dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
3325
Anon00
Premium Member
join:2001-09-25
USA

Anon00

Premium Member

[Vista] Can't eject USB Hard drive

svchost.txt
6,479 bytes
Vista 64-bit, used ProcMon to see what was accessing it and I got this (see attachment). Anyone have any idea what's keeping the drive locked?

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

Cudni

MVM

does it happen all the time or is it intermittent? Did you close all apps that might be accessing it? If you wait few min does it unlock?

Cudni
dave
Premium Member
join:2000-05-04
not in ohio

1 edit

dave to Anon00

Premium Member

to Anon00
It looks like that procmon output is saying that a file-read operation was successfully executed. What leads you to conclude it's relevant to your failure to eject?

Did you get any error messages saying that the eject failed?

Taking a wild guess at the available evidence, it looks like something in that svchost process has an open handle to J:\fujitsu.tc; if 'J:' is the drive in question, that would be the proximate cause of non-ejection: the drive is in use.

As to why svchost takes an interest in your USB drive, I couldn't yet say.
Anon00
Premium Member
join:2001-09-25
USA

3 edits

Anon00

Premium Member

Sorry for the lack of details, was trying to eject it before I went to work. Gave it at least 5 minutes to see if whatever process was accessing the drive would stop.

It's possible it's not svchost.exe, but that's the only thing I saw accessing the drive. The drive is a USB Hard Drive with a Truecrypt container, that's the Fujitsu.tc file, on the drive and yes the Truecrypt volume was ejected.

I received the "Cannot safely eject...in use" message, didn't screenshot it at the time but I'm sure everyone's seen it at one time or another. No "Explorer" windows looking at the drive at the time... which is 9/10 my problem when I see the message in XP

I fired up the new Procmon 2.0 and filtered any disk activity to J: (which is the drive in question) and that was the only process coming up. That was only one entry out of... a bunch by the way. I just didn't grab the log because I was running late. I ended up rebooting and pulling the drive during the boot process.

This is a new Vista (Ultimate, SP1) machine, built on the 3rd, and I've seen this once with my thumbdrive and went away during a reboot. It definitely doesn't happen all the time, just annoying when it does. I probably could have pulled it out without any issues, but I needed to make sure I had the data so didn't do that.

Is there a better way to determine what's accessing the drive when an eject is performed?

PS Anyone know what corresponding service that is? I think the cmd-line is just referencing the level of access, correct? Any way for me to link it to the proper service? I was thinking it might be indexing, but it doesn't do it through SVChost. I flipped off the indexing attribute after the 2nd try just for testing.. plus it doesn't need to be index.
dave
Premium Member
join:2000-05-04
not in ohio

dave

Premium Member

Pick one:

tasklist /svc on the command line.

I think Vista has a 'services' tab in Task Manager, but I'm not running Vista right now, so can't see if it has process/service mappings.

Otherwise, Sysinternals Process Explorer will tell you.
Anon00
Premium Member
join:2001-09-25
USA

Anon00

Premium Member

Oh duh, I didn't notice the PIDs in the log. Such a scatter brain in the morning.

Thanks!
thedog64
join:2002-07-12
Chicago, IL

thedog64 to Anon00

Member

to Anon00
Try this »tinyurl.com/25krgv
Anon00
Premium Member
join:2001-09-25
USA

1 edit

Anon00

Premium Member

said by thedog64:

Try this »tinyurl.com/25krgv
I usually don't load unlocker on my machines since Process Explorer or ProcMon can usually discover what's going on.

I'm just wondering why SVChost was accessing the file container. I went into Vista pretty raw, so I need to catch up on how all the Sub-Systems work/do. Just going from 2000/XP/2003 I was trying to think why that process was continuously reading that file. Maybe it's a bug with Truecrypt, but I have a hard time believing it links anything into the Generic Services Host.

I'm away from my machine (and I'm not allowed to access my systems remotely from work...) so I can't troubleshoot and try to discover which Service was the issue. If it comes up again I should remember what to do.