Hi all, I would like to use VirtualBox-6.1.18-142142-Win.exe on a Windows Server 2019 to host a few VMs. The important thing of course is that those VMs need to run automatically, regardless of any interactive user login, AND I would like to restrict the user that runs the VMs for security reasons.
In theory this should easily be possible by creating a standard user in Windows and a task in the task scheduler to execute a VM headless using that user and e.g. the following command line:

> VBoxManage startvm "[...]" --type headless

In practice it's not that easy because of HARDENING: whenever my user is a member of the group ADMINISTRATORS, VMs start successfully using the task scheduler, while they don't as a normal user. Though, when creating a cmd.exe interactively as my normal user and executing the above command line manually, the VMs start successfully as well.

https://ibb.co/bWyQJCF

That makes some sense as well, because Windows assigns a lot of permissions by default to either admins or interactive users that are otherwise not allowed. That's exactly what we saw e.g. regarding COM components of VirtualBox in some former mail of mine. HARDENING simply refuses to load necessary and otherwise legitimate Windows DLLs:

> 00:00:00.698930 supR3HardenedErrorV: supR3HardenedScreenImage/LdrLoadDll: rc=VERR_LDRVI_NOT_SIGNED fImage=1 fProtect=0x0 fAccess=0x0 \Device\HarddiskVolume4\Windows\System32\NetSetupShim.dll: Not signed.
> 00:00:00.699270 supR3HardenedErrorV: supR3HardenedMonitor_LdrLoadDll: rejecting 'C:\Windows\System32\NetSetupShim.dll' (C:\Windows\System32\NetSetupShim.dll): rcNt=0xc0000190
> 00:00:00.699485 NetworkAttachmentType_Bridged: Failed to get NetCfg, hrc=ERROR_TRUST_FAILURE 0x800706FE (0x800706fe)
> 00:00:00.699543 AssertLogRel F:\tinderbox\win-6.1\src\VBox\Main\src-client\ConsoleImpl2.cpp(5376) int __cdecl Console::i_configNetwork(const char *,unsigned int,unsigned int,struct INetworkAdapter *,struct CFGMNODE *,struct CFGMNODE *,struct CFGMNODE *,bool,bool): !FAILED(hrc)
> 00:00:00.699551 hrc=ERROR_TRUST_FAILURE 0x800706FE
> 00:00:00.699812 Constructor failed with rc=VERR_MAIN_CONFIG_CONSTRUCTOR_COM_ERROR pfnCFGMConstructor=00007ffc15bd1e60
> 00:00:00.825718 VMSetError: F:\tinderbox\win-6.1\src\VBox\VMM\VMMR3\VM.cpp(318) int __cdecl VMR3Create(unsigned int,const struct VMM2USERMETHODS *,void (__cdecl *)(struct UVM *,void *,int,const char *,unsigned int,const char *,const char *,char *),void *,int (__cdecl *)(struct UVM *,struct VM *,void *),void *,struct VM **,struct UVM **); rc=VERR_MAIN_CONFIG_CONSTRUCTOR_COM_ERROR
> 00:00:00.825723 VMSetError: The configuration constructor in main failed due to a COM error. Check the release log of the VM for further details.
> 00:00:00.825944 ERROR [COM]: aRC=E_FAIL (0x80004005) aIID={872da645-4a9b-1727-bee2-5585105b9eed} aComponent={ConsoleWrap} aText={The configuration constructor in main failed due to a COM error. Check the release log of the VM for further details. (VERR_MAIN_CONFIG_CONSTRUCTOR_COM_ERROR)}, preserve=false aResultDetail=-6400
> 00:00:00.826282 Console: Machine state changed to 'PoweredOff'
> 00:00:00.842116 Power up failed (vrc=VERR_MAIN_CONFIG_CONSTRUCTOR_COM_ERROR, rc=E_FAIL (0X80004005))

The logs for HARDENING itself contain the following additional details, which clearly show that some checks didn't succeed.
For some reason the hash and digest of the file aren't found in the Windows catalogs in this context, while the exact same values are found e.g. when executed as admin.

> 2798.fc: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffc74d20000 'C:\windows\system32\rsaenh.dll'
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: hFile=0000000000000808 pwszName=\Device\HarddiskVolume4\Windows\System32\NetSetupShim.dll
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: Cached context 00000000019efab0
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=00000000019efab0
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: cbHash=20 wszDigest=592E7D18568150098B2F131AD72F2156D1CA3A58
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: Retrying with fresh context (CryptCATAdminEnumCatalogFromHash -> 1062; iCat=0x0)
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: New context 00000000019ef030
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=00000000019ef030
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: cbHash=20 wszDigest=592E7D18568150098B2F131AD72F2156D1CA3A58
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (1062)
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: Cached context 00000000019eef70
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=00000000019eef70
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: cbHash=32 wszDigest=668C2310EFB19B6732352E1B4C6B047E3037FC14D9878DA0CC690CFA6D37CE20
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: Retrying with fresh context (CryptCATAdminEnumCatalogFromHash -> 1062; iCat=0x0)
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: New context 00000000019efab0
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=00000000019efab0
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: cbHash=32 wszDigest=668C2310EFB19B6732352E1B4C6B047E3037FC14D9878DA0CC690CFA6D37CE20
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (1062)
> 2798.fc: supR3HardNtViCallWinVerifyTrustCatFile -> -22900 (org 22900)
> 2798.fc: supHardenedWinVerifyImageByHandle: -> -22900 (\Device\HarddiskVolume4\Windows\System32\NetSetupShim.dll) WinVerifyTrust
> 2798.fc: Error (rc=0):
> 2798.fc: supR3HardenedScreenImage/LdrLoadDll: rc=Unknown Status -22900 (0xffffa68c) fImage=1 fProtect=0x0 fAccess=0x0 \Device\HarddiskVolume4\Windows\System32\NetSetupShim.dll: Not signed.
> 2798.fc: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\NetSetupShim.dll
> 2798.fc: Error (rc=0):
> 2798.fc: supR3HardenedMonitor_LdrLoadDll: rejecting 'C:\Windows\System32\NetSetupShim.dll' (C:\Windows\System32\NetSetupShim.dll): rcNt=0xc0000190
> 2798.fc: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0xc0000190 'C:\Windows\System32\NetSetupShim.dll'
> 2798.36d4: supR3HardenedDllNotificationCallback: Unload 00007ffc2aa90000 LB 0x000ef000 C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll [flags=0x0]
> 2798.36d4: supR3HardenedDllNotificationCallback: Unload 00007ffc77240000 LB 0x00052000 C:\windows\System32\SHLWAPI.dll [flags=0x0]
> 2798.36d4: supR3HardenedDllNotificationCallback: Unload 00007ffc15f60000 LB 0x003c0000 C:\Program Files\Oracle\VirtualBox\VBoxC.dll [flags=0x0]
> 2798.36d4: Terminating the normal way: rcExit=0
> 1938.2ca0: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0x0 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 1448 ms, the end);
> 35f4.18b0: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x0 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 1921 ms, the end);

> /* Get the next match. */
> HCATINFO hCatInfo = g_pfnCryptCATAdminEnumCatalogFromHash(hCatAdmin, abHash, cbHash, 0, &hCatInfoPrev);
> if (!hCatInfo)
> {
>     if (!fFreshContext)
>     {
>         SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: Retrying with fresh context (CryptCATAdminEnumCatalogFromHash -> %u; iCat=%#x)\n",
>                      RtlGetLastWin32Error(), iCat));
>         if (hCatInfoPrev != NULL)
>             g_pfnCryptCATAdminReleaseCatalogContext(hCatAdmin, hCatInfoPrev, 0 /*dwFlags*/);
>         g_pfnCryptCATAdminReleaseContext(hCatAdmin, 0 /*dwFlags*/);
>         goto l_fresh_context;
>     }
>     ULONG ulErr = RtlGetLastWin32Error();
>     fNoSignedCatalogFound = ulErr == ERROR_NOT_FOUND && fNoSignedCatalogFound != 0;
>     if (iCat == 0)
>         SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (%u)\n", ulErr));
>     else if (iCat == 0)
>         SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed %u\n", ulErr));
>     break;
> }

https://www.virtualbox.org/browser/vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp#L2703

The following is what a successful verification of that same file looks like. Especially look at "cbHash" and "wszDigest", which should be the exact same values as for the first attempt in the former logs. So if this verification succeeds, the catalogs contain the necessary data and the state of the DLL is obviously OK.
> supR3HardNtViCallWinVerifyTrustCatFile: hFile=0000000000000930 pwszName=\Device\HarddiskVolume4\Windows\System32\NetSetupShim.dll
> supR3HardNtViCallWinVerifyTrustCatFile: Cached context 0000000001433810
> supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=0000000001433810
> supR3HardNtViCallWinVerifyTrustCatFile: cbHash=20 wszDigest=592E7D18568150098B2F131AD72F2156D1CA3A58

The following lines are of additional interest because they seem to contain some Windows error code:

> supR3HardNtViCallWinVerifyTrustCatFile: Retrying with fresh context (CryptCATAdminEnumCatalogFromHash -> 1062; iCat=0x0)
> supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (1062)

Which might be the following:

> ERROR_SERVICE_NOT_ACTIVE
> 1062 (0x426)
> The service has not been started.

https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--1000-1299-

Any idea what the not active service might be in the context of a normal, non-interactive user? Any other idea about the root cause of this problem?

Thanks!

Kind regards,
Thorsten Schöning

P.S.: HARDENING has caused a LOT of trouble for people over the years, so you should really reconsider your opinion regarding runtime options to disable it in some environments. Just look at my scenario: a restricted user does not work OOB, while an admin does. That doesn't make any sense regarding security... :-)

https://forums.virtualbox.org/viewtopic.php?f=6&t=84697
https://forums.virtualbox.org/viewtopic.php?f=6&t=92045
https://forums.virtualbox.org/viewtopic.php?f=6&t=89937
https://forums.virtualbox.org/viewtopic.php?f=6&t=84523
https://forums.virtualbox.org/viewtopic.php?f=6&t=82277
https://superuser.com/questions/838777/virtual-box-fail-load-virtual-machine-e-fail-0x80004005

--
AM-SoFT IT-Service - Bitstore Hameln GmbH i.G.
_______________________________________________
vbox-dev mailing list
vbox-dev@virtualbox.org
https://www.virtualbox.org/mailman/listinfo/vbox-dev
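A diagnostic that reproduces the comparison the post describes, as an added example (not from the post and not VirtualBox code): run it once from an elevated interactive shell and once from a scheduled task as the restricted user, then diff the two reports. It records Windows' own verdict on the catalog signature of the rejected DLL, the state of the Cryptographic Services service (my assumption that this is the service worth checking for error 1062; the post leaves that open), and the token's groups and privileges. The report path is a placeholder.

```powershell
# Added diagnostic, not VirtualBox code. Run as the task user and as an admin, then diff the reports.
param(
    [string]$Dll    = 'C:\Windows\System32\NetSetupShim.dll',              # the DLL hardening rejected
    [string]$Report = "C:\Temp\vbox-hardening-check-$env:USERNAME.txt"    # placeholder output path
)

$lines = New-Object System.Collections.Generic.List[string]
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$lines.Add("User            : $($id.Name)")
$lines.Add("Interactive     : $([Environment]::UserInteractive)")
$lines.Add("Session id      : $((Get-Process -Id $PID).SessionId)")
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
$lines.Add("Elevated admin  : $isAdmin")

# Assumption: CryptSvc is the service to watch when the catalog lookup reports 1062 (ERROR_SERVICE_NOT_ACTIVE).
$svc = Get-Service -Name 'CryptSvc' -ErrorAction SilentlyContinue
$lines.Add("CryptSvc state  : $(if ($svc) { $svc.Status } else { 'not found' })")

# Ask Windows for the same verdict hardening asks for: is the file catalog- or embedded-signed in this context?
$sig = Get-AuthenticodeSignature -FilePath $Dll
$lines.Add("Signature status: $($sig.Status) ($($sig.StatusMessage))")
$lines.Add("Signature type  : $($sig.SignatureType)")      # Catalog, Embedded or None
$lines.Add("OS binary       : $($sig.IsOSBinary)")
$lines.Add("Signer          : $($sig.SignerCertificate.Subject)")

# Token groups and privileges, to see what differs between the admin and the restricted-user run.
$lines.Add('Groups:')
$id.Groups | ForEach-Object {
    try   { $lines.Add('  ' + $_.Translate([Security.Principal.NTAccount]).Value) }
    catch { $lines.Add('  ' + $_.Value) }   # SID could not be resolved to a name
}
$lines.Add('Privileges:')
$lines.AddRange([string[]](whoami /priv))

$lines | Set-Content -Path $Report -Encoding UTF8
```

Register the script with the same principal and logon type as the VBoxManage task, e.g. `schtasks /Create /RU <task user> /RP * /SC ONCE /ST <time> /TN VBoxHardeningCheck /TR "powershell.exe -ExecutionPolicy Bypass -File <path>\check.ps1"`, and compare its report with the one written from an admin shell; a signature status other than Valid, a stopped CryptSvc, or a missing group in the task run narrows down where the context differs.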