Carbon Black Cloud: Live Response "Get" Command Gives "Access Denied" Error Within C:\Windows\CSC Directory
search cancel

Carbon Black Cloud: Live Response "Get" Command Gives "Access Denied" Error Within C:\Windows\CSC Directory

book

Article ID: 286069

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

"Remote error 0x80070005 - Access is denied" Received when trying to "Get" a file from C:\windows\csc directory

Environment

  • Carbon Black Cloud: All versions
    • Live Response
  • Microsoft Windows: All Supported Versions

Cause

Offline File Encryption is enabled

Resolution

This is a limitation imposed by the OS. When encryption is enabled, each cached file is encrypted with a public key. No one (including local admins and System) except the user who owns the file has the key/access for reading/copying of the file.

Additional Information

  • Using "Del" command to delete files within this directory will still work, however if the file is re-cached- it will come back.
  • This setting can be checked by launching "control /name Microsoft.OfflineFiles" (from CMD or Run)  and then looking at the Encryption tab.
Powered by Wolken Software