Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


NTFS encrypted file read fails with NTSTATUS 0xC0000810 (STATUS_ENCRYPTED_IO_NOT_POSSIBLE)

Bishnu_ChaturvediBishnu_Chaturvedi Member Posts: 29

Hi,
I have a minifilter driver where we read file content (when file is getting copied to USB or Network share) in IRP_MJ_CLEANUP PreCleanup() callback, to decide if we want to do any further processing or not. Everything works until recently, when I observed that in Windows 10 when I try to read the content for NTFS EFS encrypted file then FltReadFile API fails with NTSTATUS 0xC0000810 (STATUS_ENCRYPTED_IO_NOT_POSSIBLE).
I am trying to read the content in application context only, this works if application has opened a file and do save-as ex. If I open an encrypted text file in Notepad and then do save as, I am able to read the content from the file, but if I copy same file using cmd copy or any other copy utility, then FltReadFile() api fails.
This same thing work without any issue in Windows7 or Windows 8.1, but not in Windows 10.
From wiki I can see MS has done changes to support EFS for FAT and ExFAT filesystem, but I have not found anything about this error, any help or any input this regard is highly appreciated.

Thanks,
Bishnu

Comments

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,299

    Haven't seen this error yet. However, from ntstatus.h:

    //
    // MessageId: STATUS_ENCRYPTED_IO_NOT_POSSIBLE
    //
    // MessageText:
    //
    // The read or write operation to an encrypted file could not be completed because the file has not been opened for data access.
    //
    

    So, obvious question: was the file object you're using opened for data access?

    -scott
    OSR

  • Thanks Scot for looking into this.
    As I said initially, If I save file using notepad (assuming text file), then I am able to read that in my driver. But when I copy same file using Windows explorer then I get this error. One correction in case of USB I am able to read the content, issue happens only for network share, and that too only for shares where I am allowed to save NTFS-EFS files in encrypted form.

  • NtDev_GeekNtDev_Geek Member - All Emails Posts: 111

    Have u checked you oplock implementation?

  • I don't have any OPLOCK implementation.
    If it was the OPLOCK issue then it would have affected my non-encrypted file read as well. But in my case issue only happens for EFS encrypted file and return status also specific to encrypted file only.

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,299

    @Bishnu_Chaturvedi said:
    Thanks Scot for looking into this.
    As I said initially, If I save file using notepad (assuming text file), then I am able to read that in my driver. But when I copy same file using Windows explorer then I get this error. One correction in case of USB I am able to read the content, issue happens only for network share, and that too only for shares where I am allowed to save NTFS-EFS files in encrypted form.

    That just describes more behaviors, it doesn't answer the question: is the file object you're using to read the data opened for data access? Presumably you're hijacking a user's file object and not opening the file yourself (e.g. FltCreateFile).

    -scott
    OSR

  • You are right, I am using the user's file object to read the content and it don't have Read access in it.
    But even if I am explicitly passing FILE_READ_DATA in IRP desired access then also I am not able to read the content.

  • Hi @Scott_Noone_(OSR) I tried with opening my own file object with desired access "FILE_READ_DATA", then also I am getting same error NTSTATUS 0xC0000810 (STATUS_ENCRYPTED_IO_NOT_POSSIBLE) when tried to read the content of EFS encrypted file.

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,299

    Sorry, don't have an answer for you. Searching the NTFS binary it looks like there are several places where this is returned. I'd start by doing the NTFS status debugging trick and seeing where exactly the error is coming from:

    https://www.osr.com/blog/2018/10/17/ntfs-status-debugging/

    Then start working backwards for what's different in your case versus the normal reading case.

    -scott
    OSR

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,131

    Non cached io?

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA