Published: May 29, 2007
This chapter will help you understand how the Microsoft® Encrypting File System
Assistant (EFS Assistant) tool operates as well as how it determines which files
and folders to encrypt.
To understand how the EFS Assistant operates, you need to understand some basic
concepts about how it classifies and encrypts folders. This section presents some
details about these concepts.
The EFS Assistant tool operates primarily on the folder level, encrypting folders
and all the files in them. It scans the folder tree, looking for folders that should
be encrypted in a process known as folder classification.
A folder can be classified in one of three ways:
- Red. The tool determined that the folder should not be encrypted.
- Green. The tool determined that the folder should be encrypted.
- Unclassified. The tool was unable to determine whether the folder should
A folder that is classified as Red does not mean that it cannot be encrypted. It
just means that the EFS Assistant will not try to encrypt it. It's possible that
the folder could be encrypted through other means (for example, the user encrypted
the folder from the Microsoft Windows® user interface). Similarly, a Green folder
classification does not always mean that the folder will be encrypted. There are
certain situations in which the tool does not encrypt a folder that is classified
as Green, such as when the folder is a shared folder and the tool is configured
to leave shared folders unencrypted.
Folder Classification Methods
Depending on how it is configured, the EFS Assistant tool uses a number of different
mechanisms to classify folders or files as either Red or Green. This section describes
the different methods the tool uses to classify folders.
Folder Encryption Modes
The EFS Assistant tool can run in one of three folder encryption modes, which are
shown in the following screen shot. To understand how the tool operates, it is important
to know about these modes of operation and understand what they mean. The three
folder encryption modes are:
- Encrypt specified folders only. In this mode, only folders on the Default
and Group Policy Green lists are encrypted. Note that the tool will not encrypt
folders that are on the Group Policy Red list.
- Encrypt specified and content classified folders. In this mode, the tool
encrypts specified folders as in the previous mode but also performs folder content
classification. See the preceding section for more information about this classification
- Maximize the number of folders encrypted. In this mode, the tool assumes
that every folder should be encrypted unless it (or one of its parent folders) is
on either the Default or Group Policy Red list. The effect is that most folders
on the computer are encrypted.
Note As with all configurations, this mode should
be thoroughly tested before it is deployed. This mode encrypts most folders, and
it could cause problems by encrypting folders that should not be encrypted.
Figure 2.1. Folder encryption modes in the Group Policy editor
Folder and File Encryption
When a folder is classified as Green, it means that the EFS Assistant tool determined
that the folder should be encrypted along with all the files in that folder. However,
there are situations in which the tool will either not encrypt a Green folder or
not encrypt some of the files in that folder. The following list describes some
of these situations:
- Folder or file is compressed. A folder or file can be either compressed
or encrypted, but not both. The tool can be configured to uncompress folders or
files so that it can encrypt them, but if this setting is not configured the tool
will not encrypt such files or folders.
- File has the system bit set. When a file has the system bit set, the tool
assumes that the file should not be encrypted.
- Folder is shared. When a folder is marked as shared, the tool assumes that
the user's intention is for that folder to be accessible to other users. Because
the tool only encrypts files and folders for the current user, encrypting shared
folders would prevent others from accessing them. Therefore, the tool will not encrypt
shared folders by default. However, a configuration setting exists that can override
this behavior and cause shared folders to be encrypted.
Note If the tool is not configured to encrypt
shared folders, it will not continue to scan the subfolders of a shared folder because
those folders will also be shared.
- File or folder cannot be accessed. Sometimes the tool fails to encrypt
a file or folder because access to the file or folder is denied, which usually means
that the file or folder is marked read only or that it is in use. Regardless of
the reason, when the tool encounters such a situation it logs the error and continues.
Note that when the tool runs again, it will try again to encrypt any files or folders
that it could not encrypt on its previous runs.
Note The Desktop folder is always held open
whenever the user is logged in. Therefore, this folder can never be marked as encrypted.
How the EFS Assistant Works
This section describes how the EFS Assistant tool scans and encrypts folders and
files. It does not describe precisely how the tool operates for all combinations
of settings, but instead focuses on the general process that the tool uses when
The EFS Assistant tool runs in the user's context after the user logs on. The first
thing the tool does when it starts is initialize its environment. During initialization,
the tool performs the following steps:
- Perform the following initialization checks:
- Is another instance of the tool running? If so, the tool exits.
- Is EFS disabled? If so, the tool exits.
- Read its configuration information from the registry. This information specifies
how the tool should run, whether it should run in reporting only mode, what folders
the administrator wants to be encrypted and not encrypted, and so on. If the tool
cannot find its configuration data, it logs an error and exits. The tool will not
run if it cannot find its configuration in the registry.
- Assemble various lists, including the Do Not Scan list, the Default Red and Green
lists, and the Group Policy Red and Green lists. These lists are used during the
scanning and classification processes.
