"Unable to load process tree", "Failed to analyze sample" and other "Error: disconnected" for the Live interaction

[Gh05t1nB4ud]

Hi,

It's my first time with Xen / Drakvuf / Drakvuf Sandbox installation.

I already uses them a few times in the past but never installed them.

Configuration

The machine was formatted before the installation process.

• Debian 12.11
• Xen 4.19.2 (2 vCPU allocated and 4192Mb of memory)
• Linux analysis 6.1.0-37-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.140-1 (2025-05-22) x86_64 GNU/Linux

Current state

• Xen is working
• VNC is working
• Windows 10 image is configured with internet access, .NET framework, Visual C++ Redistribuable and https://github.com/ionuttbara/windows-defender-remover to remove UAC / Defender
• Drakvuf is working
• Drakvuf-sandbox web-UI is working

Issues

I tried several analysis on two samples :

• https://bazaar.abuse.ch/sample/6b715e8feeb3258e7b087ec2f6a49c421cfadc55af15a9cd157a6e6c34186d4d/
• https://bazaar.abuse.ch/sample/653f19244a1673490e7c4f4a9eff488a8c94f75049d1eb37be829b923e32d117/

There is the results :

The only "finished" was executed before the modification of the Windows 10 Image to remove UAC / Windows Defender, so, in fact, it's a fail.

{
    "Plugin": "inject",
    "TimeStamp": "1753285748.855491",
    "Method": "CreateProc",
    "Status": "Timeout"
}

But, there is an interesting fact for this analysis : there are several screenshots (thanks to which I understand that Windows do not deactivate correctly the UAC / Windows Defender).

For all the others analysis (without UAC / Windows Defender), I have no screenshot in the UI and I have the same error in drakrun.log :

[2025-07-24 10:21:01,178][drakrun.analyzer.screenshotter][INFO] Connected to VNC localhost:5901
[2025-07-24 10:21:01,432][drakrun.analyzer.screenshotter][INFO] Got screenshot 1: 4R9gH3CfYI8=
[2025-07-24 10:35:41,025][drakrun.lib.vm][INFO] Destroying vm-1
[2025-07-24 10:35:43,719][drakrun.lib.networking][INFO] Bridge drak1 is down
[2025-07-24 10:35:43,777][drakrun.lib.networking][INFO] Deleted drak1 bridge
[2025-07-24 10:35:43,966][drakrun.analyzer.worker][ERROR] Failed to analyze sample
Traceback (most recent call last):
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/worker.py", line 88, in worker_analyze
    extra_metadata = analyze_file(
                     ^^^^^^^^^^^^^
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/analyzer.py", line 200, in analyze_file
    with run_tcpdump(network_info, tcpdump_file), run_screenshotter(
  File "/usr/lib/python3.11/contextlib.py", line 144, in __exit__
    next(self.gen)
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/run_tools.py", line 97, in run_screenshotter
    screenshotter.stop()
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/screenshotter.py", line 91, in stop
    self._thread.join()
  File "/usr/lib/python3.11/threading.py", line 1112, in join
    self._wait_for_tstate_lock()
  File "/usr/lib/python3.11/threading.py", line 1132, in _wait_for_tstate_lock
    if lock.acquire(block, timeout):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/venv/lib/python3.11/site-packages/rq/timeouts.py", line 63, in handle_death_penalty
    raise self._exception('Task exceeded maximum timeout value ({0} seconds)'.format(self._timeout))
rq.timeouts.JobTimeoutException: Task exceeded maximum timeout value (900 seconds)

Here I don't understand why it timeout on the screenshot process because if I don't have a screenshot in the UI, I have a screenshot in /var/lib/drakrun/analyses/$my_analysis_id/screenshots/, for example :

But the /var/lib/drakrun/analyses/$my_analysis_id/screenshots.json file is empty.

Note that the introspection seems to works fine as I have a lot of data in drakrun.log.

