Disable EFS for a file/folder in mini filter

Hello all,

Is there a way I can disable NTFS EFS from encrypting one particular file,
which my mini filter owns? I cannot use the user mode API to do it.

Thanks

A

If it’s already encrypted you can send a decrypt IOCTL for it, just
like you would from user mode.
If it’s not encrypted yet, you can deny the encrypt IOCTL in your
filter.

D.


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

Thanks Dejan.

I will be creating the file in my mini filter, so it won't be encrypted
before, but encryption might be pre-enabled in that folder.

  1. If that is the case, then would NTFS create the file encrypted? If so,
    will my minifilter be able to change the attributes?

  2. Also, I read that EFS is now inside NTFS, so why does one need to send
    the IOCTL at all? Also, which process/service will send this IOCTL?

  3. Which IOCTL/FSCTL is this?

Best regards
Awbadhho


I think I mixed it with compression. I don’t know how to decrypt an
existing file from kernel mode.
FSCTL_SET_ENCRYPTION would seem to be what you need, but it is not
documented for sending by drivers themselves, only the OS.
Curious pitfall here really. BTW, does encryption interfere with
your driver? I know compression would require different coding for data
modification filters, but encryption did not cause such issues.

Dejan.

Dejan,

> BTW, does encryption interfere with your driver?

In Facebook terms, ‘it’s complicated’ :)

We have a couple of drivers, and some of those come up before the FS does,
and need to access the same metadata file outside the FS at boot time.
Hence the problem…

Awbadhho


Aha… well in that case marking the file System should be
sufficient for you when you create the file. Your filter can keep track
of file I/O to make sure it doesn’t become encrypted though.
You’ll notice files inside Windows folder cannot be encrypted just
like boot related files can’t.

Dejan,

> marking the file System should be sufficient for you when you create the
> file?

You mean set it as a ‘System’ file? Yes, that is what we are trying now.

MSDN says:
To determine whether a file system supports file encryption for files and
directories, call the GetVolumeInformation function
and examine the FS_FILE_ENCRYPTION bit flag.

When I go through the web page for GetVolumeInformation I do not see this
flag. There is a mention of a FILE_SUPPORTS_ENCRYPTION; are they the same?

If so, I can tap this API’s corresponding IRP and unset the bit.

Thanks

Awbadhho


> Dejan,
>
> > marking the file System should be sufficient for you when you create
> > the file?
>
> You mean set it as a ‘System’ file? Yes, that is what we are trying now.

Yes.

> MSDN says:
> To determine whether a file system supports file encryption for files
> and directories, call the GetVolumeInformation function
> and examine the FS_FILE_ENCRYPTION bit flag.
>
> When I go through the web page for GetVolumeInformation I do not see
> this flag. There is a mention of a FILE_SUPPORTS_ENCRYPTION; are they
> the same?

Yeah, it’s a typo probably :)

> If so, I can tap this API’s corresponding IRP and unset the bit.

But you would disable encryption on the entire volume that way
(provided you can even filter that part, IIRC, this is done at FS
registration time and not via an IRP later).

Encrypt a large file instead and see what IRPs are generated
rather. You’ll see IRP_MJ_FILE_SYSTEM_CONTROL with
FSCTL_ENCRYPTION_FSCTL_IO



Thanks for all the help, Dejan!
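
Dejan's suggestion to deny the encrypt request in the filter, as an added example that is not code from any poster in this thread: the decision a minifilter's IRP_MJ_FILE_SYSTEM_CONTROL pre-operation callback could apply to FSCTL_SET_ENCRYPTION for the file it owns. The helper name, the verdict enum and the `file_is_owned` flag are hypothetical; the constants are the ones in the WDK's ntifs.h, redefined here so the block compiles in user mode.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as defined in the WDK headers (ntifs.h). */
#define CTL_CODE(dev, fn, method, access) \
    (((dev) << 16) | ((access) << 14) | ((fn) << 2) | (method))
#define FILE_DEVICE_FILE_SYSTEM 0x00000009u
#define METHOD_NEITHER          3u
#define FILE_ANY_ACCESS         0u
#define FSCTL_SET_ENCRYPTION \
    CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 53u, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FILE_SET_ENCRYPTION     1u  /* ENCRYPTION_BUFFER operations */
#define FILE_CLEAR_ENCRYPTION   2u
#define STREAM_SET_ENCRYPTION   3u
#define STREAM_CLEAR_ENCRYPTION 4u

typedef enum { EFS_ALLOW = 0, EFS_DENY = 1 } efs_verdict; /* hypothetical */

/* Hypothetical policy helper. A minifilter would call it from its
 * IRP_MJ_FILE_SYSTEM_CONTROL pre-operation callback and complete the
 * request with STATUS_ACCESS_DENIED on EFS_DENY. The FSCTL is
 * METHOD_NEITHER, so a real driver must first capture the caller's
 * buffer safely; here `input` is assumed to be that captured copy. */
efs_verdict efs_fsctl_verdict(int file_is_owned, uint32_t fsctl_code,
                              const void *input, size_t input_len)
{
    uint32_t op; /* ENCRYPTION_BUFFER.EncryptionOperation (first ULONG) */

    if (!file_is_owned || fsctl_code != FSCTL_SET_ENCRYPTION)
        return EFS_ALLOW;           /* other file, or not an EFS toggle */
    if (input == NULL || input_len < sizeof(op))
        return EFS_DENY;            /* malformed request: fail closed */
    memcpy(&op, input, sizeof(op)); /* no alignment assumption */
    if (op == FILE_CLEAR_ENCRYPTION || op == STREAM_CLEAR_ENCRYPTION)
        return EFS_ALLOW;           /* clearing encryption keeps the file readable */
    return EFS_DENY;                /* set requests and unknown operations */
}

int main(void)
{
    uint32_t set_req = FILE_SET_ENCRYPTION; /* constructed sample input */
    printf("FSCTL_SET_ENCRYPTION = 0x%08X, verdict on owned file = %d\n",
           (unsigned)FSCTL_SET_ENCRYPTION,
           (int)efs_fsctl_verdict(1, FSCTL_SET_ENCRYPTION, &set_req, sizeof set_req));
    return 0;
}
```

This covers only the explicit set-encryption request; a file created inside a folder that already has encryption enabled is the separate case the thread handles by marking the file System.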
