
Launching a command / third-party app right after (or before) mounting a container

John SMITH
2018-09-10
2020-01-22
  • John SMITH

    John SMITH - 2018-09-10

    Hi

    I really like VeraCrypt, I use it and make other people use it in very hostile environments.

    One feature, not critical but that would really improve our experience would be the capacity to indicate a command or a program to be run right after a given container is mounted (or unmounted).

    In our case, we hide folders mirrored in the cloud in hidden containers. Most of the desktop cloud applications crash or hang when they cannot find the local folder they are supposed to manage. We have to kill them and manually re-launch them again when (re-)mounting the containers, which we do often.

    But I suspect there would be several other use cases where this feature could be appreciated.

    Thanks for your attention.

    PS: or you could create your own "VeraCloud" relying on VeraCrypt that would be able to encrypt AND hide cloud data mirrored on the local machine ;D


    Last edit: John SMITH 2018-09-10
  • Adrian Kentleton

    What you want could easily be achieved by using a script, e.g. a batch file in Windows, mounting the volume first, then launching your mirroring app.

  • John SMITH

    John SMITH - 2018-09-10

    Well, I'd rather not provide the attacker with a script indicating basically everything they need to find the sensitive data...

  • Adrian Kentleton

    You can launch VC GUI with a script, and be required to enter password and PIM etc. Not sure how this is any less secure than any other way of indicating "a command or a program to be run right after a given container is mounted (or unmounted)".

    Alternatively, you could hide your script in a VC file, which has to be mounted before you can run the script!

  • John SMITH

    John SMITH - 2018-09-11

    The second option won't fit, as my users will deem it too inconvenient.

    Forgive my ignorance about Windows command lines and VC commands (I come from the Linux world), but how would you do it in a batch file to expect a certain volume to be mounted and launch some commands only when it has happened?

  • Adrian Kentleton

    Post deleted: GUI is mangling what I'm posting!


    Last edit: Adrian Kentleton 2018-09-11
  • Adrian Kentleton

    Ditto! Will log out and try again.


    Last edit: Adrian Kentleton 2018-09-11
  • Adrian Kentleton

    Aha! Worked out what the problem was. Try again.

    A basic batch file called eg premount.bat would look something like this (replace {yourvol} etc with your values):

    @echo off
    veracrypt /v {yourvol} /l {yourdriveletter} /q /hash {yourhash} /nowaitdlg /c n
    if not exist {yourdriveletter}:\ goto error01
    {"Drive:\path\to\your\program"}
    veracrypt /d {yourdriveletter} /w /f /q
    goto end
    :error01
    echo {yourvol} is not mounted
    :end
    echo Press any key to exit ...
    pause > nul
    exit

    Note that this batch file will run in the background until you close your program, when {yourvol} will be dismounted. If you want the batch file to terminate before you close your program, you'll have to use:

    start {"Drive:\path\to\your\program"}

    and remove the veracrypt /d etc line.

    • Eyal A.

      Eyal A. - 2018-09-15

      Hello Adrian,
      As far as I understand, your script will not work.
      If you use the line:
      veracrypt /v {yourvol} /l {yourdriveletter} /q /hash {yourhash} /nowaitdlg /c n
      Then the next line is executed only after the last veracrypt volume is dismounted.
      if you use the line:
      start {"Drive:\path\to\your\program"}
      Then the next line is being executed while the mount/dismount process is being executed.

      Currently, there are only three available indications that the mounting process has been completed successfully:
      1- A beep is heard if you use the "/b" command line option
      2- The wait dialog closes
      3- A Windows Explorer window is opened if you use the "/e" command line option
      Only indicator #1 is available also for the dismount process. The other two are available only for the mount process.
      None of the above three indicators are script-friendly.

      I would humbly like to suggest a "/signal signalname" command line option that would send a signal to the local system, which then can be caught or propagated to another computer using the WAITFOR.exe (ss64.com) command.


      Last edit: Mounir IDRASSI 2020-01-20
      • Adrian Kentleton

        I've tested my script in the context of:
        a. VC 1.22
        b. Windows 7
        c. VC Background Task started on logon to Windows, and not exiting when no mounted volumes
        d. Other VC volumes already mounted (via scripts)

        The subsequent program launches only after the specified volume is mounted, whether directly or with 'start', since you never get to the launch line if the volume doesn't mount successfully; an errorcheck/goto routine bypasses the launch line in that case.

        It may not work in other contexts.

        VC may have three (non-script-friendly) in-built mechanisms for indicating successful mounts, but there are at least three other script-based ones I can think of (off the top of my head) eg checking existence of mounted drive root folder (as in my script), using 'errorlevel' or similar, or 'tasklist'. Whether any of these can be used to meet John's issue is an open question; his issue can be interpreted as a need to have a completely generic script, that has no 'giveaways' in it about the source volume and mount letter, yet can detect successful mounting and thus trigger the launch of the required mirroring program.

        What is possible partly depends on the context; if one could be sure that the volume to be mounted/dismounted is the only one, that would considerably simplify the task.

        There are no security implications in specifying the hash. Veracrypt tries them all in turn if you don't specify one, so not specifying one just wastes time.


        Last edit: Adrian Kentleton 2018-09-15
        • Eyal A.

          Eyal A. - 2018-09-15

          Hello again,
          I've re-tested in two contexts:
          a. VC 1.23
          b. Windows 10 pro x64
          c1. VC Background Task not exiting when no mounted volumes
          c2. VC Background Task set to exit when no mounted volumes

          In both contexts, using "start", the next command started during the volume mounting process.
          When mounting directly without using "start", I got two different behaviours:
          In configuration c1, the next command executed only after the mounting process had completed, just as you described.
          In configuration c2, the next command executed immediately after the mounting process started and during the mounting process.

          Regarding the script-based techniques that you mentioned:
          1- errorlevel and exit codes are not mentioned in the user's guide
          2- tasklist may take longer than the mounting process itself
          3- The "if exist z:\" technique is not accurate enough. The script may find the root folder even though the mounting process has not completely finished.

          So, I would like, again, to request a feature: Please add the "/signal signalname" command line option that would send a signal to the local system upon mount/dismount completion, which can then be caught or propagated to another computer using the WAITFOR.exe command.
          Thanks,
          Eyal

          • Adrian Kentleton

            Could you post your script, please?

            • Eyal A.

              Eyal A. - 2018-09-15
              @echo off
              choice /m "Would you like to use START when mounting the volume? "
              if errorlevel 2 (
                  @echo Not using Start. Time is: %time%
                  "C:\Program Files\VeraCrypt\VeraCrypt.exe" /quit background /beep /letter G /password my_password /volume D:\some_path\VC_volume.hc
                  goto :done_message)
              if errorlevel 1 (
                  @echo     Using start. Time is: %time%
                  start "G: (confidential)" "C:\Program Files\VeraCrypt\VeraCrypt.exe" /quit background /beep /letter G /password my_password /volume D:\some_path\VC_volume.hc )

              rem my results:
              rem A=Exit when there are no mounted volumes
              rem B=Using Start
              rem      A    |  B  | :done_message is executed
              rem -------------------------------------------
              rem checked   | No  | when all drives are dismounted and the background task is closed (no icon in system tray)
              rem checked   | Yes | immediately after the mounting process begins and before it is completed
              rem unchecked | No  | after the mounting process is completed and while the beep is being played
              rem unchecked | Yes | immediately after the mounting process begins and before it is completed
              rem
              rem when A=unchecked, I pre-loaded the background task (icon is visible in the system tray)
              :done_message
              @echo Done. time is: %time%
              @echo Press any key to close this window
              pause >nul

              • Adrian Kentleton

                Ah. I see you haven't actually tried my script; instead you've written a different one, which apparently proves mine doesn't work.

                If my understanding is correct, 'start' will (if it can make sense of it at all) interpret the first item in double quotes as the title of any new window that is launched; otherwise it will ignore it, and interpret the second item (in double quotes if necessary) as a command, and run it.

                I also believe 'start' is used to launch something as a separate process, allowing the script that started it to continue, irrespective of the outcome of that which is started. So it's no surprise that the script terminates in that case while VC launches.

                More anon.

              • Adrian Kentleton

                With regard to the direct launch of VC, you seem to claim two different things. In your second post, you said that if VC BT is set to exit when no mounted volumes, the script executed the next command while mounting was still in progress. Yet (if I understand it correctly) in the remarks in your actual script, you say that in that scenario, no further command executes until all drives are unmounted (which means the script is pointless).

                The former appears to be untrue; I have tested it on Win10 now, with VC 2.3, with all possible BT settings, and cannot reproduce that behaviour. However, I can reproduce the latter behaviour, but only if I specify /q background as one of the parameters. I've no idea why this should be, but you will note that in my script, I did not specify /q background.

                • Eyal A.

                  Eyal A. - 2018-09-17

                  The table to which you refer has four lines.
                  In each line, the first two columns describe the settings. Column A describes the setting in VeraCrypt. Column B describes my choice whether to use the "Start" syntax or not.
                  The third column is the behavior I experienced from VeraCrypt and my Win10 OS.

                  Anyhow, I did find your response very helpful. You pointed my attention to the "/q background" parameter. After playing with the parameters for a while, I did succeed in getting my desired behavior:
                  While VeraCrypt's setting for "Exit when there are no mounted volumes" is checked, mount a volume, make a background task icon appear in the system tray, and only after the mount process has been accomplished, execute the next command.

                  The code for accomplishing that is:

                  rem mounting the volume
                  Path\to\VeraCrypt.exe /auto /quit /beep /letter DriveLetter /password MyPassword /volume Path\to\container.hc
                  rem making the background task icon appear
                  start "tray icon" Path\to\VeraCrypt.exe /quit background
                  @echo this line appears only after the mounting process is completed and while the beep is being played
                  

                  Thank you for that answer, Adrian. It now seems that sending a signal is not as necessary as I thought.


                  Last edit: Eyal A. 2018-09-17
  • John SMITH

    John SMITH - 2018-09-12

    Thanks a lot for your effort, but as I said, that kind of script where an attacker can already know the volume name and drive letter is not an option in my situation. Not talking about the hash since I don't master the implications of the attacker knowing it. I thought you were mentioning a script launching the GUI and then running the third-party program once the volume was mounted through the GUI, and that could have fit my situation.

  • John SMITH

    John SMITH - 2018-09-15

    I think the simplest solution would still be that VeraCrypt offer a hook where users can set a command to be run upon successful mounting. Maybe it is actually the case in the source code for developers who re-use VeraCrypt's code, but here I am talking about a hook that would be editable in the GUI.


    Last edit: John SMITH 2018-09-15
    • Eyal A.

      Eyal A. - 2018-09-15

      I use VeraCrypt in conjunction with KeePass. I can store the location and the password of the container in KeePass and transfer it to the script as command line arguments:

      @echo off
      rem DO NOT use EnableDelayedExpansion. It causes problems with parameters which contain exclamation marks
      rem automatically mount some VeraCrypt volumes
      rem syntax:
      rem     option 1: launch without parameters from Run/CMD/Windows Explorer
      rem     option 2: <scriptname.cmd> <drive letter> <password> <VolumePath>
      if "%1"=="" (
          @echo Getting passwords from KeePass
          "Path\to\KeePass.exe" -entry-url-open -uuid:TheEntry'sID
          exit /b)
      cd /d "%~dp0"
      cls

      rem :EOF is cmd's built-in end-of-script label: do nothing if the drive letter is already in use
      if exist %1:\ goto :EOF
          start "mounting" "Path\to\VeraCrypt.exe" /quit background /beep /letter %1 /password %2 /volume %3
          echo %time% Mounting
          echo.


      In KeePass, in the entry's URL I use:

      cmd://"Path\to\the\above\script.cmd" DriveLetter {PASSWORD} "Path\to\container\file.hc"
      

      Good luck for that hostile guy to look for the container file, the volume's password and to which drive letter it will be mounted.....

      • John SMITH

        John SMITH - 2018-09-15

        This is elegant. But the kind of hostile guy my users might deal with won't bother playing smart. If they see some VeraCrypt/Keepass/Whatever-encrypt thing, they'll start chopping fingers until they get the data. That's why I want nothing looking like security stuff on laptops, only using portable VeraCrypt on pendrives, and that's why that builtin hook would be perfect instead of forcing me to leave some odd tracks that may draw attention.

  • John SMITH

    John SMITH - 2018-10-16

    up
    ?

  • d-fens

    d-fens - 2018-11-02

    i would also need that feature. we want to run nextcloud syncing inside a veracrypt mounted container and the nextcloud client must be stopped before dismounting or it will fail catching changes when remounted. so my commands would be onmount => start nc client, onunmount => stop nc client

    please implement this!

  • Mounir IDRASSI

    Mounir IDRASSI - 2020-01-22

    @eyalarg: Thank you for proposing to support the WAITFOR command. After some research, I have found how it works and I implemented its support in 1.24-Update4 using a new CLI switch /signalExit which requires the name of the signal that the WAITFOR command will wait on.
    For example:

    veracrypt.exe /q /v test.hc /l Z /signalExit SigName
    waitfor.exe SigName
    

    The waitfor call will block until VeraCrypt exits.

    I have put the installer that contains it in the Nightly Builds folder but tomorrow it will be released officially if no issues found. Any feedback is welcomed.
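    Putting the thread's pieces together, an added batch example (not code from the thread or from the VeraCrypt project) that combines the /signalExit switch above with waitfor: it takes the container path, drive letter and program as arguments so nothing identifying the volume is stored in the script, bounds the wait so a mount that fails before waitfor is listening cannot hang it, and checks the drive root because VeraCrypt exiting does not by itself prove the mount succeeded. The signal name, the VeraCrypt install path, the 10-minute timeout and the assumption that this VeraCrypt instance exits after mounting (rather than staying resident as the background task, as discussed earlier in the thread) are mine.

```batch
@echo off
setlocal
rem Generic mount-then-run helper (added example). Nothing about the volume is
rem hardcoded: the caller supplies container path, drive letter and program.
rem Usage: mountrun.cmd <container> <letter> "<program>"
if "%~3"=="" (
    echo Usage: %~nx0 ^<container^> ^<letter^> "^<program^>"
    exit /b 2
)
set "VOL=%~1"
set "LETTER=%~2"
set "APP=%~3"
rem Assumed install path; adjust for a portable VeraCrypt.
set "VC=%ProgramFiles%\VeraCrypt\VeraCrypt.exe"
rem Signal name is an arbitrary token shared with waitfor (constructed here).
set "SIG=vcmount%RANDOM%"

if exist %LETTER%:\ (
    echo Drive %LETTER%: is already in use.
    exit /b 3
)

rem Launch VeraCrypt detached (empty "" is the window title, so the quoted
rem path is not taken as the title) and ask it to broadcast SIG on exit.
rem No /p is given, so the password dialog appears and no secret lives here.
start "" "%VC%" /q /v "%VOL%" /l %LETTER% /signalExit %SIG%

rem Block until the signal arrives, but not forever: if VeraCrypt exits
rem before waitfor is listening the signal is lost, so bound the wait.
waitfor /t 600 %SIG%
if errorlevel 1 (
    echo Timed out waiting for VeraCrypt to finish.
    exit /b 4
)

rem Exit alone does not prove success (a cancelled dialog also exits).
if not exist %LETTER%:\ (
    echo Volume was not mounted.
    exit /b 5
)

rem Run the program in the foreground; when it ends, dismount and wipe
rem cached passwords so the container is closed when the app is.
start /wait "" "%APP%"
"%VC%" /q /d %LETTER% /w /f
endlocal
```

Because the script never reads the password, it can be kept outside the container; a mount that times out or fails leaves a non-zero exit code for a calling script to act on.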

