When I mount a VeraCrypt volume as a removable drive and attempt to attach ISO files from the drive to my Hyper-V virtual machine, I receive the following error:
"Hyper-V Virtual Machine Management service Account does not have permission to open attachment <PATH TO FILE>. Error: ‘General access denied error’"
The permissions on the file seem to be OK, and Hyper-V is successfully adding its own permissions to the file that should work. I attempted to reset the ownership and permissions of the drive with no success.
I experimented and noticed the following:
- The permissions on the drive and file do not seem to matter.
- I do not see anything in the Windows Event Viewer relating to this error.
- If I disable Windows security auditing for removable drives using Group Policy, the error still occurs.
- It doesn't matter what file I use, as long as it comes from a VeraCrypt-mounted volume.
- If I copy the file to a non-VeraCrypt volume, removable or fixed, there is no problem.
- If I mount the volume as non-removable within VeraCrypt, there is no problem.
- It doesn't matter if the VeraCrypt volume I mount is a hidden or regular volume.
- It doesn't matter if the VeraCrypt volume is a device volume or a volume mounted from a .hc file.
I am running Windows 10 TH2 x64 Professional, using VeraCrypt 1.16 x64. Let me know if you need more information about my PC configuration, or want me to test with different versions of VeraCrypt or TrueCrypt.
Reproduction steps:
- Make sure Hyper-V is enabled in the Windows Features control panel in Programs and Features.
- Create a new VeraCrypt volume, non-hidden volume in a .hc file. All settings should be defaults unless otherwise specified. AES encryption with SHA-512 hash (this is what I used, not sure if it matters). Use normal password authentication and NTFS file system.
- Mount the new volume. Before entering the password, go to "Mount Options" and be sure to mount it as a removable volume.
- To be extra sure this should work right click the drive in explorer, go to Security, hit Edit, and add the Everyone group at Full Control. There should be no security issues.
- Copy an ISO file (any one should do) to the volume. For reproduction's sake I used the latest Ubuntu stable release: ubuntu-15.10-desktop-amd64.iso
- Open the Hyper-V Manager and create a new virtual machine. I created it on a non-VeraCrypt volume and did not test if creating it on a VeraCrypt volume mattered.
- Choose to create a Generation 1 Virtual Machine (not sure if any of these settings matter but they are here in case they do).
- Assign some memory (I did 1024mb) and disable dynamic memory.
- Set networking to Not Connected.
- Create a virtual hard disk (so you can also configure DVD settings). I created one in the default folder (non-VeraCrypt volume) at 50gb.
- Choose to install an OS from a DVD. Select the image file off of the VeraCrypt volume we created.
- Click Finish.
- Observe the following error message:
[Window Title]
New Virtual Machine Wizard
[Main Instruction]
The server encountered an error while configuring the devices on New Virtual Machine.
[Content]
Failed to add device 'Virtual CD/DVD Disk'.
Hyper-V Virtual Machine Management service Account does not have permission to open attachment.
[Expanded Information]
'New Virtual Machine' failed to add device 'Virtual CD/DVD Disk'. (Virtual machine ID BCD59B4E-F9B7-4413-90AE-8EF671EB2EE7)
'New Virtual Machine': Hyper-V Virtual Machine Management service account does not have permission required to open attachment 'X:\ubuntu-15.10-desktop-amd64.iso'. Error: 'General access denied error' (0x80070005). (Virtual machine ID BCD59B4E-F9B7-4413-90AE-8EF671EB2EE7)
[^] Hide details [Close]
- Change OS install option to "install later". Click Finish and observe no error this time.
- You can also try accessing the VM settings to observe you cannot attach the ISO there, either. You can also use powershell with the command "set-vmdvddrive "<VM Name>" -Path "<Path to ISO>"" and observe the same error occurs here too.
- Dismount the VeraCrypt volume and remount, this time as a fixed drive.
