Using Efsinfo.exe to determine information about encrypted files


This article describes how to use the Efsinfo.exe utility from the Windows 2000 Resource Kit. You can use Efsinfo to determine who the designated Encrypting File System (EFS) recovery agent is for an encrypted file, and to determine who originally encrypted the file.

More Information

Efsinfo syntax

efsinfo [/u] [/r] [/c] [/i] [/y] [/s:dir] [pathname[...]] [/?]

  • /u displays encryption information about the files and folders in the current folder. This is the default option; if you run Efsinfo without switches, the same output is generated.
  • /r displays Recovery agent information.
  • /c displays certificate thumbprint information.
  • /i continues to perform the specified operation even after errors have occurred. By default, Efsinfo stops when an error is encountered.
  • /y displays the current EFS certificate thumbprint on the local computer. The files that are specified might not be on this computer. If no items are returned, there are no encrypted files on the computer.
  • /s:dir performs the specified operation on folders in the given folder and all subfolders.
  • pathname[...] specifies the path of one or more files or folders to display encryption information for.
  • /? displays command-line Help.

Using Efsinfo

To determine who the designated recovery agent is after installing the Windows 2000 Resource Kit:

  1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
  2. Use the cd (change directory) command to change to the folder that contains the encrypted file.
  3. Type efsinfo /r /u filename, where filename is the name of the file you want to check, or omit the filename parameter to report information for all the files in the current folder.

Sample Output from Efsinfo

C:\Encrypt3>efsinfo /r /c /u C:\Encrypt3\New Text Document.txt:

New Text Document.txt: Encrypted

Users who can decrypt:
MHUNTERDOMAIN\administrator (CN=administrator,L=EFS,OU=EFS File Encryption Certificate)
Certificate thumbprint: A85D 0DC1 BB76 7450 C7AE 479C F6E8 F7FD A2BF 72B4
Recovery Agents:
MHUNTERDOMAIN\administrator (OU=EFS File Encryption Certificate, L=EFS, CN=administrator)
Certificate thumbprint: 8BE0 F03F 530E AC91 B72F CB18 7735 350E 9129 2458

Only a holder of a certificate with one of the listed thumbprints can decrypt the file.

The output indicates that the New Text Document.txt file was encrypted by domain user "administrator" from domain "MHUNTERDOMAIN." The "administrator" account in domain "MHUNTERDOMAIN" is the designated EFS recovery agent for the file.

NOTE: Stand-alone Windows 2000 workstations and servers do not display the recovery agent information. The default recovery agent for all stand-alone computers is the local Administrator account.
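The following added example (not part of the original article) parses the efsinfo /r /c /u output format shown above and flags encrypted files whose recovery agent is not on an approved list, or that list no recovery agent at all (as on a stand-alone computer). The sample text is constructed to mirror the article's output; the second file, its user "jdoe" and its thumbprints are invented.

```python
import re

# Constructed sample modelled on the efsinfo /r /c /u output shown above; the
# second file (budget.xls) and its jdoe thumbprint are invented for the demo.
SAMPLE_OUTPUT = """New Text Document.txt: Encrypted
Users who can decrypt:
MHUNTERDOMAIN\\administrator (CN=administrator,L=EFS,OU=EFS File Encryption Certificate)
Certificate thumbprint: A85D 0DC1 BB76 7450 C7AE 479C F6E8 F7FD A2BF 72B4
Recovery Agents:
MHUNTERDOMAIN\\administrator (OU=EFS File Encryption Certificate, L=EFS, CN=administrator)
Certificate thumbprint: 8BE0 F03F 530E AC91 B72F CB18 7735 350E 9129 2458
budget.xls: Encrypted
Users who can decrypt:
MHUNTERDOMAIN\\jdoe (CN=jdoe,L=EFS,OU=EFS File Encryption Certificate)
Certificate thumbprint: 1111 2222 3333 4444 5555 6666 7777 8888 9999 AAAA
Recovery Agents:
MHUNTERDOMAIN\\jdoe (CN=jdoe,L=EFS,OU=EFS File Encryption Certificate)
Certificate thumbprint: 1111 2222 3333 4444 5555 6666 7777 8888 9999 AAAA
"""

FILE_RE = re.compile(r"^(?P<name>.+?): (?P<state>Encrypted|Not Encrypted)$")
PRINCIPAL_RE = re.compile(r"^(?P<account>\S+\\\S+) \((?P<dn>.*)\)$")
THUMB_RE = re.compile(r"^Certificate thumbprint: (?P<thumb>[0-9A-Fa-f ]+)$")

def parse_efsinfo(text):
    """Parse efsinfo /r /c /u output into dicts: name, encrypted, users, agents."""
    files, current, section = [], None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := FILE_RE.match(line):
            current = {"name": m["name"], "encrypted": m["state"] == "Encrypted",
                       "users": [], "agents": []}
            files.append(current)
            section = None
        elif line == "Users who can decrypt:":
            section = current["users"]
        elif line == "Recovery Agents:":
            section = current["agents"]
        elif (m := THUMB_RE.match(line)) and section:
            # The thumbprint line belongs to the principal printed just before it.
            section[-1] = (section[-1][0], m["thumb"].replace(" ", "").upper())
        elif (m := PRINCIPAL_RE.match(line)) and section is not None:
            section.append((m["account"], None))
    return files

def audit_recovery_agents(text, approved_thumbprints):
    """Encrypted files whose recovery agents are not all approved, or that list
    none at all (as on a stand-alone computer, see the NOTE above)."""
    approved = {t.replace(" ", "").upper() for t in approved_thumbprints}
    return [f["name"] for f in parse_efsinfo(text) if f["encrypted"]
            and (not f["agents"] or any(t not in approved for _, t in f["agents"]))]
```

Run efsinfo /r /c /u /s:dir over a share, save the output, and pass it with the thumbprint of your designated recovery agent; any file it returns has a recovery path you did not plan for.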

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

223316 Best practices for the Encrypting File System


Article ID: 243026 - Last Review: Mar 1, 2007 - Revision: 1