And I checked the dump.pcap. It looks great (with, for example, an HTTP call to checkip.dyndns.org with a 200 HTTP status as answer).

-rw-r--r-- 1 root    root    18229988 Jul 24 10:31 drakmon.log
-rw-r--r-- 1 root    root        2984 Jul 24 10:35 drakrun.log
-rw-r--r-- 1 tcpdump tcpdump   309697 Jul 24 10:35 dump.pcap
drwxr-xr-x 2 root    root       20480 Jul 24 10:21 dumps
-rw-r--r-- 1 root    root         897 Jul 24 10:35 metadata.json
-rw-r--r-- 1 root    root     1025536 Jul 24 10:20 sample
drwxr-xr-x 2 root    root        4096 Jul 24 10:21 screenshots
-rw-r--r-- 1 root    root           0 Jul 24 10:21 screenshots.json

Last issue - Live Interaction

My last issue is about the Live Interaction.

This is what I have when I run an analysis :

I guess it's related to the overall problem with my installation.

Other issue

Note that I have an other issue but I don't know if it's linked to Drakvuf Sandbox or only Xen.

After each analysis the vm-1 become (null) and I have to kill the process manually before running another analysis.

xl list
Name                                        ID   Mem VCPUs	State	Time(s)
Domain-0                                     0  8192     2     r-----    3975.8
(null)                                      29    18     2     --p--d      43.9

Conclusion

That's it !

If you need any other information to understand the problem, do not hesitate.

I'll keep trying to find new clues, but I hope you'll be able to find the “real problem” through your experience.

Thanks :)

[psrok1]

Hi! Thank you for detailed bug report. It seems that Drakvuf engine doesn't work properly on your instance.

{
    "Plugin": "inject",
    "TimeStamp": "1753285748.855491",
    "Method": "CreateProc",
    "Status": "Timeout"
}

That line means that injector hanged while trying to create a process. If you see Windows Defender alert on screenshot, probably the process was forcefully killed and injector completely lost a track, so the analysis failed. But another reason can be also a BSoD/hang of the machine, I would check what is happening on the machine via VNC when you try to analyze the sample.

[2025-07-24 10:21:01,178][drakrun.analyzer.screenshotter][INFO] Connected to VNC localhost:5901
[2025-07-24 10:21:01,432][drakrun.analyzer.screenshotter][INFO] Got screenshot 1: 4R9gH3CfYI8=
[2025-07-24 10:35:41,025][drakrun.lib.vm][INFO] Destroying vm-1
[2025-07-24 10:35:43,719][drakrun.lib.networking][INFO] Bridge drak1 is down
[2025-07-24 10:35:43,777][drakrun.lib.networking][INFO] Deleted drak1 bridge
[2025-07-24 10:35:43,966][drakrun.analyzer.worker][ERROR] Failed to analyze sample
Traceback (most recent call last):
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/worker.py", line 88, in worker_analyze
    extra_metadata = analyze_file(
                     ^^^^^^^^^^^^^
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/analyzer.py", line 200, in analyze_file
    with run_tcpdump(network_info, tcpdump_file), run_screenshotter(
  File "/usr/lib/python3.11/contextlib.py", line 144, in __exit__
    next(self.gen)
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/run_tools.py", line 97, in run_screenshotter
    screenshotter.stop()
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/screenshotter.py", line 91, in stop
    self._thread.join()
  File "/usr/lib/python3.11/threading.py", line 1112, in join
    self._wait_for_tstate_lock()
  File "/usr/lib/python3.11/threading.py", line 1132, in _wait_for_tstate_lock
    if lock.acquire(block, timeout):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/venv/lib/python3.11/site-packages/rq/timeouts.py", line 63, in handle_death_penalty
    raise self._exception('Task exceeded maximum timeout value ({0} seconds)'.format(self._timeout))
rq.timeouts.JobTimeoutException: Task exceeded maximum timeout value (900 seconds)

It isn't a timeout on screenshot process, it's an analysis job timeout. Screenshotting is done in separate thread, that's why this part is alive. Main thread is waiting for the monitoring tools to finish. The most possible reason is that Drakvuf hanged at some point as it should finish itself after reaching a timeout (once again, Windows hang/crash?).

