Written by Luke

[Solved] External USB drive twinkling in Windows Explorer

This week, one of my colleagues logged on to a server and when he opened the file explorer all external USB drives where appearing and disappearing continuously.

At the same time, in the upper right corner, several messages appeared asking to unlock all BitLocker-protected drives.

Unlock drive. The drive is BitLocker-protected.

This happened on several Windows 2012 R2 servers.

After investigation, we found events in the System log which seamed to be related to this strange behaviour.
First there was an Error event with ID 7 and “The device has a bad block” as message.

7 Error The device has a bad block
This event was followed by many of two other events appearing alternatively and nearly every second.

  • Event ID 98 Information Volume (\Device\HarddiskVolume) is healthy. No action is needed.
  • Event ID 1 Information CBA filesystem filter driver has attached to volume “\Device\HarddiskVolume”.

Fortunately, we discovered this behaviour only a few hours after I updated a GPO, which helped me to quickly establish the link between the behaviour and my action.

The modified Group Policy was Audit Removable Storage.
It is located in Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Advanced Audit Policy Configuration \ Audit Policies \ Object Access.

Audit removable storage

As soon as I removed this auditing configuration and launched GPUpate /force in a command line, all external USB drives showed up normally again in file explorer.

I made some additional tests, and it appears that both the Success or the Failure setting produce this behavior.

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s