Welcome to MSDN Blogs Sign in | Join | Help

Is there any debug logs or tracing logs can help us to monitor certificate importing or EFS decrypting?

 

 

 

This is  a recent question I saw ...

 

 

You can track detailed EFS events such as EFS decrypt\encrypt and EFS engine cert enrollment via the EFS debug logging in Vista.

 

In addition – Vista has new DPAPI logging for auditing its usage ( DPAPI is what EFS uses to protect its keys so you should see some data for a key import \export  ) you can enable this via the method outlined here:

 

http://blogs.msdn.com/spatdsg/archive/2007/05/11/New-Auditing-in-Vista.aspx

 

 

Here is the EFS debug logging….

 

Enable advanced EFS logging via the eventvwr -- ( click on "enable log" )

 

              

 

 

Tests I ran…nothing super technical so I am not 100% sure of when and where we log it all in the grand scheme of things, play with it some if you want a specific event flowchart.

 

 


Encrypt a file when there is no EFS key – it  automatically got one from the Ent CA in my domain:

 

Event posted:

 

Log Name:      Microsoft-Windows-EFS/Debug

Source:        Microsoft-Windows-EFS

Date:          8/6/2007 1:56:30 PM

Event ID:      260

Task Category: None

Level:         Information

Keywords:     

User:          CRISCO1\administrator

Computer:      VistaCrisco.crisco.com

Description:

1.3634: Attempt to create a new EFS key

 

 

Log Name:      Microsoft-Windows-EFS/Debug

Source:        Microsoft-Windows-EFS

Date:          8/6/2007 1:56:36 PM

Event ID:      256

Task Category: None

Level:         Information

Keywords:     

User:          CRISCO1\administrator

Computer:      VistaCrisco.crisco.com

Description:

EFS key promoted from current key.  CertValidated: 2, cbHash: 20, pbHash: E2 B3 9B 13 ED C6 4D 2B D6 17 8D 68 63 FE 89 48 1A 37 E3 83, ContainerName: d7bbcfe2c68036677fc606f5309b0453_79f3ab01-e697-496e-afe2-672634d9bf6a, ProviderName: Microsoft Enhanced Cryptographic Provider v1.0, DisplayInformation: Administrator(administrator@crisco.com), dwCapabilities: EKU_EFS KU_GOOD_FOR_EFS KEYSPEC_EXCHANGE MASTERKEY RSA_ENCRYPT IS_TIME_VALID KEY_LARGE_ENOUGH , bIsCurrentKey: TRUE, eKeyType: RSA KEY

 

 

For an encrypt \ decrypt operation we seem to log the following so the two event highlighted  look to be a promising identifier.

 

 

4.11824: attempting to validate EFS stream

4.11926: EFS stream validated

 

 

 

 

Good luck to you…

 

spatdsg

Published Tuesday, August 07, 2007 7:39 AM by SpatDSG
Filed under:

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

No Comments

Leave a Comment

(required) 
required 
(required) 

  
Enter Code Here: Required
 
Page view tracker