start
If you provided the ntdll.dll file (outside of this forum, please ), I'd be interested to take a peek.
Re: Unable to headless start and detachable start
I also encountered this problem,i have been unable to solve it.I saw something about vagrant in the reply, my centos was also created through vagrant. So, I tried to create through iso, but unfortunately still can't solve the problem。
- Attachments
-
- centos7-2022-12-31-19-16-55.log
- (24.98 KiB) Downloaded 485 times
Re: Unable to headless start and detachable start
and my vm logmoranrs wrote:I also encountered this problem,i have been unable to solve it.I saw something about vagrant in the reply, my centos was also created through vagrant. So, I tried to create through iso, but unfortunately still can't solve the problem。
- Attachments
-
- centos7-2022-12-31-19-14-36.zip
- (33.99 KiB) Downloaded 497 times
-
- Volunteer
- Posts: 5690
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: Unable to headless start and detachable start
The centos7-2022-12-31-19-16-55.log file (VirtualBox hardening log file) indicates that VirtualBox rejected the ntdll.dll, just like in the other users' cases. So far, nobody was interested in me having a look ...
-
- Posts: 71
- Joined: 12. Aug 2021, 19:51
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows 11 22H2
- Location: US
Re: Unable to headless start and detachable start
@fth0
Hi there. Happy New Year! Just wanted to let you know I ran a full administrative powershell SFC /SCANNOW on both of my machines (Win10 22H2, Win11 22H2) and they both came back with corrupt system files since the last iteration of updates (they were .net and a part of the new 22H2 version). I did not see what files were corrupted, but I think the SFC in Windows runs more in-depth in admin mode (but I don't know for sure). Might be worth a look if the results of the scan is different.(Admin vs. Normal User Account). Point being, they were both corrupted, even after Windows verified the Update downloads. Weird.
Hi there. Happy New Year! Just wanted to let you know I ran a full administrative powershell SFC /SCANNOW on both of my machines (Win10 22H2, Win11 22H2) and they both came back with corrupt system files since the last iteration of updates (they were .net and a part of the new 22H2 version). I did not see what files were corrupted, but I think the SFC in Windows runs more in-depth in admin mode (but I don't know for sure). Might be worth a look if the results of the scan is different.(Admin vs. Normal User Account). Point being, they were both corrupted, even after Windows verified the Update downloads. Weird.
Re: Unable to headless start and detachable start
I am willing to provide ntdll.dll, how can I contact youfth0 wrote:The centos7-2022-12-31-19-16-55.log file (VirtualBox hardening log file) indicates that VirtualBox rejected the ntdll.dll, just like in the other users' cases. So far, nobody was interested in me having a look ...
-
- Volunteer
- Posts: 5690
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: Unable to headless start and detachable start
Look to the right of this forum post.moranrs wrote:I am willing to provide ntdll.dll, how can I contact you
But note that you have to provide the file outside of a PM.
Re: Unable to headless start and detachable start
I'm sorry, due to the forum's posting limit (5 posts are required to send the link) I can't provide the dll via PM, please give me your email, I will send it to you via emailfth0 wrote:Look to the right of this forum post.moranrs wrote:I am willing to provide ntdll.dll, how can I contact you
But note that you have to provide the file outside of a PM.
-
- Volunteer
- Posts: 5690
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: Unable to headless start and detachable start
moranrs wrote:I can't provide the dll via PM
Choose some public pastebin service, where I can download the file anonymously, and send the link obfuscated as text in a PM.fth0 wrote:But note that you have to provide the file outside of a PM.
