"Page fault in nonpaged area" error with Veracrypt 1.23 hotfix 1
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
Hi, I have a one-year-old MSI laptop with Windows 10. I previously used Veracrypt 1.19 for full system encryption, but I decrypted the system in order to do the recent Win10 update to build 1809. After the update I wanted to update Veracrypt, so I uninstalled 1.19, rebooted and installed 1.23 hotfix 1. Now when I open Veracrypt and click on System > Encrypt System Partition/Drive, I get a "page fault in nonpaged area" BSOD error stating that the problem was caused by veracrypt.sys. My computer then restarts. The error happens the moment I click on the menu item - the system encryption wizard doesn't even start. Like I said, Win10 is fully updated, the same is all the drivers I have checked (via Device Manager) and Kaspersky Internet Security, but the problem persists. A while ago I added files from my computer created with Mounir's tool to the topic about Secure Boot keys, but just to make sure, I tried disabling secure boot and tried running the system encryption wizard again, but I still got the error message. Can anyone help? Thanks!
Last edit: John P 2018-10-04
Additional info: I found a website recommending disabling automatic management of the Windows page files as a possible solution to "Page fault in nonpaged area" errors, so I tried that. I was then able to open the system encryption wizard, and I got as far as to the random mouse movements window, but when I had done the mouse movements and clicked Next, I again got the "Page fault in nonpaged area" error. I don't know if this is relevant, but now you know. I hope someone can tell me how to overcome this problem to be able to encrypt my system.
Another update: I tried various things that are recommended when you get the "Page fault in nonpaged area" error, including scandisk and updating the drivers I could find in Device Manager with upgrades available. I also updated my BIOS and (re-)disabled Secure Boot just to make sure that wasn't the problem. Nothing helped. I then replaced VeraCrypt 1.23 Hotfix 1 with version 1.23. I was now able to pass the random mouse movement window, but when I click Next in that window I first get a VeraCrypt error saying: "The VeraCrypt boot loader is already installed on your system. It is possible that another system on your computer is already encrypted. Are you sure you want to continue?" I click Yes, and in the next window when I try to create the rescue disk file I get another error from VeraCrypt saying: "The file was not found. Source: VeraCrypt:: BootEncryption:: CreateRescueIsoImage: 3486". I have tried selecting other folders and entering file names in the window, but nothing helps. This is getting very strange! I really hope someone can help me figure out what is going on.
Thank you for this detailed report.
A bug was indeed introduced in 1.23-Hotfix-1 that was causing BSOD in many cases. I have fixed this issue and I have just published 1.23-Hotfix-2 to nightly builds folder.
Concerning the error you are getting when downgrading to 1.23, it is becausing the bootloader from 1.23-Hotfix-1 is still present after BSOD and it has changed the default Windows bootloader and so 1.23 can not find it.
To fix the problem, you will need to execute several commands in an elevated command prompt. Open a command promp as an administrator (right click followed by run as administrator) and then type the following commands:
After this, reboot the machine and you will be able to encrypt your system as usual.
Hi Mounir,
Thanks a lot for your help. Unfortunately, after I wrote my last message and before I got your reply, I decided to reinstall VeraCrypt 1.19, which is the latest version I have been able to get to work. After installing it and encrypting the system, I had to do a Windows system restore (the one with "restore points") for non-VC-related reasons, but after restart I could not boot (is Windows system restore incompatible with system encryption?). I tried the VC rescue disc followed by the rescue disc 1.19 bugfix, but it did not help, and I had to reinstall Windows.
I then tried to install VC 1.23 hotfix 2, but I still get the error message "The VeraCrypt boot loader is already installed on your system. It is possible that another system on your computer is already encrypted. Are you sure you want to continue?" I tried saying Yes and continued to the test restart, but I could not boot after the test restart (before actual system encryption began), and I once again reinstalled Windows.
By now I had seen your message and tried your list of commands. I got as far as the second-to-last one, which gave an error about Unknown path. I tried to reduce the 4 periods (dots) before the first backslash to 2, and the command was accepted. I got the same error with the last command, again tried to reduce to 2 dots, but this time the command was still not recognized. I tried to reboot anyway, but when starting the system encryption wizard I still get the error message about the bootloader already being installed. This time I aborted the proces as I was tired of reinstalling Windows, and instead I wanted to ask you what the best way forward is.
