Skip to content

%SystemRoot%\system32 secrets: cipher

Next command in my list is what you never remember about unless user comes in with a cry: “I’ve reset my password and now all my EFS-encrypted files are gone!!!”. Are you familiar with the situation? I am not, fortunately, but I heard some related horror stories. Backup the encryption keys is the key. And updating of keys on the files. And creating of recovery keys. And backing up the encryption keys. All that the utility in the question can do for you.

There are plenty of articles about the actions described above. But when I tried to look at the utility’s description more closely, I found one new function: cipher with arguments “/W” and a folder will remove all data from unused disk space on the volume where the folder is placed. What it is doing is:

1) Creating folder EFSTMPWP on the volume:

2) Creating there a temp file (or several, according to some sources)

image

3) Writing there zeros, then ones, and polishes it with some random values:

image

It does each step until the whole disk is filled up and then repeats:

image

image

image

Of course it is quite time consuming, especially on large volumes. But if I was the person to design the command, I’d rather made it to write not just zeros and ones, but just encrypt every free cluster with a random key. Luckily it wasn’t me, so it is not even more long procedure ;)

The command asks you to close all the applications to make the effort as effective as it is possible, mostly to eliminate all the temp files with data in them.

Further reading:

cipher /?

http://technet.microsoft.com/en-us/library/cc771346(WS.10).aspx

http://support.microsoft.com/kb/295680

http://support.microsoft.com/kb/814599