Lazybit

It has been reported that in certain circumstances the system will shutdown instead of rebooting itself when the user restarts it while Private Disk is running and an encrypted disk is mounted.

This was a problem difficult to trace; while it repeats itself 10/10 times on a "problematic" machine, on "non-problematic" ones everything is working correctly and it is impossible to simulate the problem.

This is what makes it of reason to make an educated guess that this is caused by a third-party component present on the system, which somehow alters the standard behaviour of Windows. The tough part is that even when you think you have disabled all the non-standard programs, there is a myriad of low-level components that one can't see with the naked eye.

Follow up:

Here is how programs usually start automatically (this list is handy when you are trying to catch a rootkit like amvo.exe - no matter how many times you remove it, it's still there):

• Start\Programs\Startup
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, see Userinit
• system services (run "services.msc")
• drivers (enable "show hidden devices" in the device manager, this one is also called "show non plug and play devices")

The easiest way to manually go through all these entries is using Autoruns, a great tool by Sysinternals.

Well, it turned out this was not a problem caused by a third-party application, because the system behaved that way even when nothing else except Private Disk was there. Eh...

How the Windows shutdown procedure works

1. When the system is shutdown or restarted, each program is notified by Windows: "the system is shutting down, are you OK with that?"
2. Each program must send a reply, if everyone says "Yes", the system is shut down
3. If one of the programs says "No", the process is interrupted
4. A program can interrupt the process when it still has work to do (ex: save unsaved data, remove temporary files, save its settings, etc)
5. When it is done, the program should re-initiate the shutdown procedure, this time there will be no barriers

There are several key details:

• when Windows tells a program that it is about to shutdown, the program does not know whether what follows is a restart, a shutdown, a stand-by or a hibernate
• when the program re-initiates the process, it has no clue which particular flavour of the process is actually needed
• however, there is a place in the registry which contains the type of the action that was about to be performed: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer, Shutdown Setting
• the only problem is that for some reason, on some systems, this registry key does not exist and is not updated

On this systems Private Disk will shut the system down when you restart it while a disk is mounted.

Why Private Disk defaults to a restart

Because this is the less evil option of all the evil options. If you're leaving the office and shut the system down - it will actually reboot; but the door is already closed and you'll be on your way home, there is nothing you can do about it, unless you accidentally return.

A different flavour of this scenario - you're going on a vacation, so the computer will remain on for a couple of weeks; the electricity bill will be pumped up - not good.

A different scenario - you want to restart (which implies you'll be at the computer when it is fully loaded), you notice that it shut down instead of restarting, so you hit the power button and you're back to work. In this case you spot the problem quickly and you can intervene immediately. Of course, the annoying part is that you have to press the power button (this is "especially uncool" if your computer is somewhere under the desk).

A different flavour of this scenario - you have one of those slow machines, you pressed restart and went to the kitchen to make yourself a cup of tea. You take your time, hoping that when you're back everything is ready... But no... annoying indeed...

When choosing between "annoying" and "bigger bill + security risk" (leaving the system on unattended), we chose "annoying".

Why is there a need to choose anything in the first place? Because if we don't cancel the shutdown procedure, there is a chance that some data on the encrypted disks will be corrupted, because the volumes were disconnected immediately, without any clean-up routines (dump the cache, update the file table, etc).

Back to choices - which one do you prefer: "data corruption" or "annoyance"?

Some might argue, "but a similar program from ACME works flawlessly in such circumstances!". It is true, but do you want to be the lucky one who loses data in "such circumstances"?

Solution

It turns out that the registry key that contains details about the type of shutdown procedure is not updated if you use the "Welcome screen" of Windows XP. So, you can fix the problem by disabling the "Welcome screen":

1. Control Panel\Users
2. Uncheck "use welcome screen"

You might be worried that without the welcome screen, you can't make the system log on automatically, without typing a password. Here is how to deal with that:

1. run "control userpasswords2" (this is how you can call the classic user management applet, which was replaced in Windows XP with a simple, less flexible version)
2. select the user from the list
3. uncheck "users must enter a password to use this computer"
4. enter the credentials and press OK