BSOD When Mounting FAT-Formatted Volumes

Open makensen opened this issue 11 months ago • 6 comments

Hello,

We are conducting a PoC for VeraCrypt as a new folder encryption tool within our company. A few testers reported that they receive a BSOD when they mount a container created with the FAT filesystem. Unfortunately, we can't see anything in the Event Viewer, and the VeraCrypt folders within %appdata% are empty. We are using version 1.26.15 (64-bit). Is there a chance to get some logs from VeraCrypt that we can analyse internally? In the UI I can't find such an option. Here: veracrypt.eu/en/Troubleshooting.html it is said that I can use Help -> Analyze a System Crash, but I don't have such an option under Help. We are using Windows 11 and have a Crowdstrike agent locally installed; I wonder if this could be the issue.

Kind regards, Mihai

makensen avatar Jan 20 '25 16:01 makensen

Hi @makensen,

Thanks for the report.

In the case of a BSOD, Windows displays a blue screen with minimal information about the cause of the error. The first step is to configure Windows NOT to reboot automatically when a BSOD occurs, so users can take a picture of the screen.

The second step is to configure Windows to create a kernel memory dump or a complete memory dump. This will generate a dump file, typically located at %SystemRoot%\MEMORY.DMP by default.

When VeraCrypt mounts a volume, it transfers the handling of the filesystem to Windows, as VeraCrypt is responsible only for encrypting and decrypting sectors. It seems that something is triggering an issue with the FAT filesystem. This could be related to how the FAT volume was created, or it might involve another component on the machine mishandling FAT volumes stored within VeraCrypt volumes.

The BSOD message will provide the first clues about the faulting driver. My initial suspicion is that a third-party driver, such as one from an antivirus solution that filters filesystems, might be causing the issue. These drivers can sometimes become confused when FAT volumes are part of VeraCrypt volumes.

Image

idrassi avatar Jan 20 '25 16:01 idrassi
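
The two configuration steps from the reply above, as an added PowerShell example that is not part of the original thread or of VeraCrypt: it sets the standard `CrashControl` registry values and lists the loaded filesystem minifilter drivers with `fltmc`. It assumes an elevated session on the affected test machine; the settings apply from the next reboot.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): prepare a Windows test machine so a BSOD
# leaves evidence behind, then list the filesystem filter drivers that are loaded.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Meaning of the CrashDumpEnabled DWORD.
$dumpTypes = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump'
    7 = 'Automatic memory dump'
}

function Get-CrashConfig {
    $cc = Get-ItemProperty -Path $key
    $type = [int]$cc.CrashDumpEnabled
    [pscustomobject]@{
        AutoReboot = [bool]$cc.AutoReboot
        DumpType   = if ($dumpTypes.ContainsKey($type)) { $dumpTypes[$type] } else { "Unknown ($type)" }
        DumpFile   = [Environment]::ExpandEnvironmentVariables([string]$cc.DumpFile)
    }
}

Write-Host 'Before:'; Get-CrashConfig | Format-List

# Step 1: keep the blue screen visible instead of rebooting automatically.
Set-ItemProperty -Path $key -Name AutoReboot -Value 0 -Type DWord
# Step 2: write a kernel memory dump (use 1 for a complete memory dump).
Set-ItemProperty -Path $key -Name CrashDumpEnabled -Value 2 -Type DWord

Write-Host 'After (applies from the next reboot):'
$cfg = Get-CrashConfig
$cfg | Format-List

# Report a dump left by an earlier crash, if one exists.
if ($cfg.DumpFile -and (Test-Path -LiteralPath $cfg.DumpFile)) {
    Get-Item -LiteralPath $cfg.DumpFile | Select-Object FullName, Length, LastWriteTime
} else {
    Write-Host "No dump file at '$($cfg.DumpFile)' yet."
}

# Filesystem minifilters currently loaded (antivirus/EDR filters appear here).
fltmc.exe filters
```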

Thank you very much for your explanation, @idrassi.

makensen avatar Jan 21 '25 20:01 makensen

Image

It may help or not, but this is the printscreen with the BSOD. The laptop did not instantly reboot, but while it shows this screen you were not able to recover, so a power reset was the only solution to move on.

makensen avatar Jan 22 '25 17:01 makensen

@makensen

Thank you for the printscreen.

This BSOD is unusual to me because in previous cases where the VeraCrypt driver was causing a crash, the BSOD message always mentioned the faulting driver. So for me, this particular BSOD comes from another driver on the machine that triggers a BSOD so much deeper than usual that no event log or even crash dump is captured.

I would recommend contacting Crowdstrike to help you investigate this because they are probably the ones whose driver is crashing.

idrassi avatar Jan 22 '25 18:01 idrassi

PS: What about exFAT volumes? Are they also causing a BSOD? If it is only FAT, then Crowdstrike may have an issue with virtual FAT volumes hosted on VeraCrypt volumes.

idrassi avatar Jan 22 '25 18:01 idrassi

@idrassi Thank you. Only FAT causes the issue; we successfully tested the NTFS filesystem and we have no issues. Tomorrow I will be in a call with a sysadmin; I hope he can tell me more about the issue, and I will share some insights with you. If nothing new appears tomorrow, or nothing valuable that may help you to help me further, I will just close this issue, as I already got some interesting and detailed replies from your side. Thank you very much, Mihai

makensen avatar Jan 22 '25 18:01 makensen