
VeraCrypt and the Volume Shadow Copy Service (VSS)

Topics: Technical Issues
Mar 20, 2016 at 2:29 PM
I am getting VSS errors in my apps event viewer in XP Pro. For example:
Event Type: Error
Event Source: VSS
Event Category: None
Event ID: 12289
Date: 20/03/2016
Time: 12:34:02
User: N/A
Computer: TOM-I7
Description:
Volume Shadow Copy Service error: Unexpected error GetVolumeNameForVolumeMountPointW( \?\Volume{23404ed0-edd2-11e5-9f09-00241dc239ef}\, ...). hr = 0x80070003.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 50 52 44 49 46 46 43 SPRDIFFC
0008: 31 31 31 00 00 00 00 00 111.....
0010: 53 50 52 44 49 46 46 43 SPRDIFFC
0018: 39 36 00 00 00 00 00 00 96......


When I search the registry for the volume name - 23404ed0-edd2-11e5-9f09-00241dc239ef - I find that volume mentioned at HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices with the following value data:
0000 56 65 72 61 43 72 79 70 VeraCryp
0008 74 56 6F 6C 75 6D 65 57 tVolumeW
0010

There are 3 other regularly occurring VSS errors, and they are in the same form except for pointing to different volume names, and the volume names show in the same way in the registry, except that the last pair of characters in the second row is different, and the references beside the 2 rows of digits are to VeraCrypt volumes K and Y respectively.

Although there are 3 different VeraCrypt volumes referred to, corresponding with the different volume names in the event viewer, the errors appearing in the event viewer in respect of all 3 volume names have the following in common, suggesting that it is all to do with VeraCrypt volume W:
GetVolumeNameForVolumeMountPointW

I have no VeraCrypt volumes mounted, having so far only created the "bins".

Can anybody shed light, please, on this possible conflict between VeraCrypt and the VSS?
Mar 20, 2016 at 5:39 PM
What version of VeraCrypt are you using on your PC?

Is it 32 or 64-bit OS?

Did you upgrade your existing volumes from TrueCrypt to VeraCrypt?

Did you previously use VeraCrypt version 1.15?

Regarding the last two questions, if you answered yes, perform the following.

First upgrade to latest version. I include this statement for the benefit of other users reading this thread.

With all the volumes dismounted, perform the following.

Using a modified version of Idrassi's instructions:
Check the registry key "HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices" using regedit. Scroll down and you'll find entries starting with "\DosDevices\" which indicate the drive letters that are taken by the system. Before mounting any volume, double click on each one and remove the ones that contain the name "VeraCrypt" and "TrueCrypt".
Also, there are other entries whose names start with "#{" and "\??\Volume{": double click on each one of them and remove the ones whose data value contains the name "VeraCrypt" and "TrueCrypt".

Reboot PC.
Mar 21, 2016 at 2:12 PM
Thanks Enigma.

I am using v1.17 32 bit on a 32 bit XP Pro SP3 machine. There was no prior TrueCrypt volume, and I did not previously have v1.15 installed.

I could not find Idrassi's instructions. Could you please provide a reference?

Can you say in general terms, please, what might be going wrong here?

"Before mounting any volume, double click on each [entry starting with "\DosDevices\"] and remove the ones that contain the name "VeraCrypt" and "TrueCrypt"." - I will check this out when I next mount volumes. Do you mean that contains both "VeraCrypt" and "TrueCrypt" or that contains either of those terms?

"Also, there are other entries whose names start with "#{" and "\??\Volume{": double click on each one of them and remove the ones whose data value contains the name "VeraCrypt" and "TrueCrypt"." - I estimate that there are over 1500 such entries, and so it is not a very appealing task. However, I have already identified 3 such entries, as mentioned in my post, if you mean entries that contain either VeraCrypt or TrueCrypt. Do you mean that, or entries that contain both VeraCrypt and TrueCrypt?

I might find the entries with the data values you mention more easily with a registry editor that searches the data values, but it appears that the native windows editor does not do so. Do you know of one that does?
Mar 21, 2016 at 5:46 PM
Edited Mar 21, 2016 at 5:46 PM
atdkb wrote:
I could not find Idrassi's instructions. Could you please provide a reference?
Do you mean that contains both "VeraCrypt" and "TrueCrypt" or that contains either of those terms?
Idrassi's modified instructions are quoted in my post above about removing the registry settings.
Sorry, I should have changed the instructions to say "or".

With your volumes dismounted, you want to remove the "\DosDevices\", "#{" and "\??\Volume{" entries that have VeraCrypt or TrueCrypt from the registry key "HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices" location. Not the entire registry.

Then reboot your PC.

The reason I am having you perform this step is to remove any possible duplicate mapping for the same volume mapping with two or more drive letters which may be causing your issue.

Over 1500 entries in the "HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices" location. Is that correct?
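
A read-only way to find the entries this post describes, as an added example that is not part of the original thread: it lists the values under HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices whose names start with the three prefixes and whose data contains VeraCrypt or TrueCrypt. The sample values are constructed (the first mirrors the entry quoted in the first post), and the UTF-16LE handling is an assumption.

```python
import sys

KEY_PATH = r"SYSTEM\MountedDevices"
NAME_PREFIXES = ("\\DosDevices\\", "#{", "\\??\\Volume{")
MARKERS = ("VeraCrypt", "TrueCrypt")  # either one, per the correction in the thread

# Constructed sample values; the first mirrors the entry quoted in the first post.
SAMPLE = [
    ("\\??\\Volume{23404ed0-edd2-11e5-9f09-00241dc239ef}", b"VeraCryptVolumeW"),
    ("\\DosDevices\\K:", b"VeraCryptVolumeK"),
    ("\\DosDevices\\T:", "TrueCryptVolumeT".encode("utf-16-le")),
    ("\\DosDevices\\C:", bytes.fromhex("1b2c3d4e007e000000000000")),  # ordinary disk
    ("SomeOtherValue", b"VeraCryptVolumeQ"),  # name prefix not in scope
]


def decode_data(data):
    """Return value data as text. The thread shows plain ASCII data; dropping
    NUL bytes also covers UTF-16LE storage (an assumption, not from the page)."""
    return data.replace(b"\x00", b"").decode("latin-1")


def find_candidates(values):
    """Return sorted (name, text) pairs for in-scope names whose data names
    a VeraCrypt or TrueCrypt volume. Nothing is modified."""
    hits = []
    for name, data in values:
        if not name.startswith(NAME_PREFIXES) or not isinstance(data, bytes):
            continue
        text = decode_data(data)
        if any(marker in text for marker in MARKERS):
            hits.append((name, text))
    return sorted(hits)


def read_mounted_devices():
    """Read every value under HKLM\\SYSTEM\\MountedDevices (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        value_count = winreg.QueryInfoKey(key)[1]
        return [winreg.EnumValue(key, i)[:2] for i in range(value_count)]


if __name__ == "__main__":
    values = read_mounted_devices() if sys.platform == "win32" else SAMPLE
    for name, text in find_candidates(values):
        print(f"{name}  ->  {text}")
```

On Windows it reads the live key; elsewhere it falls back to the constructed sample so the matching logic can be checked offline.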
Mar 21, 2016 at 6:55 PM
Edited Mar 21, 2016 at 8:08 PM
Thanks again.

1500+ entries in the Mounted devices folder is correct. The vast majority of them commence "\??\Volume{". Can the entries commencing in that way all be deleted?
Mar 21, 2016 at 10:17 PM
Edited Mar 21, 2016 at 10:17 PM
atdkb wrote:
Can the entries commencing in that way all be deleted?
No.

If you are willing, use the DriveCleanup utility below to remove all currently non-present USB Storage Devices, Disks, CDROMs, Floppies, Storage Volumes and WPD devices from the device tree. Furthermore, it removes orphaned registry items related to these device types.

I request you use version 0.9.0 since I have not tested the 1.2.0 version that was recently released. The 1.1 version did not wipe existing devices from the registry.

Create a directory and unzip the software files into the directory.
Start a command line prompt as Administrator.
In the command window, change into the directory where you unzipped the files. If you are using 64-bit Windows OS, change into x64 subdirectory.
Dismount all VeraCrypt/TrueCrypt volumes.

Use the following command to view what the DriveCleanup utility will remove from the registry:

drivecleanup -T

To remove items from the registry:

drivecleanup

Reboot PC after running utility.

Any USB that was not currently connected to your PC will be installed again by Windows and you may have to manually reassign the drive letters in Windows Disk Management if you had certain drive letters for an external hard drive or thumbdrives.

http://www.uwe-sieber.de/drivetools_e.html

http://www.uwe-sieber.de/files/drivecleanup090.zip

I have performed this numerous times on my Win 7 Pro 64-bit Windows system to remove all registry entries including valid devices due to tests with file containers.

If anyone knows of a better free utility, please post it.
Mar 22, 2016 at 6:51 PM
Thanks Enigma, for that most useful advice.

I ran driveclean.exe by double clicking it, and what a lovely clean out it gave my mounted devices folder in the registry, and some other parts of the registry, and lots of usb devices seemed to be being removed somehow. I am down to just 46 entries in the mounted devices folder now.

Are there any standard problems that flow from the usb devices and entries in the mounted devices folder accumulating in that way?
Is it normal for them to do so?

I think that if I use it again I would write a batch file and add some logging to the script.

I was unable to run it following your advice about going to a directory. I assume you meant me to run cd[space][file path of directory], and then to run drivecleanup -T, as you stated, but nothing happened. Where did I go wrong?

So far as my original problem is concerned, it looks at the moment like my vss was getting jammed up somehow by dtSearch running on a schedule and writing to a folder being cloned at the same time by ViceVersa. I am only guessing, and I don't know why it should do that, and we shall see.
Mar 22, 2016 at 7:19 PM
atdkb wrote:
Are there any standard problems that flow from the usb devices and entries in the mounted devices folder accumulating in that way?
Is it normal for them to do so?

Yes, it is normal for Windows to keep in the registry the previous devices that you connected to Windows and the assigned drive letter.

I am guessing that connecting various USB devices and external HDDs over the years has caused you to accumulate so many entries in the registry.

atdkb wrote:
I was unable to run it following your advice about going to a directory. I assume you meant me to run cd[space][file path of directory], and then to run drivecleanup -T, as you stated, but nothing happened. Where did I go wrong?

Using the command line window, did you change directory into the Win32 directory when you attempted to run the drivecleanup -T command?

See if the T option is available for the Win32 by running the help option of: drivecleanup /?
Mar 22, 2016 at 9:49 PM
I imagine that the computer has unnecessary work to do when the registry is groaning with superfluous entries. Does the system for recognising usb devices tend to run into problems when the number of keys in the mounted devices folder rises to such a high number as over 1500?

Strangely, when I repeated the cd[space][directory path] just now, it worked fine. I must have made some mistake before. The drivecleanup -T command then worked fine. What a great tool. Thank you again. Maybe next time I will try adding [space]>>[space]"Z:\D drive\drivecleanuplogs\drivecleanup.log" to the end of the string, or something like that, and get a log of what had been removed.
Mar 22, 2016 at 11:27 PM
atdkb wrote:
Does the system for recognising usb devices tend to run into problems when the number of keys in the mounted devices folder rises to such a high number as over 1500?

I do not know the ramifications of such a high number of devices in the registry. Only that there is the possibility that an old entry had the same GUID as one of the current devices which will cause problems.
Mar 23, 2016 at 12:40 AM
Thanks.

I looked around Uwe Sieber's site and found another tool that looked very useful - USB Tree. The Windows device manager is rather frustrating because it does not provide enough information to enable you to identify the devices it refers to. I found an error showing there in relation to one of my hard drives, which error did not show in the Windows device manager. I appear to have fixed that by restarting the port and the device, whereupon the correct drive letter showed in USB Tree, and so perhaps that is another wrinkle ironed out.

I think I now just have to watch the system for a few days to see how it runs. I'll report back if I find anything of interest. I still think the vss error report was probably due to a conflict between dtSearch and ViceVersa running at the same time. I reinstalled the vss recently for good measure, but I did not get the impression that that made any difference.

Thanks again for all your help. I am delighted to have found Devicecleanup and USB Tree.

Incidentally, I have recently been reviewing my encryption software and installed VeraCrypt for the first time, and I like it a lot. I think that dynamic drives would be much more convenient (since the bins otherwise take so long to create) if the danger of corruption could be avoided in case of the encrypted bins filling the drive. I wonder if there is some way to automate a guard against that problem if not eliminate it.