CBEncrypt Class

Properties   Methods   Events   Config Settings   Errors  

The CBEncrypt class allows applications to transparently enforce file-level encryption and decryption policies on specified directories.

Syntax

cbfsencrypt.CBEncrypt

Remarks

CBEncrypt monitors specified directories to ensure that all files stored there remain encrypted on disk, while allowing authorized processes to read or write decrypted content on-the-fly.

Applications define encryption rules to protect specific directories and their contents, and specify trusted processes that can access decrypted content. Any new files created or written by trusted processes within these directories are automatically encrypted according to the rules, ensuring that sensitive data is always protected at rest.

To learn more about the class's capabilities, please refer to the product's General Information topics.

Getting Started

1. If the class's system driver has not been installed yet, call the Install method to do so. This needs to be done only once.
   • In production, the driver can be installed (or updated) ahead of time with the application's installation script using the Installer DLL. Please refer to the Driver Installation topic for more information.
2. Call the Initialize method to initialize the CBEncrypt class. This must be done each time the application starts.
3. Set the GlobalSalt property to a string or byte array of 16 bytes in length.
4. Add one or more encryption rules using the AddEncryptionRule method. (Rules can also be added or removed after the filter is started.)
5. Add one or more trusted processes using the AddTrustedProcess method.
6. Call the Start method to start filtering filesystem requests.
7. When finished, call the Stop method to stop filtering filesystem requests.
8. To uninstall the class's system driver, call the Uninstall method. This should not be done as part of the driver upgrade process.
   • In production, the driver can be uninstalled by the application's uninstallation script using the Installer DLL. Please refer to the Driver Installation topic for more information.

Property List

---

The following is the full list of the properties of the class with short descriptions. Click on the links for further details.

Method List

---

The following is the full list of the methods of the class with short descriptions. Click on the links for further details.

Event List

---

The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.

Config Settings

---

The following is a list of config settings for the class with short descriptions. Click on the links for further details.

Active Property (CBEncrypt Class)

This property notes whether the class is active and processing requests.

Syntax

public boolean isActive();

Default Value

False

Remarks

This property reflects whether the class is active and currently processing requests. It will be true after the filter has been attached successfully via a call to Start.

This property is read-only and not available at design time.

Altitude Property (CBEncrypt Class)

This property specifies the altitude the class's system driver should use .

Syntax

public String getAltitude();
public void setAltitude(String altitude);

Default Value

""

Remarks

This property specifies the altitude that the class's system driver should use . A driver's altitude determines its absolute position in the stack of filter drivers; drivers with higher altitudes are attached toward the top of the stack, closer to the user mode, which allows them to process requests earlier.

If multiple instances of the class are used, each instance must have own altitude.

Microsoft manages and assigns filesystem minifilter driver altitudes directly, so an application-specific altitude value must be obtained from Microsoft before an application is deployed in production. Please refer to the Driver Altitudes topic for more information. During development, an appropriate arbitrary value, such as 360000 (which is not registered with Microsoft), can be used.

If this property is queried before an altitude has been set (via this property or the Install method), it will return an empty string.

NOTE: This property cannot be changed when Active is true. Additionally, the Initialize method must be called before attempting to get or set this property's value, which is stored in the registry.

EncryptionRules Property (CBEncrypt Class)

This property includes the collection of encryption rules.

Syntax

public EncryptionRuleList getEncryptionRules();

Remarks

This property holds a collection of EncryptionRule objects, each of which represents a file encryption rule with a path and encryption parameters.

Each encryption rule represents a protected directory. Trusted processes included in the TrustedProcesses collection will have access to the decrypted contents of files within these directories. Untrusted processes will not have access to decrypted data and will see only the encrypted contents. Rules can also specify whether subdirectories are included in the protection scope.

Use the following methods to manage the rules in this collection:

• AddEncryptionRule
• RemoveEncryptionRule

NOTE: The methods and properties related to managing encryption rules are not intended to be used from multiple threads at once. Applications that wish to use said methods and properties from multiple threads (e.g., during the AfterFilterAttachToVolume and AfterFilterDetachFromVolume events) are responsible for employing proper thread synchronization techniques to ensure that manipulation and enumeration of the lists occur in a thread-safe manner.

This property is read-only and not available at design time.

Please refer to the EncryptionRule type for a complete list of fields.

FireVolumeEvents Property (CBEncrypt Class)

This property specifies the events that should be fired when a filesystem volume is mounted to or unmounted from the system.

Syntax

public int getFireVolumeEvents();
public void setFireVolumeEvents(int fireVolumeEvents);

Default Value

0

Remarks

This property specifies the events that the class should fire when a filesystem volume is mounted to or unmounted from the system. Possible values are as follows:

Note The aforementioned events are fired only for volumes mounted or unmounted after the Start method is called. Typically, applications use these events to dynamically add encryption rules for removable volumes, such as USB drives.

NOTE: The methods and properties related to managing encryption rules are not intended to be used from multiple threads at once. Applications that wish to use said methods and properties from multiple threads (e.g., during the AfterFilterAttachToVolume and AfterFilterDetachFromVolume events) are responsible for employing proper thread synchronization techniques to ensure that manipulation and enumeration of the lists occur in a thread-safe manner.

GlobalSalt Property (CBEncrypt Class)

The value being mixed into the process of key derivation.

Syntax

public byte[] getGlobalSalt();
public void setGlobalSalt(byte[] globalSalt);

Default Value

""

Remarks

This property specifies a global salt value that is mixed into the key derivation process when deriving an encryption key from a password. A salt increases security by ensuring that identical passwords produce different keys.

This property should be set to a random string or byte array of 16 bytes in length. If the value is longer than 16 bytes, only the first 16 bytes are used. If the value is shorter than 16 bytes, the Start method will throw an exception.

Using a cryptographically strong random number generator is recommended for increased security.

SerializeEvents Property (CBEncrypt Class)

Whether events should be fired on a single worker thread, or many.

