Locked files

[auser]

Hi,

I am trying to write some code which copies a locked file. the system registry to be exact.
Does someone have some experience with that?

Thanks

[jeroen]

I am trying to write some code which copies a locked file. the system registry to be exact.
Does someone have some experience with that?

If all else fails you can access the raw disk and copy the file from there. You can find out where exactly on disk a file is with the FSCTL_GET_RETRIEVAL_POINTERS system call. Opening a handle to a raw disk is easy:

VolumeHandle = CreateFile("C:", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);

For finding out where a file is on disk see the GetFragments() subroutine in the JkDefragLib.cpp source. I don't have an example for reading the file into memory, but take a look at the "Read the boot block from the disk" section in the AnalyzeNtfsVolume() subroutine in the ScanNtfs.cpp sources.

[auser]

hmmm 

[cf]

You might first try the FILE_FLAG_BACKUP_SEMANTICS flag for CreateFile.

According to the MSDN, this flag does the following:

The file is being opened or created for a backup or restore operation. The system ensures that the calling process overrides file security checks when the process has SE_BACKUP_NAME and SE_RESTORE_NAME privileges. For more information, see Changing Privileges in a Token.

I think the "override of security checks" means that you can open it even when it is locked. So you should be able to read all the data and save it to another file.

[auser]

You might first try the FILE_FLAG_BACKUP_SEMANTICS flag for CreateFile.

According to the MSDN, this flag does the following:

The file is being opened or created for a backup or restore operation. The system ensures that the calling process overrides file security checks when the process has SE_BACKUP_NAME and SE_RESTORE_NAME privileges. For more information, see Changing Privileges in a Token.

I think the "override of security checks" means that you can open it even when it is locked. So you should be able to read all the data and save it to another file.

Thank you both. Maybe just for the challenge of it you'd want to try copying the file "C:\WINDOWS\system32\config\system" ( xp )

Let me know if you are successful.

For your information I have done the following so far:
got the SE_BACKUP_NAME privilege. according to GetLastError success.
But CreateFile fails with GENERIC_READ flag set. no matter what the other flags are. no read or write access is possible.

Thanks

[Morne44gell]

You might first try the FILE_FLAG_BACKUP_SEMANTICS flag for CreateFile.

According to the MSDN, this flag does the following:

The file is being opened or created for a backup or restore operation. The system ensures that the calling process overrides file security checks when the process has SE_BACKUP_NAME and SE_RESTORE_NAME privileges. For more information, see Changing Privileges in a Token.

I think the "override of security checks" means that you can open it even when it is locked. So you should be able to read all the data and save it to another file.

Got error while Creating File "INVALID_HANDLE_VALUE" failure, if I return it then same error occurs , can you explain how to avoid this error?