Offer to mount Bitlocker drive when accessed from TC
Suppose there's a non-system drive encrypted by Bitlocker that's not mounted automatically. To mount it (and be able to use it), it's necessary to open Windows Explorer and double-click the locked drive to show the unlock dialog.
When the same locked drive is selected in TC (on drive bar or from drive combo), it results in TC's standard "Drive not found!" dialog, which is not very helpful. It would be nice if TC could detect such locked drives and offered to unlock them the same way as Explorer does.
File dialogs don't work either. Accessing unmounted/locked drive from e.g. Notepad gives very similar result to TC, just an error dialog:
[Location is not available]
F:\ is not accessible.
Access is denied.
Trying to access it from cmd.exe gives at least a little hint:
This drive is locked by BitLocker Drive Encryption. You must unlock this drive from Control Panel.
I'll try to find some more info.
I did a little research and it's possible to do something. That system dialog does not seem to be available for use, but there's a WMI interface:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa376483%28v=vs.85%29.aspx
I tested it and it works for me:
http://web.hisoftware.cz/sob/tc/DelphiBitLockerTest.7z
I've never done anything with WMI before, so I just modified the first example I found. In other words, it might not be pretty or even completely correct.
A little problem I see: there are more methods of unlocking a volume, not just a password. It raises the question of whether it would be worth supporting all of them (I'm thinking about the number of potential users), or whether a password would be enough for basic support, because it seems that the other methods could require quite a lot of extra code.
Nice one, thank you.
history.txt wrote: 12.08.16 Added: Detect when a drive is locked by bitlocker, and offer to unlock it (32/64)
I tested it and it works fine on Windows 8.1 and Windows 10. The only exception is when instead of entering password, you close the dialog with Esc. TC does not detect that and still shows its "Please enter the Bitlocker password!" dialog. But it's not a major problem.
Windows 7 has some more problems:
1) It does not work with disabled UAC, at all. There's no prompt when switching to locked drive, only the old "Drive not found!" dialog. Out of curiosity, I tested it with disabled UAC on Windows 8.1 and 10 (using EnableLUA=0 in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System) and it works there, so it looks like a bug, not an intended limitation (which would be a little strange if it was).
2) There's a timing problem with switching to newly unlocked drive. It goes like this:
- user selects locked drive
- TC asks to unlock
- user selects Yes
- TC shows its "Please enter the Bitlocker password!" and opens system unlock dialog
- user unlocks the drive
- TC immediately tries to switch to unlocked drive, even before system unlock dialog closes
- TC can't access the drive yet, so it shows "Drive not found! Please choose another:" dialog
- system unlock dialog closes
- user needs to click OK to switch to unlocked drive
- ghisler(Author)
- Site Admin
- Posts: 48196
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
1) Sorry, I can't test this on Windows 7 because my Windows 7 doesn't offer bitlocker. When you right click on the locked drive, what does the context menu show as the bold menu item? It should be something like "Unlock".
2) I couldn't reproduce that either - I'm either getting an error that the drive is locked, or then it reads the drive, but nothing in between...
Author of Total Commander
https://www.ghisler.com
1) Right click on locked drive shows popup menu with bold "Unlock drive..." (in English version, otherwise it's of course localized). Interestingly, I just found out that it doesn't work only for the first time:
- boot Windows 7
- try to access locked drive in TC => Drive not found!
- unlock drive in Explorer
- lock drive using "manage-bde -lock f:" command
- try to access locked drive in TC => TC offers to unlock it and it works (*1)
- further locking the drive and unlocking from TC works ok
(*1) Except one time the drive was unlocked, but Explorer somehow didn't understand it. It showed available space (which it only does when drive is unlocked), but at the same time it had locked icon and Explorer couldn't access it (other programs could).
So I'm wondering what exactly TC does to detect locked drive and how locking previously unlocked drive can influence it.
2) It happens only with Windows 7 and it looks like this:
http://web.hisoftware.cz/sob/tc/bitlocker-timing-problem.avi
(ignore the wrong cursor, it's recording software's fault)
- ghisler(Author)
1. TC calls FindFirstFile and looks for a specific error code returned by GetLastError(): 0x80310000
According to Microsoft, this is error FVE_E_LOCKED_VOLUME.
I don't know why Windows 7 wouldn't return this error code when you access the drive for the first time. There is no other way to detect a bitlocker-encrypted drive.
2. OK, I will try again a few times when I get the wrong error code.
Author of Total Commander
https://www.ghisler.com
1) I tested it and error returned on first access to locked volume is 0x80310017 (FVE_E_VOLUME_NOT_BOUND).
2) I don't know what you currently do, if you wait for some api function to return, or if you somehow watch the dialog. But if it helps in any way, when I click Unlock button, dialog gets stuck before it closes a second later. It's like when window is busy and not processing messages kind of stuck.
- ghisler(Author)
Please try beta 12, it will tolerate other errors for a few seconds after the user has entered the password.
Author of Total Commander
https://www.ghisler.com
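Editor's added example (not Total Commander's source and not code posted by anyone in this thread): the detection and retry behaviour discussed above, in C. It assumes 0x80310017 is treated like 0x80310000, as the poster suggested, and replaces "a few seconds" with a bounded number of probes; all function names and the scripted error sequence (including code 21) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define FVE_E_LOCKED_VOLUME    0x80310000u /* code ghisler says TC checks */
#define FVE_E_VOLUME_NOT_BOUND 0x80310017u /* first access on Windows 7 (thread) */

typedef enum { DRIVE_READY, DRIVE_LOCKED, DRIVE_OTHER_ERROR } drive_state;
typedef uint32_t (*probe_fn)(void *ctx); /* 0 = root listed, else error code */

drive_state classify_probe(uint32_t err) {
    if (err == 0) return DRIVE_READY;
    if (err == FVE_E_LOCKED_VOLUME || err == FVE_E_VOLUME_NOT_BOUND)
        return DRIVE_LOCKED; /* assumption: both codes mean "offer to unlock" */
    return DRIVE_OTHER_ERROR;
}

/* Grace period after the unlock dialog: tolerate any error until the drive
   is readable or the try budget (standing in for a few seconds) runs out. */
drive_state wait_after_unlock(probe_fn probe, void *ctx, int max_tries) {
    drive_state st = DRIVE_OTHER_ERROR;
    for (int i = 0; i < max_tries && st != DRIVE_READY; i++)
        st = classify_probe(probe(ctx)); /* real code sleeps between tries */
    return st;
}

#ifdef _WIN32
#include <windows.h>
uint32_t probe_win32(void *ctx) { /* ctx: wide pattern such as L"F:\\*" */
    WIN32_FIND_DATAW fd;
    HANDLE h = FindFirstFileW((const wchar_t *)ctx, &fd);
    if (h != INVALID_HANDLE_VALUE) { FindClose(h); return 0; }
    DWORD e = GetLastError();
    return e == ERROR_FILE_NOT_FOUND ? 0 : (uint32_t)e; /* empty root is ok */
}
#endif

/* Constructed sample: codes a drive returns on successive probes. */
typedef struct { const uint32_t *codes; int n, pos; } script;
uint32_t scripted_probe(void *ctx) {
    script *s = ctx; /* replays codes in order, then repeats the last one */
    return s->codes[s->pos < s->n - 1 ? s->pos++ : s->n - 1];
}
drive_state demo_unlock_race(void) { /* locked, not ready (21), readable */
    static const uint32_t codes[] = { FVE_E_LOCKED_VOLUME, 21u, 0u };
    script s = { codes, 3, 0 };
    return wait_after_unlock(scripted_probe, &s, 10);
}
int main(void) {
    printf("state after unlock: %d\n", (int)demo_unlock_race());
    return 0;
}
```

A result of DRIVE_LOCKED after the budget is exhausted means the volume is still locked, for example because the unlock dialog was dismissed.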
Beta 12 fixed the timing problem. Now after unlocking the drive, TC opens it correctly. There's no more false "Drive not found!" dialog.
But nothing changed for first access problem, TC still does not detect encrypted drive and does not ask to unlock it. Is it supposed to work, did you add the other error code (0x80310017) to that condition?
- ghisler(Author)
I couldn't use Bitlocker on Windows 7, so I didn't add it yet - but I found out why it wasn't working: I had set the option HideRemovableNoMedia=7 in wincmd.ini to hide card readers with no medium. This was also hiding Bitlocker encrypted flash drives.
Author of Total Commander
https://www.ghisler.com
- ghisler(Author)
You can set HideRemovableNoMedia manually to hide removable drives with no medium in them. For example, some 10-in-one card readers show multiple drives for SD-Card, Memory Stick, Compactflash etc. It allows hiding the drives where no flash memory is in the slot. The problem is that I was using Bitlocker on a USB stick, and it was hidden due to that option. Therefore I thought that my PC doesn't show unmounted Bitlocker drives.
Author of Total Commander
https://www.ghisler.com
Beta 13 now works great with Windows 7. I also like the new BitlockerAlwaysDecrypt option.
There's only one last tiny flaw left. When instead of entering password you close system unlock dialog (press Esc or click the window close button), TC does not notice and still shows "Please enter the Bitlocker password!" dialog. Just for the record, I don't really mind myself, as it only takes another Esc press to close it.