Unable to access Hidden OS during Windows update

cari
2023-04-13
2024-07-11
  • cari

    cari - 2023-04-13

    It appears that every single time I try to install the "2023-04 Cumulative Update for Windows 10 Version 22H2 for x64-based Systems (KB5025221)", Windows fails to apply it, and when it reboots the hidden OS no longer boots (the decoy OS and outer volume work fine).

    Have tried installing the update multiple times without luck. Restoring the whole partition using Macrium fixes the issue, but I can't install this update.

    Is there any way to prevent this from happening? I'm using VeraCrypt version 1.25.9.

    Any help is highly appreciated!

     

    Last edit: cari 2023-04-13
  • crbrac

    crbrac - 2023-04-14

    Decrypt > Install Update > Reencrypt, maybe OR give the CU a miss and hope the next one behaves (assuming it's Windows related). Don't count on Windows to hunker down though.

     
    • cari

      cari - 2023-04-14

      Thank you for the quick reply, I really appreciate it. I didn't know I could decrypt a Hidden OS, do I do this from within the decoy OS?

      I'm sorry, what's the OR/CU meaning?

       
  • crbrac

    crbrac - 2023-04-17
    I didn't know I could decrypt a Hidden OS
    

    Nor do I. Couldn't find anything in the documentation. You're better off waiting for inputs from those who have experience with Hidden OS, which I don't. You can only hope some of the nerds on here drop by, eventually. It's usually a deserted place this.

    OR = or and CU = Cumulative Update :)

     
  • Jack Reece

    Jack Reece - 2023-05-10

    bump, I am interested in knowing the correct method to decrypt and then re-encrypt a Hidden OS using the recovery key?

     
  • millerb78

    millerb78 - 2023-06-13

    I originally posted this on GitHub and thought it would be useful here as well. If some references don't make sense, it's probably referring to a post from GitHub, sorry. All other info should be useful.

    After some testing on new hidden OS installs and old installs, my hypothesis is that the VeraCrypt hidden OS feature has a bug in the driver or the read-only feature enabled in the hidden OS on non-hidden encrypted volumes and will prevent any future Windows security or Defender updates in the future until it is fixed. Let me explain why, and also, if what is described in the original post happens, how to at least fix that and get back to the OS before the update stopped the system from booting.

    Fixing the boot OS hanging at "Booting..." after the hidden OS password is entered.

    You can fix this by either using the decoy OS (not recommended to keep plausible deniability) or by using a separate functioning hidden OS. First you will need to mount the hidden OS partition in VeraCrypt using the mount option "Mount partition using system encryption without pre-boot authentication". Next you will need to take ownership of a few protected hidden system files (there are many online resources on how to do this), at least one to start; if it doesn't work, there are up to 3 more. I've had success with it working by just doing the one, and others required all 4. Here is the list of files and locations that need to be replaced in order to fix the booting hang-up issue (rootdrive is the letter you assigned during the mounting process):

    Main cause of the issue is a corrupt bootmgr file during the update process (file 1); other files may be corrupt as well, but not always (files 2-4).

    1. rootdrive\Windows\Boot\PCAT\bootmgr to rootdrive
    2. rootdrive\Windows\Boot\PCAT\bootuwf.dll to rootdrive\Boot
    3. rootdrive\Windows\Boot\PCAT\bootvhd.dll to rootdrive\Boot
    4. rootdrive\Windows\Boot\PCAT\qps-ploc\bootmgr.exe.mui to rootdrive\Boot\qps-ploc

    After the file has been replaced, unmount the drive and then boot to the hidden OS. You should see that it no longer hangs at "Booting..." and continues to load into Windows, where it will complete the undoing process of the failed update install. If you have the Pro version, I recommend using a group policy to pause all future Feature and Quality updates until this gets fixed.

    Reasons I've come to the conclusion that there is a bug with VeraCrypt and some change caused by the new Cumulative Update

    All testing was done using VeraCrypt version 1.25.9 and both Windows 10 Pro builds, 21H2 and 22H2 (ran tests twice for each build).

    After getting lucky and getting the 2023-05 Cumulative Update to install on an old hidden OS install, the system started having other issues. I noticed that I was no longer able to update Windows Defender with new protection updates and also that I could no longer copy files larger than approximately 250KB using the copy/paste method; the new copied files would not work and got corrupted. I used 7-Zip's built-in checksum and the files no longer matched. Tried all the usual fixes to fix each, but nothing worked. As for the copy/paste issue, it would work normally if copying from the hidden OS drive to an external encrypted hidden volume and vice versa. The copy/paste function seems to be broken with the built-in Windows Explorer, because I was able to copy/paste files larger than 250KB on the same hidden OS drive using a program like Teracopy.

    With these weird issues I decided to do a fresh hidden OS install, but first update the OS to the latest 2023-05 Cumulative Update before using VeraCrypt to create the hidden OS. Everything went smoothly during the install process and it completed successfully. Once I booted into the newly created hidden OS everything seemed fine, until I tried to copy/paste a file larger than 250KB and the same issue occurred. Same thing happened when I tried to update Windows Defender: the new protection updates failed to install, just like before.

    To confirm my hypothesis I made sure the Cumulative Update would still install successfully on an encrypted OS using VeraCrypt. All decoy OS installs would install the update with no issues and all functions worked fine. Also confirmed that they would install on full system encryption drives (no hidden OS present) and UEFI encrypted systems, even one with an NVMe drive, again no issues.

    This is what led me to my hypothesis that the read-only feature enabled in the hidden OS or driver is causing the updates to fail and causes the bootmgr system file to become corrupted, which causes the hanging at "Booting..." when trying to boot into the hidden OS. Hopefully @idrassi or someone who is much better at coding than me will be able to find the time to look into this issue and be able to fix it, but as of now I don't see the hidden OS feature in VeraCrypt being an option in the future.
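
A read-only check to go with the procedure in millerb78's post above, as an added example that is not part of the original thread: it hashes the four installed boot files and their copies under Windows\Boot\PCAT on the mounted hidden OS volume and reports which pairs differ, so only the differing files need replacing. The drive letter X: and the helper name Get-Sha256OrNull are assumptions; a differing hash shows the two copies are not identical, which is not by itself proof of corruption.

```powershell
# Added example (not from the thread). Hashes files only; copies and changes nothing.
param(
    # Assumption: the letter assigned when mounting the hidden OS partition.
    [string]$RootDrive = 'X:'
)

$root = $RootDrive.TrimEnd('\')

# Replacement source -> installed location, as listed in the post (files 1-4).
$pairs = @(
    @{ Reference = 'Windows\Boot\PCAT\bootmgr';                  Installed = 'bootmgr' },
    @{ Reference = 'Windows\Boot\PCAT\bootuwf.dll';              Installed = 'Boot\bootuwf.dll' },
    @{ Reference = 'Windows\Boot\PCAT\bootvhd.dll';              Installed = 'Boot\bootvhd.dll' },
    @{ Reference = 'Windows\Boot\PCAT\qps-ploc\bootmgr.exe.mui'; Installed = 'Boot\qps-ploc\bootmgr.exe.mui' }
)

# Returns the SHA-256 of a file, or $null when the file does not exist.
# -LiteralPath avoids wildcard handling and works for hidden/system files.
function Get-Sha256OrNull([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
}

$report = foreach ($p in $pairs) {
    $refHash  = Get-Sha256OrNull "$root\$($p.Reference)"
    $instHash = Get-Sha256OrNull "$root\$($p.Installed)"

    if (-not $refHash) {
        $status = 'REFERENCE MISSING'
    } elseif (-not $instHash) {
        $status = 'INSTALLED MISSING'
    } elseif ($refHash -eq $instHash) {
        $status = 'identical'
    } else {
        $status = 'DIFFERENT'
    }

    [pscustomobject]@{
        Installed     = "$root\$($p.Installed)"
        Status        = $status
        InstalledHash = $instHash
        ReferenceHash = $refHash
    }
}

$report | Format-List
```

Run it from an elevated PowerShell session in the OS where the partition is mounted; running it again after replacing a file confirms the installed copy now matches the PCAT copy.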

     
    • gebars

      gebars - 2024-07-11

      It looks like the same bug still exists with VeraCrypt version 1.26.7:
      after installing a recent Windows 10 update for the hidden OS, the VeraCrypt boot loader stopped working for the hidden OS. After all that, I decided to do a fresh install of both the decoy and hidden OS. So I've installed Windows 10 Pro 22H2, applied all available Windows updates, installed VeraCrypt 1.26.7 and created hidden OS and decoy OS partitions.
      I can boot into both partitions. The decoy OS is working perfectly fine, but the hidden OS has the same problems that were mentioned by @millerb78: Windows Defender updates don't work, Windows updates don't work either, some files got corrupted, i.e. digital signatures were changed, and WSL stopped working altogether.
      @millerb78 Do you know what was the last Windows update that still didn't have these problems? Was it the May 2023 Windows update that first stopped working as a hidden OS?
      Is anyone else having these problems with recent versions of Windows 10 installed as a hidden OS?

       

      Last edit: gebars 2024-07-11
