Question Sporadic BSOD screens appear shortly after "Virtualization-based security... is enabled due to VBS registry configuration" appears in Event Viewer ?

Jun 5, 2024
I'm having some issues with my machine where I'm getting BSOD screens that seemingly are always generated around the entry "Virtualization-based security (policies: VBS Enabled,VSM Required,Hvci,Boot Chain Signer Soft Enforced) is enabled due to VBS registry configuration." appearing in the Event Viewer > Windows Logs > System.

I'm also frequently getting OUT_OF_MEMORY and STATUS_BREAKPOINT errors in my web browser, typically when I have a YouTube or Rumble stream running.

Also in the Event Viewer, there is a warning "The hypervisor did not enable mitigations for side channel vulnerabilities for virtual machines because HyperThreading is enabled. To enable mitigations for virtual machines, disable HyperThreading." and an error "Dump file creation failed due to error during dump creation."

Can anyone offer some insight here? Any help is much appreciated. Thanks!

System:
OS Name: Windows 11 Home
System Manufacturer: HP
System Model: OMEN 25L Desktop GT12-0xxx
System Type: x64-based PC
Processor: Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz, 2901 Mhz, 8 Core(s), 16 Logical Processor(s)
 
Is a VM running? Hyper Threading?

https://www.intel.com/content/www/u...per-threading/hyper-threading-technology.html

Start here:

https://learn.microsoft.com/en-us/w...ualization-based-protection-of-code-integrity

The immediate objective is simply to discover the current and relevant settings on your machine.

Make no changes. Just look in the registry and make note of the settings.

I tested the PowerShell results. From my system:

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\WINDOWS\system32> Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard


AvailableSecurityProperties : {1, 2, 3, 4...}
CodeIntegrityPolicyEnforcementStatus : 2
InstanceIdentifier : 4ff40742-2649-41b8-bdd1-e80fad1cce80
RequiredSecurityProperties : {0}
SecurityFeaturesEnabled : {0}
SecurityServicesConfigured : {0}
SecurityServicesRunning : {0}
UsermodeCodeIntegrityPolicyEnforcementStatus : 0
Version : 1.0
VirtualizationBasedSecurityStatus : 0
VirtualMachineIsolation : False
VirtualMachineIsolationProperties : {0}
PSComputerName :


Your results may or may not be different.

If something is not as expected or otherwise unexpected then that issue can be specifically researched.

More needs to be known.
 
Thanks for responding! I appreciate your input very much.

It appears the hypervisor is starting, but I have never modified any of these settings.

No, I don't have any VMs running. Here are the results on my machine after running that command:

AvailableSecurityProperties : {1, 2, 3, 5...}
CodeIntegrityPolicyEnforcementStatus : 2
InstanceIdentifier : 4ff40742-2649-41b8-bdd1-e80fad1cce80
RequiredSecurityProperties : {0}
SecurityFeaturesEnabled : {0}
SecurityServicesConfigured : {2}
SecurityServicesRunning : {2}
UsermodeCodeIntegrityPolicyEnforcementStatus : 0
Version : 1.0
VirtualizationBasedSecurityStatus : 2
VirtualMachineIsolation : False
VirtualMachineIsolationProperties : {0}
PSComputerName :

In that sequence leading up to those Event Viewer logs I mentioned in my first post, I see some potentially relevant events: (These occurred immediately after logging into my machine first thing in the morning, after it had been put to sleep the night before.)

Information The iommu fault reporting has been initialized.

Information The leap second configuration has been updated.

Reason: Leap second data initialized from registry during boot
Leap seconds enabled: true
New leap second count: 0
Old leap second count: 0

Information SecureKernel started with status STATUS_SUCCESS and flags HvciEnabled,HvciStrictMode.

Warning The hypervisor did not enable mitigations for side channel vulnerabilities for virtual machines because HyperThreading is enabled. To enable mitigations for virtual machines, disable HyperThreading.

Information Hypervisor configured mitigations for CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 for virtual machines.

Processor not affected: true
Processor family not affected: false
Processor supports microarchitectural buffer flush: false
Buffer flush needed: true

Information Hypervisor configured mitigations for CVE-2018-3646 for virtual machines.

Processor not affected: true
Processor family not affected: false
Processor supports cache flush: true
HyperThreading enabled: true
Parent hypervisor applies mitigations: false
Mitigations disabled by bcdedit: false
Mitigations enabled: true
Cache flush needed: false

Information Hypervisor initialized I/O remapping.

Hardware present: true
Hardware enabled: true
Policy: 0x0
Enabled features: 0x43
Internal information: 0x0
Problems: 0x0
Additional information: 0x0

Information Hypervisor scheduler type is 0x4.

Information Hypervisor successfully started.

Information Virtualization-based security (policies: VBS Enabled,VSM Required,Hvci,Boot Chain Signer Soft Enforced) is enabled due to VBS registry configuration.
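
An added example, not written by anyone in this thread: a read-only PowerShell helper that turns the numeric Win32_DeviceGuard fields from the two outputs above into names, using the value meanings from Microsoft's documentation of that class. The function name ConvertTo-DeviceGuardSummary and the labels are hypothetical; the sample objects are constructed from the values posted above.

```powershell
# Added example. Value meanings follow Microsoft's Win32_DeviceGuard documentation.
$VbsStatus = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
$CiStatus  = @{ 0 = 'off'; 1 = 'audit'; 2 = 'enforced' }
$Services  = @{
    0 = 'none'
    1 = 'Credential Guard'
    2 = 'memory integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}

function ConvertTo-DeviceGuardSummary {   # hypothetical name
    param([Parameter(Mandatory)] $DeviceGuard, [string] $Label = 'live system')

    # Translate each code; codes missing from the table stay visible as "unknown".
    $decode = {
        param($map, $codes)
        (@($codes) | ForEach-Object {
            if ($map.ContainsKey([int]$_)) { $map[[int]$_] } else { "unknown ($_)" }
        }) -join ', '
    }
    # A service that is configured but absent from the running list did not start.
    $notStarted = @($DeviceGuard.SecurityServicesConfigured | Where-Object {
        $_ -ne 0 -and $_ -notin $DeviceGuard.SecurityServicesRunning })

    [pscustomobject]@{
        Source               = $Label
        VbsStatus            = & $decode $VbsStatus $DeviceGuard.VirtualizationBasedSecurityStatus
        ServicesConfigured   = & $decode $Services  $DeviceGuard.SecurityServicesConfigured
        ServicesRunning      = & $decode $Services  $DeviceGuard.SecurityServicesRunning
        KernelCodeIntegrity  = & $decode $CiStatus  $DeviceGuard.CodeIntegrityPolicyEnforcementStatus
        ConfiguredNotRunning = & $decode $Services  $notStarted
    }
}

# Constructed sample input: the relevant fields from the two outputs in this thread.
$first = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 0; CodeIntegrityPolicyEnforcementStatus = 2
    SecurityServicesConfigured = @(0);     SecurityServicesRunning = @(0) }
$second = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 2; CodeIntegrityPolicyEnforcementStatus = 2
    SecurityServicesConfigured = @(2);     SecurityServicesRunning = @(2) }

ConvertTo-DeviceGuardSummary -DeviceGuard $first  -Label 'first output in thread'
ConvertTo-DeviceGuardSummary -DeviceGuard $second -Label 'second output in thread'

# On a live machine, pass the real object instead of the samples:
# ConvertTo-DeviceGuardSummary (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard)
```

For the second output, a VBS status of 2 with service 2 running is the same state the "SecureKernel started ... HvciEnabled" event above reports.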
 
Oh heck no, not like that. You should export the log files and upload them to a cloud service for us to download and investigate. However, we may need more data than just the logs so please do the following...

Download and run the SysnativeBSODCollectionApp and upload the resulting zip file to a cloud service with a link to it here. The SysnativeBSODCollectionApp collects all the troubleshooting data we're likely to need. It DOES NOT collect any personally identifying data. It's used by several highly respected Windows help forums (including this one). I'm a senior BSOD analyst on the Sysnative forum where this tool came from, so I know it to be safe.

You can of course look at what's in the zip file before you upload it, most of the files are txt files. Please don't change or delete anything though. If you want a description of what each file contains you'll find that here.
 
Thanks. I put the zip file in Google drive. SysnativeFileCollectionApp.zip
 
Taking all the dumps as a whole I think bad RAM is the most likely cause here. Three of the dumps are typical RAM failure bugchecks, one is definitely down to bad RAM...
Code:
FAULTY_HARDWARE_CORRUPTED_PAGE (12b)
This BugCheck indicates that a single bit error was found in this page.  This is a hardware memory error.
Arguments:
Arg1: ffffffffc00002c4, virtual address mapping the corrupted page
Arg2: 00000000000002a6, physical page number
Arg3: 000002791ddc4310, zero
Arg4: ffff80005d2af000, zero
None of the dumps are hypervisor related so I don't know where that idea came from.

Sadly you only have one RAM card installed, which means we can't test RAM by removing one RAM card. You will need to thoroughly test your RAM with Memtest86...
  1. Download Memtest86 (free), use the imageUSB.exe tool extracted from the download to make a bootable USB drive containing Memtest86 (1GB is plenty big enough). Do this on a different PC because you can't fully trust yours at the moment.
  2. Then boot that USB drive on your PC, Memtest86 will start running as soon as it boots.
  3. If no errors have been found after the four iterations of the 13 different tests that the free version does, then immediately restart Memtest86 and do another four iterations. Even a single bit error is a failure.
 
Thanks for the feedback! I had initially mentioned the hypervisor issue, because every time the machine would BSOD, those errors from the hypervisor were always present, then it would say creation of the dump file failed. Could be the hypervisor switching on hit those faulty memory registers? I'll run those tests soon. Thanks again!

Edit: I'm not even sure why the hypervisor kicks on. I'm not running a VM.
 
Windows runs a hypervisor for itself, as long as hardware virtualization is enabled. The hypervisor runs a parent partition, that hosts all the device drivers, and a child partition, that hosts the user applications. The purpose is to prevent malware applications interfering with device drivers. This is all independent of any Hyper-V guest systems.
 