Files unable to decrypt when removing Dell Encryption - Dell DSS - Security - Dell Community

Files unable to decrypt when removing Dell Encryption

Security

Security
All things Dell Security related

Files unable to decrypt when removing Dell Encryption

This question has been answered by SgtTomK

I am trying to decrypt a system, while troubleshooting another issue.  I've found that 0 out of 3 systems that I've tried to decrypt have finished successfully - the decryption service is still running after weeks, months.

Here's some errors from the logs.... (from various systems, all have similar errors)

[05.16.17 08:11:54] SDE Decrypt Service - DecryptSweep_CheckDecryptFile(): Error calling DeviceIoControl(CREDCEF_ChkPathEncr) for file "C:\System Volume Information\{2c601cfa-303d-11e7-9dfa-e4a471bd4977}{3808876b-c176-4e48-b7ae-04046e6cc752}", win32Err = 5

[05.16.17 08:11:30] SDE Decrypt Service - DecryptSweep_CheckDecryptFile(): Error calling DeviceIoControl(CREDCEF_ChkPathEncr) for file "C:\pagefile.sys", win32Err = 32

[05.16.17 08:12:23] SDE Decrypt Service - DecryptSweep_CheckDecryptFile(): EncryptDecryptFile("C:\Windows\Temp\CEFD029.CEFD029.CEFD029.CEFD029.CEFD029.CEFD029.CEFD029.CEFD029.CEFD029.CEFD029.CEFD029.CEFD029.CEFD172.CEFD7cf.CEFD5a5.ood_stream.x86.en-us.dat.TMP.TMP.TMP.TMP.TMP.TMP.TMP.TMP.TMP.TMP.TMP.TMP.TMP.TMP.TMP") failed, win32Err = 998 [SDE]

[07.31.17 15:41:15] SDE Decrypt Service - DecryptSweep_CheckDecryptFile(): EncryptDecryptFile("C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\CEFD784.CEFD8be.CEFD823.CEFD784.CEFD8be.CEFD321.Microsoft.WindowsAzure.StorageClient.dll.TMP.TMP.TMP.TMP.TMP.TMP") failed, win32Err = 998 [SDE]

[07.31.17 15:41:15] SDE Decrypt Service - DecryptSweep_CheckDecryptFile(): EncryptDecryptFile("C:\Program Files (x86)\Microsoft Office\root\Office16\1033\CEFD029.CEFD029.CEFD029.CEFD029.CEFD029.CEFD7a9.OWSHLP10.CHM.TMP.TMP.TMP.TMP.TMP.TMP") failed, win32Err = 998 [SDE]

[07.31.17 15:41:08] SDE Decrypt Service - DecryptSweep_CheckDecryptFile(): Error calling DeviceIoControl(CREDCEF_ChkPathEncr) for file "C:\swapfile.sys", win32Err = 32

Verified Answer
  • Dale,

    That was my thought exactly, but it was easier said then done.

    - I tried clearing recycle bin to no avail - no files where in it.

    - I tried disk cleanup, even though it said 8bytes in recycle bin

    - I in-hid the OS folder C:\$Recycle.Bin - I could see the files, but access denied

    - Boot into safe mode - try to delete files it let me delete them, but they just moved to another folder - - Access denied.

    - Booted into Linux live (Ubunto), it was unable to mount the windows partition

    - Disabled "Fast Boot" in Power Settings of Windows 10 (it uses Hybrid-sleep)

    - Booted back into Ubunto, deleted the files, reboot...

    - Success - Decrypt agent is no longer running and the folder in programdata cleaned itself up.

    Perhaps "Fast boot" was the issue all along, and the reason why rebooting didn't allow access to those files?  Will this be fixed in the future version of the client?

    Thanks,

    -Tom

All Replies
  • Hello SgtTomK,

    Those Win32Error codes translate to the following according to Microsoft. msdn.microsoft.com/.../ms681381(v=vs.85).aspx

    win32Err=5 is an Access is denied error.

    win32Err=32 is similar to error 5.  The process cannot access the file because it is being used by another process.

    win32Err=998 references an "Invalid access to memory location." error which I believe to us is being caused by the file path being over 255 characters.  

    First thing we should confirm that your SDE exclusions are up to date.  Below is an updated list we recently published.

