Find and check EFS encrypted files

I need a quick and easy way (or a script) to find EFS encrypted files on my computer. I got a prompt after downloading an image, and I'm wondering why I got this prompt so soon after downloading the image; suspicious, much? Anyway, I'm running a Defender scan, going to run a Malwarebytes scan, and looking for an easy way to track down the cause.

I know I can get the access rules with EFSDump: 

https://docs.microsoft.com/en-us/sysinternals/downloads/efsdump

I just need to find the files. Does anyone know of a way to do this? Or is this an MSDN question?

A valid reason for this is that the image I downloaded was encrypted or something like that. Alternatively it had a payload. I need to find this payload and stop it, if it exists, or, even better, whatever caused the EFS popup, if the image was not responsible.

Processes showed nothing eye-catching, services looked typical, and I already deleted the image. I'm running Defender, I'm planning on running Malwarebytes, and I'm looking for other options to find and mitigate whatever the cause of this is. Any help you can give is welcome (including any and all troubleshooting tips and analysis techniques).


See if this does the trick:

https://www.tenforums.com/tutorials/77325-find-all-encrypted-files-windows-10-a.html

GreginMich

Did this with the SYSTEM account and my user account and found nothing. Strange... or not; I'm not sure how that command works, but the way that article is written it seems to only work for files you own. I want to find all files owned by anyone, or any part of the system. I could try doing it with runas, but... which accounts do I use? There is always the possibility that it's nothing and there are not any encrypted files, but I want to make sure. Getting a popup like this, better safe than sorry. But a better question is: what ransomware would use Microsoft's built-in encryption software to encrypt things?

I also checked net users, and there are no strange accounts there, so it wouldn't be hidden via another user account. I saw "defaultuser0", though, but that is reportedly linked to the Windows install. It's also disabled, password protected and was last logged onto on 12/1/2017, so not likely.

Call me Darth
Only Computers can call me Sidious.


The cipher command line is documented here:

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cipher

Also see this documentation:

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior

But I don’t have any experience with these command line options, and can’t provide any support for them.

Windows Defender users have the option of enabling Controlled Folder Access when they get the jitters about ransomware – although no one should be waiting for “warning signs” with this menace, because the only warning normally comes in the form of a ransom note after the damage is done:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard

If your third-party AV app doesn’t include any ransomware protection, then you might want to consider uninstalling it temporarily, since this will automatically enable Windows Defender and allow you to turn on CFA:

https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise/

https://www.microsoft.com/en-us/wdsi/threats/ransomware

https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/stopping-ransomware-where-it-counts-protecting-your-data-with-controlled-folder-access/

GreginMich
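Since the original question asks for a script, and the follow-up reply worries that the linked tutorial's command only reports files the current user owns, here is an added example (not code from this thread or from Microsoft) that enumerates every file carrying the NTFS Encrypted attribute on the chosen drives and records the owner of each. The attribute is set by the file system for any EFS-protected file, whoever holds the key, so an elevated scan covers other users' profiles without needing their credentials. The drive list and report path are assumed defaults.

```powershell
# Added example: list all EFS-encrypted files on the given drives, with owner.
# Run from an elevated PowerShell prompt (Run as administrator) so other users'
# profiles and system folders are readable; folders that still deny access are
# counted and reported instead of being skipped silently.
# $Drives and $ReportPath are assumed defaults, not values from the thread.
param(
    [string[]]$Drives = @('C:\'),
    [string]$ReportPath = "$env:USERPROFILE\Desktop\efs-files.csv"
)

$encFlag    = [System.IO.FileAttributes]::Encrypted
$results    = New-Object 'System.Collections.Generic.List[object]'
$scanErrors = @()

foreach ($root in $Drives) {
    # -Force includes hidden and system files; -Attributes Encrypted lets the
    # FileSystem provider do the filtering, so only matching files are returned.
    Get-ChildItem -Path $root -Recurse -Force -File -Attributes Encrypted `
        -ErrorAction SilentlyContinue -ErrorVariable +scanErrors |
    ForEach-Object {
        # Re-check the flag on the object itself before recording it.
        if (($_.Attributes -band $encFlag) -eq $encFlag) {
            $owner = try { (Get-Acl -LiteralPath $_.FullName).Owner } catch { '<unreadable>' }
            $results.Add([pscustomobject]@{
                Path          = $_.FullName
                Owner         = $owner
                SizeBytes     = $_.Length
                LastWriteTime = $_.LastWriteTime
            })
        }
    }
}

# Access-denied errors mean a folder was not scanned; anything else is noise.
$denied = @($scanErrors | Where-Object {
    $_.Exception -is [System.UnauthorizedAccessException]
})

$results | Sort-Object Owner, Path |
    Export-Csv -NoTypeInformation -LiteralPath $ReportPath

Write-Host ("Encrypted files found : {0}" -f $results.Count)
Write-Host ("Folders access denied : {0}" -f $denied.Count)
Write-Host ("Report written to     : {0}" -f $ReportPath)

# Summary by owner: a cluster of recently modified EFS files under one account
# that normally has none is the thing worth looking at.
$results | Group-Object Owner |
    Select-Object @{n='Owner';e={$_.Name}}, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize

if ($denied.Count -gt 0) {
    Write-Host 'Unscanned folders (re-run elevated or grant Backup Operators):'
    $denied | ForEach-Object { $_.TargetObject } | Sort-Object -Unique
}
```

A count of zero with no access-denied folders is a stronger "nothing here" than a scan run as one user, because the attribute check needs no EFS key. The cipher reference linked above documents `cipher /u /n` as the built-in way to touch and list encrypted files on local drives; running both and comparing the lists is a cheap cross-check, and any file the script reports that `cipher` does not (or vice versa) is worth a second look.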


@GreginMich

So according to that documentation, Cipher should find any and all encrypted files associated with it. Thus my system shouldn't have any encrypted files on it, and since Malwarebytes and Windows Defender didn't find anything, I feel that for now I'm safe. Thanks for the help, but I still can't figure out why a popup like that would be shown, unless the image that I downloaded was encrypted or something. If anything is wrong I can't figure out what.

Thanks

Darth

Call me Darth
Only Computers can call me Sidious.

Last updated April 19, 2025. Views: 3,827.