NTFS encrypted file read fails with NTSTATUS 0xC0000810 (STATUS_ENCRYPTED_IO_NOT_POSSIBLE)

Hi,
I have a minifilter driver where we read file content (when file is getting copied to USB or Network share) in IRP_MJ_CLEANUP PreCleanup() callback, to decide if we want to do any further processing or not. Everything works until recently, when I observed that in Windows 10 when I try to read the content for NTFS EFS encrypted file then FltReadFile API fails with NTSTATUS 0xC0000810 (STATUS_ENCRYPTED_IO_NOT_POSSIBLE).
I am trying to read the content in application context only, this works if application has opened a file and do save-as ex. If I open an encrypted text file in Notepad and then do save as, I am able to read the content from the file, but if I copy same file using cmd copy or any other copy utility, then FltReadFile() api fails.
This same thing work without any issue in Windows7 or Windows 8.1, but not in Windows 10.
From wiki I can see MS has done changes to support EFS for FAT and ExFAT filesystem, but I have not found anything about this error, any help or any input this regard is highly appreciated.

Thanks,
Bishnu

Haven’t seen this error yet. However, from ntstatus.h:

//
// MessageId: STATUS_ENCRYPTED_IO_NOT_POSSIBLE
//
// MessageText:
//
// The read or write operation to an encrypted file could not be completed because the file has not been opened for data access.
//

So, obvious question: was the file object you’re using opened for data access?

Thanks Scot for looking into this.
As I said initially, If I save file using notepad (assuming text file), then I am able to read that in my driver. But when I copy same file using Windows explorer then I get this error. One correction in case of USB I am able to read the content, issue happens only for network share, and that too only for shares where I am allowed to save NTFS-EFS files in encrypted form.

Have u checked you oplock implementation?

I don’t have any OPLOCK implementation.
If it was the OPLOCK issue then it would have affected my non-encrypted file read as well. But in my case issue only happens for EFS encrypted file and return status also specific to encrypted file only.

@Bishnu_Chaturvedi said:
Thanks Scot for looking into this.
As I said initially, If I save file using notepad (assuming text file), then I am able to read that in my driver. But when I copy same file using Windows explorer then I get this error. One correction in case of USB I am able to read the content, issue happens only for network share, and that too only for shares where I am allowed to save NTFS-EFS files in encrypted form.

That just describes more behaviors, it doesn’t answer the question: is the file object you’re using to read the data opened for data access? Presumably you’re hijacking a user’s file object and not opening the file yourself (e.g. FltCreateFile).

You are right, I am using the user’s file object to read the content and it don’t have Read access in it.
But even if I am explicitly passing FILE_READ_DATA in IRP desired access then also I am not able to read the content.

Hi @“Scott_Noone_(OSR)” I tried with opening my own file object with desired access “FILE_READ_DATA”, then also I am getting same error NTSTATUS 0xC0000810 (STATUS_ENCRYPTED_IO_NOT_POSSIBLE) when tried to read the content of EFS encrypted file.

Sorry, don’t have an answer for you. Searching the NTFS binary it looks like there are several places where this is returned. I’d start by doing the NTFS status debugging trick and seeing where exactly the error is coming from:

https://www.osr.com/blog/2018/10/17/ntfs-status-debugging/

Then start working backwards for what’s different in your case versus the normal reading case.

Non cached io?