Chapter 2: Understanding the EFS Assistant

Published: May 29, 2007

This chapter will help you understand how the Microsoft® Encrypting File System Assistant (EFS Assistant) tool operates as well as how it determines which files and folders to encrypt.

Basic Concepts

To understand how the EFS Assistant operates, you need to understand some basic concepts about how it classifies and encrypts folders. This section presents some details about these concepts.

Folder Classification

The EFS Assistant tool operates primarily on the folder level, encrypting folders and all the files in them. It scans the folder tree, looking for folders that should be encrypted in a process known as folder classification.

A folder can be classified in one of three ways:

• Red. The tool determined that the folder should not be encrypted.
• Green. The tool determined that the folder should be encrypted.
• Unclassified. The tool was unable to determine whether the folder should be encrypted.

A folder that is classified as Red does not mean that it cannot be encrypted. It just means that the EFS Assistant will not try to encrypt it. It's possible that the folder could be encrypted through other means (for example, the user encrypted the folder from the Microsoft Windows® user interface). Similarly, a Green folder classification does not always mean that the folder will be encrypted. There are certain situations in which the tool does not encrypt a folder that is classified as Green, such as when the folder is a shared folder and the tool is configured to leave shared folders unencrypted.

Folder Classification Methods

Depending on how it is configured, the EFS Assistant tool uses a number of different mechanisms to classify folders or files as either Red or Green. This section describes the different methods the tool uses to classify folders.

• Do Not Scan list. Before the tool starts scanning folders on the computer, it compiles a list of folders that it will not scan. Because these folders (and their subfolders) should never be encrypted, the tool does not need to scan them. These folders are classified as Red. The following folders are placed on the Do Not Scan list when the tool starts running:
  • The Windows folder. None of the files and subfolders in the Windows folder will be encrypted, because doing so can cause the operating system to fail to function correctly.
  • Other users' profiles. The profiles of other users will not be scanned or encrypted.
  • The System Volume Information folder. The System Volume Information folder is a hidden system folder that the System Restore tool uses to store its information and restore points. There is no data in this folder that should be encrypted by anyone.
• Default Folder lists. The tool has two default folder lists: the Default Red list and the Default Green list. Any folder in either of these lists this will be categorized appropriately. When a folder is included in one of these lists, all its subfolders are also considered to be on the list. For example, if "C:\Windows" is on the Default Red list, "C:\Windows\system32" will also be on the Default Red list. The Default Red list includes the folders in the following table:Table 2.1. EFS Assistant Default Red List

  Folder	Path
  Program Files	%PROGRAMFILES%
  x86 Program Files (64-bit Windows Vista only)	%PROGRAMFILES(x86)%
  Application Data	%APPDATA%
  Start Menu Programs (Windows Vista™ and Windows XP)	%USERPROFILE%\Start Menu\Programs
  Templates (Windows Vista)	%APPDATA%\Microsoft\Windows\Templates
  Templates (Windows XP)	%USERPROFILE%\Templates

  The tool also queries the database of installed applications to see if any applications have been installed to folders outside of %PROGRAMFILES%. If the tool finds any application installation folders that are not under %PROGRAMFILES%, these folders will also be added to the Default Red list.The Default Green list includes the folders in the following table:Table 2.2. EFS Assistant Default Green List

  Folder	Path
  Documents (Windows Vista)	%USERPROFILE%\Documents
  My Documents (Windows XP)	%USERPROFILE%\My Documents
  Desktop (Windows Vista and Windows XP)	%USERPROFILE%\Desktop
  IE Favorites (Windows Vista and Windows XP)	%USERPROFILE%\Favorites
  IE History (Windows Vista)	%LOCALAPPDATA%\Microsoft\Windows\History
  IE History (Windows XP)	%USERPROFILE%\Local Settings\History
  Temporary Internet Files (Windows Vista)	%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files
  Temporary Internet Files (Windows XP)	%USERPROFILE%\Local Settings\Temporary Internet Files
  CD Burn cache (Windows Vista)	%LOCALAPPDATA%\Microsoft\Windows\Burn\Burn
  CD Burn cache (Windows XP)	%USERPROFILE%\Local Settings\Application Data\Microsoft\CD Burning
  IE7 Feeds cache (Windows Vista)	%LOCALAPPDATA%\Microsoft\Feeds Cache
  IE7 Feeds cache (Windows XP)	%USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds Cache
  Outlook OST and PST cache (Windows Vista)	%LOCALAPPDATA%\Microsoft\Outlook\
  Outlook OST and PST cache (Windows XP)	%USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook
  Office Document Workspace cache (Windows Vista)	%LOCALAPPDATA%\Microsoft\OFFICE
  Office Document Workspace cache (Windows XP)	%USERPROFILE%\Local Settings\Application Data\Microsoft\OFFICE

• Group Policy folder lists. An administrator can use the Group Policy editor to configure two lists of folders: the Group Policy Red list and the Group Policy Green list. These lists are similar to the Default Red and Default Green lists, except they can be configured by the administrator. In addition, these two lists take precedence over the Default Red and Green lists. For example, if a folder is on the Default Green list and the Group Policy Red list, the folder will be classified as Red (do not encrypt). The administrator configures the Group Policy Red list using the Folders not to encrypt setting in the Group Policy editor. The Group Policy Green list is configured using the Folders to encrypt setting.