Syntax

public int getSerializeEvents();
public void setSerializeEvents(int serializeEvents);

Enumerated values:
  public final static int seOnMultipleThreads = 0;
  public final static int seOnOneWorkerThread = 1;

Default Value

0

Remarks

This property specifies whether the class should fire all events serially on a single worker thread, or concurrently on multiple worker threads. The possible values are:

Please refer to the Threading and Concurrency topic for more information.

NOTE: This property cannot be changed when Active is true, and it cannot be changed within events.

Tag Property (CBEncrypt Class)

This property stores application-defined data specific to a particular instance of the class.

Syntax

public long getTag();
public void setTag(long tag);

Default Value

0

Remarks

This property can be used to store data specific to a particular instance of the class.

TrustedProcesses Property (CBEncrypt Class)

This property includes a collection of trusted processes.

Syntax

public TrustedProcessList getTrustedProcesses();

Remarks

This property contains the list of TrustedProcess entries. Each entry specifies a process that is allowed to access decrypted data of files within the directories defined by the EncryptionRules collection. When a trusted process opens an encrypted file, the class automatically decrypts the data on the fly, allowing the process to read or write the file as if it were unencrypted.

Processes not included in this collection are considered untrusted, and file-related events will not fire for these processes. Untrusted processes may read encrypted files (they will see only encrypted content), but are blocked from modifying them. This includes writing data, changing file size or allocation, or opening files in modes that overwrite, truncate, or supersede existing content. The DenyUntrustedWrite configuration setting controls this behavior and is enabled by default.

Please refer to the AddTrustedProcess and RemoveTrustedProcess methods for more information.

NOTE: The methods and properties related to process access lists are not intended to be used from multiple threads at once. Applications that wish to use said methods and properties from multiple threads are responsible for employing proper thread synchronization techniques to ensure that manipulation and enumeration of process access information occurs in a thread-safe manner.

This property is read-only and not available at design time.

Please refer to the TrustedProcess type for a complete list of fields.

AddEncryptionRule Method (CBEncrypt Class)

This method adds a new rule for file encryption.

Syntax

public boolean addEncryptionRule(String path, boolean includeSubdirectories, String password);

Remarks

This method adds a new encryption rule that defines how certain files must be encrypted and decrypted.

The Path parameter must be a valid path to the directory, in which files will be encrypted, and IncludeSubdirectories specifies whether or not the rule is recursive (i.e., covers files in subdirectories).

To encrypt a file, the Password parameter is used.

For more information, see Encryption.

The class stores the parameters in the list. Adding the same path several times will create only one rule for each distinct path, and consequent calls to AddEncryptionRule with different parameters will be ignored. The application can remove a rule using the RemoveEncryptionRule method, and then can add a new rule using AddEncryptionRule.

The method will return true if the rule was added to the list and false otherwise.

NOTE: The methods and properties related to managing encryption rules are not intended to be used from multiple threads at once. Applications that wish to use said methods and properties from multiple threads (e.g., during the AfterFilterAttachToVolume and AfterFilterDetachFromVolume events) are responsible for employing proper thread synchronization techniques to ensure that manipulation and enumeration of the lists occur in a thread-safe manner.

AddTrustedProcess Method (CBEncrypt Class)

Adds a rule that allows a process to access decrypted data of a file.

Syntax

public void addTrustedProcess(String processFileName, int processId, boolean childProcesses);

Remarks

This method can be used to add an access rule that grants the process specified by ProcessFileName or ProcessId access to decrypted data of an encrypted file. If no rules are added, access is not permitted to any process.

Processes that are already running can be specified by passing their process Id (PID) for the ProcessId parameter (in which case ProcessFileName should be empty). Processes that have not yet started can be specified by passing the full file name of the process's executable file for ProcessFileName (in which case ProcessId should be set to 0). If ProcessName is empty, and ProcessId is -1, the new rule will apply to all processes. When adding a PID-based rule, you need to be aware of the PID Reuse behavior of Windows.

ChildProcesses controls whether the rule also applies to children of the target process.

To remove the process access rule later, pass the same ProcessFileName and ProcessId values to the RemoveTrustedProcess method.

NOTE: This method cannot be called within events.

The methods and properties related to process access lists are not intended to be used from multiple threads at once. Applications that wish to use said methods and properties from multiple threads are responsible for employing proper thread synchronization techniques to ensure that manipulation and enumeration of process access information occurs in a thread-safe manner.

ChangePassword Method (CBEncrypt Class)

This method changes the password of a file.

Syntax

public void changePassword(String fileName, String oldPassword, String newPassword);

Remarks

This method changes the password used to encrypt the file specified by FileName.

If the file is not encrypted and the new password is not empty, the file will be encrypted. If the file is encrypted and the new password is empty, the file will be decrypted.

The OldPassword parameter specifies the current encryption password, if applicable.

The NewPassword parameter specifies the new encryption password to use, if applicable.

Config Method (CBEncrypt Class)

Sets or retrieves a configuration setting.

Syntax

public String config(String configurationString);

Remarks

Config is a generic method available in every class. It is used to set and retrieve configuration settings for the class.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

DecryptFile Method (CBEncrypt Class)

This method decrypts a file.

Syntax

public void decryptFile(String fileName, String password);

Remarks

This method decrypts the file specified by FileName.

If the file is not encrypted, the method returns.

The Password parameter specifies the password to use to decrypt the file.

EncryptFile Method (CBEncrypt Class)

This method encrypts a file.

Syntax

public void encryptFile(String fileName, String password);

Remarks

This method encrypts the file specified by FileName, if it is not already encrypted.

If the file is encrypted, the method reports an error. Use ChangePassword method to change the file password.

The Password parameter specifies the encryption password to use.

FileMatchesMask Method (CBEncrypt Class)

This method checks whether a particular file or directory name matches the specified mask.

Syntax

public boolean fileMatchesMask(String mask, String fileName, boolean caseSensitive);

Remarks

This method checks whether the file or directory name specified by FileName matches Mask; if it does, this method returns true. The CaseSensitive parameter controls whether a case-sensitive match should be performed.

