TrueCrypt dismount on Windows 8.1 keeps prompting: "volume contains files or folders being used by applications or system"
I have a volume mounted by TrueCrypt. All works fine, except when I try to dismount it (after verifying I don't have any application or explorer using anything in it). Every time I click the Dismount
button, I receive this error:
Volume contains files or folders being used by applications or system. Force dismount?
I fired up Sysinternals' Process Monitor, filtered on the path beginning with that drive letter and noticed strange results in which I swear that I have not attempted to access that drive with any of the applications listed (Explorer.EXE, SnippingTool.exe, firefox.exe).
All 3 applications show the same type of "access" (with SUCCESS
result):
- CreateFile: Desired Access: Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a, OpenResult: Opened
- QueryNameInformationFile: Name: \
- QueryInformationVolume: VolumeCreationTime: 2/10/2015 10:04:26 PM, VolumeSerialNumber: D753-7E32, SupportsObjects: True, VolumeLabel:
- QueryAttributeInformationVolume: FileSystemAttributes: Case Preserved, Case Sensitive, Unicode, ACLs, Compression, Named Streams, EFS, Object IDs, Reparse Points, Sparse Files, Quotas, Transactions, 0x3c00000, MaximumComponentNameLength: 255, FileSystemName: NTFS
- CloseFile:
- CreateFile: Desired Access: Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Free Space Query, Attributes: n/a, ShareMode: None, AllocationSize: n/a, OpenResult: Opened
- QueryFullSizeInformationVolume: TotalAllocationUnits: 4,194,303, CallerAvailableAllocationUnits: 2,425,717, ActualAvailableAllocationUnits: 2,425,717, SectorsPerAllocationUnit: 8, BytesPerSector: 512
- CloseFile:
I tried disabling indexing for that drive (and all its subfolders and files by unchecking the corresponding checkbox on the drive's properties page, but that didn't help.
The only ACCESS DENIED
on Process Monitor is shown for TrueCrypt's FileSystemControl
operation:
Control: FSCTL_LOCK_VOLUME
Interestingly, if I mount that drive and immediately dismount it (without attempting to access it via Explorer even once), then it dismounts without any error.
The worst part of this problem is that if I go ahead and click Yes
(force dismount), Windows 8.1 crashes with BSOD (the blue screen of the death). Obviously this doesn't make this tool very useful.
Any idea how to get rid of this error message? Disable a Windows service or feature that causes this?
Solution 1:
You might install CrystalRich's LockHunter to see what processes have open file handles for the TrueCrypt volume.
Is your AV accessing files?
re: "TrueCrypt discontinued," it has already been partially audited and no major flaw or backdoor (in AES) has been found. See How-To Geek and E. Ciurana for comments on TrueCrypt. If you do want to switch encryption software, either to resolve the locking issue or for security reasons, aee AlternativeTo: TrueCrypt... currently, VeraCrypt has a slight lead. Note that if you do switch to VeraCrypt, all current TrueCrypt containers will need to be recreated.
Solution 2:
Chiming in a bit late -- I ran into the same problem with VeraCrypt containers created in disk partititions (disk partitioned into three sectors -- one small normal-type drive for storing backups of my software including VeraCrypt, KeePass, and my KeePass keyfiles and also two VeraCrypt partitions on the same portable hard drive). The VeraCrypt partition containers started to dismount properly once I turned off indexing for the normal-drive container -- apparently the indexing process was interpreted as an active access request for all partitions on the same physical disk.