Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Sept/Oct 2019 Issue of The NT Insider available


Download PDF here: http://insider.osr.com/2019/ntinsider_2019_01.pdf

It’s a particularly BIG issue, too: 40 pages of technical goodness, ranging from WDF to Minifilters. Check it out.
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

NTFS encrypted file read fails with NTSTATUS 0xC0000810 (STATUS_ENCRYPTED_IO_NOT_POSSIBLE)

Bishnu_ChaturvediBishnu_Chaturvedi Member Posts: 29

Hi,
I have a minifilter driver where we read file content (when file is getting copied to USB or Network share) in IRP_MJ_CLEANUP PreCleanup() callback, to decide if we want to do any further processing or not. Everything works until recently, when I observed that in Windows 10 when I try to read the content for NTFS EFS encrypted file then FltReadFile API fails with NTSTATUS 0xC0000810 (STATUS_ENCRYPTED_IO_NOT_POSSIBLE).
I am trying to read the content in application context only, this works if application has opened a file and do save-as ex. If I open an encrypted text file in Notepad and then do save as, I am able to read the content from the file, but if I copy same file using cmd copy or any other copy utility, then FltReadFile() api fails.
This same thing work without any issue in Windows7 or Windows 8.1, but not in Windows 10.
From wiki I can see MS has done changes to support EFS for FAT and ExFAT filesystem, but I have not found anything about this error, any help or any input this regard is highly appreciated.

Thanks,
Bishnu

Comments

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,183

    Haven't seen this error yet. However, from ntstatus.h:

    //
    // MessageId: STATUS_ENCRYPTED_IO_NOT_POSSIBLE
    //
    // MessageText:
    //
    // The read or write operation to an encrypted file could not be completed because the file has not been opened for data access.
    //
    

    So, obvious question: was the file object you're using opened for data access?

    -scott
    OSR

  • Bishnu_ChaturvediBishnu_Chaturvedi Member Posts: 29

    Thanks Scot for looking into this.
    As I said initially, If I save file using notepad (assuming text file), then I am able to read that in my driver. But when I copy same file using Windows explorer then I get this error. One correction in case of USB I am able to read the content, issue happens only for network share, and that too only for shares where I am allowed to save NTFS-EFS files in encrypted form.

  • NtDev_GeekNtDev_Geek Member - All Emails Posts: 110

    Have u checked you oplock implementation?

  • Bishnu_ChaturvediBishnu_Chaturvedi Member Posts: 29

    I don't have any OPLOCK implementation.
    If it was the OPLOCK issue then it would have affected my non-encrypted file read as well. But in my case issue only happens for EFS encrypted file and return status also specific to encrypted file only.

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,183

    @Bishnu_Chaturvedi said:
    Thanks Scot for looking into this.
    As I said initially, If I save file using notepad (assuming text file), then I am able to read that in my driver. But when I copy same file using Windows explorer then I get this error. One correction in case of USB I am able to read the content, issue happens only for network share, and that too only for shares where I am allowed to save NTFS-EFS files in encrypted form.

    That just describes more behaviors, it doesn't answer the question: is the file object you're using to read the data opened for data access? Presumably you're hijacking a user's file object and not opening the file yourself (e.g. FltCreateFile).

    -scott
    OSR

  • Bishnu_ChaturvediBishnu_Chaturvedi Member Posts: 29

    You are right, I am using the user's file object to read the content and it don't have Read access in it.
    But even if I am explicitly passing FILE_READ_DATA in IRP desired access then also I am not able to read the content.

  • Bishnu_ChaturvediBishnu_Chaturvedi Member Posts: 29

    Hi @Scott_Noone_(OSR) I tried with opening my own file object with desired access "FILE_READ_DATA", then also I am getting same error NTSTATUS 0xC0000810 (STATUS_ENCRYPTED_IO_NOT_POSSIBLE) when tried to read the content of EFS encrypted file.

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,183

    Sorry, don't have an answer for you. Searching the NTFS binary it looks like there are several places where this is returned. I'd start by doing the NTFS status debugging trick and seeing where exactly the error is coming from:

    https://www.osr.com/blog/2018/10/17/ntfs-status-debugging/

    Then start working backwards for what's different in your case versus the normal reading case.

    -scott
    OSR

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,073

    Non cached io?

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Writing WDF Drivers 21 Oct 2019 OSR Seminar Space & ONLINE
Internals & Software Drivers 18 Nov 2019 Dulles, VA
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 27 Apr 2020 OSR Seminar Space & ONLINE