NOTE: This method does not handle so-called DOS_* wildcards (DOS_STAR, DOS_QM, DOS_DOT). The explanation about the characters can be found in the MSDN article. If you have a mask that includes one of those characters on Windows, you can use the RtlIsNameInExpression function of Windows API.

NOTE: As the explanation states, "When you do a case-insensitive search and do not provide a translation table, the name is converted to uppercase."

GetDOSPathName Method (CBEncrypt Class)

This method retrieves the DOS path name of the file or directory by its native (NT) path.

Syntax

public String getDOSPathName(String NTPath);

Remarks

This method retrieves the DOS path name of the file or directory by its native path, specified in the NTPath parameter.

NOTE: Such name conversion is not always possible (e.g., the volume can have none or more than one DOS names). In this case, an empty string is returned.

NOTE: This method can be called only within events, and it must be called in the same thread that the event was originally fired on.

GetDriverStatus Method (CBEncrypt Class)

This method retrieves the status of the class's system driver.

Syntax

public int getDriverStatus(String productGUID);

Remarks

This method retrieves the status of the class's system driver. This status can then be used to verify whether it has been properly installed and is ready for use.

The value returned by the method corresponds to the dwCurrentState field of the SERVICE_STATUS structure from the Windows API. It will be one of the following:

ProductGUID is used to distinguish among driver installations performed by different applications as well as separate filter instances. Such information is necessary to guard against unexpected situations, such as the driver being uninstalled by one application despite other applications still needing it.

Therefore, to ensure proper operation, it is critical that each individual application have its own unique ProductGUID value, and that applications (and their installation scripts) use that value when calling any of the following methods:

• Install
• Uninstall
• GetDriverStatus
• GetDriverVersion
• Initialize

Additionally, some per-instance settings are stored in the GUID-specific registry keys. If multiple instances of the class are used, each instance must have own ProductGUID, and the driver must be installed several times.

This method is available in both the class API and the Installer DLL included with the product; please refer to the Driver Installation topic for more information about the latter.

NOTE: This method cannot be called within events.

GetDriverVersion Method (CBEncrypt Class)

This method retrieves the version of the class's system driver.

Syntax

public long getDriverVersion(String productGUID);

Remarks

This method retrieves the version of the class's system driver. The value is returned as a 64-bit integer composed of four 16-bit words that each correspond to a piece of the overall module version. For example, a version of 2.32.6.28 would cause the value 0x000200200006001C to be returned.

If the class's system driver is not installed, this method returns 0.

ProductGUID is used to distinguish among driver installations performed by different applications as well as separate filter instances. Such information is necessary to guard against unexpected situations, such as the driver being uninstalled by one application despite other applications still needing it.

Therefore, to ensure proper operation, it is critical that each individual application have its own unique ProductGUID value, and that applications (and their installation scripts) use that value when calling any of the following methods:

• Install
• Uninstall
• GetDriverStatus
• GetDriverVersion
• Initialize

Additionally, some per-instance settings are stored in the GUID-specific registry keys. If multiple instances of the class are used, each instance must have own ProductGUID, and the driver must be installed several times.

This method is available in both the class API and the Installer DLL included with the product; please refer to the Driver Installation topic for more information about the latter.

NOTE: This method cannot be called within events.

GetNTPathName Method (CBEncrypt Class)

This method retrieves the NT (native) path name of the file or directory by its DOS path.

Syntax

public String getNTPathName(String DOSPath);

Remarks

This method retrieves the NT (native) path name of the file or directory by its path, specified in the DOSPath parameter.

GetOriginatorProcessId Method (CBEncrypt Class)

Retrieves the Id of the process (PID) that initiated the operation.

Syntax

public int getOriginatorProcessId();

Remarks

This method can be called within events fired for filesystem operations to retrieve the Id of the process (PID) that initiated the operation. If the query fails, this method returns 0.

Please note that PIDs are not unique, and may be reused by different processes over time.

Applications cannot use this method to retrieve information about remote processes accessing virtual drives shared on the network. Windows does not provide such information due to the nature of remote access.

NOTE: This method can be called only within events, and it must be called in the same thread that the event was originally fired on.

GetOriginatorProcessName Method (CBEncrypt Class)

Retrieves the name of the process that initiated the operation.

Syntax

public String getOriginatorProcessName();

Remarks

This method can be called within events fired for filesystem operations to retrieve the name of the process that initiated the operation. If the query fails, this method returns empty string.

Applications cannot use this method to retrieve information about remote processes accessing virtual drives shared on the network. Windows does not provide such information due to the nature of remote access.

NOTE: This method can be called only within events, and it must be called in the same thread that the event was originally fired on.

GetOriginatorToken Method (CBEncrypt Class)

Retrieves the security token associated with the process that initiated the operation.

Syntax

public long getOriginatorToken();

Remarks

This method can be called within events fired for filesystem operations to retrieve the security token associated with the process that initiated the operation. If the query fails, this method returns INVALID_HANDLE_VALUE. NOTE: To use this method from Notify* event handlers, you need to enable the CaptureTokenForNotifyEvents setting.

The security token returned by this method can be passed to the Windows API's GetTokenInformation function to obtain more information about the process. This is particularly useful for implementing custom security checks; please refer to the Security Checks topic for more information.

Important: When applications are finished using the returned security token, they must close it using the Windows API's CloseHandle function.

Network Access Notes

For virtual drives shared on the network, applications may wish to obtain information about the network users accessing it (e.g., account names). Drives can be shared in several modes in Windows, which can affect the information retrievable via the security token this method returns:

• Authenticated mode, in which case the Helper DLL (which, in general, is responsible for relaying remote drive requests to and from the system driver) will impersonate the network user, allowing that account's actual information to be retrieved.
• Guest mode, in which case the retrievable information is for the system's GUEST account.
• Administrative shares (those which exist by default and whose names end with '$'; e.g., C$, ADMIN$, etc.), in which case the retrievable information is for the LOCAL_SYSTEM account.

