VeraCrypt hanging on dismount
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
Hi all,
I'm running VeraCrypt v1.19 on Windows 10 Pro. I have internal one SSD and internal one HDD. On each drive I created 5 GB partitions and encrypted them with VeraCrypt. Each day I copy the contents of the SDD encrypted volume to the HDD encrypted volume.
Sometimes when I dismount the HDD volume on the HDD, VeraCrypt hangs. Windows writed (Not Responding) in the caption bar and I get the cirlcing cursor from hell while hovering over the app. According to Windows, the volume is fully dismounted (e.g., does not appear in Windows Explorer).
When I kill the VeraCrypt app and restart it, it shows the volume dismounted. When I mount it again, everything works fine. When I dismount the volume, everything is fine.
I started using TrueCrypt a few weeks ago. I see the dismount hang on the HDD every few days. I've never seen a hang on the SSD. CHKDSK reports the drive is fine.
Any ideas?
As a side note, the mounting time is painfully slow. It's at least 8x slower than TrueCrypt. Anything I can do to improve the mounting time?
Thanks,
Robert
Sounds like the controller on the HDD is going bad which means replacing the HDD. Check the Windows Event Logs for errors related to the HDD during/after the hang.
VeraCrypt uses higher iterations than TrueCrypt for the hash algorithms which results in slower mount times. You can control the number of iterations using the Personal Iterations Multiplier.
https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20(PIM).html
I saw two events in the Application event log related to VeraCrypt (see below). There were no events in any of the event log files indicating an HDD problem or failure. Any other ideas?
Log Name: Application
Source: Windows Error Reporting
Date: 6/24/2017 5:23:05 PM
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: DESKTOP-Q7B0HGK
Description:
Fault bucket 50, type 5
Event Name: AppHangXProcB1
Response: Not available
Cab Id: 0
Problem signature:
P1: VeraCrypt.exe
P2: 1.19.4.0
P3: 5804fc98
P4: ba88
P5: 134217760
P6: Amazon Music.exe
P7: 5.5.1.1028
P8:
P9:
P10:
Attached files:
\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER719D.tmp.csv
\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER71DD.tmp.txt
\?\C:\Users\rober\AppData\Local\Temp\WER844E.tmp.appcompat.txt
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppHang_VeraCrypt.exe_6f3baa12bbd8a93059adbfc24932fa772144d0ac_f75e4061_285e9dbe
Analysis symbol:
Rechecking for solution: 0
Report Id: 436c66b3-5a75-4b25-87d8-d7050c0c9878
Report Status: 268435456
Hashed bucket: 78dcd2f1a2984a8cd144ee72080818e8
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Windows Error Reporting"/>
<EventID Qualifiers="0">1001</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-06-25T00:23:05.855503000Z"/>
<EventRecordID>2519</EventRecordID>
<Channel>Application</Channel>
<Computer>DESKTOP-Q7B0HGK</Computer>
<Security/>
</System>
<EventData>
<Data>50</Data>
<Data>5</Data>
<Data>AppHangXProcB1</Data>
<Data>Not available</Data>
<Data>0</Data>
<Data>VeraCrypt.exe</Data>
<Data>1.19.4.0</Data>
<Data>5804fc98</Data>
<Data>ba88</Data>
<Data>134217760</Data>
<Data>Amazon Music.exe</Data>
<Data>5.5.1.1028</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER719D.tmp.csv
\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER71DD.tmp.txt
\?\C:\Users\rober\AppData\Local\Temp\WER844E.tmp.appcompat.txt</Data>
<Data>C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppHang_VeraCrypt.exe_6f3baa12bbd8a93059adbfc24932fa772144d0ac_f75e4061_285e9dbe</Data>
<Data>
</Data>