-
- Volunteer
- Posts: 5690
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: Unable to headless start and detachable start
Thanks for providing the ntdll.dll file version 10.0.25267.1000. The section information confirms that the file should only use 0x215000 bytes of virtual memory. I don't know why Windows Insider (or some software within it) allocates the additional 8 kB memory region (without access protection bits). The latter also happened for kernel32.dll and KernelBase.dll, BTW.VBoxHardening.log file wrote:30f0.1458: \SystemRoot\System32\ntdll.dll: 30f0.1458: CreationTime: 2022-12-10T11:21:46.101759900Z 30f0.1458: LastWriteTime: 2022-12-10T11:21:46.101759900Z 30f0.1458: ChangeTime: 2022-12-16T11:52:35.091603100Z 30f0.1458: FileAttributes: 0x20 30f0.1458: Size: 0x213b90 30f0.1458: NT Headers: 0xe0 30f0.1458: Timestamp: 0x664ac545 30f0.1458: Machine: 0x8664 - amd64 30f0.1458: Timestamp: 0x664ac545 30f0.1458: Image Version: 10.0 30f0.1458: SizeOfImage: 0x215000 (2183168) 30f0.1458: Resource Dir: 0x19e000 LB 0x75448 30f0.1458: [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)] 30f0.1458: [Raw version resource data: 0x19e0f0 LB 0x380, codepage 0x0 (reserved 0x0)] 30f0.1458: ProductName: Microsoft® Windows® Operating System 30f0.1458: ProductVersion: 10.0.25267.1000 30f0.1458: FileVersion: 10.0.25267.1000 (WinBuild.160101.0800) 30f0.1458: FileDescription: NT Layer DLL 30f0.1458: Error (rc=-5607): 30f0.1458: ntdll.dll: SizeOfImage (0x215000) isn't close enough to the mapping size (0x217000) 30f0.1458: *00007ffa675d0000-00007ffa675d0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume7\Windows\System32\ntdll.dll 30f0.1458: 00007ffa675d1000-00007ffa67700fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume7\Windows\System32\ntdll.dll 30f0.1458: 00007ffa67701000-00007ffa67750fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume7\Windows\System32\ntdll.dll 30f0.1458: 00007ffa67751000-00007ffa67759fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume7\Windows\System32\ntdll.dll 30f0.1458: 00007ffa6775a000-00007ffa677e4fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume7\Windows\System32\ntdll.dll 30f0.1458: 00007ffa677e5000-00007ffa677e6fff 0x0000/0x0080 0x1000000 \Device\HarddiskVolume7\Windows\System32\ntdll.dll
Re: Unable to headless start and detachable start
Sorry to be so late to the party. I'm also using Windows 11 Pro Insider Preview, and seeing the same thing with the 8kb differences. Here's a short excerpt of mine VBoxHardening logs, but very similar to previous.
I'm trying my best to piece together some of the pieces and find something useful to someone, but am totally clueless on some of this and am sure maybe some of you have more context.
So is basically what's happening like this?
Code: Select all
1988.239c: supHardenedWinVerifyProcess failed with -5607: ntdll.dll: SizeOfImage (0x239000) isn't close enough to the mapping size (0x23c000)
Thanks so much for taking time to look at this. I was almost ready to throw in the towel until I saw this. I linked this thread on a tech community post (Google tech community "Vagrant up fails with supHardenedWinVerifyProcess failed with -5607: ntdll.dll on Windows 11 Pro Ins") Hopefully there's enough for someone to help us with this on the Microsoft sidefth0 wrote: ↑8. Jan 2023, 14:56 Thanks for providing the ntdll.dll file version 10.0.25267.1000. The section information confirms that the file should only use 0x215000 bytes of virtual memory. I don't know why Windows Insider (or some software within it) allocates the additional 8 kB memory region (without access protection bits). The latter also happened for kernel32.dll and KernelBase.dll, BTW.
I'm trying my best to piece together some of the pieces and find something useful to someone, but am totally clueless on some of this and am sure maybe some of you have more context.
So is basically what's happening like this?
- Something launches VBoxManage or VBoxHeadless (in my case, vagrant, but also if I do startmachine from command line)
- Windows loads up the EXE, including the DLLs it's asking for -- and the program starts running
- The program decides to examine itself, if it is pure and worthy of running a VM -- looking at it's own memory structure through some Windows APIs?
- While looking at it's memory, it finds that Windows mapped out some extra memory for the sections of the DLLs that were loaded, and is not happy with that, so spits out these logs and dies
-
- Volunteer
- Posts: 5690
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: Unable to headless start and detachable start
Yes. The executable files are VirtualBoxVM.exe (normal + detachable start) and VBoxHeadless.exe (headless + detachable start). They can use (for example) NtQueryVirtualMemory() to query their virtual memory regions, they can read their own executable files and compare the information in the executable file headers with the in-memory representation.
In the last weeks, a certain amount of VirtualBox users have reported a completely different VirtualBox issue on Windows Insider builds. This amount of users is much larger than the amount of users that have reported your issue, giving the impression that your issue affects only a small fraction of VirtualBox users of Windows Insider builds. Whatever that really means.
Re: Unable to headless start and detachable start
Very interesting. So maybe something is weird on my machine then. Do you have any ideas about how that extra 8kb could be getting mapped? Could it be code outside those DLLs or the VirtualBox EXEs that has it's fingers into Windows, or that somehow injects itself into these processes, or would it have to be either Windows or the VirtualBox/DLL code?
Is it meaningful to you that VBoxHeadless.exe has this issue but that VirtualBoxVM.exe seems to work just fine, do you think?
As far as I can tell, these files are fresh installed from the MSI I got from the VirtualBox website - version 7.0.12.159484. I don't think I've done all that much with this machine that's unique -- I may have installed VirtualBox using Chocolatey at one point, but have since uninstalled and reinstalled it manually. I also tried getting it to start a VM when windows started a while back. I never succeeded, but I did mess with some of my user's privileges and group membership. I'm also running as a local user account vs. whatever the ones are that Microsoft recommends where you have it tied to a Microsoft account.
