This is a recent question I saw ...
You can track detailed EFS events such as EFS decrypt\encrypt and EFS engine cert enrollment via the EFS debug logging in Vista.
In addition – Vista has new DPAPI logging for auditing its usage ( DPAPI is what EFS uses to protect its keys so you should see some data for a key import \export ) you can enable this via the method outlined here:
Here is the EFS debug logging….
Enable advanced EFS logging via the eventvwr -- ( click on "enable log" )
Tests I ran…nothing super technical so I am not 100% sure of when and where we log it all in the grand scheme of things, play with it some if you want a specific event flowchart.
Encrypt a file when there is no EFS key – it automatically got one from the Ent CA in my domain:
Log Name: Microsoft-Windows-EFS/Debug
Date: 8/6/2007 1:56:30 PM
Event ID: 260
Task Category: None
1.3634: Attempt to create a new EFS key
Date: 8/6/2007 1:56:36 PM
Event ID: 256
EFS key promoted from current key. CertValidated: 2, cbHash: 20, pbHash: E2 B3 9B 13 ED C6 4D 2B D6 17 8D 68 63 FE 89 48 1A 37 E3 83, ContainerName: d7bbcfe2c68036677fc606f5309b0453_79f3ab01-e697-496e-afe2-672634d9bf6a, ProviderName: Microsoft Enhanced Cryptographic Provider v1.0, DisplayInformation: Administrator(email@example.com), dwCapabilities: EKU_EFS KU_GOOD_FOR_EFS KEYSPEC_EXCHANGE MASTERKEY RSA_ENCRYPT IS_TIME_VALID KEY_LARGE_ENOUGH , bIsCurrentKey: TRUE, eKeyType: RSA KEY
For an encrypt \ decrypt operation we seem to log the following so the two event highlighted look to be a promising identifier.
4.11824: attempting to validate EFS stream
4.11926: EFS stream validated
Good luck to you…
very nice. Thanks.