Disconnected VNC and (null) domain are another sign that something went wrong with the guest machine. You see (null) because machine normally would be destroyed but LibVMI (Drakvuf) still holds a lock on it.

To debug it further I would try to run some CLI analyses while checking what is happening on the Windows machine via VNC. You can spawn the CLI analysis via drakrun analyze command - it does almost the same as the worker would do, but analysis files are written to the local directory.

You can also run Drakvuf manually via drakrun vm-start to start the machine and drakrun drakvuf-cmdline to generate a base Drakvuf command. You can then modify that command to try different plugins/settings and reproduce your problem. Maybe this will help you to find the root cause.

[Gh05t1nB4ud]

Thanks for your quick answer.

I made numerous attempts to find the potential source of the problem.

Upgrade on the current state

• Windows 10 is fully updated and has now 4 vCPU and 8192Mb of memory
• Windows 10 is now without any opened window (I forgot a Power Shell before the commit...)
• Dom-0 has now 4 vCPU and 8192Mb of memory

Real issue

I means it's certainly the issue because I did a lot of attempts before / after upgrading Windows 10 and Dom-0 resources and the conclusion was the same each time :

• before / after upgrades all my $(drakrun drakvuf-cmdline) -a procmon worked perfectly fine with / without VNC
• before / after upgrades all my drakrun analyze failed with or without VNC

And I understood something... drakrun analyze and drakrun through the Web Interface launch many plugins by default whereas I only try drakvuf with -a procmon to validate that it works.

So I did again new attempts and the result is that I can use all the plugins except of the ones about the Network (tlsmon, socketmon...).

Every time I use them, vm-1 died immediately or after several seconds.

It seemed strange to me because in my first post I was able to get a correct network capture (dump.pcap) but I've tested this theory several times and there is no crash when I don't use a network plugin. And I seem to have the dump.pcap with or without network plugins so I assume it's not module related (certainly a tcpdump running on dom-0 and targeting the dedicated bridge ?).

That's why I tried updating / modifying the Windows 10 image (because Windows is always a problem, so I thought Windows was the problem :D ).

Success but...

Here we can see that the analysis worked fine.

But, even without plugins about the Network, there is an error during the parsing attempt.