When initialization is complete, the tool is ready to begin scanning the local hard
disk drives on the computer.
Scanning, Classification and Encryption
After the EFS Assistant tool finishes initializing, it begins its main processing
routine. The following subsections describe that process.
The EFS Assistant tool starts the scanning process by identifying all NTFS-formatted
hard disk drive volumes that are physically connected to the computer (not including
special volumes such as the BitLocker System Volume or a Windows Recovery Environment
volume). For each volume, the tool starts scanning at the root folder (for example,
C:\). The tool classifies each folder and, if necessary, attempts to encrypt it.
It then recursively scans all subfolders until it has classified every folder on
the volume. The tool then repeats the process for every other NTFS-formatted hard
disk drive volume that is physically connected to the computer.
If the tool encounters a folder on the Do Not Scan list or a folder with the system
attribute set, it will mark that folder as Red, write this activity to the WMI log,
and proceed to the next folder. It will not scan these folders.
When the tool scans each folder, folder classification depends on which folder encryption
mode the tool is configured to use. If the tool is running in Encrypt Specified
Folders Only mode, the tool only considers the Red and Green lists to determine
whether the folder should be classified as Green. If the tool is running in Encrypt
Specified and Content Classified Folders mode and the folder is not on either
the Green or Red lists, it considers the contents of the folder. If the folder contains
only encryptable data files (as configured by the administrator), the tool classifies
the folder as Green. In Maximize the Number of Folders Encrypted mode, the
tool assumes the folder is Green unless it (or one of its parent folders) is on
either the Default Red or Group Policy Red list.
If the folder is classified as Red after the preceding process is completed, this
information is logged to the WMI database and the tool proceeds to the next folder.
If the folder is classified as Green, the tool begins the encryption process. If
the folder is Unclassified, the tool checks to see if it is configured to Encrypt
Individual Files. (More information about this setting is available in the
"Group Policy Settings" section of
Chapter 3: Configuring and Deploying the EFS Assistant in this guide.) If
it is, the tool encrypts any data files (as specified by the administrator) that
are in that folder. It then logs its actions in WMI and proceeds to the next folder.
If a folder is classified as Green, the tool encrypts the folder and the files in
the folder. As mentioned earlier in this chapter, it is possible for a folder to
be classified as Green but not be encrypted (for example, if it is a compressed
When the tool encrypts a folder and its files, it completes the following procedures:
To encrypt a folder
- The tool checks to see if the folder is already encrypted. If it is, the tool
logs this information in WMI and proceeds to encrypt the files in the folder as
described in the following procedure.
- If the folder is shared and the tool is not configured to encrypt shared folders,
the tool logs this information and checks the next folder. The tool will not encrypt
files under a shared folder.
- If the folder is compressed and the tool is not configured to uncompress compressed
folders, the tool logs this information and proceeds to encrypt the files in the
folder as described in the following procedure. If the tool is configured to Force
decompression, it uncompresses the folder, encrypts it, and then logs its
- Otherwise, the folder is marked as encrypted and the tool logs this information.
The tool then iterates through all the files in the folder and encrypts them by
performing the steps in the following procedure.
To encrypt a file
- The tool checks to see if the file is compressed.
- If the file is compressed and the tool is not configured to uncompress files to
encrypt them, this information is logged and the file is left as is.
- If the tool is configured to uncompress files, the file is uncompressed.
- If the file is already encrypted, the tool does nothing.
- The tool attempts to encrypt the file (it logs the results if an error occurs).
- After the last file in a folder is processed, the tool proceeds to the next folder.
The EFS Assistant tool has some other features that help improve how it works in
a typical environment.
- The tool will suspend operations when it detects that the computer is on battery
power (to extend battery life).
- The tool runs at a low priority so that it will have minimal impact on performance.
- The tool has a reporting-only mode in which it performs all the tasks described
in this chapter but only logs what it would encrypt. This mode does not actually
cause any files or folders to be encrypted.
- The tool processes certain folders used by Internet Explorer in a special way.
These folders have the system attribute set, which in typical circumstances would
cause the tool to categorize them as Red. However, the system attribute is not required
for Internet Explorer to work properly. This attribute is set on these folders only
to keep the files hidden from the user. Because the contents of these folders may
also contain sensitive data, the tool removes the system attribute from these folders
so that they can be classified as Green. The affected folders are listed in the
following table:Table 2.3. Internet Explorer Folders that Will be Encrypted
IE7 Feeds cache (Windows Vista)
IE7 Feeds cache (Windows XP)
%USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds Cache
IE History (Windows Vista)
IE History (Windows XP)
Temporary Internet Files (Windows Vista)
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files
Temporary Internet Files (Windows XP)
%USERPROFILE%\Local Settings\Temporary Internet Files