[Solved] HP ASUS DELL VeraCrypt Automatic Repair Loop DcsBoot.efi Bootloader Fix
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
EDIT: It is worth noting that you must have secure boot disabled and legacy support enabled in the BIOS(f10 or f12), preferrably before you perform these steps.
I am posting this because I have only seen partial fixes on several forums, with little explanation. This guide offers a COMPLETE solution that even inexperienced users may follow. HP and other boot loaders are all slightly different from one another. Specifically for this issue,the bootloader tries to load EFI\Microsoft\Boot\Bootmgfw.efi and does not include the VeraCrypt EFI to the list, even after VeraCrypt installation. On most computers, the VeraCrypt EFI is appended to the boot list and a simple change in boot order is needed. The reason windows tries to repair the disk is that it is trying to directly load the encrypted disk without the prior VeraCrypt authentication. In layman's terms, it is trying to load jumbled “encrypted” data, so it thinks that the disk has been corrupted. In the case of HP (or other computers with this issue) we can CAREFULLY change a few things to come to a solution. I don’t know if I need to say this, but just in case: When typing these commands into command prompt add all of the text within the quotations… Not the actual quotations themselves. Spacing and capitalization are important.
To fix the issue you can do the following:
1 Hit windows key, type “cmd”, right click command prompt and select “Run as Administrator”
2 Type: “mountvol o: /s” and hit enter
3 Type: “ren o:\EFI\Microsoft\Boot\bootmgfw.efi bootmgfw_ms.efi” and hit enter
4 Type: “notepad o:\EFI\VeraCrypt\DcsProp” and hit enter
5 A notepad window should have appeared. Enter the following text to the top of the list:
“<config key="ActionSuccess">postexec file(EFI\Microsoft\Boot\bootmgfw_ms.efi)</config>”
It should look like:
<tag>
<config key="ActionSuccess">stuff</config>
<config key="blah">stuff</config>
<config key="blahblah">stuff</config>
<config key="ActionBlah">stuff</config>
</tag>
The "ActionSuccess" config key needs to be at the top. Make sure it is placed within the other tags. Keep the quotes around “ActionSuccess” but not around the whole line (remember what I said at the beginning). Location of text here is important.
Use “ctrl + s” to save and X out of notepad
6 Type: “cd EFI” and hit enter
7 Type: “copy .\VeraCrypt\DcsBoot.efi .\Microsoft\Boot” and hit enter
8 Type: “ren .\Microsoft\Boot\DcsBoot.efi bootmgfw.efi” and hit enter
That is all you have to do. You can restart and you will be prompted to enter in your VeraCrypt password and PIM. What this fix does is trick windows into running bootmgfw.efi like it does normally, which is actually the renamed DcsBoot.efi. After the VeraCrypt password (you created during installation) is entered, DcsProp file uses postexec command to load the real bootmgfw.efi which has been renamed to bootmgfw_ms.efi.
Last edit: Skipper 2017-05-02
Excellent write-up Skipper!
For the novice, the above procedures must be performed after VeraCrypt has completed the system encryption tasks but before the user reboots/shutdown their system. Correct?
If a user reboots or shutdown their system without make the above changes and is stuck in the boot repair loop, then boot into the BIOS setup and try to select VeraCrypt loader from boot menu.
If you cannot find or select the VeraCrypt loader in the BIOS, is there another way to perform the above procedures for a system stuck in the boot repair loop?
EDIT: Fixed typos.
Last edit: Enigma2Illusion 2017-05-02
Yes, although you may not know if your system has this issue until you perform a reboot/restart.
This is why VeraCrypt installation has you save an EFI file to the root directory of a flash drive.
If you get caught in this loop you will need to plug in that flash drive, enter the boot device options by hitting f9 (may be a different function key depending on your system), and select the Boot from flash drive EFI to temporarily gain access back into Windows. Then you can proceed to follow the steps above.
This brings up another point. You should still be able to access the VeraCrypt EFI that is located on the system by similarly entering the boot device options (f9), and selecting the option (Boot from EFI file).
