CreateFile returns ERROR_ACCESS_DENIED despite FILE_FLAG_BACKUP_SEMANTICS

Question

I am developing a Windows backup application (mixed Go / C++) that needs to backup files from the disk.

My application

1. runs as a user in the "Backup Operators" group, and also with "Back up files and directories" explicitly enabled in secpol.msc
2. calls OpenProcessToken() and AdjustTokenPrivileges() to grant SeBackupPrivilege for the whole process, successfully
3. takes a VSS snapshot of the disk, successfully

4. walks over all files in the VSS snapshot, and then tries to back them up as follows:

   CreateFile( path, GENERIC_READ, FILE_SHARE_READ, NULL, // SecurityAttributes OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_SEQUENTIAL_SCAN NULL // TemplateFile );

5. Calls BackupRead() to read file streams.

This normally works fine, and I can successfully read files for which my user account would normally be denied read access to (e.g. C:\Windows\System32\config\systemprofile).

But despite this, some "stubborn" files still give an error, from CreateFile: 0x5 ERROR_ACCESS_DENIED ("Access is Denied").

I know the "stubborn" files aren't reparse points.

The files exist on a local, internally-attached, SATA, NTFS disk drive - not a network drive or anything exotic.

The "stubborn" files are all files, not directories.

They are a range of file-types (docx, fla, swf, .DS_Store, ...).

There's no special security software installed other than an Antivirus program.

A competititor's backup software is able to back up these files without error.

Why could this possibly be happening?

Answer 1

This error can be caused by an EFS-encrypted file, for which no key is present.

In this situation CreateFile is not possible under any circumstance.