Cannot "Safely Remove" USB Drives after Free Space Wipe

gilean23

New Member
Using Eraser 5.86.1 on Windows XP (SP3) and Windows Server 2003 (SP1).

After running a free space wipe using US DoD 5220 22-M (8-306. / E) 3 passes on an external USB hard drive (not flash memory), I am encountering problems using the "safely remove hardware" function to dismount the drive after the free space wipe completes. It gives the message that the drive is still in use.

I've made sure that the eraser scheduler has no tasks pointing to the drives, and is not running.

On XP, I can sometimes kill my explorer.exe process and restart it manually to get the OS to release the drive and allow it to dismount. However, on Server2k3 I'm unable to get the drive to safely dismount unless I reboot the server (even logging off and back on doesn't work). I've verified there's nobody else remotely logged on to the server, and there are no open shares leading to the drives in question.

Any suggestions?
 

Overwriter

Active Member
Hi gilean23

I have had this happen to me before, but not with Eraser.

I think I discovered it was my AntiVirus in the end. Any chance you could try disabling it as a test ?
 

gilean23

New Member
I had a sneaking suspicion that antivirus might be the culprit, however, I'm still not having any luck.
Running Symantec Corporate v10.1.4.4000: Disabled autoprotect via the gui, no luck. Stopped all Symantec services manually... still no luck. :(

Edit: the reason I correlate this issue with Eraser is that I never ran into this using sdelete.exe by Microsoft SysInternals. Eraser overall seems like a better product over the last few days I've used it though.

Edit2: Just noticed I'm having the same problem on a server that doesn't have SAV installed at all yet, so that should rule it out.
 

Overwriter

Active Member
Hi gilean23

I am sorry it wasn’t the AV, but thank you for trying that out and letting me know the result. :wink:

It could very well be an Eraser issue and if so I suspect Joel will know what it is. You have given a lot of good information and I am sure he will read this thread soon.

Meanwhile just another thought, could there be anything installed on the USB attached drive that may be being used ? I am only guessing here but I know sometimes media files can be accessed by Nero Scout and other such programs. Even things like Access might be holding something open.

You sound as if you know what you are doing and have probably thought about most things but this is just another attempt until Joel replies. Did or could you mount the drive as removable media ? I think this might be to do with the recycle bin. I am only guessing this as I had something like this when using Truecrypt.

If there is nothing on the drive have you tried formatting it and then seeing if you can safely remove it ?

Are there any type of backup programs running ?

Any automatic defragmenters ?

Any other type of anti spyware ?

Could there be something on your network accessing the drive ?

If you wish to remove your drive I think it is safe to do so as long as it isn’t being written to whilst you remove it.

OK well I am out of ideas now !! :lol:

Let me know what happens and if nothing works keep checking back to see what Joel says.

Oh and yeah you are right Eraser is a better product ! :lol: V6 is coming soon’ish so this may solve your problems.

Good luck ! :)
 

gilean23

New Member
Overwriter:
Thanks for the replies. :)

A) There's nothing on the drive except an MSSQL database backup (*.bak) file (which has not been loaded directly into SQL... see below workflow for explanation).
B) Though there is backup software running on the server (Veritas BackupExec 10.0 Rev5484), I've tried disabling all of the services for it as well.
C) According to the MMC, there are no shares even pointed at these drives, so they're not being accessed over the network.


The basic workflow I'm looking at is this:
I work for a provider of insurance software.
I receive data from our customers for conversion from one product to another within our suite of offerings. This data is always on removable media of some sort: floppy, optical, usb flash drive, usb external hard drive, or various types of tapes.

I restore/copy the data from the media onto the server in our lab environment for use by our data conversions department.

While the conversions folks are using the copy on the server, I use sdelete or Eraser to securely wipe the free space on the removable media, then store it for a couple of weeks in case conversions needs another copy of the data again.

Once conversions is completely done with the data for that customer, I'll securely wipe the data itself and ship the media back to the customer, thus ensuring their data cannot be compromised during shipping.

So basically, there are just various data files sitting on the drive.

I'm sure the odds of actually causing any damage to the drive/data/file system by just removing the drive without using the "safely remove" function are fairly remote. However, since I'm dealing with drives that are the property of customers of my company, I'd rather avoid that risk if possible.
 

Overwriter

Active Member
Hi

Thank you for the information as to how you use Eraser.

It is nice to see someone taking their customers data security seriously !

Anyway I have remembered something else, I think there is a setting somewhere (I have tried looking but no luck yet) that allows you to set whether the USB attached drive is optimised for safety or speed. I thought it was in device manager but I just can’t find it now.

Ok I have found a link for you.

Safely-remove-usb-drive

It’s the optimized for Quick Removal part I was trying to tell you about.

Also when you want to wipe entire disks you could perhaps get an old PC and use DBAN ? You could do a few at a time. It might free up your server a bit and USB is slow.

Just reading your first post again I noticed that you used the US DoD 5220 22-M (8-306. / E) 3 passes. While that is an excellent method as far as I am aware a single pseudorandom pass with either Eraser or DBAN will give you very good security in a third of the time.
 

Joel

Active Member
What you can try to do is to use Handle to determine open handles. If it is an open program.. it should be open. I'm pretty sure you know how to use it...? If Eraser is the culprit, do let me know.

Joel
 

gilean23

New Member
Unfortunately, no. I'm not too familiar with the usage of Handle or Process Explorer. :(
I've never really gotten down beyond the process level in the course of my admittedly limited admin experience.

I poked around with Handle a little bit, but couldn't figure out how to filter the results down enough to find an open handle pointed at the specific drive - especially when I'm not really sure what such a handle would look like.
 

Joel

Active Member
Just type handle <drive name> eg handle C:

Joel
 

gilean23

New Member
That was way too simple, I was apparently overthinking it. Thanks, Joel. :)

The bad news is: there were no active handles displayed for the drive in question.

The good news is: I found the culprit.

The [expletive deleted] Windows recycle bin. Apparently the default setting for the recycle bin is to use global settings for all drives on the machine. Once I set it to use separate settings for each drive, then disabled the recyle bin for the removeable drive, it dismounted as neatly as can be.

My apologies for attempting to lay this Microsoft WIndows Feature (tm) at the doorstep of Eraser. :)
 

Joel

Active Member
Shouldn't your drive be automatically detected as removable and have the recycle bin automatically disabled? Anyway, glad you solved it.

Joel
 
Top