Boot from EFI file ->correctly navigating through the directories (VeraCrypt) and selecting DcsBoot.efi
or
Boot from flash drive EFI ->VeraCrypt and select DcsBoot.efi
There are photos of the Boot from EFI file method here: https://sourceforge.net/p/veracrypt/discussion/technical/thread/5b859040/#34c2
Try looking at file (3).jpg, file (4).jpg, file (5).jpg, file (6).jpg, and file.jpg in that order.
Also note: BIOS(f10 or f12) is different than Boot Device Options(f9)
The main thing to remember here, is that after encryption is finished, Windows cannot boot up without first receiving authentication (your VeraCrypt password and PIM). After these have been received, Windows will boot and you can enter your Windows Password.
I have not tried these steps from safemode (as I am not sure you can enter safe mode after encryption)
Does this answer your questions?
Last edit: Skipper 2017-05-02
Hi Skipper,
thank You
I have encrypted disk partition and everything is running fine. Just yesterday I got a new ssd and the "old" one with encrypted system partition (there are 2 system partitions on that ssd - both win 10 - 1 encrypted and 1 not) wanted to boot from usb - as an external drive. So I connect the ssd box with sdd to usb and go to the boot options - even without it my system sees that usb sdd as veracrypt boot something so I pick this boot options and it promts for password and it accepts the password but than keep restarting or fixing the system, trying to fix and as a result I cant get to windows.... dont know what is wrong... will your method work here? but shall i do it when running my veracrypt system encrypted windows while still in my laptop as I cant do it trough the usb???
do you know how to fix it??
thanks in advance as i am stuck
kind regards
Yes it does and thank you!
An important point that users should create their Rescue USB device and not skip this step which the user can elect to skip. Also print the procedures that you wrote-up.
Last edit: Enigma2Illusion 2017-05-02
If during the system encryption process you want to create a VeraCrypt Rescue Disk to a USB thumbdrive instead of DVD, please see the following link for instructions provided by Mounir Idrassi to allow you to create a USB bootable Rescue Disk by saving the Rescue Disk as an ISO file then follow the instructions in the link below.
https://veracrypt.codeplex.com/discussions/644091
Hello and thank you for the explanation!
Unfortunately, the sixth step doesn’t work for me, the cmd says that the path cannot be found. I have tried changing it in some ways but without success.
Do you have an idea what could be gone wrong?
You must perform all of these steps within the same command window open the whole time. "cd EFI" is simply changing your location from O: to O:\EFI. If you type "dir" in the command line and hit enter, it will return a list of the available directories. If you do this, and EFI is not in the list, you may not be on the correct drive. It is possible that your EFI boot folder may be on a different hidden drive. You can see a list of hidden drives by accessing your partition table when logged into windows. Once you have figured out the correct drive letter just replace 'O' with the letter of your hidden drive. I hope this helps.
Hi Skipper,
Thankyou for posting this !
Still last issue to overcome, long story short, 5 days later I found the solution on your post to change the boot loader in cmd and notepad etc. Entered all correctly, removed the loop, and finally returned back to normal VC login after start up. However upon entering password:
Then instead of loading windows it comes up with (in yellow)
Start \EFI\Microsoft\Boot\Bootmgfw.efi - not found
I'm on a boat in Australia, im pretty average with this end of computers and no expert close by - need to get back into the ssd. Hope you can help.
Cheers Joey
Laptop is a Lenovo, YOGA 910.
BIOS:
Controller - AHCI
Secure - disabled
Boot - legacy
Fast boot - disabled (have tried enabled aswell).
Also, boot start option straight from EFI SSD and VC (DSC) loader - same error as above and USB rescue boot not helping either - using 1.20beta 3 with boot loader updated.
Last edit: Joey 2017-06-04
Hello Joey,
It looks like bootmgfw is not found.
