1) Using Search
If you have lots of time on your hands or are looking for extra pain in your life, one tool you could use to find encrypted folders and files is Windows' Search functionality. By searching for *.*, you can get a list of every single folder and file on your hard drive. You then need to look through all the results for any folder or file that's highlighted in green (assuming you haven't changed the default color for EFS folders and files).
2) Using EFSinfo
A slightly better way to find EFS folders and files is to use Microsoft's EFSinfo command-line tool. You can find it in the \Support\Tools folder on the Windows Server 2003 CD-ROM. You can use this tool to find all encrypted folders and files on your computer, but it typically produces a blizzard of information that's difficult to plow through. For example, try issuing the following command at the root of your C drive
Efsinfo /S:C:
All the filenames and folder names go blasting across your screen, so it's like looking for a needle in a haystack. You can display only those lines that contain the string ": Encrypted" by running the command
Efsinfo /S:C: Find ": Encrypted"
Now you at least get some filtered results such as
EFS-Test.txt: Encrypted
EFS-Test: Encrypted
But, sadly, the results don't include the paths to the encrypted folders and files. (Maybe a newer version of the EFSinfo tool does, but I couldn't get the version I was using to give up this information.)
3) Using Cipher
A more suitable way to find encrypted folders and files is to use Cipher. This powerful command-line utility has many encryption and decryption options for managing the encryption environment. You can also use it to determine whether any encrypted files exist on your computer. For example, the command
Cipher /U /N
checks for encrypted files on your computer and displays any it finds. As these results show
Encrypted File(s) on your system:
C:\Program Files\EFS-Test.txt
the file's full path is included. However, in all the tests I conducted in Windows 7, the results didn't include the empty encrypted folder.
4) Using EFS-Find.vbs
When you can't get off-the-shelf tools to do exactly what you want, it's time to see what good old VBScript can do. That's how EFS-Find.vbs came into being. EFS-Find.vbs locates all encrypted folders and files on your hard disk and automatically saves their complete paths to a log file.
You can download EFS-Find.vbs by going to the Link (http://www.windowsitpro.com/article/security/A-Fast-Way-to-Find-EFS-Folders-and-Files/3.aspx) and clicking on the Download the Code Here button (The file will be named 129393.zip). Save the script to a location on your computer (in this example, C:\Test\EFS-Find.vbs), then open a command prompt window as an administer and run the command
Cscript //NOLOGO C:\Test\EFS-Find.vbs
The script will search all the local hard drives on your computer and report on any EFS folders and files it finds. Unlike the Cipher /U /N command, EFS-Find.vbs reports on any empty encrypted folders.
Besides displaying a summary report on screen, the script displays the log file's name, which is in the format EFS-Find-%COMPUTERNAME%.txt. This naming convention makes it easy to distinguish between different computers if you need to push the files to a central location without them being overwritten. The log file is saved to the directory specified in the %TEMP% environment variable, which is usually the current user's temporary folder.
Here's how EFS-Find.vbs works. It begins by making sure that you're a local administrator so that it can run properly. Then, for each fixed drive, it performs two checks. First, it checks each folder to see if it's encrypted. It does this by taking advantage of Windows Management Instrumentation's (WMI's) Win32_Directory class. Second, it checks each file to see if it's encrypted using WMI's CIM_DataFile class. The script writes the results to the log file, which it opens before quitting. If you aren't running the script interactively, you can disable this feature. Find the code
objShell.Run
" _
& strLogFileName &
"
and comment it out.
The script also writes information to the registry at HKLM\SOFTWARE\EFS-Find. That way, there's always a fixed location to query the computer about the script's status. In addition, you can be certain of the computer's encryption status on that particular date.
EFS-Find.vbs returns an error level that you can check if desired. Simply execute the following command in the same command prompt window you used to run the script
ECHO %ERRORLEVEL%
An error level of 10 indicates the script exited because it wasn't run under elevated permissions (i.e., as an administrator). An error level of 999 indicates at least one EFS folder or file was detected. If the script returns an error level of 0, no EFS folders or files were detected.
If the script detects EFS folders and files, you can navigate to them using the paths provided in the log file and decrypt or remove them. Afterward, you can rerun EFS-Find.vbs and the error level check to confirm that no EFS folders or files exist.