    -^3F#:\EFI\

    -^%ENV:SYSTEMDRIVE%\System Volume Information

    -^%ENV:SYSTEMROOT%\;dll.exe.sys.ocx.man.cat.manifest.policy

    -^%ENV:SYSTEMROOT%\System32

    -^%ENV:SYSTEMROOT%\SysWow64

    -^%ENV:SYSTEMROOT%\WinSxS

    -^%ENV:SYSTEMROOT%\Fonts

    Second we can add the below registry value.  This will help up the amount of file sizes the agent can decrypt during OS startup.  This is safe enough to throw in place on any machine you need to decrypt.  This key should help with the 5 and 32 win32err codes.

    HKEY_LOCAL_MACHINE\SOFTWARE\Credant\DecryptAgent\

    MaxBytesReboot=REG_DWORD:0

    Finally the 998 codes.  From the logs they look to be temporary files that should be able to be safely deleted.  I understand that is a manual process but there is a fix for it in the 8.15 release of DDP|E which should be available on dell.com soon.  

    Best Regards,

    Stephen O

    Senior Principal Engineer, Support & Delivery Services

    Dell Data Security

    Need Immediate help? Please call DDS Support @ +1.877.459.7304 Ext. 4310039

  • I think I have all the suggested exclusions.  Could you take a look at my policy and see if there are any edits you would suggest?

    -------------------------------------------------------------------------------------------------

    SDE Policy
    F#:\
    -^%ENV:SYSTEMDRIVE%\System Volume Information
    -^%ENV:SYSTEMROOT%\;dll.exe.sys.ocx.man.cat.manifest.policy
    -^%ENV:SYSTEMROOT%\System32
    -^%ENV:SYSTEMROOT%\WinSxS
    -^%ENV:SYSTEMROOT%\Fonts
    -^3@%ENV:SYSTEMROOT%\SYSTEM32\;exe
    -^3@%ENV:SYSTEMROOT%\SYSTEM32\cmd.exe;exe
    -^3@%ENV:SYSTEMROOT%\SYSTEM32\autochk.exe;exe
    -^3@%ENV:SYSTEMROOT%\SYSTEM32\winresume.exe;exe
    -^3@%ENV:SYSTEMROOT%\SYSTEM32\csrss.exe;exe
    -^F#:\boot
    -^F#:\bootmgr
    -^%ENV:SYSTEMDRIVE%\Program Files\Symantec
    -^%ENV:SYSTEMDRIVE%\Program Files (x86)\Symantec
    -^%ENV:SYSTEMDRIVE%\Program Files\Common Files\Symantec Shared
    -^%ENV:SYSTEMDRIVE%\Program Files (x86)\Common Files\Symantec Shared
    -^%ENV:SYSTEMDRIVE%\ProgramData\Symantec
    -^%ENV:SYSTEMDRIVE%\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin
    -^%ENV:SYSTEMDRIVE%\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin
    -^3F#:\EFI\
    -^%ENV:SYSTEMDRIVE%\$WINDOWS.~BT
    -^%ENV:SYSTEMDRIVE%\_SMSTaskSequence

    -------------------------------------------------------------------------------------------------

    Common Encrypted Folders

    %ENV:SYSTEMDRIVE%\;accdb.doc.docm.docx.mdb.pdf.ppam.pps.ppsm.ppsx.ppt.pptm.pptx.pub.puz.sldm.sldx.tif.tiff.vdx.vsd.vss.vst.vsx.vtx.xlam.xlm.xls.xlsb.xlsm.xlsx.xsf.zip.rar
    %ENV:USERPROFILE%\Desktop
    %ENV:USERPROFILE%\Downloads
    -^%ENV:SYSTEMDRIVE%\;dat.ini.xml.txt.log.db.lnk
    -^%ENV:SYSTEMDRIVE%\$WINDOWS.~BT
    -^%ENV:SYSTEMDRIVE%\_SMSTaskSequence
    -^%ENV:SYSTEMDRIVE%\Program Files\Symantec
    -^%ENV:SYSTEMDRIVE%\Program Files (x86)\Symantec
    -^%ENV:SYSTEMDRIVE%\Program Files\Common Files\Symantec Shared
    -^%ENV:SYSTEMDRIVE%\Program Files (x86)\Common Files\Symantec Shared
    -^%ENV:SYSTEMDRIVE%\ProgramData\Symantec
    -^%ENV:SYSTEMDRIVE%\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin
    -^%ENV:SYSTEMDRIVE%\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin

    -------------------------------------------------------------------------------------------------

  • Those polices look perfect.