[2025-07-25 11:27:14,812][drakrun.analyzer.postprocessing.plugins.split_drakmon_log][WARNING] Failed to parse 694 lines generated by unknown
[2025-07-25 11:27:15,017][drakrun.analyzer.postprocessing.postprocess][WARNING] generate_wireshark_key_file won't be run because tlsmon.log does not exist
[2025-07-25 11:27:33,915][drakrun.analyzer.postprocessing.postprocess][ERROR] capa_analysis failed with uncaught exception
Traceback (most recent call last):
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/postprocessing/postprocess.py", line 38, in run_postprocessing
    plugin_metadata = plugin.function(analysis_dir)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/postprocessing/plugins/capa_plugin/capa_processor.py", line 326, in capa_analysis
    dynamic_capabilities = dynamic_capa_analysis(
                           ^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/postprocessing/plugins/capa_plugin/capa_processor.py", line 150, in dynamic_capa_analysis
    extractor = get_drakvuf_feature_extractor(calls)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/postprocessing/plugins/capa_plugin/capa_processor.py", line 107, in get_drakvuf_feature_extractor
    return DrakvufExtractor.from_report(calls)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/venv/lib/python3.11/site-packages/capa/features/extractors/drakvuf/extractor.py", line 95, in from_report
    dr = DrakvufReport.from_raw_report(report)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/venv/lib/python3.11/site-packages/capa/features/extractors/drakvuf/models.py", line 127, in from_raw_report
    report.syscalls.append(SystemCall(**entry))
                           ^^^^^^^^^^^^^^^^^^^
  File "/opt/venv/lib/python3.11/site-packages/pydantic/main.py", line 214, in __init__
    validated_self = self.__pydantic_validator__.validate_python(data, self_instance=self)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pydantic_core._pydantic_core.ValidationError: 1 validation error for SystemCall
arguments.FromParentModule
  Input should be a valid string [type=string_type, input_value=None, input_type=NoneType]
    For further information visit https://errors.pydantic.dev/2.10/v/string_type
[2025-07-25 11:27:47,360][drakrun.analyzer.postprocessing.plugins.crop_dumps][WARNING] Some dumps were deleted, because the configured size threshold was exceeded.
[2025-07-25 11:27:47,362][drakrun.analyzer.postprocessing.postprocess][WARNING] compress_ipt won't be run because ipt does not exist
[2025-07-25 11:28:00,780][drakrun.analyzer.postprocessing.indexer][ERROR] Failed to process entry
Traceback (most recent call last):
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/postprocessing/indexer.py", line 41, in index_log_file
    raise RuntimeError(
RuntimeError: No process found for event. Bug? (PID=3640 EventUID=41726)
[2025-07-25 11:28:00,780][drakrun.analyzer.postprocessing.indexer][ERROR] Failed to process entry
Traceback (most recent call last):
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/postprocessing/indexer.py", line 41, in index_log_file
    raise RuntimeError(
RuntimeError: No process found for event. Bug? (PID=3640 EventUID=41734)
...
...
[2025-07-25 11:29:12,783][drakrun.analyzer.postprocessing.postprocess][ERROR] index_logs failed with uncaught exception
Traceback (most recent call last):
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/postprocessing/postprocess.py", line 38, in run_postprocessing
    plugin_metadata = plugin.function(analysis_dir)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/postprocessing/plugins/index_logs.py", line 23, in index_logs
    index = index_log_file(
            ^^^^^^^^^^^^^^^
  File "/opt/venv/lib/python3.11/site-packages/drakrun/analyzer/postprocessing/indexer.py", line 23, in index_log_file
    data_start = f.tell()
                 ^^^^^^^^
  File "<frozen codecs>", line 331, in getstate
  File "/opt/venv/lib/python3.11/site-packages/rq/timeouts.py", line 63, in handle_death_penalty
    raise self._exception('Task exceeded maximum timeout value ({0} seconds)'.format(self._timeout))
rq.timeouts.JobTimeoutException: Task exceeded maximum timeout value (900 seconds)

How to solve this issue ?

I checked the /var/lib/drakrun/profiles/ directory :

-rw-r--r-- 1 root root 5319073 Jul 25 10:19 kernel.json
-rw-r--r-- 1 root root 2937628 Jul 25 10:21 native_clr_profile.json
-rw-r--r-- 1 root root   44406 Jul 25 10:21 native_iphlpapi_profile.json
-rw-r--r-- 1 root root  249312 Jul 25 10:21 native_kernel32_profile.json
-rw-r--r-- 1 root root 3523308 Jul 25 10:21 native_kernelbase_profile.json
-rw-r--r-- 1 root root   27312 Jul 25 10:21 native_mpr_profile.json
-rw-r--r-- 1 root root 1721859 Jul 25 10:21 native_ntdll_profile.json
-rw-r--r-- 1 root root   44148 Jul 25 10:21 native_sspicli_profile.json
-rw-r--r-- 1 root root  435035 Jul 25 10:21 native_tcpip_profile.json
-rw-r--r-- 1 root root 1039827 Jul 25 10:21 native_win32k_profile.json
-rw-r--r-- 1 root root     435 Jul 25 10:19 runtime.json
-rw-r--r-- 1 root root  254588 Jul 25 10:21 wow64_kernel32_profile.json
-rw-r--r-- 1 root root 1669897 Jul 25 10:21 wow64_ntdll_profile.json

It seems that the required native_tcpip_profile.json is generated and I don't know if something else is required (based on the Drakvuf Documentation, it seems that the socketmon plugin do not require other files).

