I am playing with EFS a little bit. I created an encrypted folder on the C: drive and put several files into it. I thought it should load the EFS driver. I always thought that EFS is implemented as a File System Filter, but it seems that efs.sys is present only on Win2k. On WinXP + Vista I didn’t find any driver related to EFS. Is EFS a part of ntfs.sys since Windows XP?
Even on Win2k, I cannot see EFS on the driver stack. There is only one instance of the EFS device. So it seems that ntfs.sys talks to this device internally.
Does anyone know how it works? I need to know if there is some case on some platform where it is on the driver stack, so I don’t bypass it by IoCreateFileSpecifyDeviceObjectHint() when I communicate directly with the NTFS FSD.
Thanks in advance
Bronislav
> I am playing with EFS a little bit. I created an encrypted folder on the C:
> drive and put several files into it. I thought it should load the EFS
> driver. I always thought that EFS is implemented as a File System
> Filter, but it seems that efs.sys is present only on Win2k.
Efs.sys is something like a plugin DLL for ntfs.sys in Windows 2000.
For later operating systems, I think it’s been integrated into
NTFS.sys.
L.
It seems that EFS is implemented like an export driver (like a DLL). Also,
a lot of other system components take part in the NTFS
encryption mechanism. As I remember, the description of this mechanism is
in the book “Microsoft Windows Internals” by Russinovich and Solomon.
–
Best regards,
Vladimir Zinin
mailto:xxxxx@eldos.com
xxxxx@xythos.com wrote:
> I am playing with EFS a little bit. I created an encrypted folder on the C: drive and put several files into it. I thought it should load the EFS driver. I always thought that EFS is implemented as a File System Filter, but it seems that efs.sys is present only on Win2k. On WinXP + Vista I didn’t find any driver related to EFS. Is EFS a part of ntfs.sys since Windows XP?
> Even on Win2k, I cannot see EFS on the driver stack. There is only one instance of the EFS device. So it seems that ntfs.sys talks to this device internally.
> Does anyone know how it works? I need to know if there is some case on some platform where it is on the driver stack, so I don’t bypass it by IoCreateFileSpecifyDeviceObjectHint() when I communicate directly with the NTFS FSD.
> Thanks in advance
> Bronislav
I thought that it works like a plug-in, but I wanted to be sure.
There is no exported function on Win2k in efs.sys, but there are exported functions in ntfs.sys. I guess EFS calls NtOfsRegisterCallBacks() to register its interface.
There are no exported functions in ntfs.sys on XP and above. It seems that EFS is linked statically into ntfs.sys since WinXP.
Thanks for the responses.
Bronislav
EFS is an add-on to NTFS which uses undocumented interfaces; it is not a
file system filter.
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
wrote in message news:xxxxx@ntfsd…
> I am playing with EFS a little bit. I created an encrypted folder on the C: drive and
> put several files into it. I thought it should load the EFS driver. I always thought
> that EFS is implemented as a File System Filter, but it seems that efs.sys is
> present only on Win2k. On WinXP + Vista I didn’t find any driver related to
> EFS. Is EFS a part of ntfs.sys since Windows XP?
>
> Even on Win2k, I cannot see EFS on the driver stack. There is only one instance
> of the EFS device. So it seems that ntfs.sys talks to this device internally.
>
> Does anyone know how it works? I need to know if there is some case on some
> platform where it is on the driver stack, so I don’t bypass it by
> IoCreateFileSpecifyDeviceObjectHint() when I communicate directly with the NTFS FSD.
>
> Thanks in advance
> Bronislav