If you have lots of time on your hands or are looking for extra pain in your life, one tool you could use to find encrypted folders and files is Windows' Search functionality. By searching for *.*, you can get a list of every single folder and file on your hard drive. You then need to look through all the results for any folder or file that's highlighted in green (assuming you haven't changed the default color for EFS folders and files).
2) Using EFSinfo
A slightly better way to find EFS folders and files is to use Microsoft's EFSinfo command-line tool. You can find it in the \Support\Tools folder on the Windows Server 2003 CD-ROM. You can use this tool to find all encrypted folders and files on your computer, but it typically produces a blizzard of information that's difficult to plow through. For example, try issuing the following command at the root of your C drive
Efsinfo /S:C:
All the filenames and folder names go blasting across your screen, so it's like looking for a needle in a haystack. You can display only those lines that contain the string ": Encrypted" by running the command
Efsinfo /S:C: Find ": Encrypted"
Now you at least get some filtered results such as
EFS-Test.txt: Encrypted
EFS-Test: Encrypted
But, sadly, the results don't include the paths to the encrypted folders and files. (Maybe a newer version of the EFSinfo tool does, but I couldn't get the version I was using to give up this information.)
3) Using Cipher
A more suitable way to find encrypted folders and files is to use Cipher. This powerful command-line utility has many encryption and decryption options for managing the encryption environment. You can also use it to determine whether any encrypted files exist on your computer. For example, the command
Cipher /U /N
checks for encrypted files on your computer and displays any it finds. As these results show
Encrypted File(s) on your system:
C:\Program Files\EFS-Test.txt
the file's full path is included. However, in all the tests I conducted in Windows 7, the results didn't include the empty encrypted folder.
4) Using EFS-Find.vbs
When you can't get off-the-shelf tools to do exactly what you want, it's time to see what good old VBScript can do. That's how EFS-Find.vbs came into being. EFS-Find.vbs locates all encrypted folders and files on your hard disk and automatically saves their complete paths to a log file.
You can download EFS-Find.vbs by going to the Link (http://www.windowsitpro.com/article/security/A-Fast-Way-to-Find-EFS-Folders-and-Files/3.aspx) and clicking on the Download the Code Here button (The file will be named 129393.zip). Save the script to a location on your computer (in this example, C:\Test\EFS-Find.vbs), then open a command prompt window as an administer and run the command
Cscript //NOLOGO C:\Test\EFS-Find.vbs
The script will search all the local hard drives on your computer and report on any EFS folders and files it finds. Unlike the Cipher /U /N command, EFS-Find.vbs reports on any empty encrypted folders.
Besides displaying a summary report on screen, the script displays the log file's name, which is in the format EFS-Find-%COMPUTERNAME%.txt. This naming convention makes it easy to distinguish between different computers if you need to push the files to a central location without them being overwritten. The log file is saved to the directory specified in the %TEMP% environment variable, which is usually the current user's temporary folder.
Here's how EFS-Find.vbs works. It begins by making sure that you're a local administrator so that it can run properly. Then, for each fixed drive, it performs two checks. First, it checks each folder to see if it's encrypted. It does this by taking advantage of Windows Management Instrumentation's (WMI's) Win32_Directory class. Second, it checks each file to see if it's encrypted using WMI's CIM_DataFile class. The script writes the results to the log file, which it opens before quitting. If you aren't running the script interactively, you can disable this feature. Find the code
objShell.Run
" _
& strLogFileName &
"
and comment it out.
The script also writes information to the registry at HKLM\SOFTWARE\EFS-Find. That way, there's always a fixed location to query the computer about the script's status. In addition, you can be certain of the computer's encryption status on that particular date.
EFS-Find.vbs returns an error level that you can check if desired. Simply execute the following command in the same command prompt window you used to run the script
ECHO %ERRORLEVEL%
An error level of 10 indicates the script exited because it wasn't run under elevated permissions (i.e., as an administrator). An error level of 999 indicates at least one EFS folder or file was detected. If the script returns an error level of 0, no EFS folders or files were detected.
If the script detects EFS folders and files, you can navigate to them using the paths provided in the log file and decrypt or remove them. Afterward, you can rerun EFS-Find.vbs and the error level check to confirm that no EFS folders or files exist.
0 comments:
Post a Comment