Windows 10, USB encrypted by bitlocker do not ask to password?

Bui Trung

I have created a file manager, then i can open USB from there.
With usb is not encrypted everything works fine.But a usb is encrypted by bitlocker, when i access it, it do not show a dialog to ask for password like when i open usb by explorer of windows.
Anyone can help please!

ambershark

@Bui-Trung You can shell out to explorer to do the unlock password prompt for you.

Or you can prompt for the password yourself, then pass it to a powershell script or a batch script. Or QProcess to run the cmd command yourself.

Here are some examples:

http://stackoverflow.com/questions/15324758/bitlocker-script-to-unlock-drive

Bui Trung

Yes, i'm trying this way. But to be able to run 'manage-bde', you have to provide administrator right.for standard user i don't want they input password for administrator directly. I still not be able to automatically input password for them.

ambershark

@Bui-Trung Well there's no easy way around that. You will have to have your application run as administrator. Or you can write a separate system service with elevated permissions just to unlock those drives. That is the proper way for admin level stuff in windows.

But again, you can just shell out to explorer and have it unlock for you. Even without admin. Just launch explorer.exe and pass it the path of the drive you want to unlock, i.e. explorer.exe e:\ and it should prompt the user to enter their password. Granted they will now have an explorer window open which isn't desirable.

You could also tell the user that they need to unlock their encrypted drive before your app can access it. Provide them with a button that will launch explorer as I detailed above and you should be set.

You're pretty much stuck using one of these options though, there really isn't any other way around it.

If your app is a filemanager, I would go with the system service for admin tasks approach. But that means people installing your apps will need admin to do so. User levels to run though as you just ask the service when you need to do admin stuff like unlock a drive.

Bui Trung

But, with the system service for admin tasks appoarch, can i unlock usb from a standard user account, I have some users on my computer, and all of them can unlock usb if they provide an correct password?

At this time, i've found a way to automatically input adminstrator password to command line that is vbscript.
Link reference: https://gallery.technet.microsoft.com/scriptcenter/9bda53d7-ec2e-4bc2-8e97-4487233bc55b
I can use it to open an cmd with administrator privilege, and be able to unlock usb. But if it's possible i wish to find an more secure way to unlock usb without save administrator password, something like explorer.exe xD

ambershark

@Bui-Trung Yea so the premise behind the service is to start a service that can do admin level things. The service is installed with your app and runs as the system account.

Then when your application needs to do something that is administrator level you call into your service (you can use named pipes, sockets, whatever for of communication you want) and ask it to do the admin required task. In this case mount the encrypted drive.

So your application is a user space app that never needs elevated permissions.

That is the general idea. Make sure to limit what your service can do so it won't be exploited to gain admin privileges on a target system. A good rule of thumb there is to only let it do a specific task. In this case mount an encrypted drive.

It is a lot of work though, as you need to write a service, a client/server communication system, and have an installer for your app to install the service. It's a bit of a pain for one small task. But that is the best way to do it.

Bui Trung

Another way, Use "bdeunlock.exe" to open the default input usb password of Windows Bitlocker.
Run the command like: "bdeunlock.exe D:". It will show you a dialog to input password as Windows explorer, you do not need to provide Administrator account or password.