Fix the VeraCrypt "Automatic Repair" issue on Windows
VeraCrypt is a popular open source encryption tool that may be used to encrypt files, create encrypted containers, encrypt entire hard drives and partitions, and even the system partition. Encryption of the system partition adds a bootloader to the system which loads VeraCrypt on system start. You enter the password, and if configured the PIM, and the system boots if the authentication is correct.
Windows may interfere with the setup as it may add a bootloader of its own to the system which is then used by the device instead of the VeraCrypt bootloader; this is a problem if the system partition is encrypted. Windows' bootloader cannot find any files and loads repair options as a consequence.
Repairs are unsuccessful as no data can be read, and you end up with the automatic repair message "Automatic Repair couldn't repair your PC". Restarting does not address the issue as the system is caught in the bootloop. The same process happens over and over again.
Advice: to avoid the automatic changing of boot information on Windows devices, set a password in the UEFI interface. Windows cannot manipulate the data anymore once you have set a password so that the issue does not happen again.
You may have options to bypass the issue temporarily. If the motherboard includes options to select the bootloader, you may use it to pick the VeraCrypt bootloader; this is not the case for all systems, however. You may also select Advanced Options > Use a device > Veracrypt Bootloader in the Automatic Repair interface to start the system again using the correct bootloader. Type your password and PIM, and the system should boot normally.
Repairing the Automatic Repair issue
You may be able to repair the issue. Basically, what you need to do is "tell" the system to use the VeraCrypt Bootloader on system start. A program like Bootice may assist you. It is a free program that displays UEFI boot entries and gives you some options when it comes to these.
Download the program from this site and extract it after you have done so. Run the application, allow the elevation, and then go to UEFI > Edit boot entries.
All you need to do is move the VeraCrypt Bootloader to the top. Select the bootloader entry and use the "up" button to move it there. Leave everything as is and select close. Exit the application and restart Windows.
If everything worked, you should see the VeraCrypt password prompt on boot. The bootmanager is used from that moment on again. Note that you may still want to set a password to avoid running in the same issue again in the future.
I don’t know how reliable ‘Windows Defender Firewall’, because here on Windows 7 with the OS’s firewall, some applications phone home although I’ve added an inbound and an outbound rule to block them. For instance, ‘EditPad’ Lite which attempts to connect to connect to news.jgsoft.com and which fails to do so only because I block that connection with a DNSCrypt-proxy blacklist rule, and here what shows DNSCrypt-proxy query log :
127.0.0.1 news.jgsoft.com A REJECT 0ms quad9-dnscrypt-ip4-filter-pri
quad9 is the DNS used with DNSCrypt-proxy. This means that Windows Firewall does not prevent an application added to its filters to connect to the Web, not always anyway.
So I do hope Windows Defender Firewall does a better job.
Hi Tom,
You write:”I don’t know how reliable ‘Windows Defender Firewall….”.
Let me tell you, based on my own experience, that firewall is really a POS (Piece Of Shit). It is really unreliable
Every software is able to write a firewall condition under windows i think, Windows Firewall is a trash
The first software that i always install (when i need internet in vboxed windows) is Simple Wall.
https://github.com/henrypp/simplewall
I also really like his version of Chromium https://github.com/henrypp/chromium
https://github.com/henrypp/simplewall
I also, “Simple Wall” is a favorite. That’s enough.
henrypp/chromium: Chromium builds with codecs | GitHub
https://github.com/henrypp/chromium
Chromium builds with codecs https://chromium.woolyss.com/
Download latest stable Chromium binaries (64-bit and 32-bit) |
https://chromium.woolyss.com/
It is very interesting.
And, “Notes” There are must-see value.
https://chromium.woolyss.com/#notes
There’s an easy page for blocking/allowing programs to go out in the main firewall window, click on:
Allow and App or feature through Windows Firewall.
Otherwise, good overview of rules creation. I’ve never had a program sneak out if its rule is set up right.
Yes, Windows defaults to letting most anything through as do other firewalls I’ve used. Probably preferrable to blocking everything except in critical security situations.
To quickly achieve the same end result as the steps above, I always install “OneClickFirewall” – less complex than anything like WFC, it just gives you a right click context menu on any exe for “Block internet access” and “Restore internet access”. Very handy!
https://winaero.com/download.php?view.1886
@ B
I downloaded the OCF program but I did not install it.
Virus Total found one two red engines:
Antiy-AVL – Trojan/Win32.Fuerboos
and
MaxSecure – Trojan.Malware.7164915.susgen
Nice article Ashwin.
Sometimes I like to quit (disable the Internet connection temporarily) all internet connection than I use the free software program for windows Net disabler v.1. 0 ( Latest release ’17-02-21).
https://www.sordum.org/9660/net-disabler-v1-0/
Here is the easiest methode to block Windows programs from accessing the internet ; Application name is FAB (Firewall Application blocker) it is a Portable freeware , usage is just drag and drop the Application icon
https://www.sordum.org/8125/firewall-app-blocker-fab-v1-6/
Thanks Ashwin. I always forget about the internals of Windows Firewall.
Just set up some outbound rules to block some apps that shouldn’t have internet access. Thanks again!
Ashwin, it doesn’t work.
Try this. Install steam and login. Rules wil be automatically created to allow steam.
Now log out and close steam. Change the firewall rules to block.
Open steam again and login in.
Go back to the firewall to find new allow rules created for it.
Basically, anyone willing to pay microsoft to be added to a “trusted list” gets a free ticket past the windows firewall wether you want them to or not.
Now go get Windows Firewall Control (I reccomend finding a pre MWB version) and install it and setup it up. Then turn on secure rules. Now repaet the steps with Steam and it will stay blocked.
Fast, free and simple solution for the beginners and non-professional: Firewall App Blocker https://www.sordum.org/8125/firewall-app-blocker-fab-v1-6/
Sordum’s Firewall App Blocker is great. Just right-click any exe file and it gets blocked in Windows Firewall, without going through all those steps. Also note, this feature is also in Sordum’s Easy Context Menu. All free.
https://www.tweakhound.com/2018/11/30/blocking-a-programs-internet-access-via-the-windows-firewall/
The heck with all of that. Just use a superior and much easier to use front end for the built in firewall. Malwarebytes Windows Firewall Control is excellent.
I’ll just put this here: TinyWall
What gets me most is that large number of windows processes is trying to get access to internet. Why? Windows DOES not need access to internet even to install it and can run without internet. The only possible exception being network management.
Just another case of spyware?
MS should be legislated to provide full description and reasons for those services demand for access as it is potentially abusing privacy.
@Jafp
Your logic is sketchy and lacks reasonable facts. Perhaps you need to be legislated.