Bitlocker will not stay decrypted, it automatically re-encrypts after decrypting

  • U User 13129644

    > ...You'd go through the trouble to lock something locally (meaning you don't trust your employees), just to trust some random company?

    I'm a one-man company diagnosing vehicles at the customer site. I've used this guy for the last three years; he is trustworthy with my data. The software is his build and he likely wants to keep his customers from selling the native installation he provides. There is no problem using the encrypted drive since it's a regular Bitlocker use case. I can access my data and programs as a user/admin should. The problem is with possibly a hidden service that keeps Bitlocker encrypted and I know I can find that service given time, tools and some guidance (ergo my coming to this forum).

    Edit: Bitlocker has not kept me from a Windows login and accessing my account, there is no abnormal functionality here. The problem here is turning off Bitlocker because I needed to do some maintenance work and noticed that Bitlocker turns off then quickly re-encrypts.

    Lost User wrote (#7):

    Member 13161686 wrote:

    I've used this guy for the last three years he is trustworthy with my data.

    If that was the case you would not be posting here. If the only problem is that the third-party app starts encrypting after decrypt, then you should contact that vendor. None of us would know any details on the software.

    Member 13161686 wrote:

    The software is his build and he likely wants to keep his customers from selling the native installation he provides.

    Very unlikely. There's easier ways to prevent idiots from selling your application.

    Bastard Programmer from Hell :suss: If you can't read my code, try converting it here (X-Clacks-Overhead: GNU Terry Pratchett)

      User 13129644 wrote (#8):

      Alright, then how would you write something that behaves similarly to what I have on my machine? Then please let me know how would I track it down using the different tools freely available. Just to be clear, your executable must be listening for a user to issue a "Turn Bitlocker off" command from the control panel, and prevent the drive from being decrypted.

      • L Lost User

        Member 13161686 wrote:

        This is a fellow who installs automotive diagnostic software (for a specific German brand)

        Then you should be talking to him.

        User 13129644 wrote (#9):

        It's better for me to be a couple of steps ahead of this fellow. If and when I figure how to kill the process responsible for this inconvenience, I plan on restarting it up when I'm done with my disk maintenance. Do you, however, know how to write an executable that listens for a user's decrypt command to Bitlocker (from the control panel) and prevent decrypting? Or would you know how to track down a process like this? This is why I came to this forum. Thank you

          Lost User wrote (#10):

          How could we? We know nothing about the programs that this person has installed. As I said before, you need to talk to him for assistance.

            Lost User wrote (#11):

            Member 13161686 wrote:

            Alright, then how would you write something that behaves similarly to what I have on my machine?

            I wouldn't. If you were paying my expenses, I might entertain you with arguments for that position.

            Member 13161686 wrote:

            Then please let me know how would I track it down using the different tools freely available.

            The Task Manager shows the executable's location.

            Member 13161686 wrote:

            Just to be clear, your executable must be listening for a user to issue a "Turn Bitlocker off" command from the control panel, and prevent the drive from being decrypted.

            If you are the owner of the machine then it will be easy to turn off or halt. Which third-party software? What company?

              User 13129644 wrote (#12):

              Quote:

              I wouldn't. If you were paying my expenses, I might entertain you with arguments for that position

              Just to be clear, I'm not interested in you coding anything for me. I'm just asking you how would you code something like that, e.g. write some code that creates a hidden process and intercepts calls to the Bitlocker "Turn Bitlocker off" command issued from the user control panel.

              Quote:

              The Task Manager shows the executable's location.

              I'm already aware of the Sysinternals suite of tools that give a lot more information regarding system processes. It's just now I need to know what to look for when tracking down what is intercepting the Bitlocker command I issue from the control panel.

              Quote:

              If you are the owner of the machine then it will be easy to turn off or halt.

              I am the owner of the machine and if it were easy to find the hidden process I suspect is on my machine, I would not need to find someone for whom it is easy.

                User 13129644 wrote (#13):

                Quote:

                As I said before, you need to talk to him for assistance.

                I'm aware of what you said but I would like to stay a couple of steps ahead of this person. I'm also not sure if you have considered the fact that if this person has installed this hidden process without my knowledge, would that person help me to remove it? Just take the example of the Sony DRM rootkit episode some years back. This is a similar scenario.

                Quote:

                We know nothing about the programs that this person has installed

                Actually you should not have to know anything about the installer. He has installed a hidden process that listens for certain Bitlocker commands (decrypting, for example) and blocks the command at the kernel level. The Sysinternals tools as well as gmer are out there and I'm familiar with their use. All I need is guidance on what to look for on how this hidden process hooks into calls I make to Bitlocker to decrypt my drive.

                • A Afzaal Ahmad Zeeshan

                  Alright, what third-party product did you use, and also enabled it to encrypt your drives? Ever heard of ransomware? Secondly, would you be able to decrypt that drive and read the content from within the software application they provided you? If there is a system service that keeps blocking you from reading the content, contact their team, or sales department and ask them to guide you on this one. Also, please in future make sure you only buy such services from vendors you can trust.

                  The shit I complain about It's like there ain't a cloud in the sky and it's raining out - Eminem ~! Firewall !~

                  User 13129644 wrote (#14):

                  Zeeshan, after conversing back and forth with a couple of other folks on this forum I see they don't understand what I'm looking for. I'm looking for someone who has knowledge on using Sysinternals tools and other similar tools to just give me some tips on what to look for. What I'm looking for is this hidden process that intercepts my Bitlocker command (to decrypt) I make from the control panel and prevents Bitlocker from decrypting.

                    Lost User wrote (#15):

                    Member 13161686 wrote:

                    All I need is guidance on what to look for

                    You know what to look for, something that is using Bitlocker commands. As I already said, we know nothing about this software or how it works, so there is really nothing to suggest.

                      User 13129644 wrote (#16):

                      Alright, thank you.

                        Richard Andrew x64 wrote (#17):

                        I see that some of our users can be difficult, let me put in my two cents. All 64-bit versions of Windows from Vista onward include a technology that prevents kernel hooks. If a kernel hook is somehow successfully installed, the machine will blue screen. It's called Kernel Patch Protection (Wikipedia). Therefore, I don't think the scenario that you suspect is what's actually going on.

                        The difficult we do right away... ...the impossible takes slightly longer.