<Data>0</Data>
<Data>436c66b3-5a75-4b25-87d8-d7050c0c9878</Data>
<Data>268435456</Data>
<Data>78dcd2f1a2984a8cd144ee72080818e8</Data>
</EventData>
</Event>
Log Name: Application
Source: Application Hang
Date: 6/24/2017 5:23:05 PM
Event ID: 1002
Task Category: (101)
Level: Error
Keywords: Classic
User: N/A
Computer: DESKTOP-Q7B0HGK
Description:
The program VeraCrypt.exe version 1.19.4.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
Process ID: 1f2c
Start Time: 01d2ec42e7f01e9e
Termination Time: 18
Application Path: C:\Program Files\VeraCrypt\VeraCrypt.exe
Report Id: 436c66b3-5a75-4b25-87d8-d7050c0c9878
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Hang"/>
<EventID Qualifiers="0">1002</EventID>
<Level>2</Level>
<Task>101</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-06-25T00:23:05.934638300Z"/>
<EventRecordID>2520</EventRecordID>
<Channel>Application</Channel>
<Computer>DESKTOP-Q7B0HGK</Computer>
<Security/>
</System>
<EventData>
<Data>VeraCrypt.exe</Data>
<Data>1.19.4.0</Data>
<Data>1f2c</Data>
<Data>01d2ec42e7f01e9e</Data>
<Data>18</Data>
<Data>C:\Program Files\VeraCrypt\VeraCrypt.exe</Data>
<Data>436c66b3-5a75-4b25-87d8-d7050c0c9878</Data>
<Data>
</Data>
<Data>
</Data>
<Binary>430072006F00730073002D00700072006F00630065007300730000000000</Binary>
</EventData>
</Event>
I noticed in your first post that you copy using Windows Explorer from SSD to the VeraCrypt HDD and that the window status bar says not responding.
How many files and total size are you copying at once?
Are you using cascade encyption? As one example, Serpent > Twofish > AES?
Might be related to this issue.
https://sourceforge.net/p/veracrypt/discussion/technical/thread/fb8c352d/#06f2
https://veracrypt.codeplex.com/discussions/572258
I noticed that Amazon Music.exe was listed. I wonder if it is preventing the dismount.
I don’t use Windows Explorer for the file copy. I use SyncBack Free. I only copy the files that changed during the day or week (e.g., typically less than fifty files). The total encrypted volume contains 4,705 files, 217 folders, and takes up 1.2 Gb. They are mostly Office documents, QuickBook files, etc.
When setting up the encrypted volume, I took the defaults. Some of the volume properties are:
Type: Normal
Encryption algorithm: AES
Primary Key Size: 256 bits
Secondary Key Size: 256 bits
Block size: 128 bits
Mode of operation: XTS
PKCS-5 PRF: HMAC-SHA-512
Volume format version: 2
I ran the following experiment four times:
1. Mount the primary encrypted volume
2. Mount the secondary encrypted volume
3. Delete all of the files on the secondary encrypted volume
4. Use SyncBack Free to “sync” (aka, copy) all of the files from the primary encrypted volume to the secondary encrypted volume.
5. Dismount the secondary encrypted volume
6. Goto Step 2
Every time the secondary volume mounted and dismounted successfully.
At the start of each round, the physical memory in used foot print was about 5235 MB. During file copy physical memory in use rose to ~5547 MB. After each dismount and after shutting down SyncBack Free, physical memory in use shrank back down to ~5235 MB.
If there is a memory leak, I’m not seeing. Should I use a larger data set (e.g., more files, larger files)? Or should I keep the secondary encrypted volume mounted the whole time?
Regarding Amazon Music… I don’t have any files related to Amazon Music on the encrypted volume. Not sure how it could be adversely affecting the dismount. With the Amazon Music app running, I mounted and dismounted the secondaryencrypted volume 5 times. All operations were successful.
Any other ideas or experiments?
