Carbon Black Cloud: Live Response "Get" Command Gives "Access Denied" Error Within C:\Windows\CSC Directory
Article ID: 286069
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
"Remote error 0x80070005 - Access is denied" is received when trying to "Get" a file from the C:\Windows\CSC directory
Environment
Carbon Black Cloud: All versions
Live Response
Microsoft Windows: All Supported Versions
Cause
Offline File Encryption is enabled
Resolution
This is a limitation imposed by the OS. When encryption is enabled, each cached file is encrypted with a public key. Only the user who owns the file has the key and access needed to read or copy it; no one else, including local admins and System, can do so.
Additional Information
Using the "Del" command to delete files within this directory will still work; however, if the file is re-cached, it will come back.
This setting can be checked by launching "control /name Microsoft.OfflineFiles" (from CMD or Run) and then looking at the Encryption tab.