RE: Access to encrypted folder by service process
- From: jialge@xxxxxxxxxxxxxxxxxxxx ("Jialiang Ge [MSFT]")
- Date: Mon, 20 Oct 2008 08:40:00 GMT
Good morning Scott. Welcome to Microsoft Newsgroup Support service. My name
is Jialiang Ge [MSFT]. It's my pleasure to work with you on this issue.
According to the issue description, we have an encrypted folder (am I right
that the folder is encrypted using Windows EFS - Encrypting File System?).
Our UI app is capable of accessing the folder's content; however, our
Windows service running in the background gets "access denied" even if the
service runs as the same user as the one who encrypts the folder. If I
have misunderstood anything, please point it out.
In order to troubleshoot this issue, I think that it will be helpful to
first determine whether this is caused by the EFS configuration, or an
issue with the Windows service. We have designed the following troubleshooting
steps for your reference. They may look tedious, but I hope you can spend time
on them, as they can help us narrow down the focus.
===================
Check EFS configuration
a). Please use the Efsinfo.exe tool to determine which users can decrypt the
encrypted file and who the recovery agent for it is:
efsinfo /r /c /u Path\FileName >C:\efsinfo1.txt
Please run the above command for the problematic folder/file. Detailed
usage of the efsinfo tool is described in the KB article:
http://support.microsoft.com/kb/243026
Does the user that runs the service process appear in the output of efsinfo?
Additional resources about EFS:
Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316/
b). How did you encrypt the folder (programmatically or manually in Windows
Explorer)? To determine whether the problem is related to how the folders
are encrypted, I suggest that we do this test:
Step 1. Log on to the computer as UserA. Create a folder and include a file,
and encrypt them by checking the "Encrypt contents to secure data" option.
Step 2. Create a simple Windows service with some code to read the content
of the encrypted file. Configure the service to run as UserA.
Step 3. Test the Windows service, and see whether the file content is read
successfully.
If the above steps succeed (without "access denied"), we can compare the
test folder with the folder in our original discussion, to see if there's
anything different between the two. To compare EFS, we can still use
efsinfo:
efsinfo /r /c /u Path1\FileName1 >C:\efsinfo1.txt
efsinfo /r /c /u Path2\FileName2 >C:\efsinfo2.txt
where Path1\FileName1 and Path2\FileName2 are the files we mentioned
above.
c). I'd like to collect some info about your environment:
Is your computer in a domain environment?
What's your OS version?
Please spend some time on the above tests (especially test b). I'm
performing further research in the meantime.
Regards,
Jialiang Ge (jialge@xxxxxxxxxxxxxxxxxxxx, remove 'online.')
Microsoft Online Community Support
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://support.microsoft.com/select/default.aspx?target=assistance&ln=en-us.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
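The read test from step 2 of test b), sketched as an added PowerShell example that is not part of the original post: it records which identity the code runs as, whether the file carries the EFS Encrypted attribute, and whether the content can be read, so the interactive run and the service run can be compared. The function name, the log format and the sample paths are assumptions.

```powershell
# Added example, not code from the original post.
function Test-EfsRead {
    param(
        [Parameter(Mandatory = $true)][string]$Path,  # file inside the encrypted folder
        [string]$LogFile                               # optional log for the non-interactive run
    )
    $result = [ordered]@{
        Time      = (Get-Date).ToString('o')
        Identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Path      = $Path
        Encrypted = $null
        BytesRead = $null
        Outcome   = $null
        Error     = $null
    }
    try {
        # The Encrypted attribute bit is set on EFS-encrypted files and folders.
        $attrs = [int][System.IO.File]::GetAttributes($Path)
        $result.Encrypted = ($attrs -band [int][System.IO.FileAttributes]::Encrypted) -ne 0
        # Opening and reading the file requires EFS to decrypt it for the current identity.
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        $result.BytesRead = $bytes.Length
        $result.Outcome   = 'ReadOK'
    }
    catch {
        # .NET exceptions arrive wrapped by PowerShell; unwrap to the original type.
        $ex = $_.Exception.GetBaseException()
        if ($ex -is [System.UnauthorizedAccessException]) { $result.Outcome = 'AccessDenied' }
        else { $result.Outcome = 'Failed' }
        $result.Error = '{0}: {1}' -f $ex.GetType().FullName, $ex.Message
    }
    $record = [pscustomobject]$result
    if ($LogFile) {
        # One JSON line per run, so the two contexts can be compared side by side.
        $record | ConvertTo-Json -Compress | Add-Content -Path $LogFile
    }
    return $record
}

# Constructed usage; both paths are placeholders.
# Test-EfsRead -Path 'C:\EfsTest\sample.txt' -LogFile 'C:\Temp\efs-read.log'
```

If both runs report the same Identity and Encrypted value but only the service run reports AccessDenied, the difference lies in the service context rather than in how the file was encrypted.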