certificate - Backup EFS encryption key generated, but no encrypted files? Track what caused the key creation

06
2014-04
  • 0xC0000022L

    In "I started getting a weird message 'Encrypting file system - Back up your file encryption key'" a user experiences a prompt that I also experienced yesterday for the first time.

    Now the question: what causes the prompt if cipher /u /n (as admin) doesn't find any encrypted files? I.e. what caused a key to be generated in the first place? Is there a way to track that down? (also see EFS - Find out what's encrypted)


    NB: I am not interested in why I get the EFS prompt, but rather what causes the key to be generated, if no encrypted files seem to exist on the system and I haven't used EFS consciously myself.

  • Answers

    Related Question

    windows vista - EFS - Find out what's encrypted
  • gsharp

    For a few days now, when I start Windows Vista I get a popup from "Encrypting File System" (coming from process efsui.exe) asking me to back up the certificate and key.

    I don't know what I did to get this message (the last software I installed was Google Desktop).

    Now I'm wondering what directories or files are encrypted with EFS. Is there a way to find out?

    Thanks for your help.


  • Related Answers
  • slhck

    You can try using this batch file:

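    @echo off
    cls
    
    :: Set the variables - Use Quotes "" if there are spaces in the source or log path
    set log_path=C:\EFS_Find
    
    :: Create the log folder if it does not exist yet, so the redirects below succeed
    if not exist %log_path% mkdir %log_path%
    
    :: Find Encrypted Files (the /s switch takes the path after a colon, with no space)
    cipher /s:C:\ | findstr "^.E" >> %log_path%\found.txt && echo:Encrypted files found
    
    :: Find Hidden Files
    attrib /s C:\ 2>nul | findstr "^....H" >> %log_path%\found.txt && echo:Hidden files found
    
    pause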
    

    This batch file will scan your C:\ drive for all EFS encrypted files (and also hidden files), echo on the screen every time it finds one, and record all instances of encrypted files found into C:\EFS_Find\found.txt.

    For a command-line approach to finding just encrypted files, you can type at the command line:

    cipher /s:C:\ | findstr "^.E" >> C:\efs_found.txt && echo:Encrypted files found

    This will search your entire C:\ drive for encrypted files, and dump it into C:\efs_found.txt.

    Modified from the solution found here.

    To disable EFS on your Vista system, I refer you to the link here:

    How to Disable or Enabled EFS Encryption in Vista

  • Sathya

    gsharp is correct, the syntax to display all EFS encrypted files on drive C: is

    cipher /s:c:\ |findstr "^E"
    

    Pay attention to the pipe character, which is usually found on the \ key. The findstr command ^E looks for the E at the beginning of the line. Also pay attention that the /s has a colon after it and the drive letter, all with no spaces.

    The downside is that only the filenames are returned; there is no directory structure provided.

  • Frank Thomas

    For Win7 users: I just had the same problem (someone sent me a zip file prepared on a Mac, that for some reason encrypted itself on decompression), and I started to get the EFS key backup prompt.

    cipher /s:c:\ |findstr "^E"
    

    and its variants returned no information.

    However, I was able to find the encrypted directories with:

    cipher /u
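
The cipher /s pipelines in the answers above return only file names, with no directory. The following is an added example, not part of any answer on this page: it parses saved cipher /s output and rebuilds full paths from the " Listing <directory>" header that precedes each group of entries. The output layout (English-language Windows) and the sample paths are assumptions, and the sample text is constructed.

```python
import re

# Constructed sample of `cipher /s:C:\Users\alice` output. Assumed layout:
# a " Listing <dir>" header per directory, then one line per entry that
# starts with E (encrypted) or U (unencrypted).
SAMPLE = r"""
 Listing C:\Users\alice\
 New files added to this directory will not be encrypted.

U Desktop
U Documents

 Listing C:\Users\alice\Documents\
 New files added to this directory will not be encrypted.

U notes.txt
E Imported

 Listing C:\Users\alice\Documents\Imported\
 New files added to this directory will be encrypted.

E report.docx
E Elephant.png
"""

LISTING = re.compile(r"^\s*Listing\s+(.+?)\s*$")
# Require whitespace after the flag so only "E <name>" status lines match,
# not arbitrary lines that merely begin with the letter E.
ENTRY = re.compile(r"^([EU])\s+(.+?)\s*$")

def encrypted_paths(cipher_output):
    """Return full paths of entries flagged E, using the preceding Listing header."""
    current_dir = None
    found = []
    for line in cipher_output.splitlines():
        header = LISTING.match(line)
        if header:
            current_dir = header.group(1)
            continue
        entry = ENTRY.match(line)
        if entry and entry.group(1) == "E":
            name = entry.group(2)
            if current_dir is None:
                found.append(name)  # no header seen yet: keep the bare name
            else:
                found.append(current_dir.rstrip("\\") + "\\" + name)
    return found

if __name__ == "__main__":
    for path in encrypted_paths(SAMPLE):
        print(path)
```

To use it on a real system, redirect the cipher output to a file and pass the file's contents to encrypted_paths.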