can not detect EFI environment before pretest #360

Closed
jon12156 opened this issue Sep 12, 2018 · 19 comments

@jon12156

Veracrypt 1.22 was working fine for me. After doing a BIOS update, it failed to boot, and Windows automatic repair starts trying to fix it. I found Windows boot manager was currently the first boot option in the BIOS now, so I changed it to the VeraCrypt Boot option and Veracrypt would succeed loading Windows, but on every reboot, it would change back to Windows boot manager (and try automatic repair).

I decided to permanently decrypt so I could start fresh. I even uninstalled and reinstalled Veracrypt, but now when I go to encrypt again, I get these errors when it goes to do the pretest, before rebooting. (note: I tried 1.22 and also 1.23BETA8, they are the same messages, but just in case the numbers like 2642 are LOC numbers, these messages are from 1.23BETA8):

can not detect EFI environment
Source: VeraCrypt::EfiBoot::SetStartExec:2642

can not detect EFI environment
Source: VeraCrypt::EfiBoot::DeleteStartExec:2593

An exception occurred in the service when handling the control request.
Source::VeraCrypt::Elevator::RestoreEfiSystemLoader:573

An exception occurred in the service when handling the control request.
Source: VeraCrypt::Elevator::InstallEfiBootLoader:544

Cannot initiate the system encryption pretest.

Note: MSinfo32.exe tells me my BIOS mode is UEFI

@jon12156
Author

Also, secure boot is off

@stale

stale bot commented Dec 30, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Dec 30, 2020
@stale

stale bot commented Jan 6, 2021

This issue has been automatically closed because it has not had recent activity. This probably means that it is not reproducible or it has been fixed in a newer version. If it’s an enhancement and hasn’t been taken on for so long, then it seems no one has the time to implement this. Please reopen if you still encounter this issue with the latest stable version. You can also contribute directly by providing a pull request. Thank you!

@stale stale bot closed this as completed Jan 6, 2021
@samjackaman

I have this issue right now, any news?

@curiouskot

curiouskot commented Aug 13, 2024

I today installed a clean install of Win11_23H2_EnglishInternational_x64v2.iso, I had put it to a USB stick with rufus-4.5.exe to install a laptop in UEFI mode, then after successful installation I installed all the latest updates for the Windows and it was working perfectly. Then Veracrypt 64 bit latest version: VeraCrypt Setup 1.26.7.exe which installed normally. I had disabled secureboot and fast boot both from Windows and BIOS.

Type of System Encryption - Normal, Encrypt the Windows system partition (chose that because whole drive option was grayed out for some reason?)
However when it was time for the System Encryption Pretest reboot (your computer must be restarted, do you want to restart it now), it did not restart, I got the error:

"can not detect EFI enviroment. Source: VeraCrypt::EfiBoot::DeleteStartExec2642"

And I can only press "OK"

Word "can" is written like that, not starting on capital letters, that's strange also.

After pressing "OK" second error: "can not detect EFI enviroment. Source: VeraCrypt::EfiBoot::DeleteStartExec2691"

After pressing again "OK": "Cannot initiate the system encryption pretest."

Then I am back to the System Encryption Pretest screen and if I press "Test" button again, the errors come again.

Since I have the latest and the most official version of Windows 11 and the latest version of Veracrypt, I can confirm, this has not been repaired! It is not working, at all on some configurations.

I don't have any firewall etc software installed, just Windows. Registry has not been edited or anything else. Just clean installation of Windows. My user account is local and has admin rights. I also tried to run Veracrypt right-clicking as admin, the same problem. I also tried to then enable secureboot, just to test and clear secureboot keys. But those also did not help.
I also tried reinstalling Veracrypt from VeraCrypt_Setup_x64_1.26.7.msi but I got the same errors.

What should I try next? Only the Veracrypt is the problem, the Windows otherwise is working perfect, even the hard drive is brand new, so indeed this is a software bug. Previously I have had Windows 7 Pro and Truecrypt installed on the same laptop without problems but then the boot order was legacy and not UEFI. I changed to UEFI setting before the W11 installation.

@idrassi
Member

idrassi commented Aug 13, 2024

Thank you for sharing all these details.

The error message you shared indicates that the failure is caused by the fact that VeraCrypt is unable to read UEFI environment variables using a standard Windows function.

image

As you can see in the code screenshot above, it is the function IsEfiBoot that fails: this function is used to confirm that we are under UEFI and also to test the Windows function GetFirmwareEnvironmentVariable which will be used later in the code.

For some reason, the function GetFirmwareEnvironmentVariable returns an empty value for the variable "BootOrder". This is considered a failure since this variable should not be empty.
Moreover, before calling IsEfiBoot, we are setting the SE_SYSTEM_ENVIRONMENT_NAME privilege as required by the documentation.

There are two possibilities:

  • GetFirmwareEnvironmentVariable is indeed failing: for that we need GetLastError value which we don't read in current code. For example, some specific configuration on your Windows is blocking the call to GetFirmwareEnvironmentVariable.
  • the UEFI variable "BootOrder" is indeed empty: this is something I have never encountered and my understanding of EFI is that it should never happen. But maybe there is something special in the EFI firmware of your motherboard.

So basically, it is either an EFI firmware issue or a Windows issue.

You can check first if there is an update of the firmware of your laptop (can also be called BIOS).

On my side, I will modify the code to display the GetLastError value after the failing GetFirmwareEnvironmentVariable so that next time the issue happens we can have more information.
I will try to publish a new version of VeraCrypt containing this change in the coming days (probably in the weekend).

@idrassi idrassi reopened this Aug 13, 2024
@curiouskot

Thank you for the swift reply! I agree, it could be something with the firmware. The laptop HP Elitebook 8570w has the "latest" firmware, but of course it is an old model already, no new updates in years. But since it was a very powerful machine when new, it is still working fine in a normal use (for example the 4K youtube vids play smooth).

When I give the MSInfo32 command, I get the System Information screen that shows
"BIOS Mode - UEFI",
"Secure Boot State - Off",
"Boot device - \Device\HarddiskVolume1"
So at least those are like they should.

If I go to System Configuration and Boot, it also shows the normal: "Windows 11 (C:\WINDOWS) : Current OS; Default OS"

I also checked folder C:\Windows\Boot\EFI\ and a 1636 KB file "bootmgr.efi" was there, so at least that is not missing.

I also googled and found this: "Firmware variables are not supported on a legacy BIOS-based system. The GetFirmwareEnvironmentVariable function will always fail on a legacy BIOS-based system, or if Windows was installed using legacy BIOS on a system that supports both legacy BIOS and UEFI."

Well at least that mistake I did not do, since I did not install Windows with the legacy setting on. And UEFI is still on, I just now checked from BIOS just in case: "UEFI Native (Without CSM)."
Sata Mode is "AHCI" if that matters.
On UEFI Boot Order I have "OS Boot Manager" as first on the list.

Looking forward to the new version, we will try it for sure when you have it ready. Thanks!

@idrassi
Member

idrassi commented Aug 18, 2024

Thank you for all these details.

I have prepared installers for version 1.26.13 that include the changes I mentioned above. The installers are available at https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/Windows/
I'm also attaching the exe installer here: VeraCrypt Setup 1.26.13.exe.zip

Let me know how things go and please share full error message in case of failure (or screenshot of messagebox).

@curiouskot

I uninstalled Veracrypt and then downloaded your zip, installed that version and it immediately worked perfect, computer rebooted like it should, and then after that: "The pretest has been succesfully completed." I pressed "Encrypt", "OK" and the encryption started. There were no error messages at all. :)

@idrassi
Member

idrassi commented Aug 19, 2024

Thank you for the feedback; I'm glad it worked.

In addition to adding a more verbose error message, I also modified the code logic as follows:

  • Accept an empty BootOrder environment variable.
  • Hold the SE_SYSTEM_ENVIRONMENT_NAME privilege only temporarily for the duration of the call, rather than permanently.

I believe what fixed the issue is that the code now accepts an empty BootOrder variable. For years, I never considered that this situation might occur but I now understand why some users were affected by this issue.

Thank you again for your help in addressing this issue and validating the fix.

@curiouskot

You're welcome. It is nice to see this machine now encrypted with Veracrypt, since back in the day when it was new, I used to deliver hundreds of laptops with the same model to customers and I actually equipped them with Truecrypt in the process. Probably worldwide there are still thousands and thousands of old computers that this fix might help at some point.

@kriegste

kriegste commented Sep 11, 2024

I have similar problems while encrypting a notebook's system partition. Windows 10 is installed on the second hard drive (SSD), while the first hard drive is for storing data. I cannot seem to change the drive order in the BIOS, but Windows never had a problem with this config.

I previously used TrueCrypt on the notebook, but now I want to move to VeraCrypt. Since the system was installed as non-EFI, booting with VeraCrypt was literally dead slow. So I decrypted again and used the Windows tool "mbr2gpt" to convert it to EFI. This worked well. But now when I try to encrypt the system partition these dialogs appear, one by one:

1
2
3
-> "exception occurred"
4
-> "exception occurred"
5

This is with the latest version 1.26.15.

@kriegste

kriegste commented Sep 11, 2024

BTW, my notebook also is an old HP model.

Edit:

Error 0xCB is ERROR_ENVVAR_NOT_FOUND. So the call to GetFirmwareEnvironmentVariable is valid, but there is no such variable. This could be HP specific. Is the content of the "BootOrder" actually used anywhere in VeraCrypt? Maybe there is another solution?

@kriegste

kriegste commented Sep 12, 2024

https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getfirmwareenvironmentvariablew

Firmware variables are not supported on a legacy BIOS-based system. The GetFirmwareEnvironmentVariable function will always fail on a legacy BIOS-based system, or if Windows was installed using legacy BIOS on a system that supports both legacy BIOS and UEFI. To identify these conditions, call the function with a dummy firmware environment name such as an empty string ("") for the lpName parameter and a dummy GUID such as "{00000000-0000-0000-0000-000000000000}" for the lpGuid parameter. On a legacy BIOS-based system, or on a system that supports both legacy BIOS and UEFI where Windows was installed using legacy BIOS, the function will fail with ERROR_INVALID_FUNCTION. On a UEFI-based system, the function will fail with an error specific to the firmware, such as ERROR_NOACCESS, to indicate that the dummy GUID namespace does not exist.

This was partly mentioned in an earlier comment.

So the error code could be used to decide if the system is installed under UEFI or not (it is ERROR_INVALID_FUNCTION then). Maybe this is a better strategy?

@kriegste

I managed to add the missing "BootOrder" variable in my system using Windows' SetFirmwareEnvironmentVariable API. VeraCrypt is working now. This is a hack I cannot recommend to the average user, so the underlying bug in VeraCrypt should be fixed in any case.

There is a new, unrelated problem which I will post in another existing issue.

idrassi added a commit that referenced this issue Sep 16, 2024
…e is not defined.

we now report that EFI is not supported only when GetFirmwareEnvironmentVariable fails with error ERROR_INVALID_FUNCTION.

Proposed by @kriegste on #360
@idrassi
Member

idrassi commented Sep 16, 2024

@kriegste Thank you for the detailed and helpful feedback.

The issue is indeed caused by the empty "BootOrder" variable in your HP PC. The method EfiBoot::IsEfiBoot in BootEncryption.cpp expects this variable to be present and not empty in order to detect a valid EFI system.

To support cases like yours, I have modified the logic in the EfiBoot::IsEfiBoot implementation to use the error code ERROR_INVALID_FUNCTION, as you pointed out in the documentation, when the BootOrder content cannot be retrieved: eb0eec7.

I will prepare a build that includes this change so that others affected by the issue can use it as well.
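
Added example, not VeraCrypt's code: a portable model of the two detection rules discussed in this thread (require a non-empty "BootOrder" versus treat only ERROR_INVALID_FUNCTION as "not EFI"). The struct and function names are hypothetical and the sample probe results are constructed; the live probe compiles only on Windows and assumes SE_SYSTEM_ENVIRONMENT_NAME is already enabled.

```cpp
// Added example, not VeraCrypt's code. All names here are hypothetical.
#include <cstdint>
#include <cstdio>
#ifdef _WIN32
#include <windows.h>
#endif

// Win32 error codes named in the thread (values from winerror.h).
constexpr uint32_t kErrSuccess = 0;
constexpr uint32_t kErrInvalidFunction = 1;   // ERROR_INVALID_FUNCTION: legacy BIOS install
constexpr uint32_t kErrEnvvarNotFound = 203;  // ERROR_ENVVAR_NOT_FOUND (0xCB)
constexpr uint32_t kErrNoAccess = 998;        // ERROR_NOACCESS

struct ProbeResult { uint32_t bytesRead; uint32_t lastError; };

// Earlier rule: BootOrder must be readable and non-empty.
bool isEfiOldRule(const ProbeResult& r) { return r.bytesRead != 0; }

// Later rule: only ERROR_INVALID_FUNCTION means "not an EFI boot".
bool isEfiNewRule(const ProbeResult& r) {
    return r.bytesRead != 0 || r.lastError != kErrInvalidFunction;
}

#ifdef _WIN32
// Live probe. Assumes the caller already enabled SE_SYSTEM_ENVIRONMENT_NAME.
ProbeResult probeBootOrder() {
    BYTE buf[4096];
    DWORD n = GetFirmwareEnvironmentVariableW(
        L"BootOrder", L"{8BE4DF61-93CA-11D2-AA0D-00E098032B8C}", buf, sizeof(buf));
    return { static_cast<uint32_t>(n), static_cast<uint32_t>(n ? 0 : GetLastError()) };
}
#endif

int main() {
    // Constructed probe results, one per situation described in the thread.
    const struct { const char* label; ProbeResult r; } cases[] = {
        { "BootOrder present (6 bytes)",     { 6, kErrSuccess } },
        { "BootOrder missing (0xCB)",        { 0, kErrEnvvarNotFound } },
        { "UEFI, firmware-specific failure", { 0, kErrNoAccess } },
        { "legacy BIOS install",             { 0, kErrInvalidFunction } },
    };
    for (const auto& c : cases)
        std::printf("%-34s old=%d new=%d\n", c.label, isEfiOldRule(c.r), isEfiNewRule(c.r));
#ifdef _WIN32
    const ProbeResult live = probeBootOrder();
    std::printf("live: bytes=%u err=%u new=%d\n", (unsigned)live.bytesRead,
                (unsigned)live.lastError, isEfiNewRule(live));
#endif
    return 0;
}
```

Under the later rule a probe that fails for any reason other than ERROR_INVALID_FUNCTION is still treated as an EFI boot, so the error code itself is worth recording alongside the result.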

@kriegste

Thanks!

Now, if IsEfiBoot() is false, that means GetLastError() is ERROR_INVALID_FUNCTION anyway, so this part can be cleaned up:

if (!IsEfiBoot()) {
	dwLastError = GetLastError();
	if (dwLastError != ERROR_SUCCESS)
	{
...

Lines 2654 and 2723.

idrassi added a commit that referenced this issue Sep 17, 2024
@idrassi
Member

idrassi commented Sep 17, 2024

Good point!
I have simplified the code as you proposed: 3808507
Thanks.

@idrassi
Member

idrassi commented Jan 23, 2025

fix included in 1.26.18 release.

@idrassi idrassi closed this as completed Jan 23, 2025