• System folders. When the tool encounters a folder that has the system attribute set, it classifies that folder as Red. In addition, it will not scan any subfolders of such a folder.

  Note There are a few folders used by Microsoft Internet Explorer® that are marked as system folders even though they do not need to be. The tool clears the system attribute on these folders during initialization. See the "Other Features" section later in this chapter for more information.

• Folder content classification. Users often create folders in different locations, such as directly under C:\. The tool helps administrators deal with such folders by providing a capability to find them based on their contents. If this capability is enabled, the tool will examine the contents of an Unclassified folder and, if every file in that folder is on the list of encryptable files, it will classify the folder as Green and attempt to encrypt it. Unlike the list-based methods of classification, each folder is considered separately when the EFS Assistant performs folder content classification. In other words, this type of classification is not inherited by any subfolders.
• Desktop.ini encryption disabled. The desktop.ini file controls how a folder is displayed and works in Windows. One of the things this file can do is disable encryption of the folder containing the desktop.ini file. If the EFS Assistant encounters a desktop.ini file configured to disable encryption, the tool classifies that folder as Red.

Folder Encryption Modes

The EFS Assistant tool can run in one of three folder encryption modes, which are shown in the following screen shot. To understand how the tool operates, it is important to know about these modes of operation and understand what they mean. The three folder encryption modes are:

• Encrypt specified folders only. In this mode, only folders on the Default and Group Policy Green lists are encrypted. Note that the tool will not encrypt folders that are on the Group Policy Red list.
• Encrypt specified and content classified folders. In this mode, the tool encrypts specified folders as in the previous mode but also performs folder content classification. See the preceding section for more information about this classification method.

• Maximize the number of folders encrypted. In this mode, the tool assumes that every folder should be encrypted unless it (or one of its parent folders) is on either the Default or Group Policy Red list. The effect is that most folders on the computer are encrypted.

  Note As with all configurations, this mode should be thoroughly tested before it is deployed. This mode encrypts most folders, and it could cause problems by encrypting folders that should not be encrypted.

Folder and File Encryption

When a folder is classified as Green, it means that the EFS Assistant tool determined that the folder should be encrypted along with all the files in that folder. However, there are situations in which the tool will either not encrypt a Green folder or not encrypt some of the files in that folder. The following list describes some of these situations:

• Folder or file is compressed. A folder or file can be either compressed or encrypted, but not both. The tool can be configured to uncompress folders or files so that it can encrypt them, but if this setting is not configured the tool will not encrypt such files or folders.
• File has the system bit set. When a file has the system bit set, the tool assumes that the file should not be encrypted.

• Folder is shared. When a folder is marked as shared, the tool assumes that the user's intention is for that folder to be accessible to other users. Because the tool only encrypts files and folders for the current user, encrypting shared folders would prevent others from accessing them. Therefore, the tool will not encrypt shared folders by default. However, a configuration setting exists that can override this behavior and cause shared folders to be encrypted.

  Note If the tool is not configured to encrypt shared folders, it will not continue to scan the subfolders of a shared folder because those folders will also be shared.

• File or folder cannot be accessed. Sometimes the tool fails to encrypt a file or folder because access to the file or folder is denied, which usually means that the file or folder is marked read only or that it is in use. Regardless of the reason, when the tool encounters such a situation it logs the error and continues. Note that when the tool runs again, it will try again to encrypt any files or folders that it could not encrypt on its previous runs.

  Note The Desktop folder is always held open whenever the user is logged in. Therefore, this folder can never be marked as encrypted.

How the EFS Assistant Works

This section describes how the EFS Assistant tool scans and encrypts folders and files. It does not describe precisely how the tool operates for all combinations of settings, but instead focuses on the general process that the tool uses when it runs.

Initialization

The EFS Assistant tool runs in the user's context after the user logs on. The first thing the tool does when it starts is initialize its environment. During initialization, the tool performs the following steps:

1. Perform the following initialization checks:
   • Is another instance of the tool running? If so, the tool exits.
   • Is EFS disabled? If so, the tool exits.
2. Read its configuration information from the registry. This information specifies how the tool should run, whether it should run in reporting only mode, what folders the administrator wants to be encrypted and not encrypted, and so on. If the tool cannot find its configuration data, it logs an error and exits. The tool will not run if it cannot find its configuration in the registry.
3. Assemble various lists, including the Do Not Scan list, the Default Red and Green lists, and the Group Policy Red and Green lists. These lists are used during the scanning and classification processes.

