I have a minifilter driver where we read file content (when file is getting copied to USB or Network share) in IRP_MJ_CLEANUP PreCleanup() callback, to decide if we want to do any further processing or not. Everything works until recently, when I observed that in Windows 10 when I try to read the content for NTFS EFS encrypted file then FltReadFile API fails with NTSTATUS 0xC0000810 (STATUS_ENCRYPTED_IO_NOT_POSSIBLE).
I am trying to read the content in application context only, this works if application has opened a file and do save-as ex. If I open an encrypted text file in Notepad and then do save as, I am able to read the content from the file, but if I copy same file using cmd copy or any other copy utility, then FltReadFile() api fails.
This same thing work without any issue in Windows7 or Windows 8.1, but not in Windows 10.
From wiki I can see MS has done changes to support EFS for FAT and ExFAT filesystem, but I have not found anything about this error, any help or any input this regard is highly appreciated.
It looks like you're new here. If you want to get involved, click one of these buttons!
|Upcoming OSR Seminars|
|Writing WDF Drivers||21 Oct 2019||OSR Seminar Space & ONLINE|
|Internals & Software Drivers||18 Nov 2019||Dulles, VA|
|Kernel Debugging||30 Mar 2020||OSR Seminar Space|
|Developing Minifilters||27 Apr 2020||OSR Seminar Space & ONLINE|