Hello, unfortunately my Windows restarts after I enter the password for VC and I have no rescue disk. I tried to add to DcsProp ActionSuccess postexec file(shell.efi). I got access to the shell, but it only works with the decoy password. On the hidden OS I got the message:
Success
start...
Can't exec EFI\VeraCrypt\Shell.efi start partition bbbbb-bbbb...
Status Not Found
I have the decoy and hidden OS on different SSDs.
I tried to specify the GUID in ActionSuccess. I took the GUID from the map command via shell.efi.
postexec file(EFI\VeraCrypt\Shell.efi) guid(aaaaa-aaaa..)
but still got the error can't exec(bbbbb-bbb) Not Found
When I get access to the EFI shell on the decoy system via postexec file(shell.efi) I still can't read the filesystem (without postexec I can load the OS normally). So I don't know if it's possible to mount volumes via this shell. So can you give some advice on restoring files at this point? Maybe it's possible to generate svh_bak with some script via postexec?
Looks like svh_bak is needed for "Restore OS header keys".
Should the Decrypt OS function work fine without svh_bak? I got Auth fail with the right password, but got Success if I just try to boot.
Update
Looks like the Decrypt OS function does not work with a hidden OS:
"Repair Options > Permanently decrypt system partition/drive. Enter the correct password and wait until decryption is complete. Then you can e.g. boot your MS Windows setup CD/DVD to repair your Windows installation. Note that this feature cannot be used to decrypt a hidden volume within which a hidden operating system resides (see the section Hidden Operating System)"
I was able to load Shell.efi from the hidden OS with this ActionSuccess:
exec guid(xxxx-xxx...) file(EFI\VeraCrypt\Shell.efi)
But I still can't see any partitions from the hidden OS.
So I'm still looking for a way to access the files of the hidden OS.
Last edit: Ozzy 2021-12-25
I'm not familiar with the hidden OS feature, so I cannot assist on recovering your system. But if you want to rescue valuable data, I would recommend trying to mount your hidden OS using a live Linux and the following mount options:
- Mount volume as read-only
- Mount partition using system encryption (preboot authentication) (try with and without this option)
- Do not mount
If it doesn't work, try again with additional mount option "Use backup header embedded in volume if available".
When you get no error, you can try to mount the filesystem, in case it is not damaged. If everything works out, I'd copy as much valuable data as possible to a safe place. This way you should at least get your data back.
Greets
Thanks for the reply. Unfortunately it did not work. I was able to mount the decoy but not the hidden one.
You tried all permutations of the mount options above? Strange. This would mean that either the provided credentials for the hidden OS are wrong or the main and backup volume header of the hidden OS volume are both damaged. If that's the case, afaik, there's nothing one could do without a backup of the volume header.
Yes, I tried all.
Hidden OS installation requires a USB drive to keep the keys on it (authorization USB). But there is an option to create a small partition for the keys. So I used a separate small partition for the keys. And DcsProp has the option SecRegionSearch to specify the region where to search for keys. But on the desktop there is no such option. I can only select a file or enter the key manually. So at this point I hope it's not damaged.
Found a description of this region.
Security Regions were defined by VeraCrypt creators to support HOS and improve the concept of the volume encrypted header with keys. SR can contain configuration data (e.g. GPT). The structure of SR is:
sector 1 - header with keys (pwd encrypted)
sector 2 - table of extra data (header key encrypted)
sectors with GPT (header key encrypted)
sectors with execute parameters (header key encrypted)
So I used the tool DcsFV and it found a volume on my small partition. It tells at which block number it is located. It also shows encryptedAreaStart and EncryptedAreaLength; they are the same as when I try to boot and get the Success message.
Also I found in the manual:
The USB can contain several tools:
1. DCS RE (rescue menu)
2. EFI Shell to boot from the USB and use DcsCfg tool.
3. Windows PE (preinstall environment)
You will be able to test and mount HOS (apply gpt_enc, start veracrypt portable to mount, use FAR or any other tools to work with encrypted volumes)
Windows PE can be generated via Windows ADK.
Looks like it's possible to mount the hidden OS from another OS. But I don't understand what "apply gpt_enc" means. As I understand it, gpt_enc is the same as svh_bak and the same as "sectors with GPT (header key encrypted)" from the security region. So in theory it's possible to get it using dd and decrypt it.
Last edit: Ozzy 2021-12-27
Sorry, that's out of my scope. Hope the dev will hop in and provide some hints.
Greets
Solved
I have successfully recovered my OS.
I dumped the secregion using
DcsCfg -srdump -ds
Then decrypted the dump with
DcsCfg -pd -aa
Then applied the decrypted GPT with
DcsCfg -pf -pa -ds
After that I was able to mount my hidden OS from a live CD with the "without pre auth" option.
The file system was corrupted. I clicked repair disk in VeraCrypt and it fixed the file system. After that I was able to boot into my hidden OS.
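A decrypted GPT like the one recovered above can be sanity-checked offline before it is applied to a disk. This is an added example, not part of the original posts or of the VeraCrypt/DCS tools; it assumes the decrypted dump holds a standard GPT header on a 512-byte sector boundary with the partition entry array at its usual relative position. `check_gpt` and `build_sample` are hypothetical names and the sample image is constructed.

```python
import struct
import zlib

SECTOR = 512  # assumed logical sector size of the dump

def check_gpt(blob, sector=SECTOR):
    """Validate every GPT header found on a sector boundary in blob."""
    reports = []
    for off in range(0, len(blob) - 91, sector):
        if blob[off:off + 8] != b"EFI PART":
            continue
        hdr_size, stored_crc = struct.unpack_from("<II", blob, off + 12)
        my_lba, = struct.unpack_from("<Q", blob, off + 24)
        ent_lba, n_ent, ent_size, ent_crc = struct.unpack_from("<QIII", blob, off + 72)
        rep = {"offset": off, "header_ok": False, "entries_ok": None, "used": None}
        reports.append(rep)
        if not 92 <= hdr_size <= sector:
            continue
        hdr = bytearray(blob[off:off + hdr_size])
        hdr[16:20] = bytes(4)  # header CRC32 is computed with its own field zeroed
        rep["header_ok"] = zlib.crc32(hdr) == stored_crc
        # Assumption: entries keep the same LBA distance from the header inside the dump.
        ent_off = off + (ent_lba - my_lba) * sector
        ent_len = n_ent * ent_size
        if ent_off < 0 or ent_len == 0 or ent_off + ent_len > len(blob):
            continue  # entry array not contained in this file, cannot verify it
        entries = blob[ent_off:ent_off + ent_len]
        rep["entries_ok"] = zlib.crc32(entries) == ent_crc
        # An entry is in use when its partition type GUID (first 16 bytes) is non-zero.
        rep["used"] = sum(any(entries[i:i + 16]) for i in range(0, ent_len, ent_size))
    return reports

def build_sample():
    """Constructed image: one zero sector, a GPT header, 128 entries (one in use)."""
    entries = bytearray(128 * 128)
    entries[0:16] = bytes(range(1, 17))  # made-up non-zero partition type GUID
    hdr = bytearray(SECTOR)
    struct.pack_into("<8sIII", hdr, 0, b"EFI PART", 0x00010000, 92, 0)
    struct.pack_into("<QQQQ", hdr, 24, 1, 0xFFFF, 34, 0xFFDE)
    struct.pack_into("<QIII", hdr, 72, 2, 128, 128, zlib.crc32(entries))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr[:92]))
    return bytes(SECTOR) + bytes(hdr) + bytes(entries)

if __name__ == "__main__":
    for report in check_gpt(build_sample()):
        print(report)
```

A report with `header_ok` or `entries_ok` set to False means the blob was decrypted with the wrong key or is damaged, and should not be written to the disk.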
Why so long moderation?
Moderators are volunteers and are not always available due to other obligations.