When initialization is complete, the tool is ready to begin scanning the local hard disk drives on the computer.

Scanning, Classification and Encryption

After the EFS Assistant tool finishes initializing, it begins its main processing routine. The following subsections describe that process.

Scanning

The EFS Assistant tool starts the scanning process by identifying all NTFS-formatted hard disk drive volumes that are physically connected to the computer (not including special volumes such as the BitLocker System Volume or a Windows Recovery Environment volume). For each volume, the tool starts scanning at the root folder (for example, C:\). The tool classifies each folder and, if necessary, attempts to encrypt it. It then recursively scans all subfolders until it has classified every folder on the volume. The tool then repeats the process for every other NTFS-formatted hard disk drive volume that is physically connected to the computer.

If the tool encounters a folder on the Do Not Scan list or a folder with the system attribute set, it will mark that folder as Red, write this activity to the WMI log, and proceed to the next folder. It will not scan these folders.

Classification

When the tool scans each folder, folder classification depends on which folder encryption mode the tool is configured to use. If the tool is running in Encrypt Specified Folders Only mode, the tool only considers the Red and Green lists to determine whether the folder should be classified as Green. If the tool is running in Encrypt Specified and Content Classified Folders mode and the folder is not on either the Green or Red lists, it considers the contents of the folder. If the folder contains only encryptable data files (as configured by the administrator), the tool classifies the folder as Green. In Maximize the Number of Folders Encrypted mode, the tool assumes the folder is Green unless it (or one of its parent folders) is on either the Default Red or Group Policy Red list.

If the folder is classified as Red after the preceding process is completed, this information is logged to the WMI database and the tool proceeds to the next folder. If the folder is classified as Green, the tool begins the encryption process. If the folder is Unclassified, the tool checks to see if it is configured to Encrypt Individual Files. (More information about this setting is available in the "Group Policy Settings" section of Chapter 3: Configuring and Deploying the EFS Assistant in this guide.) If it is, the tool encrypts any data files (as specified by the administrator) that are in that folder. It then logs its actions in WMI and proceeds to the next folder.

Encryption

If a folder is classified as Green, the tool encrypts the folder and the files in the folder. As mentioned earlier in this chapter, it is possible for a folder to be classified as Green but not be encrypted (for example, if it is a compressed folder).

When the tool encrypts a folder and its files, it completes the following procedures:

To encrypt a folder

1. The tool checks to see if the folder is already encrypted. If it is, the tool logs this information in WMI and proceeds to encrypt the files in the folder as described in the following procedure.
2. If the folder is shared and the tool is not configured to encrypt shared folders, the tool logs this information and checks the next folder. The tool will not encrypt files under a shared folder.
3. If the folder is compressed and the tool is not configured to uncompress compressed folders, the tool logs this information and proceeds to encrypt the files in the folder as described in the following procedure. If the tool is configured to Force decompression, it uncompresses the folder, encrypts it, and then logs its actions.
4. Otherwise, the folder is marked as encrypted and the tool logs this information.

The tool then iterates through all the files in the folder and encrypts them by performing the steps in the following procedure.

To encrypt a file

1. The tool checks to see if the file is compressed.
   1. If the file is compressed and the tool is not configured to uncompress files to encrypt them, this information is logged and the file is left as is.
   2. If the tool is configured to uncompress files, the file is uncompressed.
2. If the file is already encrypted, the tool does nothing.
3. The tool attempts to encrypt the file (it logs the results if an error occurs).
4. After the last file in a folder is processed, the tool proceeds to the next folder.

Other Features

The EFS Assistant tool has some other features that help improve how it works in a typical environment.

• The tool will suspend operations when it detects that the computer is on battery power (to extend battery life).
• The tool runs at a low priority so that it will have minimal impact on performance.
• The tool has a reporting-only mode in which it performs all the tasks described in this chapter but only logs what it would encrypt. This mode does not actually cause any files or folders to be encrypted.
• The tool processes certain folders used by Internet Explorer in a special way. These folders have the system attribute set, which in typical circumstances would cause the tool to categorize them as Red. However, the system attribute is not required for Internet Explorer to work properly. This attribute is set on these folders only to keep the files hidden from the user. Because the contents of these folders may also contain sensitive data, the tool removes the system attribute from these folders so that they can be classified as Green. The affected folders are listed in the following table:Table 2.3. Internet Explorer Folders that Will be Encrypted

  Folder	Path
  IE7 Feeds cache (Windows Vista)	%LOCALAPPDATA%\Microsoft\Feeds Cache
  IE7 Feeds cache (Windows XP)	%USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds Cache
  IE History (Windows Vista)	%LOCALAPPDATA%\Microsoft\Windows\History
  IE History (Windows XP)	%USERPROFILE%\Local Settings\History
  Temporary Internet Files (Windows Vista)	%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files
  Temporary Internet Files (Windows XP)	%USERPROFILE%\Local Settings\Temporary Internet Files