
Filter driver attachments to volumes, the file server resource manager and whole disk encryption (specifically truecrypt)

I needed to implement Quota reporting on a Windows 2003 R2 system on a volume protected by truecrypt.

After creating the soft quota policy with File Server Resource Manager, I received the error:

The Quota Management Filter Driver service, or File Screening Filter Driver service is not running.


The drivers:
The filter drivers are kernel drivers.

The two drivers necessary for the services are:

  • DataScrn: Datascrn.sys is a kernel-mode mini-filter file system driver that implements the file screening checks in real time on configured volumes and folders.
  • Quota: Quota.sys is a kernel-mode mini-filter file system driver that implements the quota checks in real time on configured volumes and folders.

You can start these by using `net` or `sc`. After confirming they were started, I still received the error.

I came across a blog post that suggested utilizing `fltmc.exe` to check if the filter drivers are available to the I/O stack.

C:\>fltmc filters
Filter Name                     Num Instances Frame
------------------------------  ------------- -----
DfsDriver                                    
Datascrn                                0       1
Quota                                   0       1
SIS                                          

So, the drivers are available, but they are not bound to any volume (“num instances”). If they were not listed, I would use `fltmc.exe load [Datascrn|Quota]` to load them.

Find the volume name:

In order to attach them to a volume, I would find the Device path for the volumes with the following:

C:\>fltmc volumes
Dos Name                        Volume Name
------------------------------  ---------------------------------------
C:                              \Device\HarddiskVolume1
D:                              \Device\HarddiskVolume2
                                \Device\LanmanRedirector
                                \Device\RdpDr
                                \Device\HarddiskVolume4
E:                              \Device\TrueCryptVolumeE

The drive I am concerned with is \Device\TrueCryptVolumeE.

Insert the driver into the stack:

So, to attach the filter driver to a volume, I ran the following commands:

C:\>fltmc attach Datascrn \Device\TrueCryptVolumeE

Attach failed with error: 0x80070001
Incorrect function.

C:\>fltmc attach Quota \Device\TrueCryptVolumeE

Attach failed with error: 0x80070001
Incorrect function.

Well, this is NFG.

To test if it has something to do with Truecrypt, I will try to attach the driver into the stack of a volume that isn’t encrypted with Truecrypt:

C:\>fltmc attach Datascrn \Device\HarddiskVolume1

ATTACH successful... Instance Name: Datascrn

C:\>fltmc attach Quota \Device\HarddiskVolume1

ATTACH successful... Instance Name: Quota

C:\>fltmc filters

Filter Name                     Num Instances Frame
------------------------------  ------------- -----
DfsDriver                                    
Datascrn                                1       1
Quota                                   1       1
SIS                                          

C:\>fltmc instances
Filter                         Volume Name                    Altitude          Instance Name
-----------------------------  -----------------------------  ----------------  --------------------
Datascrn                       C:                             261000            Datascrn
Quota                          C:                             125000            Quota
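
The check above can be scripted. The following is an added example, not part of the original post: it parses `fltmc volumes` and `fltmc instances` output and lists, per drive letter, which of the two FSRM mini-filters has no instance attached. The function and variable names are hypothetical, and the sample text is trimmed from the output shown in the post.

```powershell
# Added example (not from the original post). Filter names are the two named in the post.
$FsrmFilters = 'Datascrn', 'Quota'

function Get-FsrmFilterCoverage {
    param([string[]]$VolumeLines, [string[]]$InstanceLines)
    # Record every attached instance as "filter|volume".
    $attached = @{}
    foreach ($line in $InstanceLines) {
        $f = @($line.Trim() -split '\s{2,}')
        # Data rows have four columns with a numeric altitude in the third.
        if ($f.Count -ge 4 -and $f[2] -match '^\d+(\.\d+)?$') {
            $attached["$($f[0])|$($f[1])"] = $true
        }
    }
    foreach ($line in $VolumeLines) {
        $t = @($line.Trim() -split '\s+')
        # Keep only rows with a drive letter and a \Device\ path (skips headers and redirectors).
        if ($t.Count -ne 2 -or $t[0] -notmatch '^[A-Za-z]:$' -or $t[1] -notlike '\Device\*') { continue }
        $missing = @($FsrmFilters | Where-Object {
            -not ($attached["$_|$($t[0])"] -or $attached["$_|$($t[1])"])
        })
        New-Object PSObject -Property @{
            Drive   = $t[0]
            Device  = $t[1]
            Missing = ($missing -join ', ')
        }
    }
}

# Sample input, trimmed from the fltmc output shown in the post.
$volumes = @'
Dos Name                        Volume Name
------------------------------  ---------------------------------------
C:                              \Device\HarddiskVolume1
D:                              \Device\HarddiskVolume2
                                \Device\LanmanRedirector
E:                              \Device\TrueCryptVolumeE
'@ -split "`r?`n"
$instances = @'
Filter                         Volume Name                    Altitude          Instance Name
-----------------------------  -----------------------------  ----------------  --------------------
Datascrn                       C:                             261000            Datascrn
Quota                          C:                             125000            Quota
'@ -split "`r?`n"

# On a live server (elevated prompt): Get-FsrmFilterCoverage (fltmc volumes) (fltmc instances)
Get-FsrmFilterCoverage $volumes $instances | Format-Table Drive, Device, Missing -AutoSize
```

A drive with an empty Missing column has both filters attached; any other drive will produce the FSRM error quoted at the top of the post when a quota or file screen is applied to it.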

Truecrypt is one of the banes:

TrueCrypt also defeats the usage of volume shadow copies, because it stops the system calls needed, so it is no surprise to me that it also stops other filter drivers from functioning.

This is a bit of a hard spot with truecrypt, and long story short: you cannot use File Server Resource Manager to manage a drive that is encrypted with truecrypt.
More info is available on Known Issues & Limitations:

The Windows Volume Shadow Copy Service is currently supported only for partitions within the key scope of active system encryption (e.g. a system partition encrypted by TrueCrypt, or a non-system partition located on a system drive encrypted by TrueCrypt, mounted when the encrypted operating system is running). Note: For other types of volumes, the Volume Shadow Copy Service is not supported because the documentation for the necessary API is not available.

“Microsoft is evil, you see,” exclaim the TrueCrypt developers.

Time to migrate to BitLocker:
Now to convince to upgrade to 2008/2012 and migrate to BitLocker. That is, if you trust MSFT.
