veracrypt / VeraCrypt

Disk encryption with strong security based on TrueCrypt
https://www.veracrypt.fr

Can't boot into hidden OS after windows update #1045

Open cap3pugliese opened 1 year ago

cap3pugliese commented 1 year ago

Hello,

I have created a Decoy OS + Hidden OS setup with veracrypt successfully a week ago. After a recent windows update on my hidden OS, I can no longer boot into my hidden OS. The veracrypt boot loader appears fine as I can enter my Hidden OS password and it verifies it OK, then a "Booting.." message appears and doesn't go beyond that.

I can boot to the Decoy OS by using the Decoy OS password, mount the hidden system partition and browse any files but can't boot into the Hidden OS. I have created a rescue disk from the Decoy OS and ran the fix header thing but didn't fix any issues, it didn't help.

Any advice? I can happily pay for the efforts in helping me resolve this issue without reinstalling.

Thanks in advance.

ghost commented 1 year ago

Enable verbose boot to see where it hangs or enable minimal mode boot. If updates didn't finish installing, they will fail and the changes will be rolled back.

cap3pugliese commented 1 year ago

> Enable verbose boot to see where it hangs or enable minimal mode boot. If updates didn't finish installing, they will fail and the changes will be rolled back.

Thanks for the quick reply, I really appreciate it.

In fact, I recall receiving a message from Windows 10 after rebooting saying that the update failed so it reverted the changes, then it asked me to reboot the PC again and that's when the "Booting.." appeared and I no longer had access to the Hidden OS.

How do I enable verbose boot or minimal mode boot? I assume I need to boot from the decoy OS, mount the hidden OS partition and make the changes manually there?

Any help is appreciated.

ghost commented 1 year ago

https://www.youtube.com/watch?v=ssq0QZNp0Kw

You need to do it for hidden os though

cap3pugliese commented 1 year ago

As I mentioned previously I can't enter the Hidden OS. The only thing I can do is mount the Hidden OS partition from the decoy OS.

ghost commented 1 year ago

Sure, but you can mount it and use some kind of tool like EasyBCD

cap3pugliese commented 1 year ago

Hello,

Unfortunately, that didn't work. I ended up restoring the whole partition using Macrium. It appears that every time I install the "2023-04 Cumulative Update for Windows 10 Version 22H2 for x64-based Systems (KB5025221)", Windows fails to apply it and when it reboots the hidden OS no longer boots. I have tried installing the update multiple times without luck.

Is there any way to prevent this from happening? I'm using veracrypt version 1.25.9

ghost commented 1 year ago

Veracrypt is incompatible with modern hardware and OS. It causes PC freezes on some systems as well as PC unable to post randomly (rare). It also significantly slows down PCIe disks operations. You can wait for cumulative update in May

patatetom commented 1 year ago

Hi, I don't know what is meant by "modern hardware" but I can say that on my hardware, a Lenovo X1 Carbon Gen8, I never encountered any problem with VeraCrypt. The only problem I had during my three years of use was linked to a Windows update that had overwritten the VeraCrypt bootloader: resetting it quickly solved this little problem. The problem I had at first was not related to VeraCrypt, which unlocked the system partition without any problem, but to Windows, which was stalling after deleting a partition. None of my other operating systems was bothered by this deletion: only Windows, which does not know/use UUIDs, was. For my part, I do not use the hidden partition (system) feature. I have since completely decrypted my Windows system partition and Windows still can't boot. Regards, lacsaP.

CloudstationApp commented 1 year ago

Hello cap3pugliese,

I have the exact same problem. I have a decoy and hidden OS. Hidden OS won't boot after Windows update. Can boot decoy and mount hidden. I also use veracrypt 1.25.9

Can you guide me on how you resolved this issue? Did you lose the hidden OS or files?

Please assist.

cap3pugliese commented 1 year ago

> Hello cap3pugliese,
>
> I have the exact same problem. I have a decoy and hidden OS. Hidden OS won't boot after Windows update. Can boot decoy and mount hidden. I also use veracrypt 1.25.9
>
> Can you guide me on how you resolved this issue? Did you lose the hidden OS or files?
>
> Please assist.

I didn't lose the hidden OS or files, they are still there. It's just that the Windows boot thing gets broken after the update, I suspect something within C:\Windows\Boot is changing. I ended up reinstalling, installing all the updates and then stopped the "Windows Update" Service so I don't get notified anymore about updates.

CloudstationApp commented 1 year ago

> > Hello cap3pugliese, I have the exact same problem. I have a decoy and hidden OS. Hidden OS won't boot after Windows update. Can boot decoy and mount hidden. I also use veracrypt 1.25.9 Can you guide me on how you resolved this issue? Did you lose the hidden OS or files? Please assist.
>
> I didn't lose the hidden OS or files, they are still there. It's just that the Windows boot thing gets broken after the update, I suspect something within C:\Windows\Boot is changing. I ended up reinstalling, installing all the updates and then stopped the "Windows Update" Service so I don't get notified anymore about updates.

Hi, thank you for your response. I have been battling with this the past week.

Please can you tell me how to go about re-installing the hidden OS given that I cannot access this OS and it cannot boot. How do I re-install; do I use a bootable Windows on USB? I use a laptop. Will I see the hidden partition given that it's encrypted and the veracrypt boot loader is the default? Please kindly guide me with the basics. Do I need to decrypt anything? If yes, how did you implement it when you had the issue? Thank you.

CloudstationApp commented 1 year ago

Hello cap3pugliese,

Please I await your comment.

cap3pugliese commented 1 year ago

Just a straight reinstall, delete everything, format and start from scratch. I didn't have the technical knowledge or guidance from veracrypt docs to resolve this without formatting and reinstalling. If you need to take a backup, just boot from the decoy OS, then open veracrypt and mount the hidden OS by entering your hidden OS password, back up your files and reinstall.

CloudstationApp commented 1 year ago

Thank you. I will get on with it now.

MillerB78 commented 1 year ago

After some testing on new hidden OS installs and old installs, my hypothesis is that the veracrypt hidden OS feature has a bug in the driver or the read-only feature enabled in the hidden OS on non-hidden encrypted volumes and will prevent any future windows security or defender updates in the future until it is fixed. Let me explain why and also that if the above happens in the original post how to at least fix that and get back to the OS before the update stopped the system from booting.

Fixing the boot OS hanging at "Booting..." after the hidden OS password is entered

You can fix this by either using the decoy OS (not recommended to keep plausible deniability) or by using a separate functioning hidden OS. First you will need to mount the hidden OS partition in veracrypt using the mount option "Mount partition using system encryption without pre-boot authentication". Next you will need to take ownership of a few protected hidden system files (many online resources on how to do this), at least one to start; if it doesn't work there are up to 3 more. I've had success with it working by just doing the one, and others required all 4.

Here is the list of files and locations that need to be replaced in order to fix the booting hang-up issue (rootdrive is the letter you assigned during the mounting process). Main cause of the issue is a corrupt bootmgr file during the update process (file 1), other files may be corrupt as well, but not always (files 2-4).

  1. rootdrive\Windows\Boot\PCAT\bootmgr to rootdrive
  2. rootdrive\Windows\Boot\PCAT\bootuwf.dll to rootdrive\Boot
  3. rootdrive\Windows\Boot\PCAT\bootvhd.dll to rootdrive\Boot
  4. rootdrive\Windows\Boot\PCAT\qps-ploc\bootmgr.exe.mui to rootdrive\Boot\qps-ploc

After the file has been replaced, unmount the drive and then boot to the hidden OS. You should see that it no longer hangs at "Booting..." and continues to load into Windows, where it will complete the undoing process of the failed update install. If you have the Pro version, I recommend using a group policy to pause all future Feature and Quality updates until this gets fixed.

Reasons I've come to the conclusion that there is a bug with veracrypt and some change caused by the new Cumulative Update

All testing was done using veracrypt version 1.25.9 and both Windows 10 Pro builds, 21H2 and 22H2 (ran tests twice for each build). After getting lucky and getting the 2023-05 Cumulative Update to install on an old hidden OS install, the system started having other issues. I noticed that I was no longer able to update Windows Defender with new protection updates and also that I could no longer copy files larger than approximately 250KB using the copy/paste method; the new copied files would not work and got corrupted. I used 7-Zip's built-in checksum and the files no longer matched. Tried all the usual fixes to fix each, but nothing worked. As for the copy/paste issue, it would work normally if copying from the hidden OS drive to an external encrypted hidden volume and vice versa. The copy/paste function seems to be broken with the built-in Windows Explorer, because I was able to copy/paste files larger than 250KB on the same hidden OS drive using a program like Teracopy.

With these weird issues I decided to do a fresh hidden OS install, but first update the OS to the latest 2023-05 Cumulative Update before using veracrypt to create the hidden OS. Everything went smoothly during the install process and it completed successfully. Once I booted in to the newly created hidden OS everything seemed fine, until I tried to copy/paste a file larger than 250KB and the same issue occurred. Same thing happened when I tried to update windows defender, the new protection updates failed to install, just like before.

To confirm my hypothesis I made sure the Cumulative Update would still install successfully on an encrypted OS using veracrypt. All decoy OS installs would install the update with no issues and all functions worked fine. Also confirmed that they would install on full system encryption drives (no hidden OS present) and UEFI encrypted systems, even one with a NVME drive, again no issues.

This is what led me to my hypothesis that the read-only feature enabled in the hidden OS or driver is causing the updates to fail and causes the bootmgr system file to become corrupted, which causes the hanging at "Booting..." when trying to boot into the hidden OS. Hopefully @idrassi or someone who is much better at coding than me will be able to find the time to look into this issue and be able to fix it, but as of now I don't see the hidden OS feature in veracrypt being an option in the future.
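
A read-only check for the file list in the comment above, added here as an example and not part of the original comment: it hashes each staged file under `Windows\Boot\PCAT` and its active counterpart on the mounted hidden OS partition, so you can see which of the four differ before replacing anything. The `-RootDrive` parameter and the helper name `Get-Sha256` are assumptions made for this example.

```powershell
# Added example (not from the thread): read-only comparison of the four boot files.
param(
    # Drive letter assigned when mounting the hidden OS partition, e.g. 'X:' (assumption)
    [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z]:$')] [string] $RootDrive
)

# Staged copy under \Windows\Boot\PCAT -> active location, as listed in the comment.
$pairs = @(
    @{ Src = 'bootmgr';                  DstDir = '' },
    @{ Src = 'bootuwf.dll';              DstDir = 'Boot' },
    @{ Src = 'bootvhd.dll';              DstDir = 'Boot' },
    @{ Src = 'qps-ploc\bootmgr.exe.mui'; DstDir = 'Boot\qps-ploc' }
)

function Get-Sha256 {
    param([string] $Path)
    # .NET file APIs read hidden/system files without wildcard resolution.
    if (-not [System.IO.File]::Exists($Path)) { return $null }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { return ([System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '') }
    finally { $fs.Dispose(); $sha.Dispose() }
}

foreach ($p in $pairs) {
    $src = [System.IO.Path]::Combine("$RootDrive\", 'Windows\Boot\PCAT', $p.Src)
    $dst = [System.IO.Path]::Combine("$RootDrive\", $p.DstDir, [System.IO.Path]::GetFileName($p.Src))
    $srcHash = Get-Sha256 $src
    $dstHash = Get-Sha256 $dst

    $status = if     (-not $srcHash)         { 'staged copy missing' }
              elseif (-not $dstHash)         { 'active copy missing' }
              elseif ($srcHash -eq $dstHash) { 'identical' }
              else                           { 'DIFFERENT' }

    # One result object per file pair; nothing on the volume is modified.
    [pscustomobject]@{
        Status       = $status
        Active       = $dst
        ActiveSha256 = $dstHash
        StagedSha256 = $srcHash
    }
}
```

A `DIFFERENT` result only shows that the active copy is not the staged one; it does not by itself prove corruption.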

yangu-hury commented 1 year ago

Try to put the Hidden OS into a single partition instead of 2 partitions like a System Reserved 100MB and a Windows System 250GB.

Try it this way. Install Windows into a partition marked as active (System Partition), then create a hidden OS with it. The problem may be the Hidden OS trying to write to the 100MB System Partition used by the decoy. Sometimes it is the EFI partition. Sure, Hidden is only for MBR now, so System Partition 100MB and not EFI Partition 100MB.

Do it like disk 0 shown in this example instead of disk 1. Please report if this happens with this layout.

image