Mount and unmount issue about imdisk HOT 19 CLOSED

That is about 15 years old information. Lots of things have happened since. In most cases nowadays I recommend people to use Arsenal Image Mounter instead when mounting forensics image formats and virtual machine image formats in Windows. That will give you a full disk emulation with partition tables and everything.
GUI application that also installs necessary drivers etc: https://arsenalrecon.com/downloads
Command line tools: https://github.com/ArsenalRecon/Arsenal-Image-Mounter/tree/master/Command%20line%20applications

You can mount vdi images like this:
aim_cli /filename=image.vdi /provider=DiscUtils /background

You will get a device number in the console output, something like device 000000. Use that to dismount later:
aim_cli /dismount=000000

Hope this helps!

from imdisk.

The commands look correct from what I can see. Maybe some other driver or application keeps the virtual disk in use? Are you sure that you are running as administrator (elevated command prompt etc)?

from imdisk.

The commands look correct from what I can see. Maybe some other driver or application keeps the virtual disk in use? Are you sure that you are running as administrator (elevated command prompt etc)?

Yes, scripts is properly elevated. The problem might be in how your driver try to create the device object, because in some cases it does not print the name. So the next allocation looks like 2: -> , which means that the previous might not released properly.

from imdisk.

It uses the next available number automatically. You can run
imdisk -l
This will show which numbers are currently in use. In some cases this list will include devices that you have unmounted, because sometimes it is not possible to remove a device directly if it is still in use.

from imdisk.

\Device\ImDisk8
\Device\ImDisk7
\Device\ImDisk6
\Device\ImDisk5
\Device\ImDisk4
\Device\ImDisk3
\Device\ImDisk2
\Device\ImDisk1

The vdi file is not used by anyone, but there is too many objects is allocated.

from imdisk.

Yes, that means that the device was in use when you dismounted them and the driver could therefore not delete the device directly. The driver continues in background to attempt to delete the device at certain intervals.

from imdisk.

The driver continues in background to attempt to delete the device at certain intervals.

And can not delete it while not used?

from imdisk.

The driver continues in background to attempt to delete the device at certain intervals.

And can not delete it while not used?

The device objects are in use and that is why they cannot be deleted. It can be an application or another kernel component that keeps a handle or reference to the device objects active. As long as there are references to a device object, the device object cannot be deleted.

from imdisk.

I've created a second drive: d:\a\shared-backup.vhd

And create another pair of scripts. The mount script executed the same way and reported: ... 9: ->

Now the unmount script can not remove the drive, because of a file not found error: d:\a\shared-backup.

The path d:\a\shared-backup really does not exist, but the utility did report it has been mounted. I think you hold the reference to the object without actually have a name or path to it or something.

from imdisk.

You can check with Process Explorer and see what is holding a reference to ImDisk0, ImDisk1 and so on.

The problem is that if it reports that system process is the process that holds a reference you do not actually see which drivers have created the references. The only safe way to know that would be to run under a kernel debugger and check owners of references.

I would recommend that you try to disable as many other drivers and filter drivers as possible and see when it makes a difference. In most cases it is filter drivers for antimalware products that cause things like this.

from imdisk.

You can check with Process Explorer and see what is holding a reference to ImDisk0, ImDisk1 and so on.

System (4), DLL, C:\Windows\system32\DRIVERS\imdisk.sys, 0xfffff88009000000

The problem is that if it reports that system process is the process that holds a reference you do not actually see which drivers have created the references. The only safe way to know that would be to run under a kernel debugger and check owners of references.

I would recommend that you try to disable as many other drivers and filter drivers as possible and see when it makes a difference. In most cases it is filter drivers for antimalware products that cause things like this.

I've tried Windows 7 x64 on VirtualBox and result almost the same. The difference is it could report some details:

D:\a>imdisk -a -f shared-backup.vhd -m "d:\a\shared-backup"
Creating device...
Error creating mount point: The system cannot find the file specified.
Warning: The device is created without a mount point.
Created device 0:  -> shared-backup.vhd
Done.

D:\a>imdisk -l
\Device\ImDisk0

D:\a>imdisk -a -f shared-backup.vhd -m "d:\a\shared-backup"
Creating device...
Error creating virtual disk:
The process cannot access the file because it is being used by another process.

D:\a>imdisk -d -m "d:\a\shared-backup"
D:\A\SHARED-BACKUP The system cannot find the file specified.

There is no any other drivers that could interfere with the ImDisk except .NET Framework 4.8.

from imdisk.

Thanks for more details! The directory mount point needs to exist before you run the mount command and it needs to be empty. Because it does not exist, the mounted device does not get a mount point and you can therefore not remove it by specifying a mount point. You need to remove it using the device number in that case, such as:
imdisk -d -u 0

Make sure that you first create the directory you want to use as mount point.

Also, if you mount a vhd, you need to specify which partition to mount. ImDisk works at disk volume level, it does not emulate full disks with partition tables etc. Also, since it only supports raw format image files, you can only use fixed size vhd files in this way, not dynamically allocated or differencing.

md "d:\a\shared-backup"
imdisk -a -f shared-backup.vhd -v 1 -m "d:\a\shared-backup"

This mounts partition 1 in shared-backup.vhd at mount point "d:\a\shared-backup". You can then dismount it using imdisk -d -m "d:\a\shared-backup".

If you need to mount dynamically allocated vhd images, there are ways to do that using devio.exe tool and ImDisk in proxy mode. There are examples in the FAQ in repository wiki.

from imdisk.

You need to remove it using the device number in that case, such as:
imdisk -d -u 0

Yes, it works.

md "d:\a\shared-backup"

Another problem: I could not open it in case of vdi drive. It has mounted but is not accessible. Unmount has worked as expected.

from imdisk.

I have never tried vdi image files with ImDisk without using any third-party libraries for parsing the vdi format. If it is a fixed size image, no sparse, dynamic allocation etc it could of course work anyway but you need to be careful to identify whether there are file format headers that need to be skipped over. If you see that the actual disk data begins at a certain offset in the image file, you can use the -b switch to specify that offset to ImDisk driver.

from imdisk.

Some interesting links to mount vdi:

Mount VDI as logical drive on host : https://forums.virtualbox.org/viewtopic.php?t=4748
Mounting .vdi file on host : https://forums.virtualbox.org/viewtopic.php?t=52
VirtualBox and forensics tools : http://forensicir.blogspot.com/2008/01/virtualbox-and-forensics-tools.html

from imdisk.

There is qemu-img version for Windows, it's free and seems it can check or convert vdi: https://cloudbase.it/qemu-img-windows/

https://github.com/cloudbase/qemu

from imdisk.

Okay. Yes, the command line version of Arsenal Image Mounter is also free and can convert between vdi and many other formats.

In any case, ImDisk is somewhat old and outdated when it comes to tasks like this. There are lots of better alternatives nowadays.

from imdisk.

aim_cli /filename=image.vdi /provider=DiscUtils /background

Is there a way to mount single partition vdi to a specific drive letter?

from imdisk.

No, not in this way. This mounts the entire disk. If you are preparing scripts etc where you know partitions in the image, you can assign drive letters or mount points using mountvol command in Windows. Next time you mount the same image, Windows will assign the same mount point automatically.

from imdisk.