certificate - Backup EFS encryption key generated, but no encrypted files? Track what caused the key creation
2014-04
In 'I started getting a weird message "Encrypting file system - Back up your file encryption key"', a user experiences a prompt that I also experienced yesterday for the first time.
Now the question: what causes the prompt if cipher /u /n (as admin) doesn't find any encrypted files? I.e. what caused a key to be generated in the first place? Is there a way to track that down? (also see EFS - Find out what's encrypted)
NB: I am not interested in why I get the EFS prompt, but rather what causes the key to be generated, if no encrypted files seem to exist on the system and I haven't used EFS consciously myself.
Since a few days, when I start Windows Vista I get a popup from "Encrypting File System" (coming from process efsui.exe) asking me to back up the certificate and key.
I don't know what I did to get this message (the last SW I did install was Google Desktop).
Now I'm wondering what directories or files are encrypted with EFS. Is there a way to find out?
Thanks for your help.
You can try using this batch file:
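@echo off
cls
:: Set the variables - Use Quotes "" if there are spaces in the source or log path
set log_path=C:\EFS_Find
:: Create the log folder if it does not exist yet
if not exist %log_path% mkdir %log_path%
:: Find Encrypted Files (cipher needs the colon in /s: and marks encrypted entries with a leading E)
cipher /s:C:\ | findstr "^E" >> %log_path%\found.txt && echo:Encrypted files found
:: Find Hidden Files (the pattern matches an H in the fifth column of attrib output)
attrib /s C:\ 2>nul | findstr "^....H" >> %log_path%\found.txt && echo:Hidden files found
pause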
This batch file will scan your C:\ drive for all EFS encrypted files (and also hidden files), echo on the screen every time it finds one, and record all instances of encrypted files found into C:\EFS_Find\found.txt.
For a command-line approach to finding just encrypted files, you can type at the command line:
cipher /s:C:\ | findstr "^E" >> C:\efs_found.txt && echo:Encrypted files found
This will search your entire C:\ drive for encrypted files, and dump it into C:\efs_found.txt.
Modified from the solution found here.
To disable EFS on your Vista system, I refer you to the link here:
gsharp is correct, the syntax to display all EFS encrypted files on drive C: is
cipher /s:c:\ |findstr "^E"
Pay attention to the pipe character, which is usually found on the \ key. The findstr command ^E looks for the E at the beginning of the line. Also pay attention that the /s has a colon after it and the drive letter, all with no spaces.
The downside is only the filenames are returned, there is no directory structure provided.
For Win7 users: I just had the same problem (someone sent me a zip file prepared on a Mac, that for some reason encrypted itself on decompression), and I started to get the EFS key backup prompt.
cipher /s:c:\ |findstr "^E"
and its variants returned no information.
However, I was able to find the encrypted directories with:
cipher /u
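
As an added example (not part of any answer in the thread): a PowerShell alternative to the cipher | findstr pipeline that prints full paths instead of bare file names, and also lists the current user's EFS certificates so their NotBefore time can be compared with file timestamps. The C:\ scan root and reading NotBefore as roughly the time the key was generated are assumptions.

```powershell
# Added example, not code from the thread. Assumptions: the scan root C:\ and
# reading the current user's certificate store; run it as the affected user.
param([string]$Root = 'C:\')

$encryptedFlag = [System.IO.FileAttributes]::Encrypted

# 1. Every file or folder carrying the NTFS Encrypted attribute, with full path.
#    -Force includes hidden and system items; unreadable folders are skipped,
#    so an elevated prompt covers more of the drive.
$items = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $encryptedFlag) -ne 0 } |
    Select-Object FullName, CreationTime, LastWriteTime,
        @{ Name = 'IsFolder'; Expression = { $_.PSIsContainer } }

# 2. Certificates in the user's Personal store whose Enhanced Key Usage
#    extension (OID 2.5.29.37) lists Encrypting File System
#    (OID 1.3.6.1.4.1.311.10.3.4).
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$certs = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })
} | Select-Object Subject, Thumbprint, NotBefore, HasPrivateKey

# NotBefore is the start of the certificate's validity; treating it as the
# approximate key creation time is an assumption (self-generated EFS cert).
'EFS certificates in the current user store:'
$certs | Sort-Object NotBefore | Format-Table -AutoSize | Out-String

# Items created close to a certificate's NotBefore are the first candidates
# for whatever triggered the key generation.
"Encrypted items under ${Root}:"
$items | Sort-Object CreationTime | Format-Table -AutoSize | Out-String
```

If the certificate list is non-empty but no encrypted items are found, the file that triggered key generation may since have been deleted or may sit in a folder the scanning account cannot read.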