Windows guests prompting 'Safely remove hardware' for critical devices

QPidduck (New Member), Jan 8, 2014
Situation

We believe that due to an older SeaBIOS version in Proxmox our Windows VMs (7 + 2008 servers) have the ability to 'Safely remove' critical hardware like the disk and network cards. This is down to the SeaBIOS having hot-swappable PCI enabled.

Could be related to:

"BZ#671544 On a Windows virtual machine it was possible to 'Safely Remove' too many devices, including the graphics adapter, the PCI to ISA bridge device, and the PCI RAM controller, resulting in system instability. This patch uses the _RMV method to indicate whether device can be removed, thus fixing the issue."

from https://access.redhat.com/site/docu...Linux/6/html/6.1_Technical_Notes/seabios.html

Our 'Fix'

Create a batch file based on the below contents and use Group Policy to run it on start-up.

Procedure

The below assumes that the SCSI controller, Virtio Balloon Driver and E1000 Network Card are able to be ejected.

  • Open Device Manager
  • Right-click your device, then click Properties
  • Click the Details tab and from the drop-down select "Device Instance Path"
  • Either note this down, or leave it on screen, as you will need it shortly

  • Open notepad (or preferred editor)
  • Copy in below contents
:: Disable eject hard disk
:: Original value: 6
reg.exe add "PLACEHOLDER" /v Capabilities /t REG_DWORD /d 2 /f

:: Disable eject ballon
:: Original value: 6
reg.exe add "PLACEHOLDER" /v Capabilities /t REG_DWORD /d 2 /f

:: Disable eject network card
:: Original value: 6
reg.exe add "PLACEHOLDER" /v Capabilities /t REG_DWORD /d 2 /f

  • Run Regedit
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum
  • Search for your device and right-click on the key '3&13c0b0c5&0&XX' or similar and select 'Copy Key Name'
  • Use this copied key name in the notepad instance we have just started in place of PLACEHOLDER. The line should now look like
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_100E&SUBSYS_11001AF4&REV_03\3&13c0b0c5&0&90" /v Capabilities /t REG_DWORD /d 2 /f
Important: when in the registry editor, look under the Capabilities section and check it ends with 6 (i.e. 0x00000006). If it doesn't, the corresponding entry in your notepad instance must be changed to four less than that value, i.e. if the Capabilities section read 0x00000007 you would change the line from /d 2 to /d 3.

  • Once all eject-able devices have been added save the file as a .bat in a safe place and open the group policy editor.

  • Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)
  • Double Click Startup and add your script to the list.

  • Reboot
  • Smile

Notes:

This workaround is a little time consuming and it would seem that a newer Seabios would solve it.
Posting this just to get your thoughts and help anyone that finds themselves in our shoes.
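As an added example (this is not the thread's own batch file): the same fix written as a PowerShell script that clears only the removable bit of Capabilities instead of hard-coding /d 2, so the "four less than that value" check from the procedure is done automatically for each device. The vendor IDs, the dry-run-by-default behaviour and the -Apply switch are my assumptions, not anything from the posts.

```powershell
# Added example, not from the thread: generalises the "subtract 4" rule above.
# Capabilities is a CM_DEVCAP_* bitmask; bit 0x4 (CM_DEVCAP_REMOVABLE) is what puts a
# device in the "Safely Remove Hardware" list. Clearing only that bit gives the same
# result as the thread's "/d 2" for an original value of 6 (and 0x7 -> 0x3) without
# clobbering any other capability bits. Run as SYSTEM (e.g. a GPO startup script):
# the Enum instance keys are not writable by ordinary administrators.
param(
    [switch]$Apply,                                    # without -Apply: report only
    [string[]]$VendorIds = @('VEN_1AF4', 'VEN_8086')   # assumed: virtio and Intel e1000 IDs from the posts
)

$RemovableBit = 0x4                                    # CM_DEVCAP_REMOVABLE
$EnumRoot     = 'HKLM:\SYSTEM\CurrentControlSet\Enum\PCI'
$VendorRegex  = '^(' + ($VendorIds -join '|') + ')'

$changes = @(
    Get-ChildItem -Path $EnumRoot -ErrorAction Stop |
    Where-Object { $_.PSChildName -match $VendorRegex } |
    ForEach-Object { Get-ChildItem -Path $_.PSPath } |   # instance keys such as 3&13c0b0c5&0&90
    ForEach-Object {
        $cap = (Get-ItemProperty -Path $_.PSPath -Name Capabilities -ErrorAction SilentlyContinue).Capabilities
        if ($null -eq $cap -or ($cap -band $RemovableBit) -eq 0) { return }   # not removable, leave alone
        $new = $cap -band (-bnot $RemovableBit)
        if ($Apply) {
            Set-ItemProperty -Path $_.PSPath -Name Capabilities -Value $new -Type DWord
        }
        [pscustomobject]@{
            Instance = $_.PSPath -replace '^.*::', ''
            Old      = '0x{0:X8}' -f $cap
            New      = '0x{0:X8}' -f $new
            Applied  = [bool]$Apply
        }
    }
)

$changes | Format-Table -AutoSize
if (-not $Apply) { Write-Host 'Dry run only; re-run with -Apply (as SYSTEM) to write the changes.' }
```

Run it once without -Apply to confirm the list matches the devices you actually want to pin, since every matching PCI instance with the removable bit set is changed.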
 
Works. Here is my .bat:


Code:
:: Disable eject hard disk
:: Original value: 6
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\3&13c0b0c5&0&90" /v Capabilities /t REG_DWORD /d 2 /f


:: Disable eject ballon
:: Original value: 6
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AF4&DEV_1001&SUBSYS_00021AF4&REV_00\3&13c0b0c5&0&58" /v Capabilities /t REG_DWORD /d 2 /f


:: Disable eject network card
:: Original value: 6
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AF4&DEV_1002&SUBSYS_00051AF4&REV_00\3&13c0b0c5&0&18" /v Capabilities /t REG_DWORD /d 2 /f
 
Just a quick "thanks" to let you know this workaround is still working great :)
 
Using the q35-v6.0 machine in the VM's Hardware instead of i440fx (default) disables the eject function.

(tested on proxmox 7.2 + 7.3 on Windows 10 22h2 + Windows Server 2019)
 
pc-q35-6.0 Machine needed for Windows Server 2022 Guest on Proxmox 8.0.3 to disable "Safely Remove Hardware" like Network and Storage Controller.
 
Same problem here
pc-q35-6.0 Machine needed for Windows Server 2022 Guest on Proxmox 8.0.3 to disable "Safely Remove Hardware" like Network and Storage Controller.

Here with a Server 2022 guest on pc-q35-9.0 the problem still occurs; users can eject critical hardware! Any solution?

 
Is there a legit reason why Windows must be told that the network card is detachable?
I know you can "downgrade" to pc-q35-6.0, but why do I have to use old hardware (dunno what the implications of that are) to get this fixed?

IMO this is pretty serious, because even non-admin-users can use the detach-hardware feature, and Windows will happily oblige, disabling the VM's network for all the other users that may be using it.
 
Windows users without admin privileges can eject hardware? That seems more like an exploit/privilege escalation bug in Windows.

The hardware is removable so you can do things like hot swap (virtual) networks and add disks without rebooting, which is very useful in server environments. In older hardware versions these (and other) features weren't yet available, so that is why you don't see that "issue".

If your users have privileges they shouldn't be having, Windows may be able to be configured through Group Policy. By default you should always harden Windows in server/production environments; out of the box, exploitable RDP and SSLv3/TLS1.0 are enabled. I have an Ansible playbook with dozens of registry edits; you can find the keys online as well from various people, including Microsoft. It just doesn't come out of the box secure.
 
Yea, you might see it as a bug, or you might see it as Windows trying to be end-user-friendly and letting a non-admin eject hardware under the assumption they're the only user anyway. It doesn't matter.

Proxmox offers a Hotplug Option for each VM, but it doesn't appear to have an effect. That appears to be a bug, especially when people need to downgrade to older hardware, where non-hotswappable devices "worked" (and especially when other virtualizers, such as VMware can do so without making all the hardware hotswappable to the user). While it is possible to do the registry edits found in this thread, it is obviously in the VM host's power to control whether a guest may hot-swap devices or not. And the option is already there, in Proxmox.
 
I have zero interest in arguing with you, so I'll add you to my ignore list. Thankfully this forum provides one. Have a good one.

Point is, the next time this thread will be seen is when q35-6.0 is deprecated, and people face this issue, and wonder why Proxmox's option doesn't work.
 
If they are the only user, then what is the problem? I don’t understand why this issue is a problem the hypervisor (KVM) needs to fix. The fact VMware doesn’t have hot-pluggable hardware seems like a deficiency for a server environment, not a feature.

A regular unprivileged user can come in from anywhere, run IIS or Apache in a hosted environment, now code written by a customer or someone breaching the system, can issue kernel-level commands to decouple and crash the entire server? Seems a problem with the OS.

The hardware is hot swappable, as is a lot of server hardware, USB drives, SAS/SATA/NVMe drives, network connections and plugin cards, modern PCIe fabrics, physically you have the option (in real server hardware) to remove while the server is running. With Sun SPARC, some HP stuff and IBM POWER hardware you had/have removable CPU and RAM, which Linux/KVM supports as well.
 