JSI Tip 2329. Who encrypted 'Myfile.txt' and who is the Recovery Agent?


On a standalone Windows 2000 computer, the Recovery Agent is the local Administrator account.

To determine who encrypted a file, and who the Recovery Agent is in a domain, open a CMD prompt and use Efsinfo.exe. To use Efsinfo.exe:

1. Switch (CD) to the folder that contains the file.

2. Type efsinfo /r /u <filename>. If I type efsinfo /r /u Myfile.txt, the information returned is:

   Myfile.txt: Encrypted
     Users who can decrypt:
       <DomainName>\<UserName> (CN=User Name,L=EFS,OU=EFS File Encryption Certificate)
     Recovery Agents:
       <DomainName>\EFSRecover (OU=EFS File Encryption Certificate, L=EFS, CN=EFSRecover)

This output indicates that Myfile.txt was encrypted by <UserName> from domain <DomainName>. The EFSRecover account in domain <DomainName> is the designated EFS recovery agent for the file.

NOTE: If you don't specify a file name, all files in the folder are displayed.

NOTE: Efsinfo.exe is also in the Windows XP Support Tools.

NOTE: The Efsinfo syntax is:

  EFSINFO [/U] [/R] [/C] [/I] [/Y] [/S:dir] [pathname [...]]

    /U        Display user information. (Default option.)
    /R        Display recovery agent information.
    /C        Display certificate thumbnail information.
    /I        Continues performing the specified operation even after errors
              have occurred.  By default, EFSINFO stops when an error is
              encountered.
    /Y        Display your current EFS certificate thumbnail on the local PC.
              The files you specified might not be on this PC.
    /S        Performs the specified operation on directories in the given
              directory and all subdirectories.
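
When efsinfo /r /u is run over a whole folder, its output can be saved to a file and checked for encrypted files whose recovery agent is not the one you expect. The following is an added example, not part of the original tip or of Efsinfo itself. It assumes multi-file output repeats the single-file layout shown above and that unencrypted files are reported as "Not Encrypted"; the sample text and all account names are constructed.

```python
import re

# Constructed sample in the layout of the tip's efsinfo /r /u output.
# The "Not Encrypted" line and every account name here are assumptions.
SAMPLE = """\
Myfile.txt: Encrypted
  Users who can decrypt:
    CORP\\alice (CN=alice,L=EFS,OU=EFS File Encryption Certificate)
  Recovery Agents:
    CORP\\EFSRecover (OU=EFS File Encryption Certificate, L=EFS, CN=EFSRecover)
Notes.txt: Not Encrypted
Budget.xls: Encrypted
  Users who can decrypt:
    CORP\\bob (CN=bob,L=EFS,OU=EFS File Encryption Certificate)
  Recovery Agents:
    LAPTOP7\\Administrator (OU=EFS File Encryption Certificate, L=EFS, CN=Administrator)
"""

# A file line starts in column 0; account lines are indented under a section header.
FILE_LINE = re.compile(r"^(?P<name>\S.*?):\s*(?P<state>Not Encrypted|Encrypted)\s*$", re.I)
ACCOUNT = re.compile(r"^\s+(?P<acct>[^\s(][^(]*?)\s*\((?P<dn>.*)\)\s*$")

def parse_efsinfo(text):
    """Return {filename: {"encrypted": bool, "users": [...], "agents": [...]}}."""
    files, current, section = {}, None, None
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            current = {"encrypted": m["state"].lower() == "encrypted", "users": [], "agents": []}
            files[m["name"]] = current
            section = None
        elif current is None:
            continue  # banner or blank lines before the first file entry
        elif line.strip().lower().startswith("users who can decrypt"):
            section = "users"
        elif line.strip().lower().startswith("recovery agents"):
            section = "agents"
        elif section and (a := ACCOUNT.match(line)):
            current[section].append(a["acct"])
    return files

def unexpected_agents(files, approved):
    """Encrypted files whose recovery agents are missing or not in the approved set."""
    approved = {a.lower() for a in approved}
    return {name: info["agents"] for name, info in files.items()
            if info["encrypted"] and
            (not info["agents"] or any(a.lower() not in approved for a in info["agents"]))}

if __name__ == "__main__":
    print(unexpected_agents(parse_efsinfo(SAMPLE), {"CORP\\EFSRecover"}))
```

A file flagged with a local Administrator account as its recovery agent, as in the constructed Budget.xls entry, is what you would see for a file encrypted on a standalone computer rather than under the domain recovery policy.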