NOTE: This method can be called only within events, and it must be called in the same thread that the event was originally fired on.

GetVolumeGUID Method (CBEncrypt Class)

This method retrieves the volume GUID of the device targeted by a filesystem operation.

Syntax

public String getVolumeGUID();

Remarks

This method can be called within events fired for filesystem operations to retrieve the volume GUID of the device targeted by the operation, returned in the Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} format. If the query fails, this method returns an empty string.

Volume GUIDs can be used to enumerate the mounting points of a device using the Windows API's GetVolumePathNamesForVolumeName function.

NOTE: This method can be called only within events.

Initialize Method (CBEncrypt Class)

This method initializes the class.

Syntax

public void initialize(String productGUID);

Remarks

This method initializes the class and must be called each time the application starts before attempting to call any of the class's other methods with the exception of installation-related methods.

ProductGUID is used to distinguish between driver installations performed by different applications. Such information is necessary to guard against unexpected situations such as, e.g., the driver being uninstalled by one application despite other applications still needing it.

The GUID must be specified in so-called "Registry Format" (e.g., "{1FAD0EF2-9A03-4B87-B4BC-645B7035ED90}") with curly braces included.

To ensure proper operation, it is critical that each individual application have its own unique ProductGUID value, and that applications (and their installation scripts) use that value when calling any of the following methods:

• Install
• Uninstall
• GetDriverStatus
• GetModuleVersion
• RegisterIcon
• UnregisterIcon
• Initialize

If the required driver was not installed using the Install method with the same value of ProductGUID, Initialize will return a ERROR_FILE_NOT_FOUND error (Win32 error code 2).

If the loaded kernel-mode driver is older than the user-mode API, Initialize will return a ERROR_INVALID_KERNEL_INFO_VERSION error (Win32 error code 340). In this situation, an update of the driver using the Install method is required before the class can be used.

Install Method (CBEncrypt Class)

This method installs (or upgrades) the class's system driver.

Syntax

public boolean install(String cabFileName, String productGUID, String pathToInstall, String altitude, int flags, String allowedControllers);

Remarks

This method is used to install or upgrade the class's system driver. If the system must be rebooted to complete the installation process, this method returns true; otherwise, it returns false.

Important: To upgrade the product's modules, use only the Install method. Previously installed versions of the modules should not be uninstalled first. Calling the Install method will upgrade the previously installed version.

Please refer to the Driver Installation topic for more information.

CabFileName must be the path of the cbfilter.cab file containing the class's system driver.

NOTE: This .cab file must remain on the target system (or be available in some other way) after installation, as it is required to uninstall the driver from the system.

ProductGUID is used to distinguish among driver installations performed by different applications as well as separate filter instances. Such information is necessary to guard against unexpected situations, such as the driver being uninstalled by one application despite other applications still needing it.

Therefore, to ensure proper operation, it is critical that each individual application have its own unique ProductGUID value, and that applications (and their installation scripts) use that value when calling any of the following methods:

• Install
• Uninstall
• GetDriverStatus
• GetDriverVersion
• Initialize

Additionally, some per-instance settings are stored in the GUID-specific registry keys. If multiple instances of the class are used, each instance must have own ProductGUID, and the driver must be installed several times.

PathToInstall controls where the driver is installed. Pass empty string (highly recommended) to automatically install them to the appropriate Windows system directory.

Altitude specifies the driver altitude to use . During development, you can use any acceptable altitude value. For deployment, an altitude value must be assigned by Microsoft before deploying a filesystem minifilter in production. After installation, the altitude can be changed at any time using the Altitude property. Please refer to the Driver Altitudes topic for more information.

If multiple instances of the class are used, each instance must have own altitude.

Flags specifies various installation options. It should be created by OR'ing together (e.g., "Constants.CONST_A | Constants.CONST_B") zero or more of the following flags:

NOTE: Enabling the AlwaysPrepareFiles and/or SendRequestsViaDriverStack configuration settings before calling this method will cause the corresponding flags to be added automatically. These configuration settings can also be used to toggle the corresponding options at any time after installation.

AllowedControllers is the optional parameter that makes it possible to limit communication with the driver to just the predefined set of processes. When the caller specifies one or more names of the executable files, filtering can be started with the specified ProductGUID only when filtering is initiated by the process created from one of the listed executable files. If the name of the caller process does not match any of the allowed names, the call to Start will fail with an error.

The parameter may be either empty or contain one or more EXE file names with complete paths. Separate names/paths should be separated by the LF character (numeric code 10).

This method is available in both the class API and the Installer DLL included with the product; please refer to the Driver Installation topic for more information about the latter.

This method requires administrative rights to execute successfully. If the user account of the process that calls this method doesn't have such rights, the call will fail with an ERROR_PRIVILEGE_NOT_HELD (0x0522) error.

NOTE: This method cannot be called within events.

IsFileEncrypted Method (CBEncrypt Class)

Checks whether the specified file is encrypted.

Syntax

public boolean isFileEncrypted(String fileName);

Remarks

This method checks whether the file specified by FileName is encrypted using the class.

RemoveEncryptionRule Method (CBEncrypt Class)

This method removes an encryption rule from the list.

Syntax

public boolean removeEncryptionRule(String path);

Remarks

This method removes an encryption rule, identified by Path, from the list of encrypted rules.

The method will return true if the rule that includes the path was found in the list and was removed, and false otherwise.

NOTE: The methods and properties related to managing encryption rules are not intended to be used from multiple threads at once. Applications that wish to use said methods and properties from multiple threads (e.g., during the AfterFilterAttachToVolume and AfterFilterDetachFromVolume events) are responsible for employing proper thread synchronization techniques to ensure that manipulation and enumeration of the lists occur in a thread-safe manner.

RemoveTrustedProcess Method (CBEncrypt Class)

Removes a rule that allows a process to access the decrypted data of an encrypted file.

Syntax

public void removeTrustedProcess(String processFileName, int processId);

Remarks

This method can be used to remove an access rule previously added with the AddTrustedProcess method.