Check directory
dir \EFI\Microsoft\Boot\
I guess - bootmgfw.efi is renamed to bootmgfw_ms.efi and DcsProp is not updated with key.
<config key="ActionSuccess">postexec file(EFI\Microsoft\Boot\bootmgfw_ms.efi)</config>
Hi Alex,
Thankyou! for the follow up reply. Slight problem though, i cannot get back into cmd.
Booting normal, via boot system recovery, via VC dsc and via recover disc all leads now to vc password on boot up > ...\bootmgfw.efi - not found, therfore not able to get into windows advanced options etc either.
Last edit: Joey 2017-06-05
can you download and copy EFI shell to VC rescue disk into EFI\Shell\shell.efi?
https://github.com/tianocore/edk2/raw/master/ShellBinPkg/UefiShell/X64/Shell.efi
It is possible to execute the shell from VC rescue menu.
Shell docs:
https://software.intel.com/en-us/articles/uefi-shell
Online help:
help -b
The shell contains copy, ls etc. commands. Also possible to redirect output to file.
I do alot in Command Prompt, and never have issues except for this. The 2nd line rename the bootmgfw.efi file is not found. I don't have O drive so I replace with C. Though there is no EFI folder in the root of c. The file for me is located C:\Windows\Boot\EFI\bootmgfw.efi . Is this the file I need to use? I understand it is supposed to trick windows into running VeraCrypt's efi boot file instead of Microsoft one at least until after successfull decryption. My computer is Windows 10 Pro Creators update x64 bit HP Envy.
Thanks!
Forgot to mention that I tried enabling Legacy Boot Mode, and once it restarts out of BIOS I put in my USB to boot efi file, once entering correct information then it just sits at Authorizing... forever (I let it go for 15 minutes). Tried again, same thing. Again same thing. I then switched back to UEFI and it authorized in 15 seconds. And of course, Secure Boot has been disabled.
Last edit: Anonymous 2017-06-15
Hi all,
I am stuck with the automatic repair loop on an Asus laptop, after upgrading to Win 10 Creators. With the repair disc, and Skippers advice above, I have managed to get the password prompt to show up when booting, and my password is accepted. But then it still goes into the automatic repair mode! When I enter command prompt, it is clear that it doesnt have access to C. Chkdsk says that the file system is RAW. Any tips...?
Regards,
Soren
I have an HP laptop and have issues with the Fall Creators update (1709). After installing updates, Windows restarts and then (after manually selecting VeraCrypt bootloader) Windows starts but upgrade fails, it says "we could not install your updates". Does the upgrade install its own bootloader or something?
Just a note about this method. It will leave your computer in an unbootable state if you ever uninstall VeraCrypt, and you have to uninstall VeraCrypt before you do a Windows upgrade (like the 6-monthly Windows 10 ones). When you uninstall VeraCrypt, at the point where it says to reboot, you will need to undo the change you made in step 3.
I highly recommend doing everything you can to win the fight with your BIOS before using this solution. In about 95% of the cases I've seen where VeraCrypt doesn't appear in your boot list, booting off the VeraCrypt rescue disc/stick and choosing the option to have it redo the bootloader fixes the issue. Try that first, then when you reboot the first time, don't go into the OS right away, go into your BIOS immediately check the boot order. In most cases, if you have VeraCrypt redo the bootload then immediately go into your BIOS, VeraCrypt will appear in the list.
I've not seen many computers absolutely break the EFI standard by not allowing other bootloaders. It just takes some convincing in most cases. Fight the good fight first. Only use this method as a last resort.
EDIT: VeraCrypt v1.23 has been updated so it is compatible with the Windows 10 upgrade process. However, this method will break that. This install procedure will make VeraCrypt continue to be uncompatible with the Windows 10 upgrade, and as such, performing an upgrade or having an upgrade automatically attempt while VeraCrypt is installed using this method is dangerous.
Last edit: Kurt Fitzner 2018-11-21
Does it meant that if I previously used method from first post in 1.19 times to make my HP Pavillion with Win10 Home boot with Veracrypt, now even with 1.23 I'm stuck with Win 10 impossible to upgrade?