Do you know what I can try to find how to solve this issue ?

About the Live interaction

Note that the issue with the Live interaction in the Web Interface is certainly due to my architecture (the website is exposed on the server on 127.0.0.1 to not be reachable by the whole World, so I use SSH tunneling to reach it and I certainly need a second redirection port to make this Live Interaction working (I seen that it's a websocket on port 6500).

Thanks again for your help :)

[psrok1]

Ok, so it seems that the problem is socketmon plugin that is not starting.

Socketmon has hardcoded offsets for specific Windows versions: https://github.com/tklengyel/drakvuf/blob/168dac3fe0aa8ed95174d53634ba8493883cd5cf/src/plugins/socketmon/socketmon.cpp#L176. I think it would be better to get it from the profile (maybe these types are defined in PDB symbols?) but right now it is what it is.

What version of Drakvuf and what build of Windows 10 do you use? By version of Drakvuf I mean the commit hash that is visible in the banner:

$ drakvuf
1753455659.760046 DRAKVUF v1.1-e5524206 Copyright (C) 2014-2024 Tamas K Lengyel
No domain name specified (-d)!

For me it's DRAKVUF v1.1-e5524206 (currently out of tree, I made some contributions recently).

It also worth to check if there are any errors printed when you try $(drakrun drakvuf-cmdline) -a socketmon and $(drakrun drakvuf-cmdline) -a tlsmon.

Btw, according to "Live interaction" and SSH tunneling, I really appreciate that setup and yes, right now this feature relies on noVNC websocket that is exposed by Xen. I wonder if it would be a good idea to proxy that websocket somehow to have everything accessible from single origin, but right now it's directly reached by the web app

[Gh05t1nB4ud]

So, I tried again something with socketmon and it seems that the plugin is correctly loaded because I have many json outputs when I try $(drakrun drakvuf-cmdline) -a socketmon.

As I didn't find any log about the crash I tried to build again Drakvuf in debug mode to execute gdb --args $(drakrun drakvuf-cmdline) -a socketmon but I have... no error. The VM always crash but there is no information from Drakvuf.