    It's hard to make suggestions when I don't know your environment but from the top level best practices standpoint you have excluded what I would recommend.

    Are you having any application conflicts?  Usually when we have those that's when we add exclusions and usually those are based around security products.  Generally we want to whitelist those directories and if applicable whitelist our software files\folders from the security vendors product.  

    Best Regards,

    Stephen O

    Senior Principal Engineer, Support & Delivery Services

    Dell Data Security

    Need Immediate help? Please call DDS Support @ +1.877.459.7304 Ext. 4310039

  • We have an open case with ProSupport to investigate a reproducible bug we found.  Systems failing to boot when they are completely powered down, but once they fail to boot once they will boot just fine.  It's definitely something with the Encryption client.

    So, I had to decrypt a few systems to get users up and running, and discovered that they would never finish decrypting.  I actually stumbled onto this several weeks prior while troubleshooting an unrelated issue - I had to decrypt a user and then when I went to re-install DDP on their system WEEKS after, it said it was still decrypting.  

    I am booting into safe mode on one affected system to attempt manually deleting the TMP files that it's stuck on.  They were locked by SYSTEM and I could not delete them.  Will report back...

  • I booted into safe mode and deleted those files.  I also ran disk cleanup, on reboot the decrypt still fails.

    -------------------------------------------------------------------------------------

    [08.02.17 11:36:39] [PCSQuery] PCS driver not found![08.02.17 11:36:39] SDE Decrypt Service - CreateVolumes(): Logical drive "C:\" classified as a Fixed Drive

    [08.02.17 11:36:39] SDE Decrypt Service - CreateVolumes(): Volume created for logical drive "C:\"

    [08.02.17 11:36:39] SDE Decrypt Service - UpdateApplicationStatus( **** "Initial sweep" ****)

    [08.02.17 11:36:39] CBUT::Run(): Signalling UMES thread to run

    [08.02.17 11:36:39] CBUT::ThreadFunc(): Running UMES.

    [08.02.17 11:36:39] SDE Decrypt Service - UpdateApplicationStatus( **** "Decryption sweep" ****)

    [08.02.17 11:36:39] SDE Decrypt Service - DecryptSweep(): Performing decrypt sweep for C:\

    [08.02.17 11:36:39] SDE Decrypt Service - DecryptSweep_CheckDecryptFile(): Error calling DeviceIoControl(CREDCEF_ChkPathEncr) for file "C:\hiberfil.sys", win32Err = 32

    [08.02.17 11:36:39] SDE Decrypt Service - DecryptSweep_CheckDecryptFile(): Error calling DeviceIoControl(CREDCEF_ChkPathEncr) for file "C:\pagefile.sys", win32Err = 32

    [08.02.17 11:36:39] SDE Decrypt Service - DecryptSweep_CheckDecryptFile(): Error calling DeviceIoControl(CREDCEF_ChkPathEncr) for file "C:\swapfile.sys", win32Err = 32

    [08.02.17 11:36:39] SDE Decrypt Service - DecryptSweep_CheckDecryptFile(): EncryptDecryptFile("C:\$Recycle.Bin\S-1-5-21-725345543-1580436667-2146892821-4942\CEFD029.CEFD029.CEFD029.$R0O83AR.TMP.TMP.TMP.TMP") failed, win32Err = 998 [SDE]

    [08.02.17 11:36:39] SDE Decrypt Service - DecryptSweep_CheckDecryptFile(): EncryptDecryptFile("C:\$Recycle.Bin\S-1-5-21-725345543-1580436667-2146892821-4942\CEFD784.CEFD8be.$RBKFAQA.TMP.TMP.TMP") failed, win32Err = 998 [SDE]

    [08.02.17 11:36:39] SDE Decrypt Service - DecryptSweep_CheckDecryptFile(): EncryptDecryptFile("C:\$Recycle.Bin\S-1-5-21-725345543-1580436667-2146892821-4942\CEFD823.CEFD784.$RDTBLV2.TMP.TMP.TMP") failed, win32Err = 998 [SDE]