- Go back to the Hyper-V Manager and the VM settings, and observe you can now attach the ISO image.
"Hyper-V Virtual Machine Management service Account does not have permission to open attachment <PATH TO FILE>. Error: ‘General access denied error’"
The permissions on the file seem to be OK, and Hyper-V is successfully adding its own permissions to the file that should work. I attempted to reset the ownership and permissions of the drive with no success.
I experimented and noticed the following:
- The permissions on the drive and file do not seem to matter.
- I do not see anything in the Windows Event Viewer relating to this error.
- If I disable Windows security auditing for removable drives using Group Policy, the error still occurs.
- It doesn't matter what file I use, as long as it comes from a VeraCrypt-mounted volume.
- If I copy the file to a non-VeraCrypt volume, removable or fixed, there is no problem.
- If I mount the volume as non-removable within VeraCrypt, there is no problem.
- It doesn't matter if the VeraCrypt volume I mount is a hidden or regular volume.
- It doesn't matter if the VeraCrypt volume is a device volume or a volume mounted from a .hc file.
I am running Windows 10 TH2 x64 Professional, using VeraCrypt 1.16 x64. Let me know if you need more information about my PC configuration, or want me to test with different versions of VeraCrypt or TrueCrypt.
Reproduction steps:
- Make sure Hyper-V is enabled in the Windows Features control panel in Programs and Features.
- Create a new VeraCrypt volume, non-hidden volume in a .hc file. All settings should be defaults unless otherwise specified. AES encryption with SHA-512 hash (this is what I used, not sure if it matters). Use normal password authentication and NTFS file system.
- Mount the new volume. Before entering the password, go to "Mount Options" and be sure to mount it as a removable volume.
- To be extra sure this should work right click the drive in explorer, go to Security, hit Edit, and add the Everyone group at Full Control. There should be no security issues.
- Copy an ISO file (any one should do) to the volume. For reproduction's sake I used the latest Ubuntu stable release: ubuntu-15.10-desktop-amd64.iso
- Open the Hyper-V Manager and create a new virtual machine. I created it on a non-VeraCrypt volume and did not test if creating it on a VeraCrypt volume mattered.
- Choose to create a Generation 1 Virtual Machine (not sure if any of these settings matter but they are here in case they do).
- Assign some memory (I did 1024mb) and disable dynamic memory.
- Set networking to Not Connected.
- Create a virtual hard disk (so you can also configure DVD settings). I created one in the default folder (non-VeraCrypt volume) at 50gb.
- Choose to install an OS from a DVD. Select the image file off of the VeraCrypt volume we created.
- Click Finish.
- Observe the following error message:
[Window Title]
New Virtual Machine Wizard
[Main Instruction]
The server encountered an error while configuring the devices on New Virtual Machine.
[Content]
Failed to add device 'Virtual CD/DVD Disk'.
Hyper-V Virtual Machine Management service Account does not have permission to open attachment.
[Expanded Information]
'New Virtual Machine' failed to add device 'Virtual CD/DVD Disk'. (Virtual machine ID BCD59B4E-F9B7-4413-90AE-8EF671EB2EE7)
'New Virtual Machine': Hyper-V Virtual Machine Management service account does not have permission required to open attachment 'X:\ubuntu-15.10-desktop-amd64.iso'. Error: 'General access denied error' (0x80070005). (Virtual machine ID BCD59B4E-F9B7-4413-90AE-8EF671EB2EE7)
[^] Hide details [Close]
- Change OS install option to "install later". Click Finish and observe no error this time.
- You can also try accessing the VM settings to observe you cannot attach the ISO there, either. You can also use powershell with the command "set-vmdvddrive "<VM Name>" -Path "<Path to ISO>"" and observe the same error occurs here too.
- Dismount the VeraCrypt volume and remount, this time as a fixed drive.
- Go back to the Hyper-V Manager and the VM settings, and observe you can now attach the ISO image.