Spat's WebLog (Steve Patrick)

When things go wrong...

Are there any debug logs or tracing logs that can help us monitor certificate importing or EFS decrypting?

This is a recent question I saw ...

You can track detailed EFS events, such as EFS encrypt/decrypt operations and EFS engine certificate enrollment, via the EFS debug log in Vista (the Microsoft-Windows-EFS/Debug channel, which is an analytic/debug log and therefore disabled by default).

In addition, Vista has new DPAPI logging for auditing its usage. DPAPI is what EFS uses to protect its keys, so you should see some data for a key import/export. You can enable this via the method outlined here:

http://blogs.msdn.com/spatdsg/archive/2007/05/11/New-Auditing-in-Vista.aspx

Here is the EFS debug logging:

Enable advanced EFS logging via eventvwr: in Event Viewer, go to Applications and Services Logs > Microsoft > Windows > EFS. If the Debug log is not listed, choose View > Show Analytic and Debug Logs; then right-click the Debug log and click "Enable Log". Because this is an analytic/debug channel it is off by default and fairly verbose, so turn it off again once you have the events you need.

Tests I ran... nothing super technical, so I am not 100% sure of when and where we log it all in the grand scheme of things; play with it some if you want a specific event flowchart.

Encrypt a file when there is no EFS key; it automatically got one from the Enterprise CA in my domain:

Events posted:

Log Name:      Microsoft-Windows-EFS/Debug
Source:        Microsoft-Windows-EFS
Date:          8/6/2007 1:56:30 PM
Event ID:      260
Task Category: None
Level:         Information
Keywords:
User:          CRISCO1\administrator
Computer:      VistaCrisco.crisco.com
Description:
1.3634: Attempt to create a new EFS key

Log Name:      Microsoft-Windows-EFS/Debug
Source:        Microsoft-Windows-EFS
Date:          8/6/2007 1:56:36 PM
Event ID:      256
Task Category: None
Level:         Information
Keywords:
User:          CRISCO1\administrator
Computer:      VistaCrisco.crisco.com
Description:
EFS key promoted from current key.  CertValidated: 2, cbHash: 20, pbHash: E2 B3 9B 13 ED C6 4D 2B D6 17 8D 68 63 FE 89 48 1A 37 E3 83, ContainerName: d7bbcfe2c68036677fc606f5309b0453_79f3ab01-e697-496e-afe2-672634d9bf6a, ProviderName: Microsoft Enhanced Cryptographic Provider v1.0, DisplayInformation: Administrator(administrator@crisco.com), dwCapabilities: EKU_EFS KU_GOOD_FOR_EFS KEYSPEC_EXCHANGE MASTERKEY RSA_ENCRYPT IS_TIME_VALID KEY_LARGE_ENOUGH , bIsCurrentKey: TRUE, eKeyType: RSA KEY

For an encrypt/decrypt operation we seem to log the following, so the two events highlighted look to be a promising identifier:

4.11824: attempting to validate EFS stream

4.11926: EFS stream validated
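
The enabling step above and the encrypt/decrypt identifiers can be exercised end to end from an elevated PowerShell prompt. This is an added example, not code from the original post: it turns the Microsoft-Windows-EFS/Debug channel on with wevtutil (the command-line equivalent of "Enable Log"), encrypts and decrypts a file with cipher.exe to generate traffic, then reads the channel back with Get-WinEvent and summarizes which event IDs fired. It assumes Windows Vista or later with PowerShell 2.0 or later (for Get-WinEvent), an NTFS volume, and that the test directory C:\efstest is free to use; the directory and file names are assumptions, and the exact event IDs you see depend on your build, so treat the 256/260 and "EFS stream" entries from the post as things to look for rather than guaranteed output.

```powershell
# Added example (not from the original post). Assumes an elevated prompt,
# PowerShell 2.0+ for Get-WinEvent, an NTFS volume, and that C:\efstest is
# free to use (the path and file name are assumptions).

$log = 'Microsoft-Windows-EFS/Debug'

# Analytic/Debug channels are disabled by default. This is the command-line
# equivalent of right-clicking the Debug log in Event Viewer and choosing
# "Enable Log" (after View > Show Analytic and Debug Logs).
wevtutil sl $log /e:true /q:true

# Generate some EFS traffic: encrypt, read (transparent decrypt) and decrypt
# a file with cipher.exe. The first /e for a user with no EFS key is what
# produced the key-creation/promotion events shown in the post.
$dir  = 'C:\efstest'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'secret.txt'
Set-Content -Path $file -Value 'constructed test data'   # constructed sample content
cipher.exe /e $file | Out-Null      # encrypt
Get-Content $file    | Out-Null     # read, which decrypts the stream transparently
cipher.exe /d $file | Out-Null      # decrypt back to plaintext

# Analytic/Debug channels can only be enumerated oldest-first, so -Oldest is
# required. If nothing has been logged yet Get-WinEvent reports "no events";
# SilentlyContinue keeps that from aborting the script.
$events = Get-WinEvent -LogName $log -Oldest -ErrorAction SilentlyContinue

# Which event IDs fired, and how often. In the post, 260 was "Attempt to
# create a new EFS key" and 256 was "EFS key promoted from current key".
$events | Group-Object Id | Sort-Object Name |
    Select-Object @{n='EventId'; e={ $_.Name }}, Count |
    Format-Table -AutoSize

# The "attempting to validate EFS stream" / "EFS stream validated" pair
# brackets an encrypt or decrypt, so filter on the message text for those.
$events | Where-Object { $_.Message -match 'EFS stream' } |
    Select-Object TimeCreated, Id,
        @{n='Message'; e={ ($_.Message -split "`r?`n")[0] }} |
    Format-Table -AutoSize

# Turn the debug channel back off when finished; it is verbose and adds
# per-operation overhead on a busy file server.
wevtutil sl $log /e:false /q:true
```

Run it once with a fresh user profile (no EFS certificate yet) to see the key-creation path, and once more with the key already in place to see only the stream-validation messages; the difference between the two runs is the flowchart the post says it did not work out.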

Good luck to you…

spatdsg