Pass the same values for ProcessFileName and ProcessId as were used to add the rule when AddTrustedProcess was called previously. Please refer to that method's documentation for more information.

NOTE: This method cannot be called within events.

The methods and properties related to process access lists are not intended to be used from multiple threads at once. Applications that wish to use said methods and properties from multiple threads are responsible for employing proper thread synchronization techniques to ensure that manipulation and enumeration of process access information occurs in a thread-safe manner.

ResetTimeout Method (CBEncrypt Class)

This method resets the timeout duration for the current event handler.

Syntax

public boolean resetTimeout(int timeout);

Remarks

When event timeouts are being enforced, this method can be called within an event handler to inform the class that request processing is taking longer than expected.

If called successfully, this method returns true, and the current event handler's timeout timer is immediately reset to 0; when it reaches the number of milliseconds specified by Timeout, the driver will either "release" the underlying request and pass it onwards, or cancel it by reporting an error; whichever is most appropriate for the event in question. Please refer to the Timeouts topic for more information.

Passing 0 for Timeout disables the timeout timer for the current event handler, allowing it to take as long as it needs to complete.

NOTE: When several events are fired for the same file concurrently (if the SerializeAccess configuration setting is disabled), and ResetTimeout is called from one of the handlers of these events, this method will reset the timer for all currently executed event handlers.

NOTE: This method can be called only within events.

ShutdownSystem Method (CBEncrypt Class)

Shuts down or reboots the operating system.

Syntax

public boolean shutdownSystem(String shutdownPrompt, int timeout, boolean forceCloseApps, boolean reboot);

Remarks

This method shuts down or (if Reboot is true) reboots the operating system. If the appropriate privileges cannot be obtained, or if the InitiateSystemShutdown system call returns false, then this method will return false; otherwise, it returns true. This method can be used if the installation or uninstallation function requires the system to be rebooted in order to complete.

ShutdownPrompt, if non-empty, specifies a message that the OS should display to the user for Timeout seconds. If empty string is passed for ShutdownPrompt, no message is displayed and the Timeout parameter's value is ignored.

ForceCloseApps specifies whether the OS should forcefully close all applications. Please keep in mind that forceful closing of applications with unsaved data can lead to data loss.

Reboot specifies whether the OS should reboot (true) or just shut down (false).

This method is available in both the class API and the Installer DLL included with the product; please refer to the Driver Installation topic for more information about the latter.

NOTE: This method cannot be called within events.

Start Method (CBEncrypt Class)

This method starts monitoring the filesystem and encrypting and decrypting files.

Syntax

public void start(int timeout);

Remarks

This method starts filesystem monitoring and handling of operations with files that must be encrypted or decrypted. Rules can be added and removed both before and after this method is called, so long as the Initialize method is called before doing anything else.

This method can fail for a number of reasons, including (but not limited to) the following:

• If the class's system driver has not been properly installed, or is awaiting a system reboot (as indicated by the return value of Install), this method fails with an ERROR_FILE_NOT_FOUND (2) error code.
• If the Initialize method has not been called yet, this method fails with an ERROR_NOT_READY (21) error code.
• If the filter is already Active, this method fails with an ERROR_CONNECTION_ACTIVE (1230) error code.
• If an invalid value is passed for Timeout, this method fails with an ERROR_IMPLEMENTATION_LIMIT (1292) error code.

Timeout

Timeout specifies how many milliseconds the driver should wait for events to execute before releasing or cancelling the underlying OS requests; please refer to the Timeouts topic for more information. Valid values are 0, which disables event timeouts, and values greater than or equal to 3000. When event timeouts are in effect, event handlers can call ResetTimeout to reset the timer if they require additional time to complete.

Stop Method (CBEncrypt Class)

This method stops monitoring of filesystem operations.

Syntax

public void stop();

Remarks

This method stops monitoring of filesystem operations and encrypting and decrypting files.

The method returns after monitoring is stopped.

Uninstall Method (CBEncrypt Class)

This method uninstalls the class's system driver.

Syntax

public boolean uninstall(String cabFileName, String productGUID, String installedPath, int flags);

Remarks

This method is used to uninstall the class's system driver. If the system must be rebooted to complete the uninstallation process, this method returns true; otherwise, it returns false.

Important: To upgrade the product's modules, use only the Install method. Previously installed versions of the modules should not be uninstalled first. Calling the Install method will upgrade the previously installed version.

Please refer to the Driver Installation topic for more information.

The same values must be passed for the CabFileName, ProductGUID, and InstalledPath parameters as were passed when Install was called; please refer to its documentation for more information.

Flags specifies which versions of the class's system driver should be uninstalled and which should be set by OR'ing together (e.g., "Constants.CONST_A | Constants.CONST_B") one or more of the following values:

This method is available in both the class API and the Installer DLL included with the product; please refer to the Driver Installation topic for more information about the latter.

This method requires administrative rights to execute successfully. If the user account of the process that calls this method doesn't have such rights, the call will fail with an ERROR_PRIVILEGE_NOT_HELD (0x0522) error.

NOTE: This method cannot be called within events.

AfterFilterAttachToVolume Event (CBEncrypt Class)

This event fires after the filter attaches to a newly mounted filesystem volume.

Syntax

public class DefaultCBEncryptEventListener implements CBEncryptEventListener {
  ...
  public void afterFilterAttachToVolume(CBEncryptAfterFilterAttachToVolumeEvent e) {}
  ...
}

public class CBEncryptAfterFilterAttachToVolumeEvent {
  public String volumeName;
  public String volumeNameNT;
  public int resultCode; //read-write
}

Remarks

This event fires after the filter attaches to the newly mounted filesystem volume specified by VolumeNameNT and, when possible, VolumeName. Please refer to the FireVolumeEvents property for more information.

Applications need to handle this event only if the FireVolumeEvents property includes the FS_MOUNT_CONTROL flag.

NOTE: This event won't fire for any volumes skipped during the BeforeFilterAttachToVolume event; please refer to its documentation for more information.

