EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Callbacks not being fired on a machine with a TrueCrypt volume

Posted: 10/14/2010 09:28:14
by Leandro Becker (Standard support level)
Joined: 08/18/2010
Posts: 10


I'm working in my dev machine monitoring one volume (E:\*) and it's working fine. Now I'm running on a notebook with a volume mounted with TrueCrypt (the TrueCrypt volume is not the one being monitored!) and nothing happens. The driver is installed and filter instalation for the specific volume has not reported any setup error. I'm using the latest published version.

Can you guys check this out?
Posted: 10/14/2010 09:52:48
by Eugene Mayevski (Team)

Thank you for the report.

It can be that TrueCrypt actively prevents filter operations somehow.

Please turn off TrueCrypt (unmount the volume and close the application) and check whether the problem exists. This way we will know, if it's running TrueCrypt that causes problem, or even having an installed TrueCrypt driver on computer stops the filter from being run.

Sincerely yours
Eugene Mayevski
Posted: 10/14/2010 10:48:57
by Vladimir Cherniga (Team)

how did you reproduce the problem. I have installed TruCrypt on my system with 2 partitions and encrypt a non-system volume. Then using FileMon sample from CallbackFilter installation i am successfully get notifications from both volumes. How can i reproduce the issue described by you, please specify in more details. Thanks in advance.
Posted: 10/16/2010 13:13:11
by Leandro Becker (Standard support level)
Joined: 08/18/2010
Posts: 10

I installed TrueCrypt and created a encrypted volume based on a file, not encrypting an existing disk partition. The problem happens besides the volume is mounted or not. My system is Windows 7 64 bits on a Dell Vostro 1320 laptop.

I will try the FileMon sample next week to check if I made any misconfigurations. For now, keep this post in stand by until I post again with results of my tests.

Thank you.
Posted: 10/28/2010 07:13:50
by Leandro Becker (Standard support level)
Joined: 08/18/2010
Posts: 10


I've found a clue. Before continue, let me explain how my program works: I install the callback when my program, that is a Windows Service, receives SERVICE_CONTROL_DEVICEEVENT with event type as DBT_DEVICEARRIVAL looking for removable volumes.

Inside this notification, I get the volume letter and attach the filter (no error reported). In my notebook, this is not working, but in my desktop works fine (same OS). My notebook runs TrueCrypt, so this is why I was wondering if there is some sort of conflict.

I tested the FileMon sample and it works, and also, if I attach the filter a long time after the SERVICE_CONTROL_DEVICEEVENT was triggered or in my program initialization, it works too.

Looks to me that is a problem related with CallbackFilter trying to setup a removable volume as soon as it arrived. This is possible?

Posted: 10/28/2010 07:59:38
by Vladimir Cherniga (Team)

Seems that you trying to attach filter before file system mount a volume to the attached storage. May be you should filter DBT_DEVTYP_VOLUME events, or better try to subscribe on CbFltFilterAttachToFsVolumeEvent() - it should guarantee that filter already attached to file system volume.
Posted: 10/29/2010 09:39:04
by Leandro Becker (Standard support level)
Joined: 08/18/2010
Posts: 10

This sounds nice! I've no knowledge of this method.

One question to satisfy my curiosity. While the callback filter is handling the CbFltFilterAttachToFsVolumeEvent events, files on the media can be accessed by applications or only after all CbFltFilterAttachToFsVolumeEvent events are processed?
Posted: 10/29/2010 11:39:18
by Vladimir Cherniga (Team)

This event rises right after the filter is attached to the mounted volume. After that any rules for the target volume may be assigned.



Topic viewed 4976 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!