Find and remove invisible EFS*.TMP files that are created by NTFS encrypting file system

1

On my Win7 64 Pro I encrypted a subdirectory using the standard Windows Explorer right-click context menu Properties -> Advanced function, but I found out some time later that it created a bunch of files named EFS0.TMP, EFS1.TMP, et cetera.

Apparently these files are created when NTFS is encrypting files to allow the system to roll back the encryption if it fails. But it seems that they sometimes get left behind. Disconcertingly, the files are actually unencrypted versions of the actual files, which defeats the purpose of encryption and can give you a false sense of security.

At first I didn't know they were there because, while I had configured Windows Explorer to Show hidden files, folders and drives, it was still hiding protected operating system files, as shown in the screenshot below:

[Screenshot: Folder options dialog]

Unchecking the indicated setting allowed them to be seen in Windows Explorer, though not by using DIR in the Windows CMD command line.

Once I discovered they were there I found that they couldn't be deleted with Windows Explorer saying "You need permission to perform this action".

What's more there were lots of them at various levels of the directory tree.

Glenn Lawrence

Posted 2015-08-31T07:56:45.913

Reputation: 151

Answers

2

I found the EFS*.TMP files were all owned by SYSTEM so in order to be able to remove them I had to either make them owned by me or set their permissions to allow them to be deleted by me. I couldn't see an easy way of changing ownership recursively and didn't want to visit each of them individually so my solution was to propagate the read/write permissions from the top directory by:

  1. Right click the folder in Windows Explorer and choose Properties
  2. Select the Security tab in the properties dialog
  3. Select Advanced to bring up the advanced settings
  4. Select Change permissions to bring up more advanced settings
  5. Check "Replace all child object permissions with inheritable permissions from this object"

I then clicked Apply and confirmed the action when prompted.

I then did a search for "EFS*.TMP" from my top level directory, group selected the results and then chose Delete from the context menu to move them all to the recycle bin.

Glenn Lawrence

Posted 2015-08-31T07:56:45.913

Reputation: 151
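
A scripted version of the search and clean-up described in the answer above, as an added example that is not part of the original post. The function name `Find-EfsTemp` and the path `C:\Data\Private` are hypothetical; `takeown.exe` and `icacls.exe` are used here as a per-file alternative to propagating permissions from the top folder, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Find-EfsTemp is a hypothetical name.
# Reports leftover EFS<n>.TMP files, including Hidden+System ones, and can remove them.
function Find-EfsTemp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [switch]$Remove   # without this switch the function only reports
    )

    # -Force makes Get-ChildItem return Hidden and System entries as well.
    $hits = Get-ChildItem -LiteralPath $Root -Recurse -Force -Filter 'EFS*.TMP' `
                -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -match '^EFS\d+\.TMP$' }

    foreach ($f in $hits) {
        # Reading the ACL can fail on SYSTEM-owned files; record that instead of stopping.
        try   { $owner = (Get-Acl -LiteralPath $f.FullName -ErrorAction Stop).Owner }
        catch { $owner = '<access denied>' }

        # The Encrypted attribute shows whether the file content is protected by EFS.
        $isEncrypted = [bool]($f.Attributes -band [IO.FileAttributes]::Encrypted)

        $removed = $false
        if ($Remove -and $PSCmdlet.ShouldProcess($f.FullName, 'Take ownership and delete')) {
            # Make the current user the owner, grant full control, then delete.
            & takeown.exe /F $f.FullName | Out-Null
            & icacls.exe $f.FullName /grant "${env:USERDOMAIN}\${env:USERNAME}:F" | Out-Null
            Remove-Item -LiteralPath $f.FullName -Force -ErrorAction SilentlyContinue
            $removed = -not (Test-Path -LiteralPath $f.FullName)
        }

        # One result object per file, so the output can be sorted, filtered or exported.
        $f | Select-Object FullName, Length, Attributes,
            @{ Name = 'Owner';     Expression = { $owner } },
            @{ Name = 'Encrypted'; Expression = { $isEncrypted } },
            @{ Name = 'Removed';   Expression = { $removed } }
    }
}

# Report only (hypothetical path):
#   Find-EfsTemp -Root 'C:\Data\Private' | Format-Table -AutoSize
# Preview what would be deleted, then delete:
#   Find-EfsTemp -Root 'C:\Data\Private' -Remove -WhatIf
#   Find-EfsTemp -Root 'C:\Data\Private' -Remove
```

Deleting a file does not overwrite its contents on disk; `cipher /w:<directory>` overwrites the free space of that volume afterwards.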