VolumeNameNT contains the name of the volume in the NT-native format, as received from the system. If the ResolveNtDeviceToDriveLetter configuration setting is enabled, and if it was possible to convert the NT name to the DOS format with a drive letter, VolumeName will contain the name in this format; otherwise, it will be empty.

Applications can obtain additional information about a volume by retrieving its GUID using the GetVolumeGUID method, and then using that GUID to call various Windows API functions.

Applications can use this event to add volume-specific rules for the volume that has been mounted (keeping in mind that this event does not fire for volumes that are already present when Start is called). Applications that intend to do so must ensure that proper thread synchronization techniques are used when manipulating or enumerating the rule lists, because this event's handler will always execute in the context of some worker thread. Note: if a path-based rule is added or removed, such a path should use the value from VolumeNameNT to avoid a possible deadlock, which may occur during resolving a DOS name to the NT format.

Applications must be aware that this event fires as a direct response to a filesystem state change (mount or unmount). Various system components or third-party actors can perform supplementary filesystem mounting and unmounting during main unmount operations (e.g., Volume Service is one such component). This can cause seemingly excessive events to be fired, and sometimes they can be fired out of order (such as two *Attach or *Detach events fired in a row).

The ResultCode parameter will always be 0 when the event is fired. If the event cannot be handled in a "successful" manner for some reason (e.g., a resource is not available or security checks failed), set it to a nonzero value to report an appropriate error. Please see the Error Handling topic for more information.

This event is fired synchronously; please refer to the Event Types topic for more information.

AfterFilterDetachFromVolume Event (CBEncrypt Class)

This event fires after the filter detaches from a filesystem volume.

Syntax

public class DefaultCBEncryptEventListener implements CBEncryptEventListener {
  ...
  public void afterFilterDetachFromVolume(CBEncryptAfterFilterDetachFromVolumeEvent e) {}
  ...
}

public class CBEncryptAfterFilterDetachFromVolumeEvent {
  public String volumeName;
  public String volumeNameNT;
  public int resultCode; //read-write
}

Remarks

This event fires after the filter detaches from the filesystem volume specified by VolumeNameNT and, when possible, VolumeName, typically because of the volume being unmounted. Please refer to the FireVolumeEvents property for more information.

Applications need to handle this event only if the FireVolumeEvents property includes the FS_MOUNT_CONTROL flag.

NOTE: This event won't fire for any volumes skipped during the BeforeFilterAttachToVolume event; please refer to its documentation for more information.

Applications should use this event to remove volume-specific rules for the volume that has been unmounted. Applications that intend to do so must ensure that proper thread synchronization techniques are used when manipulating or enumerating the rule lists, because this event's handler will always execute in the context of some worker thread. Note: if a path-based rule is added or removed, such a path should use the value from VolumeNameNT to avoid a possible deadlock, which may occur during resolving a DOS name to the NT format.

Applications must be aware that this event fires as a direct response to a filesystem state change (mount or unmount). Various system components or third-party actors can perform supplementary filesystem mounting and unmounting during main unmount operations (e.g., Volume Service is one such component). This can cause seemingly excessive events to be fired, and sometimes they can be fired out of order (such as two *Attach or *Detach events fired in a row).

VolumeNameNT contains the name of the volume in the NT-native format, as received from the system. If the ResolveNtDeviceToDriveLetter configuration setting is enabled, and if it was possible to convert the NT name to the DOS format with a drive letter, VolumeName will contain the name in this format; otherwise, it will be empty.

The ResultCode parameter will always be 0 when the event is fired. If the event cannot be handled in a "successful" manner for some reason (e.g., a resource is not available or security checks failed), set it to a nonzero value to report an appropriate error. Please see the Error Handling topic for more information.

This event is fired synchronously; please refer to the Event Types topic for more information.

BeforeFilterAttachToVolume Event (CBEncrypt Class)

This event fires before the filter attaches to a newly mounted filesystem volume.

Syntax

public class DefaultCBEncryptEventListener implements CBEncryptEventListener {
  ...
  public void beforeFilterAttachToVolume(CBEncryptBeforeFilterAttachToVolumeEvent e) {}
  ...
}

public class CBEncryptBeforeFilterAttachToVolumeEvent {
  public String volumeName;
  public String volumeNameNT;
  public boolean skipVolume; //read-write
  public int resultCode; //read-write
}

Remarks

This event fires before the filter attaches to the newly mounted filesystem volume specified by VolumeNameNT and, when possible, VolumeName. Please refer to the FireVolumeEvents property for more information.

Applications need to handle this event only if the FireVolumeEvents property includes the FS_MOUNT_CONTROL flag.

VolumeNameNT contains the name of the volume in the NT-native format, as received from the system. If the ResolveNtDeviceToDriveLetter configuration setting is enabled, and if it was possible to convert the NT name to the DOS format with a drive letter, VolumeName will contain the name in this format; otherwise, it will be empty.

Applications can obtain additional information about a volume by retrieving its GUID using the GetVolumeGUID method, and then using that GUID to call various Windows API functions.

The SkipVolume parameter specifies whether the class's system driver should skip the specified volume (i.e., not attach the filter to it). Setting this parameter to true will cause all filesystem operations that target to volume to be completely ignored by the class's system driver. It also will prevent any of the following events from firing for the volume:

• AfterFilterAttachToVolume
• AfterFilterDetachFromVolume

The ResultCode parameter will always be 0 when the event is fired. If the event cannot be handled in a "successful" manner for some reason (e.g., a resource is not available or security checks failed), set it to a nonzero value to report an appropriate error. Please see the Error Handling topic for more information.

This event is fired synchronously; please refer to the Event Types topic for more information.

Applications must be aware that this event fires as a direct response to a filesystem state change (mount or unmount). Various system components or third-party actors can perform supplementary filesystem mounting and unmounting during main unmount operations (e.g., Volume Service is one such component). This can cause seemingly excessive events to be fired, and sometimes they can be fired out of order (such as two *Attach or *Detach events fired in a row).