gdb --args $(drakrun drakvuf-cmdline) -a socketmon
GNU gdb (Debian 13.1-3) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from drakvuf...
(gdb) run
Starting program: /usr/local/bin/drakvuf -o json -F -k 0x1aa000 -r /var/lib/drakrun/profiles/kernel.json -d vm-1 --json-ntdll /var/lib/drakrun/profiles/native_ntdll_profile.json --json-wow /var/lib/drakrun/profiles/wow64_ntdll_profile.json --json-win32k /var/lib/drakrun/profiles/native_win32k_profile.json --json-kernel32 /var/lib/drakrun/profiles/native_kernel32_profile.json --json-wow-kernel32 /var/lib/drakrun/profiles/wow64_kernel32_profile.json --json-tcpip /var/lib/drakrun/profiles/native_tcpip_profile.json --json-sspicli /var/lib/drakrun/profiles/native_sspicli_profile.json --json-kernelbase /var/lib/drakrun/profiles/native_kernelbase_profile.json --json-iphlpapi /var/lib/drakrun/profiles/native_iphlpapi_profile.json --json-mpr /var/lib/drakrun/profiles/native_mpr_profile.json --json-clr /var/lib/drakrun/profiles/native_clr_profile.json -a socketmon
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
1753456425.961549 DRAKVUF v1.1-0fa2fd6 Copyright (C) 2014-2024 Tamas K Lengyel
{"Plugin":"socketmon","TimeStamp":"1753456437.046690","PID":2196,"PPID":664,"TID":680,"UserId":0,"ProcessName":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","Method":"UdpSendMessages","EventUID":"0xa6","Owner":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","OwnerId":0,"OwnerPID":2196,"OwnerPPID":664,"Protocol":"UDPv4","RemoteIp":"8.8.8.8","RemotePort":53,"LocalIp":"127.0.0.1","LocalPort":56946}
{"Plugin":"socketmon","TimeStamp":"1753456437.074041","PID":2196,"PPID":664,"TID":680,"UserId":0,"ProcessName":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","Method":"UdpSendMessages","EventUID":"0xa7","Owner":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","OwnerId":0,"OwnerPID":2196,"OwnerPPID":664,"Protocol":"UDPv4","RemoteIp":"1.1.1.1","RemotePort":53,"LocalIp":"127.0.0.1","LocalPort":56946}
{"Plugin":"socketmon","TimeStamp":"1753456438.089605","PID":2196,"PPID":664,"TID":680,"UserId":0,"ProcessName":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","Method":"UdpSendMessages","EventUID":"0xa8","Owner":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","OwnerId":0,"OwnerPID":2196,"OwnerPPID":664,"Protocol":"UDPv4","RemoteIp":"8.8.8.8","RemotePort":53,"LocalIp":"127.0.0.1","LocalPort":56946}
...
{"Plugin":"socketmon","TimeStamp":"1753456530.549267","PID":2196,"PPID":664,"TID":7128,"UserId":0,"ProcessName":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","Method":"UdpSendMessages","EventUID":"0x3d3db","Owner":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","OwnerId":0,"OwnerPID":2196,"OwnerPPID":664,"Protocol":"UDPv4","RemoteIp":"1.1.1.1","RemotePort":53,"LocalIp":"127.0.0.1","LocalPort":51125}
^C
Program received signal SIGINT, Interrupt.
0x00007ffff791b1e0 in __GI___poll (fds=0x55555646ef60, nfds=1, timeout=1000) at ../sysdeps/unix/sysv/linux/poll.c:29
29	../sysdeps/unix/sysv/linux/poll.c: No such file or directory.

To answer your question, the version of Drakvuf is :

1753456425.961549 DRAKVUF v1.1-0fa2fd6 Copyright (C) 2014-2024 Tamas K Lengyel

The last commit on main.

And, for Windows :

About $(drakrun drakvuf-cmdline) -a socketmon and $(drakrun drakvuf-cmdline) -a tlsmon there is no error on the command line (the VM crash but... nothing else).

The only potential clue I see is that when I use the VM without drakrun (drakrun vm-start then I shutdown the VM then I create it again with xl create /var/lib/drakrun/configs/vm-1.cfg to keep the drakrun bridge active), I have Internet as configured in the Windows 10 image but when I keep the instance created by drakrun vm-start I don't have Internet even with net_enable = true in /etc/drakrun/config.toml (I also tried = 1 just in case).

Note that I have internet with drakrun modify-vm0 begin also.

[psrok1]

So it's not the Drakvuf that is crashing, but your guest operating system. It's possible that somehow socketmon causes a BSoD. Does it happen consistently? If you cold-boot the machine after the crash, do you have any clues in Windows event log about the crash?

The only potential clue I see is that when I use the VM without drakrun (drakrun vm-start then I shutdown the VM then I create it again with xl create /var/lib/drakrun/configs/vm-1.cfg to keep the drakrun bridge active), I have Internet as configured in the Windows 10 image but when I keep the instance created by drakrun vm-start I don't have Internet even with net_enable = true in /etc/drakrun/config.toml (I also tried = 1 just in case).

That's actually a different problem: you need to run ipconfig /release and ipconfig /renew on the guest machine to fetch new IP address from DHCP. It just happens faster/automatically when you cold-boot the machine. Simply: Windows restored from snapshot remembers the IP for vm-0 that is an incorrect IP for vm-1 instance.