7

Since a few days when I start Windows Vista i get a Popup from "Encrypting File System" (coming from process efsui.exe) asking me to backup the certificate and key.

I don't know what i did to get this message (The last SW i did install was google desktop).

Now i'm wondering what directories or file are encrypted with EFS. Is there a way to found out?

Thanks for your help.

gsharp
  • 1,046
  • 1
  • 13
  • 25

3 Answers3

8

You can trying using this batch file :

@echo off
cls

:: Set the varibles - Use Quotes "" if there are spaces in the source or log path
set log_path=C:\EFS_Find

:: Find Encrypted Files
cipher /s C:\ | findstr "^.E" >> %log_path%\found.txt && echo:Encrypted files found"

:: Find Hidden Files
attrib /s C:\ 2>nul | findstr "^....H" >> %log_path%\found.txt && echo:Hidden files found"  

pause

This batch file will scan your C:\ drive for all EFS encrypted files (and also hidden files), echo on the screen every time it finds one, and record all instances of encrypted files found into C:\EFS_Find\found.txt.

For a command-line approach to finding just encrypted files, you can type in the command-line :

cipher /s:C:\ | findstr "^.E" >> C:\efs_found.txt && echo:Encrypted files found"

This will search your entire C:\ drive for encrypted files, and dump it into C:\efs_found.txt.

Modified from the solution found here.

To disable EFS on your Vista system, I refer you to the link here :

How to Disable or Enabled EFS Encryption in Vista

slhck
  • 223,558
  • 70
  • 607
  • 592
caliban
  • 20,053
  • 5
  • 51
  • 62
  • The command listed here is incorrect (at least in win7). It should be: >cipher /s:C:\ /h | findstr "^.E" >> C:\efs_found.txt && echo:"Encrypted files found" Notice the colon after the /s. –  Jul 15 '12 at 12:04
3

gsharp is correct, the syntax to display all EFS encrypted files on drive C: is

cipher /s:c:\ |findstr "^E"

Pay attention to the pipe character, which is usually found on the \ key. The findstr command ^E looks for the E at the beginning of the line. Also pay attention that the /s has a colon after it and the drive letter, all with no spaces.

The downside is only the filenames are returned, there is no directory structure provided.

Sathyajith Bhat
  • 61,504
  • 38
  • 179
  • 264
chris
  • 31
  • 1
0

For Win7 users: I just had the same problem, (someone sent me a zip file prepared on a mac, that for some reason encrypted itself on decompression), and I started to get the EFS Key backup prompt.

cipher /s:c:\ |findstr "^E"

and its variants returned no information.

however I was able to find the encrypted directories with:

cipher /u
Frank Thomas
  • 35,097
  • 3
  • 77
  • 98