CloseFile Event (CBEncrypt Class)

This event fires when a file or directory is closed.

Syntax

public class DefaultCBEncryptEventListener implements CBEncryptEventListener {
  ...
  public void closeFile(CBEncryptCloseFileEvent e) {}
  ...
}

public class CBEncryptCloseFileEvent {
  public String fileName;
  public int desiredAccess;
  public int createDisposition;
  public boolean encrypted;
  public boolean modified;
  public int resultCode; //read-write
}

Remarks

This event fires when the file or directory specified by FileName is closed, but only when the file was opened for reading or writing (not for retrieving attributes).

An application can use this event to schedule an asynchronous encryption or decryption operation on the file.

The DesiredAccess and CreateDisposition parameters are the same as the ones that were passed with the OpenFile event that opened the file.

The Encrypted parameter indicates whether the file is currently encrypted.

The Modified parameter indicates whether the file was modified while being opened. Modifications include writing to the file, changing its size or Valid Data Length, as well as opening a file in one of the overwrite or "supersede" modes, in which file contents are replaced.

The ResultCode parameter will always be 0 when the event is fired. If the event cannot be handled in a "successful" manner for some reason (e.g., a resource is not available or security checks failed), set it to a nonzero value to report an appropriate error. Please see the Error Handling topic for more information.

This event is fired synchronously; please refer to the Event Types topic for more information.

Error Event (CBEncrypt Class)

This event fires if an unhandled error occurs during an event.

Syntax

public class DefaultCBEncryptEventListener implements CBEncryptEventListener {
  ...
  public void error(CBEncryptErrorEvent e) {}
  ...
}

public class CBEncryptErrorEvent {
  public int errorCode;
  public String description;
}

Remarks

This event fires if an unhandled error occurs during another event. Developers can use this information to track down unhandled errors in an application's event handlers.

OpenFile Event (CBEncrypt Class)

The event fires when a file or directory is created or opened.

Syntax

public class DefaultCBEncryptEventListener implements CBEncryptEventListener {
  ...
  public void openFile(CBEncryptOpenFileEvent e) {}
  ...
}

public class CBEncryptOpenFileEvent {
  public String fileName;
  public boolean fileExists;
  public int existingAttributes;
  public int desiredAccess;
  public int attributes;
  public int shareMode;
  public int options;
  public int createDisposition;
  public int encryption; //read-write
  public String password; //read-write
  public int resultCode; //read-write
}

Remarks

This event fires when the file or directory specified by FileName is created or opened. You can use the FileExists parameter to detect whether the file exists and the CreateDisposition parameter to determine what will happen with the data after the file is opened.

The initial values of DesiredAccess, Attributes, ShareMode, and CreateDisposition parameters reflect the values that were passed for the similarly named parameters of the Windows API's CreateFile function (or, more accurately, the values carried by the IRP_MJ_CREATE I/O Request Packet).

DesiredAccess may contain one or more of the following access flags:

Attributes may contain one or more of the following attributes:

ShareMode may contain zero or more of the following share mode flags:

When the file being created or opened is virtual, the event handler must inspect and handle the value of the ShareMode parameter as a filesystem would normally do it.

CreateDisposition may contain one of the following values:

When the file being created or opened is virtual, the event handler must inspect and handle the value of the CreateDisposition parameter as a filesystem would normally do it. This includes adjusting the file size and updating the time attributes depending on the flag. For a virtual file, the driver returns the CreationStatus value that is derived from CreateDisposition as follows: If the event handler needs to change the returned CreationStatus, it should change the value of the CreateDisposition to the FILE_DISPOSITION_*** value that leads to the desired CreationStatus value (e.g. set the value to FILE_DISPOSITION_OPEN_EXISTING so that the driver returns CREATION_STATUS_OPENED).

Options contains the flags that are described in the CreateOptions parameter of the Native API's ZwCreateFile function. Most of those flags correspond to flags passed in the FlagsAndAttributes parameter of the Windows API's CreateFile function, but some flags are specific to Native API. If you need those flags, check both functions' descriptions.

Please refer to Microsoft's documentation for detailed information about these constants.

To determine whether the request is for a file or a directory, compare Attributes against the FILE_SYS_ATTR_DIRECTORY constant, as follows: // Check whether the request is for a file or a directory. bool isDirectory = (Attributes & FILE_SYS_ATTR_DIRECTORY) == FILE_SYS_ATTR_DIRECTORY; FILE_SYS_ATTR_DIRECTORY will be present only if it was specified by the calling process; its presence or absence does not indicate the real presence of the attribute on the file or directory on disk.

The attibute may be not present when an existing entry is opened. Thus, the alternative approach is to check the intention of the originator process to open a directory. This is done by verifying whether the Options parameter contains the FILE_DIRECTORY_FILE flag (numeric value 1): // Check whether the request is to open a a directory. bool isDirectory = (Options & 1) != 0; Note that this flag may also be missing, in which case, if the handler needs to know if an existing entry is a file or directory, it should request the attributes of the entry, for example, by opening a direct handle to the entry with the CreateFileDirect method and using the QueryFileInformationDirect method to obtain the attributes.

To determine whether a file will be deleted when its last handle is closed, compare Options against the Windows API's FILE_FLAG_DELETE_ON_CLOSE constant, as follows: // Check whether the file will be deleted on close. bool deleteOnClose = Options & FILE_FLAG_DELETE_ON_CLOSE == FILE_FLAG_DELETE_ON_CLOSE;

NOTE: Files can be deleted in different ways, so do not use this check to take actions related to tracking file deletion operations. Instead, use the events related to file deletion.

To prevent a file or directory from being opened, set the ResultCode parameter to a non-zero value (typically ERROR_ACCESS_DENIED (5)).

To prevent the OS from creating or opening the file, set the ResultCode parameter to a certain error value, such as ACCESS_DENIED (numeric value is 5).

To encrypt a file, the Encryption and Password parameters are used. Encryption specifies the encryption mode and can initially have, or be set to, one of the following values:

If the file does not exist or is recreated (superseded), the Encryption parameter will initially be set to 2, and Password will be empty. If the user does not modify either parameter, the new file will be encrypted with the password specified in the relevant EncryptionRule.

