BSOD on Shutdown #871

Closed
LeonXu260 opened this issue Jan 12, 2022 · 7 comments

@LeonXu260

LeonXu260 commented Jan 12, 2022

I'm on Windows 11 21H2, VeraCrypt 1.25.7 with Full Disk Encryption. On every shutdown of my computer (desktop) I've noticed that it produces a BSOD with the stop code: CRITICAL PROCESS DIED. When I shut down my computer, I need to press the power button again.
I am not sure if this has anything to do with Legacy Mode boot with MBR.

LeonXu260 added the bug label Jan 12, 2022
@idrassi
Member

idrassi commented Jan 15, 2022

This is an interesting behavior. I suspect that it has to do with the fact that we dismount the system volume on shutdown in order to ensure that system encryption keys are erased from RAM before power off. This was added in version 1.24 released on October 6th 2019.
The code for this is at https://github.com/veracrypt/VeraCrypt/blob/master/src/Driver/DriveFilter.c#L989.

	// Dismount the system drive on shutdown on Windows 7 and later
	if (DriverShuttingDown
		&& IsOSAtLeast (WIN_7)
		&& Extension->BootDrive
		&& Extension->DriveMounted
		&& irpSp->MinorFunction == IRP_MN_SET_POWER
		&& irpSp->Parameters.Power.Type == DevicePowerState)
	{
		DismountDrive (Extension, TRUE);
#ifdef _WIN64
		ClearSecurityParameters ();
#endif
	}

I don't recall receiving a similar report so it seems that this change works well for most users.
One thing I can try is to add a setting to disable this feature for those having such a problem.

For now, I don't have an immediate solution. Once I implement this setting, I can share a build so that you can see if it solves your problem.

@LeonXu260
Author

Thank you for your response. I look forward to it.

@idrassi
Member

idrassi commented Feb 12, 2022

I have implemented support for a new registry key to disable erasing system encryption keys on shutdown/reboot:

  • Under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\veracrypt", create a REG_DWORD value named "VeraCryptEraseKeysShutdown".
  • Setting this registry value to 0 disables erasing system encryption keys which is the cause of BSOD during shutdown on some machines.

Version 1.25.8 will contain this change and I have uploaded the release candidate for 1.25.8 to https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/Windows/ if you want to test it.
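
The registry change described above, as an added PowerShell example that is not part of the original comment or VeraCrypt's own code: it reports how the value is currently set (including a value created with the wrong type) and sets or removes it. The function names and state labels are hypothetical, and treating a non-zero value as "erase enabled" is an assumption, since the comment only defines 0.

```powershell
# Added example, not VeraCrypt project code. The key path and value name are
# the ones given in the comment above; function names are hypothetical.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\veracrypt'
$ValueName = 'VeraCryptEraseKeysShutdown'

function Get-VcEraseKeysOnShutdown {
    # Read-only report of the current configuration.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]@{ State = 'DriverKeyMissing'; Kind = $null; Data = $null }
    }
    $key = Get-Item -LiteralPath $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) {
        # Value was never created, so the driver keeps its default behaviour.
        return [pscustomobject]@{ State = 'NotSet'; Kind = $null; Data = $null }
    }
    $kind = $key.GetValueKind($ValueName)
    $data = $key.GetValue($ValueName)
    $state = if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        'WrongType'        # the comment specifies REG_DWORD
    } elseif ($data -eq 0) {
        'EraseDisabled'    # keys are NOT erased from RAM on shutdown/reboot
    } else {
        'EraseEnabled'     # assumption: the page only defines the value 0
    }
    [pscustomobject]@{ State = $state; Kind = $kind; Data = $data }
}

function Set-VcEraseKeysOnShutdown {
    param([Parameter(Mandatory)][bool]$Erase)
    # Writing under HKLM\SYSTEM requires an elevated session.
    $id    = [Security.Principal.WindowsIdentity]::GetCurrent()
    $admin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $admin) { throw 'Run from an elevated PowerShell session.' }
    if (-not (Test-Path -LiteralPath $KeyPath)) { throw "Key not found: $KeyPath" }
    if ($Erase) {
        # Removing the value returns the driver to its default behaviour.
        Remove-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        # 0 = do not erase system encryption keys on shutdown/reboot.
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Get-VcEraseKeysOnShutdown
}

Get-VcEraseKeysOnShutdown | Format-List
```

A `WrongType` or `NotSet` result is the first thing to rule out when the workaround appears to have no effect; per the comment above, the value is supported starting with version 1.25.8.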

@LeonXu260
Author

> I have implemented support for a new registry key to disable erasing system encryption keys on shutdown/reboot:
>
>   • Under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\veracrypt", create a REG_DWORD value named "VeraCryptEraseKeysShutdown".
>   • Setting this registry value to 0 disables erasing system encryption keys which is the cause of BSOD during shutdown on some machines.
>
> Version 1.25.8 will contain this change and I have uploaded the release candidate for 1.25.8 to https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/Windows/ if you want to test it.

Thank you, I'll test it out. Would disabling erasing system encryption keys on shutdown/reboot compromise the security of that computer?

@idrassi
Member

idrassi commented Feb 14, 2022

Erasing the key from RAM on shutdown/reboot protects from so-called "cold boot attacks" where an adversary can access the machine after it is powered off, remove physical RAM modules from the PC motherboard and then analyze their content to try to read their content.

Luckily, thanks to RAM cells decaying with time, this attack requires access to the PC not long after it is shut down.

VeraCrypt contains a feature called RAM Encryption that adds an additional layer of protection against such attacks by applying encryption over keys stored in the RAM. RAM Encryption is disabled by default because it brings some constraints like the impossibility to use hibernate.

In all cases, the decision depends on your threat model. VeraCrypt's philosophy is to provide various options to adapt to each user's need.

@LeonXu260
Author

> Erasing the key from RAM on shutdown/reboot protects from so-called "cold boot attacks" where an adversary can access the machine after it is powered off, remove physical RAM modules from the PC motherboard and then analyze their content to try to read their content.
>
> Luckily, thanks to RAM cells decaying with time, this attack requires access to the PC not long after it is shut down.
>
> VeraCrypt contains a feature called RAM Encryption that adds an additional layer of protection against such attacks by applying encryption over keys stored in the RAM. RAM Encryption is disabled by default because it brings some constraints like the impossibility to use hibernate.
>
> In all cases, the decision depends on your threat model. VeraCrypt's philosophy is to provide various options to adapt to each user's need.

Got it, I've tested out the version 1.5.28 and it works. Thanks :)

@ghost

ghost commented Feb 24, 2022

I applied the registry fix, however I still receive a BSOD at shutdown and restart - CRITICAL_PROCESS_DIED. Minidump is never created.

Windows 11, VC 1.25.9
