Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET

Quickly Check Which User Encrypted a File

How can I easily discover who’s the user that encrypted a file?

The Windows Explorer user interface (UI) shows which files are encrypted but not who encrypted them, causing a lot of confusion when trying to access specific files needed by other users. As an administrator, you could rectify the situation by decrypting the files. But wouldn’t you like to know the identity of the dastard that caused the trouble?

The Windows 2000 Resource Kit includes the tool Efsinfo.exe, which you can use to view information about the recovery agent accounts. You can use Efsinfo to verify what recovery accounts are current for an encrypted file.

To determine who the designated recovery agent is after installing the Windows 2000 Resource Kit:

Sponsored Content

Say Goodbye to Traditional PC Lifecycle Management

Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.

  1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
  2. Use the cd (change directory) command to change to the folder that contains the encrypted file.
  3. Type efsinfo /r /u filename, where filename is the name of the file you want to check. Or, leave the filename parameter off to report information for all the files in the current folder.

Sample Output from Efsinfo

EFSINFO /r /u Myfile.doc

Myfile.doc: Encrypted
Users who can decrypt:
DOMAINNAME\Username (CN=User Name,L=EFS,OU=EFS File Encryption Certificate)
Recovery Agents:
DOMAINNAME\EFSRecover (OU=EFS File Encryption Certificate, L=EFS, CN=EFSRecover)

The output indicates that the Myfile.doc file was encrypted by domain user “Username” from domain “Domainname.” The “EFSRecover” account in domain “Domainname” is the designated EFS recovery agent for the file.

For example:

Note: Stand-alone Windows 2000 workstations and servers do not display the recovery agent information. The default recovery agent for all stand-alone computers is the local Administrator account.

You can download Efsinfo from the Download Free Windows 2000 Resource Kit Tools page.

Related articles

You might also want to read the following related articles:

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by: