Skip to main content

How to Search EFS Files and Folders?

1) Using Search

If you have lots of time on your hands or are looking for extra pain in your life, one tool you could use to find encrypted folders and files is Windows' Search functionality. By searching for *.*, you can get a list of every single folder and file on your hard drive. You then need to look through all the results for any folder or file that's highlighted in green (assuming you haven't changed the default color for EFS folders and files).
2) Using EFSinfo

A slightly better way to find EFS folders and files is to use Microsoft's EFSinfo command-line tool. You can find it in the \Support\Tools folder on the Windows Server 2003 CD-ROM. You can use this tool to find all encrypted folders and files on your computer, but it typically produces a blizzard of information that's difficult to plow through. For example, try issuing the following command at the root of your C drive

Efsinfo /S:C:

All the filenames and folder names go blasting across your screen, so it's like looking for a needle in a haystack. You can display only those lines that contain the string ": Encrypted" by running the command

Efsinfo /S:C:  Find ": Encrypted"

Now you at least get some filtered results such as
EFS-Test.txt: Encrypted
EFS-Test: Encrypted

But, sadly, the results don't include the paths to the encrypted folders and files. (Maybe a newer version of the EFSinfo tool does, but I couldn't get the version I was using to give up this information.)

3) Using Cipher

A more suitable way to find encrypted folders and files is to use Cipher. This powerful command-line utility has many encryption and decryption options for managing the encryption environment. You can also use it to determine whether any encrypted files exist on your computer. For example, the command

Cipher /U /N

checks for encrypted files on your computer and displays any it finds. As these results show
Encrypted File(s) on your system:

C:\Program Files\EFS-Test.txt

the file's full path is included. However, in all the tests I conducted in Windows 7, the results didn't include the empty encrypted folder.

4) Using EFS-Find.vbs

When you can't get off-the-shelf tools to do exactly what you want, it's time to see what good old VBScript can do. That's how EFS-Find.vbs came into being. EFS-Find.vbs locates all encrypted folders and files on your hard disk and automatically saves their complete paths to a log file.

You can download EFS-Find.vbs by going to the Link ( and clicking on the Download the Code Here button (The file will be named Save the script to a location on your computer (in this example, C:\Test\EFS-Find.vbs), then open a command prompt window as an administer and run the command

Cscript //NOLOGO C:\Test\EFS-Find.vbs

The script will search all the local hard drives on your computer and report on any EFS folders and files it finds. Unlike the Cipher /U /N command, EFS-Find.vbs reports on any empty encrypted folders.

Besides displaying a summary report on screen, the script displays the log file's name, which is in the format EFS-Find-%COMPUTERNAME%.txt. This naming convention makes it easy to distinguish between different computers if you need to push the files to a central location without them being overwritten. The log file is saved to the directory specified in the %TEMP% environment variable, which is usually the current user's temporary folder.

Here's how EFS-Find.vbs works. It begins by making sure that you're a local administrator so that it can run properly. Then, for each fixed drive, it performs two checks. First, it checks each folder to see if it's encrypted. It does this by taking advantage of Windows Management Instrumentation's (WMI's) Win32_Directory class. Second, it checks each file to see if it's encrypted using WMI's CIM_DataFile class. The script writes the results to the log file, which it opens before quitting. If you aren't running the script interactively, you can disable this feature. Find the code


" _

& strLogFileName &


and comment it out.

The script also writes information to the registry at HKLM\SOFTWARE\EFS-Find. That way, there's always a fixed location to query the computer about the script's status. In addition, you can be certain of the computer's encryption status on that particular date.

EFS-Find.vbs returns an error level that you can check if desired. Simply execute the following command in the same command prompt window you used to run the script


An error level of 10 indicates the script exited because it wasn't run under elevated permissions (i.e., as an administrator). An error level of 999 indicates at least one EFS folder or file was detected. If the script returns an error level of 0, no EFS folders or files were detected.

If the script detects EFS folders and files, you can navigate to them using the paths provided in the log file and decrypt or remove them. Afterward, you can rerun EFS-Find.vbs and the error level check to confirm that no EFS folders or files exist.


Popular posts from this blog

How to schedule an Automatic Reboot of WatchGuard Firebox?

We have a Customer who having some issues with the WatchGuard Firewall,
We want to schedule a Reboot of the Firebox Each morning at 04:30AM so that when customer arrive in the office he would not face any problem.
For this :
1) Click on WatchGuard Firebox ICON (You may be having a Shortcut on your Desktop)
2) Give the Password to connect to Concern Firewall
3) Once you Connected, Go to File > Connect to Device > Choose the Firewall IP and Click on Connect. It may ask for the password, Please provide that.
4) Once you connected it will show you the Firewall with all the configuration.
5) Right Click on it and Go to Policy manager > When Policy manager Open, Click on "Setup" and then "Global Settings", At the Last you will found an option to define the time when you want a Schedule Reboot.

After making the change, Don't forget to make it Save in the Firewall Config File.

ShadowProtect:Cannot Consolidate:Keyfile not found

We have ShadowProtect MSP version installed on a Server. We are using the StorageCraft Image Manager to consolidate and Verify the image. We found that we are getting Error "Cannot Consolidate:XXXXXX.spi Keyfile not found
We checked and found that everything is correct.
Finally when we contacted the StorageCraft team they suggest us to create a Key file from C:\PrgramFiles\StorageCraft\Keymaker.exe
Run this EXE, Use the Password (Any password which you can remember), Browse the Same file (Which is in the Error),After selection give the extention .spk and save it.
Refresh the Image manager (Restart the service) and Check.
It will be resolved.

For details follow this article.

"Options" option not working on OWA (Outlook Web Access)

When we opening a OWA and Going to options to change the password/Configure the Out of Office or something else, We are getting logged out.


To resolve this you must have to connect to your Exchange Server.
Go to EMC > Server Configuration > Exchange Control Panel > ECP > Properties. Made the change the ECP Settings (changed from Use Form based authentication to Basic Authentication). It will work now.