Mount and unmount issue

[andry81]

• Windows 7 Pro x64

I wrote 2 scripts to mount/unmount:

mount.bat:

imdisk -a -f "d:\a\shared-store.vdi" -m "d:\a\shared-store"

unmount.bat:

imdisk -d -m "d:\a\shared-store"

The problem is that it can not mount nor unmount.

Some time ago it has mount/dismount correctly. But after that is something did happen and mounting now is broken.

The ProcessHacker shows that the System holds the vdi file: shared-store.vdi

The mount.bat reports access denied on mount. The unmount.bat reports that the file is not found. All scripts does execute under Administrator privileges.

If try to change the parameter from path d:\a\shared-store to drive e:, then the scripts reports almost the same.

If try to run MountImg.exe it shows nothing mounted.

The same vdi file mounts correctly by the VirtualBox Guest instance. If try to stop the VM instance with the vdi file attached and run scripts again, then the issue happens again.

I read this issue but did't found a solution: #10

There is questions:

• How to correctly dismount buggy mounted vdi file?
• How mount vdi drive to a directory?

[LTRData]

The commands look correct from what I can see. Maybe some other driver or application keeps the virtual disk in use? Are you sure that you are running as administrator (elevated command prompt etc)?

[andry81]

The commands look correct from what I can see. Maybe some other driver or application keeps the virtual disk in use? Are you sure that you are running as administrator (elevated command prompt etc)?

Yes, scripts is properly elevated. The problem might be in how your driver try to create the device object, because in some cases it does not print the name. So the next allocation looks like 2: -> , which means that the previous might not released properly.

[LTRData]

It uses the next available number automatically. You can run
imdisk -l
This will show which numbers are currently in use. In some cases this list will include devices that you have unmounted, because sometimes it is not possible to remove a device directly if it is still in use.

[andry81]

\Device\ImDisk8
\Device\ImDisk7
\Device\ImDisk6
\Device\ImDisk5
\Device\ImDisk4
\Device\ImDisk3
\Device\ImDisk2
\Device\ImDisk1

The vdi file is not used by anyone, but there is too many objects is allocated.

[LTRData]

Yes, that means that the device was in use when you dismounted them and the driver could therefore not delete the device directly. The driver continues in background to attempt to delete the device at certain intervals.

[andry81]

The driver continues in background to attempt to delete the device at certain intervals.

And can not delete it while not used?

[LTRData]

The driver continues in background to attempt to delete the device at certain intervals.

And can not delete it while not used?

The device objects are in use and that is why they cannot be deleted. It can be an application or another kernel component that keeps a handle or reference to the device objects active. As long as there are references to a device object, the device object cannot be deleted.

[andry81]

I've created a second drive: d:\a\shared-backup.vhd

And create another pair of scripts. The mount script executed the same way and reported: ... 9: ->

Now the unmount script can not remove the drive, because of a file not found error: d:\a\shared-backup.

The path d:\a\shared-backup really does not exist, but the utility did report it has been mounted. I think you hold the reference to the object without actually have a name or path to it or something.

[LTRData]

You can check with Process Explorer and see what is holding a reference to ImDisk0, ImDisk1 and so on.

The problem is that if it reports that system process is the process that holds a reference you do not actually see which drivers have created the references. The only safe way to know that would be to run under a kernel debugger and check owners of references.

I would recommend that you try to disable as many other drivers and filter drivers as possible and see when it makes a difference. In most cases it is filter drivers for antimalware products that cause things like this.

[andry81]

You can check with Process Explorer and see what is holding a reference to ImDisk0, ImDisk1 and so on.

System (4), DLL, C:\Windows\system32\DRIVERS\imdisk.sys, 0xfffff88009000000

The problem is that if it reports that system process is the process that holds a reference you do not actually see which drivers have created the references. The only safe way to know that would be to run under a kernel debugger and check owners of references.

I would recommend that you try to disable as many other drivers and filter drivers as possible and see when it makes a difference. In most cases it is filter drivers for antimalware products that cause things like this.

