Technical Information



Technical Information


Here some background information, just what came into my mind...



Window Service


USBDLM is a Windows Service. As such it is registered in the registry and started and stopped by the "Service Control Manager".


Services usually are running in the context "LocalSystem" and have highest privileges here. USBDLM is a Win32 service, not a kernel service. A kernel service could have the start type "LocalSystem" which would ensure that it is loaded before the user logs on. For a Win32 service "Automatic" is earliest start type. With "Automatic" the user might be logged on before the services starts, see also "USBDLM service starts to late" under Problems.





Under Windows 2000 services have no problem showing a window on the user's desktop. All they need it the "interactive" flag. Under XP this works for the first logged on user only. Further users are running in a different "Session" with its own desktop.

Under Vista all users are running in their own session, isolated from the services. Services with the "interactive" flag are punished with a warning in the system log...


If the user is running in the same session then USBDLM shows the balloons directly. Otherwise it starts itself in the user's context and shows the balloon.


You can remove the "interactive" flag, USBDLM will show the balloons then indirectly.


The USBLDM.MSI has the "interacitve" Flag but USBDLM removes it when it is started first under Vista and higher.


When USBDLM starts itself for showing a balloontip, it gives the data for the balloon tip at the command-line. This can be used for custom balloon tips, e.g. on removal of a drive:



open="%usbdlmpath%\usbdlm.exe" -balloon -time=1500 -title="%FriendlyName% %BusType% Device" -text1="removed:  %root%" -icon=


But such balloon tips are completely independent from the regular USBDLM balloons, so multiple balloons can be shown at the same time, BalloonClicks do not work etc...


The balloon tips are handmade. The main reason is that under W2K and XP the maximum text length is too limited to show large balloons, e.g. with multiple NTFS mountpoints. Furthermore with the handmade balloons we don't need a tray-icon and the taskbar does not pop up when the balloon is shown.


Available icon numbers are:

110 one drive

112 two drives

113 one CDROM

114 one network drive


120 one drive removed

121 one drive safely removed

122 one drive unsafely removed

123 one CDROM drive removed

124 one network drive removed


130 an information sign

131 an exclamation mark



Message Boxes


The USBDLM_usr.exe can show message boxes like so:



open="%USBDLMPATH%\USBDLM_usr.exe" -msgbox -type:0 -icon:0x30 -title:Warning -text:%BusType% device %FriendlyName% was unsafely removed. This is not safe!


Type, icon and return value (aka errorlevel) are as with the Windows API call MessageBox.

Type refers to the shown buttons as MB_OK (0..6), icon to the shown icon as MB_ICONERROR (0x10, 0x20, 0x30 or 0x40).




TrueCrypt, Network and Subst drives


TrueCrypt volumes are not fully implemented. For instance there is no notification when the volume is mounted. This it true for Network and Subst drives too.


But even under Windows 10 there is still the old broadcast notification sent to all windows when a drive letter arrives or a CD is inserted into a CD drive. This comes too when a TrueCrypt volume is mounted, a Network or Subst drives is created.


To receive this USBDLM has an invisible window. But this does not work when the user is running in a different session which is always true under Vista and Windows 7+. Under XP it is true when more that one user logs on at the same time.

USBDLM needs a helper application then which receives the message an passes it "down" to the service. That's what the USBDLM_usr.exe is for. It is loaded when the user is running in a different session and one of this points is true:

  • ExternalMountEvents=1 
  • an [OnArrival] with DeviceType=TrueCryptVolume
  • an [OnArrival] with DeviceType=SubstDrive
  • an [OnArrival] with BusType=remote
  • [BalloonTips] ShowTrueCrypt=1
  • [BalloonTips] ShowVirtual=1
  • USBDLM Win32 under Vista x64 with NoMediaNoLetter=1 (workaround for Windows-Bug in the WoW64 layer)


Under Vista and Windows 7+ we deal with the User Account Control, the UAC. Here the user context is split into a restricted and an unrestricted one (the elevated one). To receive notifications for both we need the USBDLM_usr running twice if:


  • an [OnArrival] with DeviceType=SubstDrive and elevated=1
  • an [OnArrival] with BusType=remote and elevated=1
  • [BalloonTips] ShowTrueCrypt=2 or ShowTrueVirtual=2