If the user sets the Password parameter as something other than an empty string, the new file will be encrypted using that value. Lastly, if the user sets the Encryption parameter to 0, the new file will not be encrypted.

If the file already exists and is not superseded, the values of these parameters are ignored; the password for the existing file is requested through the PasswordNeeded event before OpenFile event is fired.

For more information, see Encryption.

The ResultCode parameter will always be 0 when the event is fired. If the event cannot be handled in a "successful" manner for some reason (e.g., a resource is not available or security checks failed), set it to a nonzero value to report an appropriate error. Please see the Error Handling topic for more information.

This event is fired synchronously; please refer to the Event Types topic for more information.

PasswordNeeded Event (CBEncrypt Class)

This event fires if a password is needed to open an encrypted file.

Syntax

public class DefaultCBEncryptEventListener implements CBEncryptEventListener {
  ...
  public void passwordNeeded(CBEncryptPasswordNeededEvent e) {}
  ...
}

public class CBEncryptPasswordNeededEvent {
  public String fileName;
  public String password; //read-write
  public int resultCode; //read-write
}

Remarks

This event fires when the existing encrypted file specified by FileName is being opened when a valid password has not been provided in the rule. This event will not fire if a valid password has already been provided, or if the file specified by FileName does not exist.

To allow access to the specified file, set the Password parameter to the correct password. To prevent access to the specified file, return the ERROR_ACCESS_DENIED error code via ResultCode.

The event will fire in a loop until a valid password is provided or a nonzero result code is returned.

The ResultCode parameter will always be 0 when the event is fired. If the event cannot be handled in a "successful" manner for some reason (e.g., a resource is not available or security checks failed), set it to a nonzero value to report an appropriate error. Please see the Error Handling topic for more information.

This event is fired synchronously; please refer to the Event Types topic for more information.

Progress Event (CBEncrypt Class)

This event fires to indicate the progress of long-running encryption/decryption operations.

Syntax

public class DefaultCBEncryptEventListener implements CBEncryptEventListener {
  ...
  public void progress(CBEncryptProgressEvent e) {}
  ...
}

public class CBEncryptProgressEvent {
  public int operation;
  public String fileName;
  public int progress;
  public int total;
  public boolean canStop;
  public boolean stop; //read-write
}

Remarks

This event fires anytime the class needs to report the progress of a long-running operation, initiated by the application (EncryptFile or DecryptFile). This event can be fired repeatedly during one operation.

The Operation parameter specifies which long-running operation caused this event to fire. Possible values are as follows:

The FileName contains the path of the file being processed.

The Progress and Total parameters reflect the current and maximum progress values. Both will be 0 if the operation's progression cannot be determined.

The CanStop parameter indicates whether the application may interrupt the operation by setting the Stop parameter to true.

NOTE: An application should not attempt to call class's methods from handlers of this event. Doing this is guaranteed to cause a deadlock.

RenameOrMoveFile Event (CBEncrypt Class)

This event fires when a file is renamed or moved.

Syntax

public class DefaultCBEncryptEventListener implements CBEncryptEventListener {
  ...
  public void renameOrMoveFile(CBEncryptRenameOrMoveFileEvent e) {}
  ...
}

public class CBEncryptRenameOrMoveFileEvent {
  public String fileName;
  public String newFileName;
  public int encryption; //read-write
  public String password; //read-write
  public int resultCode; //read-write
}

Remarks

This event fires when the file specified by FileName is renamed or moved to another location, identified by NewFileName.

To prevent the OS from renaming the file, set the ResultCode parameter to a certain error value, such as ACCESS_DENIED (numeric value is 5).

The Encryption and Password parameters are used for file encryption. Encryption specifies the encryption mode to use and can have one of the following values:

When this event fires, the Encryption parameter indicates whether the source file is currently encrypted (if 2, the file is encrypted), and Password will be empty. If these parameters remain unchanged, the file will not be modified and will retain its original encryption when renamed or moved.

To change the file's encryption, set the Encryption and/or Password parameters accordingly. For example, if a file is initially encrypted when the event fires, Encryption will be 2. Setting Encryption to 0 will decrypt the resulting file, while assigning a new value to Password will re-encrypt the file using the specified password.

Before making any changes, applications may use the FileMatchesMask helper method to determine whether the new file name matches an existing encryption rule. This allows the application to adjust the Password parameter as needed to ensure the resulting file uses the appropriate rule password for its new location or name. For example, this can be done by iterating through the EncryptionRules collection, and passing the relevant rule path like so:

lock (mEncrypt.EncryptionRules) { foreach (EncryptionRule rule in mEncrypt.EncryptionRules) { if (mEncrypt.FileMatchesMask(rule.Path + "\\*", e.NewFileName, false)) { e.Encryption = 2; e.Password = rule.Password; } } }

Note that before this event fires, if a file is encrypted, the PasswordNeeded event will fire.

For more information, see Encryption.

The ResultCode parameter will always be 0 when the event is fired. If the event cannot be handled in a "successful" manner for some reason (e.g., a resource is not available or security checks failed), set it to a nonzero value to report an appropriate error. Please see the Error Handling topic for more information.

This event is fired synchronously; please refer to the Event Types topic for more information.

EncryptionRule Type

This type represents an encryption rule.

Remarks

This type represents a rule for encryption and decryption by CBEncrypt class. Rules can be added to the list using AddEncryptRule.

• IncludeSubdirectories
• Password
• Path

Fields

TrustedProcess Type

Represents an access rule granting some process access to decrypted data of files.

Remarks

This type represents an access rule that grants some or all processes access to decrypted data of files encrypted with CBEncrypt.

• IncludeChildren
• ProcessId
• ProcessName

Fields

Config Settings (CBEncrypt Class)

The class accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

CBEncrypt Config Settings

Base Config Settings

Trappable Errors (CBEncrypt Class)