On a standalone Windows 2000 computer, the Recovery Agent is the local Administrator account.
To determine who encrytped a file, and the Recovery Agent in a domain, open a CMD prompt and use Efsinfo.exe. To use Efsinfo.exe:
1. Switch (CD) to the folder that contains the file.
2. Type efsinfo /r /u <filename>. If I type efsinfo /r /u Myfile.txt, the information returned is:
Myfile.txt: Encrypted Users who can decrypt: <DomainName>\<UserName> (CN=User Name,L=EFS,OU=EFS File Encryption Certificate) Recovery Agents: <DomainName>\EFSRecover (OU=EFS File Encryption Certificate, L=EFS, CN=EFSRecover)This output indicates that Myfile.txt was encrypted by <UserName> from domain <DomainName>. The EFSRecover account in domain <DomainName> is the designated EFS recovery agent for the file.
NOTE: If you don't specify a file name, all files in the folder are displayed.
NOTE: Efsinfo.exe is also in the Windows XP Support Tools.
NOTE: The Efsinfo syntax is:
EFSINFO \[/U\] \[/R\] \[/C\] \[/I\] \[/Y\] \[/S:dir\] \[pathname \[...\]\] /U Display user information. (Default option.) /R Display recovery agent information. /C Display certificate thumbnail information. /I Continues performing the specified operation even after errors have occurred. By default, EFSINFO stops when an error is encountered. /Y Display your current EFS certificate thumbnail on the local PC. The files you specified might not be on this PC. /S Performs the specified operation on directories in the given directory and all subdirectories.