You know Ken, I agree with you - I thought it was a poor policy decision
as well. But I can’t argue that it is a security bug because it doesn’t
create an additional hole, it merely creates inefficiency for backup
operations that could be done via the kernel.
When we designed our new DMK toolkit we tried to take into account both
backup and network access - because what a backup program really wants
to see is the encrypted contents of the file (and since it is log
structured, you can take a snapshot of the file and we can restore
consistency to the file contents should you ever restore the actual file
contents. A nice alternative to VSS…) Similarly, what we want the
network to see is (normally) the encrypted contents of the file.
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ken Cross
Sent: Friday, September 29, 2006 5:19 AM
To: ntfsd redirect
Subject: RE: [ntfsd] Read/Write raw EFS file data
Tony:
I believe you, but that sure seems convoluted.
Why would the FSCTL operations be encrypted if you’re asking for the
data without encryption? It seems like the whole purpose of
OpenEncryptedFileRaw() is to bypass all that.
I want to make a copy of the file for backup purposes. The problem is
obvious: if we’re in the user context, the driver gets decrypted data;
if not, it’s encrypted. It’d be nice to be able to be consistent, i.e.,
*always* read encrypted data (without having to go to user mode).
Ken
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Thursday, September 28, 2006 5:57 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Read/Write raw EFS file data
Ken,
In fact, no. I spent quite a bit of time looking at this several years
ago and determined that the FSCTL operations used are encrypted using
an encryption key, randomly selected by LSA and then “plucked out” of
the LSA address space by the EFS library. Thus, this effectively makes
these FSCTL operations not reasonably useful in the kernel environment.
It is possible that this has changed for Vista, but I suspect that’s not
the case (after all, this would have the illusion of greater security,
right?)
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ken Cross
Sent: Thursday, September 28, 2006 1:30 PM
To: ntfsd redirect
Subject: [ntfsd] Read/Write raw EFS file data
NTFSD Folk:
I need to be able to read/write files from my minifilter driver that
have been encrypted with Microsoft’s Encrypted File System (EFS), i.e.,
the file has FILE_ATTRIBUTE_ENCRYPTED set in the file attributes.
Are there kernel-mode equivalents of OpenEncryptedFileRaw(),
ReadEncryptedFileRaw(), etc.?
Ken
—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com