Bootice is an extremely powerful program that is capable of doing anything you could possibly want with your partition boot record or master boot record on your computer. You can first use Bootice to back up your boot records so you have a clean copy of your boot records before you start experimenting. Bootice can happily work on both your internal and external hard drives as well as virtual drives so you can easily work on any hard drive you have!
It's a great idea to run Bootice on any new external hard drives you purchase. This would allow you to set that hard drive to be fully compatible with your system so it would run as fast and as smoothly as possible. This would make that hard drive more stable in the long run giving you better security over any files you have stored on that hard drive.
Bootice is not necessarily the best program for beginners because it really comes with no instructions. But you can easily find instructions online for all of its features and you can easily learn what everything does with a bit of searching and reading.
The interface is clean, simple, and intuitive. So while you're learning all of its features and how to use them you will never feel overwhelmed or encumbered. You will be able to move at the perfect speed for your skills and thus will learn as you go.
If you are more familiar with this sort of tool you will be able to hit the ground running! You will immediately be able to put Bootice to good use and you will be very happy with all of its output. Some of the more advanced functions that Bootice will allow you to do include editing disk sectors in hex, completely formatting your hard drive, and creating custom boot menus.
Bootice is a completely free program. So you can download it with absolutely no obligations! It requires Windows 7 or later to run.
Bootice is a one stop shop program for accomplishing everything you could possibly want while booting your system.
Download Bootice for Windows PC from FileHorse. 100% Safe and Secure Free Download (32-bit/64-bit) Latest Version 2019.
OK. So I used VeraCrypt to encrypt the system partition and now Windows boots its automated repair only. After the repair in what I think is Windows Recovery Environment I can choose to boot off USB and THERE I can choose to boot the VeraCrypt loader.
I used BOOTICE (latest version) to modify the UEFI boot entries to boot the VeraCrypt loader in the first place by choosing 'Active', 'Boot this entry next time' and by placing VeraCrypt in the first position on the list using the 'Up' button. When I restart the PC, UEFI boots the VeraCrypt Loader as it should but when I switch off the PC and on again, UEFI boots to the Windows Boot Manager which loads the Windows Automated Repair again.This description is probably somewhat inaccurate because I don't exactly know how UEFI booting works [recommend me a good read ;)]. Obviously in my UEFI (in BIOS) I can't find the VeraCrypt boot option, there's only the Windows Boot Manager and EFI shell to choose from. How do I insert the VeraCrypt loader there? I have secure boot disabled.
I also tried to use Windows BCDEdit cmdlet but it is a no go (it does not see the VeraCrypt loader). Neither is Visual BCD Editor. My system is MSI H81-P33 & i5-4690K with the latest BIOS. Only BOOTICE somehow works.
Maybe the workaround would be to just modify the Windows Boot Manager to boot the VeraCrypt loader instead of the Windows loader? Is it a possible solution? How do I do that?
BOOTICE unmodified boot entries screenshot:
4 Answers
OK, I came up with a solution and it works even after I switch off the computer. In BOOTICE I modified the Windows Boot Manager to load 'EFIVERACRYPTDCSBOOT.EFI' (the VeraCrypt loader) instead of the original Windows loader (EFIMICROSOFTBOOTBOOTMGFW.EFI) and saved it. I only modified 'Media file:' text field in BOOTICE. When I reopened BOOTICE to see if the change sticked I noticed that there are now 2 separate Windows Boot Manager entries: the original (which I presume Windows automatically recreated after I changed it) and the one I changed with the VeraCrypt loader path.
My UEFI (BIOS) now sees 2 separate Windows Boot Manager entries (which are named the same, no need to change that I guess). I hope it doesn't compromise my security and Windows performance in any way. And I hope any future Windows Updates won't mess with my solution.
I realize this is a 'dirty' solution, so it would be nice if someone made up with sth better.
My description no longer works for Windows 1709. There are better results with:
Note, as future Win10 update can bypass the patch, including major security patches that alter the firmware, there is no guarantee the machine will always work, such as with the way Truecrypt works with Win7. While you can recover and roll back to the last good OS, it can take much time. Bitlocker works without issue or in Win10 Home, use Veracrypt in file container mode which is reliable and transportable.
