Unable to upgrade Windows 10 on encrypted volume

DmitryBritanov
Posts: 2
Joined: Mon Oct 26, 2020 10:55 am

Post by DmitryBritanov »

Hello,
I have an encrypted system volume with Windows 10 installed on it. I use the latest version of DiskCryptor, 1.2 Beta 3. When I try to upgrade Windows to the next version (in my case, from 1909 to 2009), the upgrade crashes after the first reboot. I even tried to perform a new clean install of Windows 1909, then installed only drivers and updates, installed DiskCryptor 1.2 Beta 3, encrypted the system disk, and then tried to upgrade my system to 2009 via the Update Assistant from Microsoft.com – with the same result: the upgrade crashed after reboot. I didn’t find any logs from Windows about what happened.
I use an SSD with an MBR boot record. Normally I use PXE boot, but I tried using a simple password for encryption instead and placing the boot record on the same SSD – with the same result. It seems that the ReflectDrivers mechanism doesn’t work properly.
Please help with further troubleshooting. We have 1 hundred PCs that need to be upgraded from 1809 to 2009 (all encrypted with DiskCryptor), and decrypting the system volume, upgrading, and then encrypting again on every single PC is not an option.
Thank you in advance.

DavidXanatos
Posts: 48
Joined: Mon Jan 27, 2020 8:05 pm

Re: Unable to upgrade Windows 10 on encrypted volume

Post by DavidXanatos »

Hi,

I'll test that out, let's hope it can be easily fixed.

dcrypt-user
Posts: 3
Joined: Mon Nov 02, 2020 1:25 am

Re: Unable to upgrade Windows 10 on encrypted volume

Post by dcrypt-user »

I was going to write up my own thread but instead decided to hijack this thread since it may be related to the same issues I am having. I have two Win10 PCs that have their boot drives encrypted with DiskCryptor 1.2 Beta 3. I have made repeated attempts on both to get them fully updated to newest Windows Feature Release, but they always fail in different ways depending on how I run the update and which update version I choose to try etc. One is stuck on 1703 and the other is on 1809.

I want to be super clear that I CANNOT BE 100% SURE THAT MY UPGRADE WOES ARE DUE TO DISKCRYPTOR, although I am strongly leaning towards that being the culprit, especially since I have literally already gone through 2 weeks of research and testing, by uninstalling anti-virus, removing all other hdds + usb peripherals, running dism and other sfc-type fixes, wiping windows update download cache and files clean, etc etc etc and the result is always the same.

One important thing to share with the community here is my research on how the ReflectDrivers mechanism is supposedly working with DiskCryptor. I found this website: https://www.asquaredozen.com/2019/08/25 ... nterprise/

The article goes through some advanced usage of the Setupconfig.ini file, including the ReflectDrivers and PostOOBE arguments (which are necessary for use with DiskCryptor), but the most important bit of info is right in the opening paragraph:

"Setupconfig.ini is a file that can be used to pass command line arguments to the Windows Setup engine during a Windows installation. When Setupconfig.ini is specified in the command line (/ConfigFile <path to Setupconfig.ini>) or exists in the default location (%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\Setupconfig.ini), any arguments in it will take precedence over arguments specified in the commandline."

After reading that article, I opened the %systemdrive%\Users\Default\AppData\Local\Microsoft\Windows directory on both trouble PCs, and realized that the WSUS directory didn't exist at all! No wonder my updates were failing I thought. Instead of fixing it manually, I downloaded a copy of the latest DiskCryptor source to find out how the ReflectDrivers mechanism is being utilized. I found that the %systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\Setupconfig.ini file should be getting created in a few different ways (when encrypting a drive, by issuing the cmd "dcinst.exe -reflect" and from running the PostOOBE.cmd file). I'm not 100% sure yet, but I believe that this WSUS directory and Setupconfig.ini file were created for me at some point, but I believe it must get removed after successful or failed windows updates, which is why the PostOOBE part of this process is supposed to add it back in after each update. With that being said, I believe I discovered the flaw in the PostOOBE.cmd that caused this issue.

If you are like me and you installed DiskCryptor to the default location (C:\Program Files\dcrypt) then trying to run the PostOOBE.cmd file will do nothing but quickly display an error msg on the screen:

Code:

C:\Program Files\dcrypt>PostOOBE.cmd

C:\Program Files\dcrypt>C:\Program Files\dcrypt\\dcinst.exe -reflect
'C:\Program' is not recognized as an internal or external command,
operable program or batch file.

Here's what the contents of the original PostOOBE.cmd file from Beta 3 look like:

Code:

%~dp0\dcinst.exe -reflect

The 1st (major) issue is the fact that it doesn't support paths with spaces. The 2nd (minor) issue is that it adds a double slash to the cmd which is unnecessary. I fixed these issues and updated the PostOOBE.cmd file to read as follows:

Code:

"%~dp0dcinst.exe" -reflect

Now I can double-click the file and it creates the missing %systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\Setupconfig.ini.

I realize this is beta software, so I hope this helps some people get their Windows Updates working again.

Unfortunately for me, this didn't resolve anything, and I'm right back to the same place with 2 PCs that absolutely refuse to upgrade properly. I'm really at my wits' end and am actually thinking about decrypting my drives to see if that will help. Before I get to decrypting, David, or anyone, can you absolutely 100% confirm that it is possible to upgrade Win10 to the newest Windows Feature Release (2004 or above) while having the boot drive encrypted with DiskCryptor? There's just so little feedback around here lately that I cannot be sure if the current DiskCryptor should be able to do this or not. Perhaps I should open my own thread and we can discuss windows update error logs, but I don't want to create unnecessary clutter if this is a general computer issue as opposed to a DiskCryptor issue.
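
The check below is an added example, not part of the original posts and not DiskCryptor's own code: it verifies on a machine that Setupconfig.ini exists in the default location, that its ReflectDrivers folder holds dcrypt.inf, and that the PostOOBE script does not hit the unquoted %~dp0 problem described in the post above. The function name Test-SetupConfig, the [SetupConfig] section layout, and PostOOBE pointing at a script file are assumptions.

```powershell
# Added example. The key names and the default path are the ones quoted in the
# thread; the [SetupConfig] section layout and PostOOBE pointing at a script
# file are assumptions.
function Test-SetupConfig {
    param(
        [string]$Path = (Join-Path $env:SystemDrive 'Users\Default\AppData\Local\Microsoft\Windows\WSUS\Setupconfig.ini')
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return "Setupconfig.ini not found: $Path"
    }
    # Collect key=value pairs from the [SetupConfig] section only.
    $cfg = @{}
    $inSection = $false
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1].Trim() -ieq 'SetupConfig')
            continue
        }
        if ($inSection -and $line -match '^([^=;]+)=(.*)$') {
            $cfg[$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    $problems = @()
    $reflect = $cfg['ReflectDrivers']
    if (-not $reflect) {
        $problems += 'No ReflectDrivers entry under [SetupConfig]'
    } elseif (-not (Test-Path -LiteralPath $reflect -PathType Container)) {
        $problems += "ReflectDrivers folder does not exist: $reflect"
    } elseif (-not (Test-Path -LiteralPath (Join-Path $reflect 'dcrypt.inf'))) {
        $problems += "dcrypt.inf not found in $reflect"
    }
    $post = $cfg['PostOOBE']
    if (-not $post) {
        $problems += 'No PostOOBE entry under [SetupConfig]'
    } elseif (-not (Test-Path -LiteralPath $post -PathType Leaf)) {
        $problems += "PostOOBE script does not exist: $post"
    } elseif ($post -match ' ' -and
              (Select-String -LiteralPath $post -Pattern '^\s*%~dp0' -Quiet)) {
        # Unquoted %~dp0 breaks once the install path contains a space.
        $problems += "Unquoted %~dp0 in $post (path contains spaces)"
    }
    $problems
}

$issues = @(Test-SetupConfig)
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Setupconfig.ini looks consistent' }
```

Running it again after a failed or completed update attempt shows whether the file is still in place at that point.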

DmitryBritanov
Posts: 2
Joined: Mon Oct 26, 2020 10:55 am

Re: Unable to upgrade Windows 10 on encrypted volume

Post by DmitryBritanov »

My problem hasn't been resolved yet. I want to add some details.
I use this article as a manual for how the setupconfig.ini file works:
https://docs.microsoft.com/en-us/window ... n-overview
I tried to upgrade via an ISO file that I downloaded from Microsoft.com, so I opened CMD with administrative privileges and typed “d:\Setup.exe /ConifgFile c:\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini”. The file exists, of course.

In the log file C:\$Windows.~BT\Sources\panther\setupact.log I see that all DiskCryptor files were copied to C:\$WINDOWS.~BT\Drivers\Reflect. In this file I noticed this error:
“GatherDeviceIDsInDriverPackage:Failed to gather device ID's from [C:\$WINDOWS.~BT\Drivers\Reflect\dcrypt.inf]. Error code is [0xE0000102]
No targeted device IDs found in driver package C:\$WINDOWS.~BT\Drivers\Reflect\dcrypt.inf, but it has a DefaultInstall section”
I don’t know if that is important or not. Other than that, I haven’t noticed any errors in this file related to the ReflectDrivers mechanism.

The upgrade process crashes every time right after the first reboot. If I run CMD before shutting down the PC and then run DiskPart and type “list disk”, there are no disks at all. Because of that there are no error logs after the first reboot – Windows couldn’t write them to disk.

DavidXanatos
Posts: 48
Joined: Mon Jan 27, 2020 8:05 pm

Re: Unable to upgrade Windows 10 on encrypted volume

Post by DavidXanatos »

I haven't seen many reports of Windows generally not being able to upgrade, so the issue is most likely in one way or another DC related.
When I have some time on the weekend I'll do some experiments with upgrading in a virtual machine, let's see how that will work.

DavidXanatos
Posts: 48
Joined: Mon Jan 27, 2020 8:05 pm

Re: Unable to upgrade Windows 10 on encrypted volume

Post by DavidXanatos »

@DmitryBritanov
DC does not have device IDs as it's not a driver that supports some hardware that would have an ID, it's just a filter driver.

What is needed is a way to break into the PE environment started after reboot. Maybe one can add something to the SetupConfig.ini to first open a cmd shell before proceeding with the setup, such that one would be able to inspect the state and registry of the booted PE that seemingly fails to mount the encrypted C partition.

dcrypt-user
Posts: 3
Joined: Mon Nov 02, 2020 1:25 am

Re: Unable to upgrade Windows 10 on encrypted volume

Post by dcrypt-user »

I did my own vm testing today and here are the results:

Attempt 1/3:

-Clean install of Win10 1703 - took a snapshot at this point

-Install DiskCryptor 1.2 Beta 3, install bootloader to c drive and encrypt c drive. Fix PostOOBE.cmd as described above and make sure that C:\Users\Default\AppData\Local\Microsoft\Windows\WSUS\Setupconfig.ini file exists and looks valid

-Open windows update and update everything it says (No release update yet). Reboot. Unlock bootloader with password and windows boots without issue

-Do windows updates again. It now downloads and installs update for 1903. Reboot. Unlock bootloader with password and windows starts booting but within a few seconds it comes to a blue screen where I need to choose a keyboard layout and then I can only choose Troubleshoot or Shut down. I notice if I go into troubleshoot and open command prompt, only the x drive is available, and no other devices (c, d, e drives) are available - this tells me the drive is still encrypted. I choose shut down and then boot back up and it boots back into Win10 1703 and I find an error msg in the C:\$WINDOWS.~BT\Sources\Rollback\setuperr.log file:

Code:

Error                 SP     CSetupPlatformOSSwitchCheckpoint::Rollback: Failed to read the rollback GUID from file: C:\$WINDOWS.~BT\Sources\Rollback\rollbackinfo.ini. Error: 0x00000002[gle=0x00000002]

Attempt 2/3:

-Restore snapshot back to clean install

-Install DiskCryptor 1.2 Beta 3, but DO NOT run it or encrypt anything

-Open windows update and update everything it says (No release update yet). Reboot. No need to unlock bootloader as it is not encrypted. Windows boots without issue

-Do windows updates again. It now downloads and installs update for 1903. Reboot. Hdd is still unencrypted so no need for password unlock. Windows starts booting and gets to a screen I HAVE NEVER SEEN BEFORE IN TWO WEEKS OF TRYING TO UPDATE MY ENCRYPTED PCs where it says "Working on Updates x%. Don't turn off your PC. This will take a while". I didn't watch it the whole way through, but I checked after about 30 minutes and it was back to windows login, and back inside I see that the update failed and although there is a C:\$WINDOWS.~BT\Sources\Rollback\setuperr.log file, it is completely blank.

Attempt 3/3:

-Restore snapshot back to clean install

-I do not download or install DiskCryptor this time

-Open windows update and update everything it says (No release update yet). Reboot. No need to unlock bootloader as it is not encrypted. Windows boots without issue

-Open windows update and accept update to 1903. Reboot. Windows update runs through the "Working on Updates x%. Don't turn off your PC. This will take a while" screen and then boots back to windows login. Check winver and I see that I'm now on Win10 1903, so the update worked this time!! Too bad this means there is definitely an issue with the dcrypt driver either not loading or not working for some reason.

AFTERTHOUGHTS:

The ReflectDrivers mechanism for DiskCryptor is NOT WORKING. At least it is not working in any of my real-life or test scenarios, so if it is working for someone else, I would really really really appreciate some insight into your setup to know what may be different with mine.

I spent a while reading through veracrypt's process of getting this problem fixed and it seems they had a couple different implementations of this before perfecting it. Perhaps that is where the answer can be found? This link seems important: https://github.com/th-wilde/veracrypt-w ... her-method. The original Windows 10 media patcher method seems interesting and overly complicated (maybe it can be applied to DiskCryptor and reveal some hint as to what is going wrong?), although why is the newer and microsoft-supported ReflectDrivers mechanism not working? I'm beginning to think that the actual dcrypt driver needs some kind of update that will allow it to work in these upgrade scenarios.
