Skip navigation

A Fast Way to Find EFS Folders and Files


Encrypting File System (EFS) has been available since NTFS 3.0 and Windows 2000. With it, you can encrypt individual files, encrypt an entire folder, or configure a folder so that all the files that users save in it will be encrypted.

In most cases, it's extremely important to find every encrypted folder and file that might reside on a computer before you do something to that computer. For example, suppose you have a server that you want to promote to a domain controller (DC). Before promoting it, you need to make sure that all encrypted folders and files have been found and dealt with. The same holds true if you're demoting a DC. (If you didn't, the Microsoft article "Unable to Recover Encrypted Files After the Domain Controller Is Demoted" can help you through this predicament.)

Another example of when you want to be completely sure you have no EFS folders or files on a computer is when you're installing some third-party encryption software. Not surprisingly, some of this software doesn't play nice with already encrypted folders or files. But what is surprising is that there are vendors out there that don't even do a preliminary check for EFS folders or files before allowing the software install to merrily proceed.

You should also know about all EFS folders and files before a file migration, before swapping out hard drives, before removing a computer from a domain, and before deleting or reseeding user profiles. A good rule of thumb is to know about all EFS folders and files before performing any invasive operation that could potentially leave the encrypted data inaccessible. By knowing about the existence (or non-existence) of EFS folders and files, you can gauge how to proceed. If you're sure no EFS folders or files exist, you can rule out needing to decrypt or export certificates and private keys before proceeding.

There are various tools available to find encrypted folders and files. I'll discuss several of them, including a VBScript script I created. But before I do, let's make sure there's at least one EFS folder and one EFS file on your computer so you can try them out.


Creating an EFS Folder and File

On your test computer, create an empty folder named EFS-Test at C:\Program Files\Common. Mark the newly created folder for EFS encryption by doing the following: right-click it, choose Properties, click the Advanced button, select the Encrypt contents to secure data check box, and click OK.

Next, create a test file named EFS-Test.txt at C:\Program Files. Mark it for EFS encryption by following the same general steps just described, except this time select the Encrypt the file only check box (see Figure 1) because the file is in an unencrypted folder.

Figure 1: Encrypting the test file
Figure 1: Encrypting the test file

Now that you have at least one EFS folder and one EFS file on your C drive, let's look at how you can find them. Specifically, I'll discuss how to use the Windows' built-in Search functionality, the EFSinfo tool, the Cipher utility, and the EFS-Find.vbs script.

Using Search

If you have lots of time on your hands or are looking for extra pain in your life, one tool you could use to find encrypted folders and files is Windows' Search functionality. By searching for *.*, you can get a list of every single folder and file on your hard drive. You then need to look through all the results for any folder or file that's highlighted in green (assuming you haven't changed the default color for EFS folders and files). I don't recommend this approach, but I wanted to mention it because you can find encrypted folders and files this way in a pinch.


Using EFSinfo

A slightly better way to find EFS folders and files is to use Microsoft's EFSinfo command-line tool. You can find it in the \Support\Tools folder on the Windows Server 2003 CD-ROM. You can use this tool to find all encrypted folders and files on your computer, but it typically produces a blizzard of information that's difficult to plow through. For example, try issuing the following command at the root of your C drive

Efsinfo /S:C:

All the filenames and folder names go blasting across your screen, so it's like looking for a needle in a haystack. You can display only those lines that contain the string ": Encrypted" by running the command

Efsinfo /S:C: | Find ": Encrypted"

Now you at least get some filtered results such as

EFS-Test.txt: Encrypted

EFS-Test: Encrypted

But, sadly, the results don't include the paths to the encrypted folders and files. (Maybe a newer version of the EFSinfo tool does, but I couldn't get the version I was using to give up this information.)


Using Cipher

A more suitable way to find encrypted folders and files is to use Cipher. This powerful command-line utility has many encryption and decryption options for managing the encryption environment. You can also use it to determine whether any encrypted files exist on your computer. For example, the command

Cipher /U /N

checks for encrypted files on your computer and displays any it finds. As these results show

Encrypted File(s) on your system:

C:\Program Files\EFS-Test.txt

the file's full path is included. However, in all the tests I conducted in Windows 7, the results didn't include the empty encrypted folder.

Using EFS-Find.vbs

When you can't get off-the-shelf tools to do exactly what you want, it's time to see what good old VBScript can do. That's how EFS-Find.vbs came into being. EFS-Find.vbs locates all encrypted folders and files on your hard disk and automatically saves their complete paths to a log file.

You can download EFS-Find.vbs by going to the top of this page and clicking on the Download the Code Here button (The file will be named Save the script to a location on your computer (in this example, C:\Test\EFS-Find.vbs), then open a command prompt window as an administer and run the command

Cscript //NOLOGO


(Although this command wraps here, you'd enter it all on one line.) The script will search all the local hard drives on your computer and report on any EFS folders and files it finds. Unlike the Cipher /U /N command, EFS-Find.vbs reports on any empty encrypted folders, as Figure 2 shows.

Figure 2: Using EFS-Find.vbs to find encrypted folders and files
Figure 2: Using EFS-Find.vbs to find encrypted folders and files

Besides displaying a summary report on screen, the script displays the log file's name, which is in the format EFS-Find-%COMPUTERNAME%.txt. This naming convention makes it easy to distinguish between different computers if you need to push the files to a central location without them being overwritten. The log file is saved to the directory specified in the %TEMP% environment variable, which is usually the current user's temporary folder.

Here's how EFS-Find.vbs works. It begins by making sure that you're a local administrator so that it can run properly. Then, for each fixed drive, it performs two checks. First, it checks each folder to see if it's encrypted. It does this by taking advantage of Windows Management Instrumentation's (WMI's) Win32_Directory class. Second, it checks each file to see if it's encrypted using WMI's CIM_DataFile class. The script writes the results to the log file, which it opens before quitting. If you aren't running the script interactively, you can disable this feature. Find the code


" _

  & strLogFileName &


and comment it out.

The script also writes information to the registry at HKLM\SOFTWARE\EFS-Find, as Figure 3 shows. That way, there's always a fixed location to query the computer about the script's status. In addition, you can be certain of the computer's encryption status on that particular date.

Figure 3: Writing information to the registry
Figure 3: Writing information to the registry

EFS-Find.vbs returns an error level that you can check if desired. Simply execute the following command in the same command prompt window you used to run the script


An error level of 10 indicates the script exited because it wasn't run under elevated permissions (i.e., as an administrator). An error level of 999 indicates at least one EFS folder or file was detected. If the script returns an error level of 0, no EFS folders or files were detected.

If the script detects EFS folders and files, you can navigate to them using the paths provided in the log file and decrypt or remove them. Afterward, you can rerun EFS-Find.vbs and the error level check to confirm that no EFS folders or files exist, as Figure 4 shows.

Figure 4: Rerunning EFS-Find.vbs to confirm that all the encrypted folders and files have been decrypted or removed
Figure 4: Rerunning EFS-Find.vbs to confirm that all the encrypted folders and files have been decrypted or removed

TAGS: Windows 7/8
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.