Is the VC bootloader still on my hard drive after the reinstallations of Windows? Can I change something in your commands to get them to work? If a reinstallation of Windows does not remove the VC bootloader, perhaps this is why I have been unable to get any later versions than 1.19 to work? I have had secure boot disabled just to make sure that it doesn't create problems, but do you know/remember if you added the secure boot data for my computer (which I uploaded some time ago in the forum thread for that purpose) - an MSI GP72 6QF?
Hi Mounir,
Any chance for some further help based on my latest info above?
Thanks!
I read your post several times and I was not able to make sens of the issue, so something is missing that makes it difficult to have a good assessment.
I would need a detailed information about the content the EFI partition. By that, I mean listing of all files inside the folders "EFI\Boot", "EFI\VeraCrypt" and "EFI\Microsoft\Boot" alongside their size and timestamp. This can be done for example by copying the output of the command
dir *in the command prompt once inside each directory.Also, since VeraCrypt 1.23 bootloader is signed by Microsoft, SecureBoot should be enabled and the EFI keys can be reset to factory values. This will also ensure that the machine is running EFI mode and not legacy MBR mode.
Since reinstalling Windows seems to be OK for you, the last resort solution is to format the EFI System partition during the installation process. At one point, Windows installation process will show available disks and partitions and their you can select the EFI System partition and then choose to format it. This way, you will have the guarantee that there will be no traces of previous VeraCrypt bootloader.
That's what I can say for now and sorry for the late answer.
Please don't apologize for helping, even if it takes a while - I am very grateful that you want to spend your time on it! :-)
I have created screendumps of the directories "EFI\Boot" and "EFI\Microsoft\Boot" (attached) - that was the easiest way to do it. There is no VeraCrypt folder in the EFI partition, which I guess sounds strange. In the root of the EFI partition is one folder, EFI, which contains 3 folders, Microsoft (with subfolders Boot and Recovery), Boot (with no subfolders) and MSI (also with subfolders Boot and Recovery - the contents of these subfolders seem almost identical to the contents of the subfolders in Microsoft, except that Microsoft\Boot contains 21 files and 43 directories while MSI\Boot contains 17 files and 43 directories). If you need further info on this, please let me know.
About your instructions in 8 points in your post from 10 October, are you sure they are written correctly? I am confused by your use of "...." (four dots/periods). I am not an expert, but as far as I remember from the good old DOS days, four dots were not used. One dot means current directory, two means one level up - but four? Like I wrote before, I never got them to work with four dots, one of them I got to work using two dots, the other one did not work even with two dots. Did I do something wrong? Was I supposed to replace the four dots with the name of a directory?
With regard to your suggestion to format the EFI partition during installation process, first of all, I assume that would require another reinstallation of Windows (rather than just aborting the installation after the formating of the EFI partition)? Secondly, the last time I reinstalled I wanted to format the c: partition, but that option was grayed out. I did not try to select the EFI partition to see if the Format button was grayed out for that partition, too, but I guess if the c: partition could not be formated, probably the EFI partition could not, either. Any advice on this if I decide to do another reinstallation? If I understand you correctly, VC 1.23 hotfix 2 should work on my PC so it would be worth the trouble (but I really would rather avoid another reinstallation...)? Would it be an option to try to repair the MBR as described here: https://neosmart.net/wiki/fix-mbr/?
Last edit: John P 2018-10-20
Thank you for the screendumps, they explain everything!
You are right: the 4 dots are not correct. I wrote 2 dots followed by a backslash and then 2 dots but somehow Sourceforge system remove the backslash leaving 4 dots and I didn't notice!
The good news is that my first instructions will fix the problem (after fixing 4 dots ). Here they are again in the correct format (I put them in code section to avoid text issues):
So formatting is not needed and you can use 1.23-Hotfix-2 to encrypt your system.
Let me know if you still encounter problems.
I just ran your list of commands, and they worked. Just one thing: I had already installed VC 1.23 hotfix 2 before I ran your commands (to use with file containers). After running your list of commands and rebooting, I un- and reinstalled 1.23 hotfix 2 just to make sure that the installation is OK. Does this change anything, or should I be able to encrypt my system with 1.23 hotfix 2?
Thanks for the confirmation.
You should be able to proceed with encryption normally and reinstalling VeraCrypt has no effect on this.
