Sorry for the lack of details, was trying to eject it before I went to work. Gave it at least 5 minutes to see if whatever process was accessing the drive would stop.
It's possible it's not svchost.exe, but that's the only thing I saw accessing the drive. The drive is a USB hard drive with a TrueCrypt container (that's the Fujitsu.tc file) on the drive, and yes, the TrueCrypt volume was ejected.
I received the "Cannot safely eject...in use" message; I didn't screenshot it at the time, but I'm sure everyone's seen it at one time or another. No "Explorer" windows were looking at the drive at the time... which is 9/10 my problem when I see the message in XP.
I fired up the new Procmon 2.0 and filtered any disk activity to J: (which is the drive in question) and that was the only process coming up. That was only one entry out of... a bunch by the way. I just didn't grab the log because I was running late. I ended up rebooting and pulling the drive during the boot process.
This is a new Vista (Ultimate, SP1) machine, built on the 3rd, and I've seen this once with my thumb drive, and it went away during a reboot. It definitely doesn't happen all the time; it's just annoying when it does. I probably could have pulled it out without any issues, but I needed to make sure I had the data, so I didn't do that.
Is there a better way to determine what's accessing the drive when an eject is performed?
PS: Anyone know what corresponding service that is? I think the cmd-line is just referencing the level of access, correct? Any way for me to link it to the proper service? I was thinking it might be indexing, but it doesn't do it through svchost. I flipped off the indexing attribute after the 2nd try just for testing... plus it doesn't need to be indexed.