    [08.02.17 11:36:39] SDE Decrypt Service - DecryptSweep_CheckDecryptFile(): EncryptDecryptFile("C:\$Recycle.Bin\S-1-5-21-725345543-1580436667-2146892821-4942\CEFD8be.CEFD823.$R7H6E32.TMP.TMP.TMP") failed, win32Err = 998 [SDE]

    [08.02.17 11:36:39] SDE Decrypt Service - DecryptSweep_CheckDecryptFile(): EncryptDecryptFile("C:\$Recycle.Bin\S-1-5-21-725345543-1580436667-2146892821-4942\CEFDae1.CEFDae1.$RL3S6AX.TMP.TMP.TMP") failed, win32Err = 998 [SDE]

    [08.02.17 11:36:39] SDE Decrypt Service - DecryptSweep_CheckDecryptFile(): EncryptDecryptFile("C:\$Recycle.Bin\S-1-5-21-725345543-1580436667-2146892821-4942\CEFDd6c.CEFDd6c.$RQJYXPG.TMP.TMP.TMP") failed, win32Err = 998 [SDE]

    [08.02.17 11:37:37] SDE Decrypt Service - DecryptSweep(): Decryption sweep for C:\ complete

    [08.02.17 11:37:37] CBUT::Shutdown(): Signalling UMES thread to terminate.

    [08.02.17 11:37:37] CBUT::ThreadFunc(): UMES Done.

    [08.02.17 11:37:37] CBUT::ThreadFunc(): Thread complete.

    [08.02.17 11:37:37] SDE Decrypt Service - Run(): 6 files are still locked i.e. in use and hence not available for decryption.

    [08.02.17 11:37:37] SDE Decrypt Service - UpdateApplicationStatus( **** "All files could not be decrypted" ****)

    [08.02.17 12:24:17] SDE Decrypt Service - OnSessionChange(): Notification received, dwEventType = WTS_SESSION_LOGON

    [08.02.17 12:24:17] SDE Decrypt Service - OnSessionChange(): Setting user to logged on

    -------------------------------------------------------------------------------------

  • hi SgtTomK

    the Hiberfile.sys, Pagefile.sys, and swapfile.sys are expected to get a win32err of 32, this translates to :

    ERROR_SHARING_VIOLATION

    32 (0x20)

    The process cannot access the file because it is being used by another process.

    this specifically means that we just cannot access the file. it does not necessarily mean it is encrypted.

    the subsequent files in the recycle bin are recieving an error 998, which translates to:

    ERROR_NOACCESS

    998 (0x3E6)

    Invalid access to memory location.

    are we able to purge the recycle bin and re-start the "Dell Encryption Removal Agent" to see if this resolves the decryption issues?

    Dale

    L4 Support

    Dell Data Protection | Encryption

    Need Immediate help? Please call DDP |E Support @ +1.877.459.7304 Ext. 4310039

  • Dale,

    That was my thought exactly, but it was easier said then done.

    - I tried clearing recycle bin to no avail - no files where in it.

    - I tried disk cleanup, even though it said 8bytes in recycle bin

    - I in-hid the OS folder C:\$Recycle.Bin - I could see the files, but access denied

    - Boot into safe mode - try to delete files it let me delete them, but they just moved to another folder - - Access denied.

    - Booted into Linux live (Ubunto), it was unable to mount the windows partition

    - Disabled "Fast Boot" in Power Settings of Windows 10 (it uses Hybrid-sleep)

    - Booted back into Ubunto, deleted the files, reboot...

    - Success - Decrypt agent is no longer running and the folder in programdata cleaned itself up.

    Perhaps "Fast boot" was the issue all along, and the reason why rebooting didn't allow access to those files?  Will this be fixed in the future version of the client?

    Thanks,

    -Tom

  • Hi SgtTomK,

    We are looking into methods to help us better decrypt these hard-to-access files. Fast Boot was a great call, as the hybrid restart that it forces would cause issues with how we hold files in memory on reboot to decrypt.

    Changes to this space are coming in future versions, let me know if you would like to chat on this more via DM and we can talk potential strategies around this if needed.

    Dale

    L4 Support

    Dell Data Protection | Encryption

    Need Immediate help? Please call DDP |E Support @ +1.877.459.7304 Ext. 4310039