Bootice Download
[ THIS POST IS OBSOLETE. FOR HISTORICAL PURPOSES ONLY AS EXAMPLE OF THE DIFFICULTY GETTING EARLY VERSIONS OF VC TO RUN]
2On an InsydeH20 V5.0 UEFI 'BIOS' running on Acer E5-575:
Install all latest Win10 updates
Boot to UEFI, press F2 on Acer machines at 2x sec during boot
Turn secure boot off [ A on pics] set it as 'disabled'
IMPORTANT in UEFI: set System Admin and user passwords [1 on pics], and set Password on boot option. Do not set hard disk password as it may interfere with Win10 updates. Admin and user password on UEFI will stop all Win10 reboots at UEFI/BIOS interface so you can interrupt auto-boots to troubleshoot Veracrypt faster, and stop direct writes to UEFI by malware
Run Veracrypt 1.19 disk partition encryption
If it fails one pass, do it again. It should pass the 2nd + attempt. If not boot via rescue disk. This is because UEFI doesn't recognize the location or the file itself 'veracryptb', the bootloader, in the hard disk as 'trusted.'
If Veracrypt fails still: STOP, and proceed only if you know UEFI, Veracrypt and Win10 well as written below.
* If Veracrypt fails still, but boots on rescue disk proceed with caution as noted above. *
Enjoy.
NB: Secure boot must be off permanently because the Veracrypt signature does not reside in a separate UEFI secure boot table in firmware. You can generate one and enter it, as described in the Veracrypt forum or run without secure boot. I suggest leave SECURE BOOT OFF as the Veracrypt signature generating script has bricked some UEFI/BIOS. A malware bootloader cannot run in the UEFI because to boot, it must be added to trusted list which can be done only with SECURE BOOT ON to edit the boot file trusted list; malware cannot do that without the UEFI Admin password to change the UEFI settings from SECURE BOOT OFF. So far, rootkit malware cannot run below or at the UEFI preboot level, as we know today, to hack the admin password in UEFI, so it remains secure even with SECURE BOOT OFF. With SECURE BOOT ON, if the malware signature adds itself to the trust list it still does not exist in SECURE BOOT table in firmware so cannot run. However, Veracrypt has a script to add its signature to the firmware trust table [ with mixed results] so its possible for malware to do the same with SECURE BOOT ON. Malware may boot if its tries to mimic the trusted files in UEFI InsydeH20 table with SECURE BOOT OFF if InsydeH20 doesn't use signatures to secure its integrity. The prior post shows another user renamed veracryptb to Windows Boot Manager and booted, showing mimic ploy can work for the Windows Boot Manager. However its not easy to mimic the veracryptb bootloader due to the keys generated during the creation of the secure partition that is unique to each bootloader, a mimic will likely fail to boot into veracrypt. The above applies only to the INsydeH20 UEFI implementation, for your UEFI, YMMV.
Do not edit the TPM state unless you are sure. If the signatures cannot be generated on-the-fly or are factory supplied only, clearing the state may brick the PC [ 3 on pic].
'VeraCrypt Setup 1.23-Hotfix-2.exe' works reliably with Windows 10 Home, after 6 months of testing which includes:
- weekly security updates
- two major feature updates, 1809 and 1903
Latest Version Yahoo
No customization of the UEFI needed. Just follow the Veracrypt install instructions. Has worked under normal Win10 Home and available menu options, no special changes, scripts or hacks of the registry.
However, YMMV depending on your UEFI version and non-Acer devices, as others on the Veracrypt forum still raise issue. I am unclear as to why their settings do not work, they did not provide enough technical detail.
Tested with:
Default factory configuration on both for TPM and UEFI. The prior post of InsydeH20 V5.0 was reset to factory and remains original UEFI, not updated but passwords are set for altering UEFI.
InsydeH20 V5.0
Acer BIOS Version/Date actually American Megatrends Inc R01-A3, 5/16/2018
Please set the ADMIN PASSWORD of your device to add assurance that no changes are made to UEFI without your expressed knowledge, and use a password unknown to Windows. UEFI specifications support direct writing into UEFI from an external device/app given permissions, and in some reports, Windows feature updates have set some UEFI settings back to default, its unclear if the local ADMIN PASSWORD was set or was bypassed. In any event, setting the password is a good safety feature. You may also toy with setting the hard drive password, if available, as added assurance against 'evil maid' attacks; while the UEFI can write to such drives to set and read the drive password, the drive lock runs proprietary firmware that resides in the drive [ aka, Seagate, Toshiba, WD etc.,] and cannot be controlled by UEFI.