diff --git a/internal/fs/meta_darwin.go b/internal/fs/meta_darwin.go
index 0b74064b3..d7b3d1dcf 100644
--- a/internal/fs/meta_darwin.go
+++ b/internal/fs/meta_darwin.go
@@ -24,6 +24,15 @@ func openMetadataHandle(path string, flag int) (*os.File, error) {
 	return f, nil
 }
 
+func openReadHandle(path string, flag int) (*os.File, error) {
+	f, err := os.OpenFile(path, flag, 0)
+	if err != nil {
+		return nil, err
+	}
+	_ = setFlags(f)
+	return f, nil
+}
+
 // reopenMetadataHandle reopens a handle created by openMetadataHandle for reading.
 // The caller must no longer use the original file.
 func reopenMetadataHandle(f *os.File) (*os.File, error) {
diff --git a/internal/fs/meta_linux.go b/internal/fs/meta_linux.go
index 3bfafe429..d5bf750a1 100644
--- a/internal/fs/meta_linux.go
+++ b/internal/fs/meta_linux.go
@@ -25,6 +25,15 @@ func openMetadataHandle(path string, flag int) (*os.File, error) {
 	return f, nil
 }
 
+func openReadHandle(path string, flag int) (*os.File, error) {
+	f, err := os.OpenFile(path, flag, 0)
+	if err != nil {
+		return nil, err
+	}
+	_ = setFlags(f)
+	return f, nil
+}
+
 // reopenMetadataHandle reopens a handle created by openMetadataHandle for reading.
 // The caller must no longer use the original file.
 func reopenMetadataHandle(f *os.File) (*os.File, error) {
diff --git a/internal/fs/meta_windows.go b/internal/fs/meta_windows.go
index 570cca334..40f59804b 100644
--- a/internal/fs/meta_windows.go
+++ b/internal/fs/meta_windows.go
@@ -77,11 +77,18 @@ func (p *fdMetadataHandle) SecurityDescriptor() (*[]byte, error) {
 }
 
 func openMetadataHandle(path string, flag int) (*os.File, error) {
-	path = fixpath(path)
 	// OpenFile from go does not request FILE_READ_EA so we need our own low-level implementation
-	// according to the windows docs, STANDARD_RIGHTS_READ + FILE_FLAG_BACKUP_SEMANTICS disable security checks on access
+	return openCustomHandle(path, flag, windows.FILE_READ_EA|windows.FILE_READ_ATTRIBUTES|windows.STANDARD_RIGHTS_READ)
+}
+
+func openReadHandle(path string, flag int) (*os.File, error) {
+	return openCustomHandle(path, flag, windows.FILE_GENERIC_READ)
+}
+
+func openCustomHandle(path string, flag int, fileAccess int) (*os.File, error) {
+	path = fixpath(path)
+	// according to the windows docs, STANDARD_RIGHTS_READ (fileAccess) + FILE_FLAG_BACKUP_SEMANTICS disables security checks on access
 	// if the process holds the SeBackupPrivilege
-	fileAccess := windows.FILE_READ_EA | windows.FILE_READ_ATTRIBUTES | windows.STANDARD_RIGHTS_READ
 	shareMode := windows.FILE_SHARE_READ | windows.FILE_SHARE_WRITE | windows.FILE_SHARE_DELETE
 	attrs := windows.FILE_ATTRIBUTE_NORMAL | windows.FILE_FLAG_BACKUP_SEMANTICS
 	if flag&O_NOFOLLOW != 0 {