Hi again, I went through another attempt at encrypting my system. I got to the test restart, but then I could not get my PC to boot. I didn't even get the VC password prompt. My PC would shut down right after the manufacturer logo at the point where the VC password promt would normally be shown. It was a sort of "hard" shutdown that sounded as when you keep the On button pressed to force a pc to shut down if you know what I mean. I made sure that the VC bootloader was first in line in the BIOS (for some reason it always gets added below the Windows bootloader on my PC so I have to change the order manually), and tried many more times while each time switching other options around (Secure Boot on/off, using the Decrypt option from the VC rescue disk etc.), but nothing helped. My Windows installation USB could not even do a start repair. The only reason I was able to get the PC to boot was to open a command prompt from the installation USB and run your 8-point instructions. After that, I was able to boot again. But something is obviously still going wrong. So I am really sorry, but I have to ask: do you have any other ideas?
Normally during Pre-Test, the PC should reboot automaticallt twice. During the first reboot, VeraCrypt bootloader performs some low level tasks and then it forces the machine to reboot and only after the second boot the password prompt is displayed.
If I understand correcly, after the first reboot, the PC shutdown and didn't reboot again and if you try to boot again, it continue to shutdown every time. Is this correct?
I don't see any obvious reason why the PC would shutdown instead of rebooting or displaying VeraCrypt prompt.
At this point, I would propose resetting SecureBoot keys in the BIOS to factory values since you said that you previously loaded VeraCrypt custom EFI keys. It is possible that the fact that VeraCrypt 1.23 bootloader is signed by Microsoft is causing issues with custom SecureBoot keys although it should not. That's why I think that resetting SecureBoot keys to original values might help.
I really appreciate your continued patience with this - it is very strange.
Just to explain in more detail what happened: After finishing the system encryption wizard and shutting down the PC, the PC started up, and I pressed Delete to open Bios settings. Here, I put the VeraCrypt bootloader first in the list of bootloaders with the Windows bootloader as no. 2 - I have found out that I have to do this because for some reason the VeraCrypt bootloader is always added to the list as no. 2 after the Windows bootloader, which obviously does not work. This is "standard procedure" for me with this PC and usually works fine when I use VC 1.19 and successfully encrypt the system. I then saved changes to the Bios, and the PC restarted, showed the manufacturer logo, and did a "hard shut down" - meaning that it turns itself off while making a sound as if the power button was held down to force the PC to shut down. It gives a little "poof" sound which is different from a "normal" shutdown which does not really make any sounds. I mention this because it tells me that it was not a "controlled" shutdown/reboot - something unusual happened and made the PC shut down. After this "hard shut down", it went into an endless cycle of restarts and "hard shut downs". So I don't think it even finishes the first phase you mention where it is supposed to do low-level stuff. The VC passphrase prompt is never shown.
I am not sure what you mean when you write that I should have "loaded VeraCrypt custom EFI keys". I don't know what that means. I earlier wrote that I used the small program that you wrote to extract some info from my PC in order to make PCs compatible with Secure Boot. The extracted files I uploaded to this forum in the thread dedicated to this purpose (you can find my post of 2018-06-07 on page 2 here: https://sourceforge.net/p/veracrypt/discussion/technical/thread/ace1e682/?page=1). Perhaps this is what you are referring to? But afaik this process was an extraction of data from my PC, not a loading of anything into the PC. If you believe that I should reset SecureBoot keys, can you explain how I should do that?
In the BIOS for MSI, arrow over to the Security tab and arrow down to Secure Boot menu. Is there a restore or reset to factory keys once you are in the Secure Boot menu?
There are 2 settings under Secure Boot: Enabled/disabled and Standard/Custom. I am attaching a screenshot of the custom settings. But I am sure that I have never changed any of these settings - I have only switched between enabled and disabled.
Hi Mounir, did you have time to think any more about my case?
Hi again, I don't mean to be pushy but I am still hoping for help solving this strange problem that prevents me from using any version after 1.19.
Hi, I never heard back from anyone on this. Now Windows 10 wants to update to version 1903, and I am pretty sure I can't without decrypting my system. Can anyone tell me if the latest version (beta or official) of Veracrypt will solve this problem? If yes, should I upgrade Veracrypt and then try updating Windows (without decrypting), or should I still decrypt my system, upgrade Windows, and then install the latest version of VC? As you can see above in this thread, previously I have had big problems using any version after 1.19, even after decrypting my system. - have these issues been fixed? Will my security be significantly affected by continuing to use 1.19 if I choose this option in order to avoid the risk of losing access to my harddisk and having to re-install everything?
Thanks!
Last edit: John P 2019-06-04