(This isn't an issue, but I'm having trouble accessing my forum account, so I decided to just post it here.)
How to integrate DiskCryptor into Windows installation media
It is possible to run DiskCryptor from Windows Setup. From there you can encrypt the system partition before installing Windows to it, which saves time and ensures no unencrypted data is ever written to the disk.
Disclaimer: this guide is written by me, an average DiskCryptor user, who isn't related to the original author ntldr or the current maintainer DavidXanatos. As such, this guide lacks some technical details and may contain errors; please do point out any errors you find.
This guide is based on the information on the original DiskCryptor wiki (down now; you can access it from the Internet Archive). Do note: the wiki is very old and doesn't even reflect the last version released by ntldr.
Preparation
To follow this guide, you need a USB drive (at least 8 GB) to hold the Windows installation files.
Also, you'll need access to a system, preferably running the same Windows version as the one you're about to integrate DiskCryptor into. I recommend you do this in a freshly installed virtual machine to avoid any problems, because we'll need to install DiskCryptor onto this system to get the files and registry entries needed.
This guide has been tested with Windows 7 SP1 and Windows 10 LTSC 2021 (21H2).
Basic usage of Dism
We'll use Dism (which is included in Windows) to manipulate the boot.wim and install.wim from the Windows installation media.
This tool is very powerful, but we only need the following 3 basic commands:
dism /get-wiminfo /wimfile:boot.wim
This command will list the content of the wim file, so we know which index to use when mounting the wim.
dism /mount-wim /wimfile:boot.wim /index:2 /mountdir:c:\mount
This command will mount the wim into an empty NTFS folder. You have to create the folder in advance.
dism /unmount-wim /mountdir:c:\mount /commit
This command saves the changes we made to the mounted image and unmounts it.
Step-by-step guide
First, install DiskCryptor. You don't need to reboot, as we can already get the registry and files we need at this stage.
Open Registry Editor (regedit.exe), find dcrypt under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\, right click on it and select Export, then save the exported content as dc.reg.
Right click on dc.reg and choose Edit, remove the section "Enum" if any, and replace "SYSTEM" with "DC". You should get something like this:
The registry values above are the defaults after installing DiskCryptor 1.1.846.118 on Windows 7 SP1. At the time of writing, version 1.1.846.118 is the latest stable release by ntldr, which doesn't have UEFI support. If you have to use UEFI, choose the latest beta release by DavidXanatos instead.
Create two folders: c:\wim and c:\mount. Copy boot.wim and install.wim from the Windows Installation media to c:\wim and leave c:\mount empty.
Open PowerShell with administrator privileges and run the following commands:
cd c:\wim
dism /get-wiminfo /wimfile:boot.wim
The last command would return something like this:
Index : 2
Name : Microsoft Windows Setup (x64)
Description : Microsoft Windows Setup (x64)
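The index for Windows Setup is what we're looking for; in this case it's 2.
Mount boot.wim with the following command:
dism /mount-wim /wimfile:boot.wim /index:2 /mountdir:c:\mount
Wait for mounting to finish, then proceed.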
Open Registry Editor, click on HKEY_LOCAL_MACHINE, then head to the menu bar and click on File - Load Hive...
Load C:\mount\Windows\System32\config\SYSTEM and type DC when prompted for a name.
You'll then find a new key DC under HKEY_LOCAL_MACHINE. This is where we begin to edit the registry.
First, import dc.reg created in step 3. Check if HKEY_LOCAL_MACHINE\DC\ControlSet001\services\dcrypt is successfully imported.
Then, head to HKEY_LOCAL_MACHINE\DC\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
If the value of Class in the right panel is Volume, you're on the correct path. Double-click on LowerFilters, add a new line at the beginning and type in dcrypt. Do not remove any existing lines.
WARNING: the value is different for boot.wim / install.wim and different between Windows versions; this is why we need to edit it manually. Do NOT include this in the dc.reg file.
Click on DC under HKEY_LOCAL_MACHINE, then head to menu bar and click on File - Unload Hive...
Close Registry Editor to avoid unmounting failure.
Back to the PowerShell window, copy the necessary files with the following commands:
Then we save the changes we've made to the wim and unmount it:
dism /unmount-wim /mountdir:c:\mount /commit
We've finished integrating DiskCryptor into boot.wim. Now we need to do the same to install.wim in order for Windows to boot successfully if we choose to encrypt the system partition before installing.
Find the correct index in install.wim and mount it:
dism /get-wiminfo /wimfile:install.wim
The command returns:
Index : 4
Name : Windows 7 ULTIMATE
Description : Windows 7 ULTIMATE
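Look for the correct index for the edition of Windows you're about to install. In this guide I'll use Windows 7 Ultimate, so we mount install.wim with index set to 4:
dism /mount-wim /wimfile:install.wim /index:4 /mountdir:C:\mount
Again, we open Registry Editor, load C:\mount\Windows\System32\config\SYSTEM as DC and import dc.reg.
Then we need to manually fill a few values in:
HKEY_LOCAL_MACHINE\DC\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
Volume - add dcrypt as the first line of LowerFilters like before, do not remove any existing values.
WARNING: the existing values are different from Windows 7 to Windows 10, which is why we need to manually edit this list.
HKEY_LOCAL_MACHINE\DC\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}
You'll find a lot of keys starting with "4D36E", just look for the first one which is CDROM.
Add a new REG_MULTI_SZ (right click - New - "Multi-String Value") named UpperFilters, type in dcrypt and end with an empty line.
HKEY_LOCAL_MACHINE\DC\ControlSet001\Control\CrashControl
Add dcrypt.sys as the first line of DumpFilters, do not remove any existing values.
copy C:\Windows\System32\drivers\dcrypt.sys C:\mount\Windows\System32\drivers\
We don't need to copy any program files, as they can be restored by running the installer after we install Windows.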
Then we save the changes we've made to the wim and unmount it:
dism /unmount-wim /mountdir:c:\mount /commit
This will take some time; be patient.
Now that we've finished modifying boot.wim and install.wim, you can replace the same files on the USB drive.
Remember to copy the DiskCryptor installer to the USB drive as well if you want to have access to the GUI after installing Windows.
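The three filter-list edits made in the offline SYSTEM hive of install.wim (LowerFilters on the Volume class, UpperFilters on the CDROM class, DumpFilters under CrashControl) can also be scripted so that existing lines are never dropped. The following PowerShell is an added example, not part of the original guide or of DiskCryptor; it assumes the image is still mounted at C:\mount (run it before the unmount command), that no hive named DC is currently loaded, and that importing dc.reg and copying dcrypt.sys are done separately. The function names Assert-ClassName and Add-FirstMultiString are made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide). Assumes install.wim is mounted at
# C:\mount and that no registry hive named DC is loaded at the moment.
$ErrorActionPreference = 'Stop'

$HiveFile = 'C:\mount\Windows\System32\config\SYSTEM'
$Control  = 'HKLM:\DC\ControlSet001\Control'
$Volume   = "$Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}"
$Cdrom    = "$Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}"

function Assert-ClassName {
    # Guard against editing the wrong class key: compare its Class value first.
    param([string]$Path, [string]$Expected)
    $actual = (Get-ItemProperty -LiteralPath $Path -Name 'Class').Class
    if ($actual -ne $Expected) {
        throw "Expected Class '$Expected' at $Path but found '$actual'"
    }
}

function Add-FirstMultiString {
    # Make $Entry the first line of a REG_MULTI_SZ value and keep every other
    # line in its original order. Creates the value if it does not exist yet.
    param([string]$Path, [string]$Name, [string]$Entry)
    $prop = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    $rest = @()
    if ($prop) {
        # Drop empty strings and any earlier copy of $Entry (case-insensitive).
        $rest = @($prop.$Name | Where-Object { $_ -and $_ -ne $Entry })
    }
    [string[]]$lines = @($Entry) + $rest
    New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType MultiString `
        -Value $lines -Force | Out-Null
    # Return a one-line summary so the result can be reviewed before unmounting.
    "{0}\{1} = {2}" -f $Path, $Name, ($lines -join ', ')
}

reg.exe load 'HKLM\DC' $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $HiveFile as HKLM\DC" }
try {
    Assert-ClassName $Volume 'Volume'
    Assert-ClassName $Cdrom  'CDROM'
    Add-FirstMultiString $Volume 'LowerFilters' 'dcrypt'
    Add-FirstMultiString $Cdrom  'UpperFilters' 'dcrypt'
    Add-FirstMultiString "$Control\CrashControl" 'DumpFilters' 'dcrypt.sys'
}
finally {
    # Release registry handles held by PowerShell; otherwise the unload (and
    # later the DISM unmount) fails because the hive is still in use.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    reg.exe unload 'HKLM\DC' | Out-Null
}
```

Running it a second time leaves the values unchanged, because an existing dcrypt entry is moved to the top rather than added again.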
Encrypt system partition before installing Windows
WARNING: following this guide will wipe your disk.
To install Windows directly on an encrypted partition, we need the following steps:
Create the desired partition layout manually
For this, I recommend using DiskPart that came with Windows.
Boot your computer with the modified Windows install USB, wait for Windows Setup to load, hit ⇧ Shift + F10 to open a Command Prompt window.
Type in diskpart and hit enter, wait for DiskPart to load (showing DISKPART >), then enter the following command:
list disk
This will list all the disks detected. If you have only the internal hard drive and the USB drive connected, you can easily tell which one is which by the capacity. Usually the internal drive where you'll be installing Windows would be the first one, which is Disk 0 (the index starts with 0).
WARNING: if you can't tell which one simply by its capacity, I highly recommend you power off the computer, remove any other drives, then start over.
Select the drive you're about to install Windows on by its index:
select disk 0
WARNING: if you're not sure if this is the desired disk, use the command list partition and check that the partition layout is NOT that of your secondary drive. This is your last chance!
To wipe the disk, use command:
clean
Now that we have cleaned the disk, you have two options here: BIOS (Legacy) / MBR or UEFI / GPT. Unless you have to use UEFI, I recommend you go with MBR, which will have a much simpler partition layout.
BIOS / MBR:
If you only want one partition that fills the entire drive, it's very easy:
create partition primary
format fs=ntfs quick
If you want more partitions, say maybe you want a separate data partition or you plan to do multiboot (I won't explain how to use DiskCryptor for multiboot in this guide, maybe I'll write a guide on how to leverage the "First partition with appropriate password" booting method of the DiskCryptor bootloader someday):
create partition primary size=102401
(shown as 100.00GB in Windows explorer, if you use 102400 you'll see it shown as 99.99GB which I hate to see.)
format fs=ntfs quick label=windows
(I recommend assigning a label here when having multiple partitions.)
create partition primary
(Without the size parameter, it will take the remaining space.)
format fs=ntfs quick
Don't close this window yet, we'll need it later.
UEFI / GPT:
For Windows to boot with UEFI / GPT, you need at least 3 partitions: the EFI System Partition (ESP), the Microsoft Reserved Partition (MSR), and the partition to install Windows on.
We need to first convert the disk to GPT scheme, and create the partitions using the following commands:
convert gpt
create partition efi size=100
format fs=fat32 quick
create partition msr size=16
create partition primary
format fs=ntfs quick label=Windows
Don't close this window yet, we'll need it later.
Encrypt the system partition
Hit ⇧ Shift + F10 again to open another Command Prompt window, type in dcrypt and hit enter (you can just type in dcr and hit ⇥ Tab, which will auto-complete to "dcrypt.exe"). This will open the DiskCryptor GUI.
If you're using an HDD, and you want to fill the entire partition with random data (if you have written some unencrypted data on it that you want to get rid of), simply encrypt the system partition.
WARNING: do NOT use the "format" feature, the bootloader doesn't support that.
If you're using an SSD or you want to save some time, you can shrink the partition first, encrypt the small partition, then extend it back. This is completely safe and fully supported by DiskCryptor. The reason we create a large partition and then shrink it, rather than create a small partition in the first place, is to prevent NTFS MFT fragmentation.
Switch back to the DiskPart window, and use the following command:
list partition
This will show all the partitions on the disk. For MBR the first partition is what we want (unlike disks, the partition index starts with 1):
select partition 1
Now shrink the partition, use command:
shrink
Return to the DiskCryptor window (if you can't see it, use Alt + ⇥ Tab) and encrypt the system partition. The system partition may still be shown with its original size from before shrinking, but as soon as the encryption begins it will show the shrunk size.
After DiskCryptor finishes encrypting the partition, return to the DiskPart window and extend the partition back to the desired size using the command:
extend
Now you can close the DiskPart window as it's no longer needed. Return to the DiskCryptor window, on the menu bar click on Tools - Config bootloader, select the disk, but don't click on the "Install Loader" button yet.
Even if we install the bootloader now, Windows Setup would overwrite it anyway. Leave this window at this state and proceed.
Install Windows with Windows Setup
As soon as you click on the "Install Now" button, the DiskCryptor window may disappear. Don't worry, it's still running. You can switch to it with Alt + ⇥ Tab .
Just install Windows using Windows Setup normally. When asked which type of install, select custom and install Windows to the partition we've encrypted.
Wait for Windows Setup to finish its job and tell you it will reboot in 10 seconds, then switch back to the DiskCryptor window using Alt + ⇥ Tab and click on the "Install Loader" button. If you miss this timeframe and your system reboots, you can fix it by booting the computer with the USB drive again, then running DiskCryptor and installing the bootloader.
Finish setting up Windows; there won't be any difference from an unencrypted setup. You can choose to run the DiskCryptor installer to restore the program files.