
A recent optional Windows 10 update (2021-08 Cumulative Update for Windows 10 version 21H1 for x64-based systems (KB5005101)) destroyed my Windows installation on my fully encrypted disk (VeraCrypt).

The most similar issues on the internet seem to address a problem with "switching bootloaders". In my case, my VeraCrypt bootloader is still called first and is working fine. After the successful provision of my password, the VeraCrypt bootloader calls Windows, but it crashes immediately (BSoD: Your PC/Device needs to be repaired.).

On a fresh boot, the first error code is different than on subsequent retries:

  • First error: 0xc0000225: A required device isn't connected or can't be accessed.
  • Subsequent error: 0xc000007b: The operating system couldn't be loaded because a critical system driver is missing or contains errors. File: \WINDOWS\System32\Drivers\ksecpkg.sys

Windows then proposes 9 different actions (boot into safe mode etc.). All options immediately fail with the above error codes.

The problem now is that I cannot boot from a Windows 10 boot stick to try to repair Windows, because at this stage the system partition is still encrypted. After decryption, I might need the Windows 10 boot stick, but I cannot use it, because VeraCrypt does not offer to boot somewhere else after I have provided my password for decryption.

So, how can I repair my Windows 10 on a fully encrypted disk?

1 Answer


This might not be the most efficient solution, but at least a working solution:

  1. Use your VeraCrypt Rescue Disk[1] to permanently decrypt your disk. This will take a while. After that, the VeraCrypt bootloader will still be active, but instead of providing a password, you can just press Esc and Windows will boot (as it is decrypted already) and most probably fail again.
  2. As your system drive is now readable, you can boot from a Windows 10 installation medium and repair your Windows installation. In my case, most options did not help and I had to revert to a previous Windows Recovery Point. After that, I was able to boot into Windows again.
  3. (Optional) Reapply all updates. This time, they worked in my case.
  4. As the VeraCrypt bootloader was not removed through the permanent disk decryption, you can do it now: Just open VeraCrypt and click on System > Permanently Decrypt System Partition/Drive. This will not decrypt anything again in this case, but it will remove the VeraCrypt bootloader.
  5. After that, you can reapply full-disk encryption.

[1] As long as you do not have to restore the VeraCrypt Boot Loader, key data (volume header) or the original system loader, you do not even have to use the original VeraCrypt Rescue Disk that has been created for your particular disk. You can use any VeraCrypt Rescue Disk. Well, you should probably use at least a matching VeraCrypt version. This question confirmed this earlier. I can confirm it for VeraCrypt 1.24-Update7.