I've tried Windows 7 x64 on VirtualBox and result almost the same. The difference is it could report some details:

D:\a>imdisk -a -f shared-backup.vhd -m "d:\a\shared-backup"
Creating device...
Error creating mount point: The system cannot find the file specified.
Warning: The device is created without a mount point.
Created device 0:  -> shared-backup.vhd
Done.

D:\a>imdisk -l
\Device\ImDisk0

D:\a>imdisk -a -f shared-backup.vhd -m "d:\a\shared-backup"
Creating device...
Error creating virtual disk:
The process cannot access the file because it is being used by another process.

D:\a>imdisk -d -m "d:\a\shared-backup"
D:\A\SHARED-BACKUP The system cannot find the file specified.

There is no any other drivers that could interfere with the ImDisk except .NET Framework 4.8.

[LTRData]

Thanks for more details! The directory mount point needs to exist before you run the mount command and it needs to be empty. Because it does not exist, the mounted device does not get a mount point and you can therefore not remove it by specifying a mount point. You need to remove it using the device number in that case, such as:
imdisk -d -u 0

Make sure that you first create the directory you want to use as mount point.

Also, if you mount a vhd, you need to specify which partition to mount. ImDisk works at disk volume level, it does not emulate full disks with partition tables etc. Also, since it only supports raw format image files, you can only use fixed size vhd files in this way, not dynamically allocated or differencing.

md "d:\a\shared-backup"
imdisk -a -f shared-backup.vhd -v 1 -m "d:\a\shared-backup"

This mounts partition 1 in shared-backup.vhd at mount point "d:\a\shared-backup". You can then dismount it using imdisk -d -m "d:\a\shared-backup".

If you need to mount dynamically allocated vhd images, there are ways to do that using devio.exe tool and ImDisk in proxy mode. There are examples in the FAQ in repository wiki.

[andry81]

You need to remove it using the device number in that case, such as:
imdisk -d -u 0

Yes, it works.

md "d:\a\shared-backup"

Another problem: I could not open it in case of vdi drive. It has mounted but is not accessible. Unmount has worked as expected.

[LTRData]

I have never tried vdi image files with ImDisk without using any third-party libraries for parsing the vdi format. If it is a fixed size image, no sparse, dynamic allocation etc it could of course work anyway but you need to be careful to identify whether there are file format headers that need to be skipped over. If you see that the actual disk data begins at a certain offset in the image file, you can use the -b switch to specify that offset to ImDisk driver.

[andry81]

Some interesting links to mount vdi:

Mount VDI as logical drive on host : https://forums.virtualbox.org/viewtopic.php?t=4748
Mounting .vdi file on host : https://forums.virtualbox.org/viewtopic.php?t=52
VirtualBox and forensics tools : http://forensicir.blogspot.com/2008/01/virtualbox-and-forensics-tools.html

[LTRData]

That is about 15 years old information. Lots of things have happened since. In most cases nowadays I recommend people to use Arsenal Image Mounter instead when mounting forensics image formats and virtual machine image formats in Windows. That will give you a full disk emulation with partition tables and everything.
GUI application that also installs necessary drivers etc: https://arsenalrecon.com/downloads
Command line tools: https://github.com/ArsenalRecon/Arsenal-Image-Mounter/tree/master/Command%20line%20applications

You can mount vdi images like this:
aim_cli /filename=image.vdi /provider=DiscUtils /background

You will get a device number in the console output, something like device 000000. Use that to dismount later:
aim_cli /dismount=000000

Hope this helps!

[andry81]

There is qemu-img version for Windows, it's free and seems it can check or convert vdi: https://cloudbase.it/qemu-img-windows/

https://github.com/cloudbase/qemu

[LTRData]

Okay. Yes, the command line version of Arsenal Image Mounter is also free and can convert between vdi and many other formats.

In any case, ImDisk is somewhat old and outdated when it comes to tasks like this. There are lots of better alternatives nowadays.

[andry81]

aim_cli /filename=image.vdi /provider=DiscUtils /background

Is there a way to mount single partition vdi to a specific drive letter?

[LTRData]

No, not in this way. This mounts the entire disk. If you are preparing scripts etc where you know partitions in the image, you can assign drive letters or mount points using mountvol command in Windows. Next time you mount the same image, Windows will assign the same mount point automatically.