Is it meaningful to you that VBoxHeadless.exe has this issue but that VirtualBoxVM.exe seems to work just fine, do you think?
As far as I can tell, these files are fresh installed from the MSI I got from the VirtualBox website - version 7.0.12.159484. I don't think I've done all that much with this machine that's unique -- I may have installed VirtualBox using Chocolatey at one point, but have since uninstalled and reinstalled it manually. I also tried getting it to start a VM when windows started a while back. I never succeeded, but I did mess with some of my user's privileges and group membership. I'm also running as a local user account vs. whatever the ones are that Microsoft recommends where you have it tied to a Microsoft account.
-
- Volunteer
- Posts: 5690
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: Unable to headless start and detachable start
I don't have a concrete idea yet, but you've asked another interesting question:snydergd wrote: ↑16. Dec 2023, 20:33 Do you have any ideas about how that extra 8kb could be getting mapped? Could it be code outside those DLLs or the VirtualBox EXEs that has it's fingers into Windows, or that somehow injects itself into these processes, or would it have to be either Windows or the VirtualBox/DLL code?
Please start the VM in all three modes (normal, headless, detachable) and save the VBoxHardening.log file after each attempt, so that it doesn't get overwritten. Provide the three log files in a zip file.
PS: The OP already provided two log files, but from different VirtualBox versions, so I couldn't be sure if a comparison was valid.
Re: Unable to headless start and detachable start
Ok, I've tried starting my VM in 3 different modes -- I used VBoxManage.exe to launch. E.g., VBoxManage.exe startvm guid-of-vm --type=headless I used "--help" to see the options for --type and the options listed for that were "gui | headless | sdl | separate". So I went with gui, headless, and separate (it said "Invalid frontend name: 'sdl'", when I tried "sdl").
I've uploaded my zip to filebin dot net / 48l0mtzj9lxruuma. It contains three folders for "gui", "separate", and "headless", each with a VBoxHardening.log in them.
Here is some other interesting news, and I can't tell how it plays in or not. When I first went to create these logs, I was getting the same exact message with "gui", as well as in the GUI interface itself -- and I know for sure that I was not getting this before - so I blamed some things I'd been playing with. I uninstalled VirtualBox, made sure it was gone from Program Files, and installed it again from the same installer as last time. After this I got the same exact result. I tried launching the VM from the UI and was also now getting the message about SizeOfImage not being close enough. I had been messing with Windows Defender in the Windows Settings app, under App & browser controls -> Program Settings, and had added (but not set any overrides for), VirtualBoxVM.exe to that list, so now to try and get it working again, I removed it from the list (again, it said 0 overrides - while here, I also removed VBoxHeadless from the list). After doing this, I could once again launch it from the GUI and VBoxManage with "gui" now works again, and I produced these logs. I added it back to the list again and am still not getting the error on "gui", which has me sketical. I even tried adding back VBoxHeadless.exe and adding some overrides in there, but that doesn't seem to have made a difference.
I can't tell if that is a coincidence or not. However, it's now consistently how it was before -- gui works, and the others have this error. The logs are from how it is now. I also did a separate capture when it was failing the first time if that would be helpful.
I've uploaded my zip to filebin dot net / 48l0mtzj9lxruuma. It contains three folders for "gui", "separate", and "headless", each with a VBoxHardening.log in them.
Here is some other interesting news, and I can't tell how it plays in or not. When I first went to create these logs, I was getting the same exact message with "gui", as well as in the GUI interface itself -- and I know for sure that I was not getting this before - so I blamed some things I'd been playing with. I uninstalled VirtualBox, made sure it was gone from Program Files, and installed it again from the same installer as last time. After this I got the same exact result. I tried launching the VM from the UI and was also now getting the message about SizeOfImage not being close enough. I had been messing with Windows Defender in the Windows Settings app, under App & browser controls -> Program Settings, and had added (but not set any overrides for), VirtualBoxVM.exe to that list, so now to try and get it working again, I removed it from the list (again, it said 0 overrides - while here, I also removed VBoxHeadless from the list). After doing this, I could once again launch it from the GUI and VBoxManage with "gui" now works again, and I produced these logs. I added it back to the list again and am still not getting the error on "gui", which has me sketical. I even tried adding back VBoxHeadless.exe and adding some overrides in there, but that doesn't seem to have made a difference.
I can't tell if that is a coincidence or not. However, it's now consistently how it was before -- gui works, and the others have this error. The logs are from how it is now. I also did a separate capture when it was failing the first time if that would be helpful.