Thanks
You can use Microsoft's Process Explorer to determine what files are open or what is accessing the volume.
https://technet.microsoft.com/en-gb/sysinternals/processexplorer
Okay... the freeze happend again. I used Process Explorer and searched (Ctrl+F) for any files on "O:\" or "N:\" None were found. As mentioned before, accourding to Windows Explorer the encrypted volumes are dismounted. Process Explorer seems to concur.
A few additonal data points:
This time the dismount command froze while I was dismounting an encrypted file volume. Use VeraCrypt to create an encrypted volume in a 5 GB file that I keep in my OneDrive folder. Each time I dismount the encrypted file/volume, OneDrive sends a copy up to Microsoft's could. Yes, I'm a little anal about backups. I have multipe backups. :)
While looking at the Perforamance tab in Process Explorer on the VeraCrypt process, I noticed only the Cycles value is changing; the rest are static. It seems like VeraCrypt is waiting for something to close or free up. Oddly, on the Threads tab I noticed the number of Context Switches is increasing. How can context switches occur without increasing CPU time?
I also noticed one of my Windows Explorer processes is hung. Unlike the VeraCrypt app, I don't get a waiting cursor while hovering over it; I get a normal cursor. However, when I click anywhere within the Windows Explorer windows, nothing happens. When I attempt to move the window via drag and drop, nothing happens. When I attempt to minimize or close the Explorer window via the buttons in the upper right corner nothing happens. When I view the Performance tab for the Windows Explorer process, CPU time is slowly increasing and within the Virtual Memory group Private Bytes and Page Faults continue to climb. I can create new instances that work fine.
A attached screen shots of the VeraCrypt and Windows Explorer processes. The A version was captured. Roughly 30 seconds later the B version was captured.
I also checked the System and Application event logs. There are NO new events.
Next idea?
Oh... and I'll keep the hung VeraCrypt process up and running for a while long, in case you to more information about it.
Have you tried disabling Microsoft OneDrive to see if the hang reoccurs within a time period that you experience the hang?
I "paused" OneDrive sync for 2 hours. Nothing changed. The VeraCrypt app and the Windows Explorer instance are stil hung.
Shutting dow the OneDrive app did nothing either.
Which antivirus software are you using on your PC?
Have you tried disabling the AV?
I'm using MalwareBytes for my AV protection.
I started the Malwarebytes client and then tried to exit the app. It wouldn't so I started Task Manager and tried to kill the Malwarebytes client app process. It didn't want to die. After about 30 seconds or so the Malwarebytes client app died. The VeraCrypt and Windows Explorer window unfroze and appear to be working normally. Interesting. I'm going to uninstall Malwarebytes and continue running the mini "stress" tests I mentioned above (e.g., mount, copy, dismount, etc.). I'll let you know what I find.
I used to run Malwarebytes until 3.x version came out and caused me a lot of slowness and PC instability issues. I have deinstalled Malwarebytes.
http://downloads.malwarebytes.org/file/mbam_clean
Many complaints on the Malwarebytes forums for various issues.
https://forums.malwarebytes.com/forum/41-malwarebytes-3/
I uninstalled Malwarebytes AV software, paused OneDrive sync and conducted the following test 10 times:
Via VeraCrypt’s Mount Favorite Volumes command mounted the following:
Primary encrypted volume, a 5GB non-system partition on the SSD
Backup1 encrypted volume, a 5GB non-system partition on the HDD
* Backup2 encrypted volume, a 5GB encrypted file container on the HDD in a OneDrive folder
Deleted all the files on Backup1 and Backup2
Using SyncBack Free, copied all of the files from Primary to Backup1 and Backup2
Dismounted all encrypted volumes
Each round was successful. No hangs or delays of any kind.
It seems the Malwarebytes AV software was gumming up the works. Bummer. =/
Thanks for all of your help. Much appreciated. Now I can get back to protecting my important files without concern.
Do know of any AV that is effective and works well with VeraCrypt?
I have decided to use Windows built-in Defender and save my money from using other AV solutions that have become bloatware with anti ransomware, firewall, PUP (Potentially Unwanted Programs) etc.