Offer to mount Bitlocker drive when accessed from TC

Sob
Power Member
Posts: 941
Joined: 2005-01-19, 17:33 UTC

Post by *Sob »

Suppose there's a non-system drive encrypted by Bitlocker that's not mounted automatically. To mount it (and be able to use it), it's necessary to open Windows Explorer and double-click the locked drive to show the unlock dialog.
When the same locked drive is selected in TC (on drive bar or from drive combo), it results in TC's standard "Drive not found!" dialog, which is not very helpful. It would be nice if TC could detect such locked drives and offered to unlock them the same way as Explorer does.
MVV
Power Member
Posts: 8702
Joined: 2008-08-03, 12:51 UTC
Location: Russian Federation

Post by *MVV »

I'm afraid it may be some kind of Explorer-only extension...
I suppose you can't access this drive from e.g. cmd.exe either? Or some other third-party application that doesn't use shell dialogs for opening files?
Sob
Power Member
Posts: 941
Joined: 2005-01-19, 17:33 UTC

Post by *Sob »

File dialogs don't work either. Accessing an unmounted/locked drive from e.g. Notepad gives a very similar result to TC, just an error dialog:

[Location is not available]
F:\ is not accessible.
Access is denied.

Trying to access it from cmd.exe gives at least a little hint:

This drive is locked by BitLocker Drive Encryption. You must unlock this drive from Control Panel.

I'll try to find some more info.
Sob
Power Member
Posts: 941
Joined: 2005-01-19, 17:33 UTC

Post by *Sob »

I did a little research and it's possible to do something. That system dialog does not seem to be available for use, but there's a WMI interface:

https://msdn.microsoft.com/en-us/library/windows/desktop/aa376483%28v=vs.85%29.aspx

I tested it and it works for me:

http://web.hisoftware.cz/sob/tc/DelphiBitLockerTest.7z

I've never done anything with WMI before, so I just modified the first example I found. In other words, it might not be pretty or even completely correct.

A little problem I see, there are more methods of unlocking a volume, not just password. It brings a question if it would be worth supporting all of them (I'm thinking about number of potential users). Or if password would be enough for basic support, because it seems that the other methods could require quite a lot of extra code.
Sob
Power Member
Posts: 941
Joined: 2005-01-19, 17:33 UTC

Post by *Sob »

history.txt wrote:
12.08.16 Added: Detect when a drive is locked by bitlocker, and offer to unlock it (32/64)

Nice one, thank you.

I tested it and it works fine on Windows 8.1 and Windows 10. The only exception is when instead of entering password, you close the dialog with Esc. TC does not detect that and still shows its "Please enter the Bitlocker password!" dialog. But it's not a major problem.

Windows 7 has some more problems:

1) It does not work with disabled UAC, at all. There's no prompt when switching to locked drive, only the old "Drive not found!" dialog. Out of curiosity, I tested it with disabled UAC on Windows 8.1 and 10 (using EnableLUA=0 in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System) and it works there, so it looks like a bug, not an intended limitation (which would be a little strange if it was).

2) There's a timing problem with switching to newly unlocked drive. It goes like this:

- user selects locked drive
- TC asks to unlock
- user selects Yes
- TC shows its "Please enter the Bitlocker password!" and opens system unlock dialog
- user unlocks the drive
- TC immediately tries to switch to unlocked drive, even before system unlock dialog closes
- TC can't access the drive yet, so it shows "Drive not found! Please choose another:" dialog
- system unlock dialog closes
- user needs to click OK to switch to unlocked drive
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

1) Sorry, I can't test this on Windows 7 because my Windows 7 doesn't offer bitlocker. When you right click on the locked drive, what does the context menu show as the bold menu item? It should be something like "Unlock".

2) I couldn't reproduce that either - I'm either getting an error that the drive is locked, or then it reads the drive, but nothing in between...
Author of Total Commander
https://www.ghisler.com
Sob
Power Member
Posts: 941
Joined: 2005-01-19, 17:33 UTC

Post by *Sob »

1) Right click on locked drive shows popup menu with bold "Unlock drive..." (in English version, otherwise it's of course localized). Interestingly, I just found out that it doesn't work only for the first time:

- boot Windows 7
- try to access locked drive in TC => Drive not found!
- unlock drive in Explorer
- lock drive using "manage-bde -lock f:" command
- try to access locked drive in TC => TC offers to unlock it and it works (*1)
- further locking the drive and unlocking from TC works ok

(*1) Except one time the drive was unlocked, but Explorer somehow didn't understand it. It showed available space (which it only does when drive is unlocked), but at the same time it had locked icon and Explorer couldn't access it (other programs could).

So I'm wondering what exactly TC does to detect locked drive and how locking previously unlocked drive can influence it.

2) It happens only with Windows 7 and it looks like this:
http://web.hisoftware.cz/sob/tc/bitlocker-timing-problem.avi
(ignore the wrong cursor, it's recording software's fault)
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

1. TC calls FindFirstFile and looks for a specific error code returned by GetLastError(): 0x80310000

According to Microsoft, this is error FVE_E_LOCKED_VOLUME.

I don't know why Windows 7 wouldn't return this error code when you access the drive for the first time. There is no other way to detect a bitlocker-encrypted drive.

2. OK, I will try again a few times when I get the wrong error code.
Author of Total Commander
https://www.ghisler.com
Sob
Power Member
Posts: 941
Joined: 2005-01-19, 17:33 UTC

Post by *Sob »

1) I tested it and error returned on first access to locked volume is 0x80310017 (FVE_E_VOLUME_NOT_BOUND).

2) I don't know what you currently do, if you wait for some api function to return, or if you somehow watch the dialog. But if it helps in any way, when I click Unlock button, dialog gets stuck before it closes a second later. It's like when window is busy and not processing messages kind of stuck.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Please try beta 12, it will tolerate other errors for a few seconds after the user has entered the password.
Author of Total Commander
https://www.ghisler.com
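
The detection and retry behaviour discussed in the posts above, written in Python with ctypes as an added example (it is not Total Commander's code). The function names, the 5-second grace period, treating 0x80310017 as "locked" and treating ERROR_FILE_NOT_FOUND as a readable empty root are assumptions made for this example.

```python
import time

# Error codes quoted in the thread, as returned by GetLastError().
FVE_E_LOCKED_VOLUME = 0x80310000     # the code ghisler says TC looks for
FVE_E_VOLUME_NOT_BOUND = 0x80310017  # seen by Sob on first access (Windows 7)
ERROR_FILE_NOT_FOUND = 2             # empty root directory: the drive is readable
# Assumption: both FVE codes mean "offer to unlock".
LOCKED_CODES = {FVE_E_LOCKED_VOLUME, FVE_E_VOLUME_NOT_BOUND}


def probe_drive(root):
    """Windows only: FindFirstFileW on e.g. 'F:\\'; return 0 or the GetLastError() code."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstFileW.restype = wintypes.HANDLE
    k32.FindFirstFileW.argtypes = [wintypes.LPCWSTR,
                                   ctypes.POINTER(wintypes.WIN32_FIND_DATAW)]
    k32.FindClose.argtypes = [wintypes.HANDLE]
    data = wintypes.WIN32_FIND_DATAW()
    handle = k32.FindFirstFileW(root + "*", ctypes.byref(data))
    if handle == ctypes.c_void_p(-1).value:          # INVALID_HANDLE_VALUE
        return ctypes.get_last_error() & 0xFFFFFFFF  # compare as unsigned DWORD
    k32.FindClose(handle)
    return 0


def classify(code):
    """Map a probe result to 'ready', 'locked' or 'error'."""
    if code in (0, ERROR_FILE_NOT_FOUND):
        return "ready"
    return "locked" if code in LOCKED_CODES else "error"


def wait_until_ready(root, probe=probe_drive, grace=5.0, interval=0.25,
                     sleep=time.sleep):
    """After the unlock dialog: tolerate any error for `grace` seconds."""
    deadline = time.monotonic() + grace
    while True:
        if classify(probe(root)) == "ready":
            return True
        if time.monotonic() >= deadline:
            return False   # only now report the drive as not found
        sleep(interval)
```

The `probe` parameter lets the retry loop be exercised with a constructed sequence of error codes on a machine without a BitLocker volume.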
Sob
Power Member
Posts: 941
Joined: 2005-01-19, 17:33 UTC

Post by *Sob »

Beta 12 fixed the timing problem. Now after unlocking the drive, TC opens it correctly. There's no more false "Drive not found!" dialog.

But nothing changed for first access problem, TC still does not detect encrypted drive and does not ask to unlock it. Is it supposed to work, did you add the other error code (0x80310017) to that condition?
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

I couldn't use Bitlocker on Windows 7, so I didn't add it yet - but I found out why it wasn't working: I had set the option HideRemovableNoMedia=7 in wincmd.ini to hide card readers with no medium. This was also hiding Bitlocker encrypted flash drives.
Author of Total Commander
https://www.ghisler.com
Sob
Power Member
Posts: 941
Joined: 2005-01-19, 17:33 UTC

Post by *Sob »

If you add it, I'd be happy to test it and report the results. :)

I'm not sure what you mean with HideRemovableNoMedia option. I don't have it in my ini. Also my Bitlocker drive is not removable, it's standard internal SATA disk.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

You can set HideRemovableNoMedia manually to hide removable drives with no medium in them. For example, some 10-in-one card readers show multiple drives for SD-Card, Memory Stick, Compactflash etc. It allows hiding the drives where no flash memory is in the slot. The problem is that I was using Bitlocker on a USB stick, and it was hidden due to that option. Therefore I thought that my PC doesn't show unmounted Bitlocker drives.
Author of Total Commander
https://www.ghisler.com
Sob
Power Member
Posts: 941
Joined: 2005-01-19, 17:33 UTC

Post by *Sob »

Beta 13 now works great with Windows 7. I also like the new BitlockerAlwaysDecrypt option.

There's only one last tiny flaw left. When instead of entering password you close system unlock dialog (press Esc or click the window close button), TC does not notice and still shows "Please enter the Bitlocker password!" dialog. Just for the record, I don't really mind myself, as it only takes another Esc press to close it.