Any advice?
Correct. IF you followed the directions exactly in the original post, in order to upgrade Windows 10 you need to:
This undoes the change you made to Microsoft's boot loader in the instructions given in the original post.
Unfortunatelly still can't update 10 Home. Before decryption updates were failing on reboot. After decription they started to fail for mirads of reasons, so I went trought all solution (troubleshooting, sfc, dism, stopping-starting service, deleting folders). When I tried reinstall (with keeping apps and files) from ISO, again installation failed on reboot.
I gave up, installed 1.23 Hotfix2 and encrypted system sisk back. Update started again, but failed on reboot reverting to "repair system" instead of VC boot. When manually booted in VC Win10 reversed changes.
Any idea what to try next?
I wanted to make sure it works and came to a stop. Mountvol command gives me incorrect parameter error. Can it be because I have secure boot enabled in BIOS?
I have the same problem.
veracrypt 1.23 Hotfix-2 portable downloaded and installed. Running full disk encryption and after clicking on "Test", restarting, I enter the correct password and it appears:
Success
Start 0 122683392 len 0
and it does not go on
Notebook
IOTA 2320
Windows 10 newest update
What can I do ?
I'm facing the same problem. I hope someone can help me!
I encrypted my entire drive several months ago on a work computer as this was the requirement. Eveything was going fine. However, after a Windows update last night, I'm stuck in a permanent Automatic Repair Loop. I can't get into my computer AT ALL other than the blue screen of death.
I'm a complete and utter novice at anything like this, so I have been reading the solution in detail before attempting anything. Some questions
1-At the top of your solution (first post), you posted the edit:
EDIT: It is worth noting that you must have secure boot disabled and legacy support enabled in the BIOS(f10 or f12), preferrably before you perform these steps.
*
My questions are
1-How do I make sure I have secure boot disabled?
2-How do I make sure I have legacy support enabled in the BIOS?
2-In one of your posts below this, you say:
This brings up another point. You should still be able to access the VeraCrypt EFI that is located on the system by similarly entering the boot device options (f9), and selecting the option (Boot from EFI file).
Boot from EFI file ->correctly navigating through the directories (VeraCrypt) and selecting DcsBoot.efi
or
Boot from flash drive EFI ->VeraCrypt and select DcsBoot.efi
There are photos of the Boot from EFI file method here: https://sourceforge.net/p/veracrypt/discussion/technical/thread/5b859040/#34c2
Try looking at file (3).jpg, file (4).jpg, file (5).jpg, file (6).jpg, and file.jpg in that
I have gone to the link and looked at the pictures. But my question is very basic, how do I even get to Boot Device Options (F9)? While I'm stuck in the blue screen, what should I press?
I really hope someone can help!
Hi,
You must first interrupt booting proces to get to "Boot Menu" and then "F9" from this menu. To do that look up what key or key combination interrupts boot in your computer. In case of my HP Pavilion 15 it is "Esc" key. To do that immediatelly after powering up I start to "frantically mash" this key until "Boot Menu" shows up.
Hope this helps!
Thanks Andy! It worked and I managed to boot from EFI. Finally I can start my shift for today! Thanks to the OP too!
Last edit: AyeshahSyed 2019-10-10
I'd love some help if someone has some time. I'm trying to encrypt my Windows 10 OS on an HP Z800.
I can't match up what I am seeing with the instructions. At this point after a couple weeks of various maneuvers, I have a running Windows 10 instance that I have just encrypted.
I don't see a file called bootmgfw.efi. I don't see a veracrypt anything. I'm scared to reboot at this point because the last time it went into a repair loop and it took a week to unencrypt using the rescue disk. What am I doing wrong?
P.S. This is not a thing in my boot menu "VeraCrypt EFI that is located on the system by similarly entering the boot device options (f9), and selecting the option (Boot from EFI file)."
Last edit: David 2020-08-01