Safely dismounting TruCrypt volumes and safely removing USB external drive in Windows 10

jana
jana used Ask the Experts™
on
We use an external drive with a TrueCrypt volume (used for backups).  We have noticed recently that when dismounting it gives us a "Volume contains files or folders being used by applications or system" "Force dismount?".

We use Cobian Backup to backup our data to the TC drive.  When this message appears, we just exit the apps and sometimes remove it from memory and done it works.  But this time, that didn't work.

We have googled the problems and in some cases it says that it is Windows Indexing that is causing the problem.  We disabled it, and still problem.

Another finding is setting the drive policy to "Quick Removal", which we already had setup from the start.

Based on our findings, we are understand that even though the message appear, we can remove without problem.

Please advice possible cause & proper steps to follow to resolve it.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2018
Commented:
Since truecrypt is not considered safe anymore (unfixed security issues with its driver), you should switch to veracrypt or bitlocker.
That said, I have seen that message myself but never had any problems with forcing a dismount.
Software and Hardware Engineer
Commented:
unfixed privesc in the TC driver isn't really an issue, but it's symptomatic of the larger problem (that the tc driver isn't maintained any more) so really you should go to veracrypt before there *is* a significant issue. But that aside...

there is a handy utility here that can show you files currently open; Process Explorer also has "find" functionality that can let you find file handles for a substring (such as x:\)

the files held open tend to be harmless, but its good for peace of mind to at least know what they are :D

Author

Commented:
Thanx for the link, we will check those tools out.

TrueCrypt is not considered safe anymore??? Will place another question for this because we use TC in everything.

Back to the question.

Yes we did force the dismount prior seeing your response, connected again and its seems all ok; nothing lost.  Based on you guys experience, why would TC not permit dismount the volume and display the "force" message?  (even though we assured nothing was accessing the volume)

Also, if we have the drive policy to "Quick Removal" active, just disconnecting the USB drive with TC, is it still save? (even though it displays the "force" message))
Dave HoweSoftware and Hardware Engineer
Commented:
Truecrypt is unmaintained, rayluvs - while there is only one known issue in it so far (an unprivileged user can run system-level calls by abusing the truecrypt driver) and it passed the NCC audit with only a few observations on the key schedule. veracrypt is the successor, can open TC volumes, and has had the issues found so far patched (so truecrypt to veracrypt is a simple upgrade)

TC will not allow you to dismount the volume if a file handle is open on it - without using force. the two utilities I mentioned earlier will list open file handles, so let you find which program is holding the volume open.

pulling the volume while mounted is not advised - you can't guarantee any changes to the directory index files are written unless cleanly unmounted (forced or not)

Author

Commented:
Good enough.

Thanx

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial