• Sign in to Neowin Faster!

    Create an account on Neowin to contribute and support the site.

Sign in to follow this  

Possible Security issue

Recommended Posts

JustGeorge    1,658

This method produced a result for me: https://superuser.com/questions/58878/how-to-list-encrypted-files-in-windows-7

On my machine, the encryption.txt file was generated in the root of my user Dir.

 

Quote

 

 

 

open a cmd prompt

Enter the command: cipher /s:c:\ > encryption.txt

Open the file "encryption.txt"

To find encrypted folders, search for "will be encrypted"

To find encrypted files, search for "E" at the beginning of a line

Without parameters, Cipher lists state of the current directory and all files in it. The /s parameter tells it to recurse, and c:\ gives it the starting point. From there, "> ..." just redirects the output.

Cipher's output for encrypted files and folders look like this:

 Listing c:\Dev\Encrypted\
 New files added to this directory will be encrypted.

E Default.aspx
E Default.aspx.cs
E Default.aspx.designer.cs

Cipher's output for normal files and folders look like this:

 Listing c:\Dev\Plaintext\
 New files added to this directory will not be encrypted.

U Default.aspx
U Default.aspx.cs
U Default.aspx.designer.cs

Hope that helps.

 

Also from same page...


 

Quote

 

cipher /u /n /h will find and list all encrypted files on your hard drives (as mivk commented on the other answer) without need for any additional filtering (that could go wrong). Credits for this also go to this tutorial where I found this answer.

Note: If there are no encrypted files on the system (any disk), the command returns immediately with the response:

The system cannot find the file specified.

This is not an error. It means there are no encrypted files. It seems in this case this info is cached somehow.

Important note: This does not list all encrypted files! Apparently it only lists files belonging to the current user who is running the command.

 

 

 

 

 

Edited by slamfire92

Share this post


Link to post
Share on other sites
Joe User    491
11 hours ago, slamfire92 said:

Note: If there are no encrypted files on the system (any disk), the command returns immediately with the response:

The system cannot find the file specified.

This is not an error. It means there are no encrypted files. It seems in this case this info is cached somehow.

 

Typical cryptic error message. Why wouldn't they reply 'No EFS encrypted files found'?

Share this post


Link to post
Share on other sites
bikeman25    64

Well Ended up using Western Digital Secure Erase SSD boot drive, and did a clean install, so far the problem hasn't returned,  exact cause still an unknown, being very careful what I click on/reinstall at this point.

 

Scanning other house hold PC's for any infections as well,  external drives as well, so far nothing found with Avast Free on other system boot scan, eset online scan, Malwarebytes Free.    I think soon I can declare those other drives clean lol and systems

 

one more drive to check still though, and then might check all the other flash drives.

 

Should I reinstall Avast on this system?   Or will I be fine on my main AMD FX system with Windows Defender

 

 

 

Share this post


Link to post
Share on other sites
JustGeorge    1,658
20 minutes ago, Joe User said:

 

Typical cryptic error message. Why wouldn't they reply 'No EFS encrypted files found'?

"Keyboard Error Press any key to continue"


"Something went wrong"

 

Sometimes you just have to conclude that they're intentionally messing with us  :laugh:

 

 

Edited by slamfire92

Share this post


Link to post
Share on other sites
bikeman25    64

Lmao, they could be intentionally messing with users,  heck this morning during the Secure erase of SSD procedure, after I got the drive out of frozen state, Monitor stayed dark, so I went and took shower lmao, and came back and finally showed on screen done, i'm like really great programming where monitor won't even wake up during a task lol.  

 

As for system operating fine so far, no weird popups yet, but a lot more to reinstall,  just formatted the secondary drive, I didn't zero wipe it as not sure which program works with Toshiba drives lol

 

 

I just hope all the problems are done with,  Printer full software did reinstall though, so that's progress lol

 

 

Not sure on staying with Defender though, as every other PC uses Avast in the household, but if it's best to stay with Defender, then will

 

 

Share this post


Link to post
Share on other sites
JustGeorge    1,658
5 minutes ago, bikeman25 said:

Lmao, they could be intentionally messing with users,  heck this morning during the Secure erase of SSD procedure, after I got the drive out of frozen state, Monitor stayed dark, so I went and took shower lmao, and came back and finally showed on screen done, i'm like really great programming where monitor won't even wake up during a task lol.  

 

As for system operating fine so far, no weird popups yet, but a lot more to reinstall,  just formatted the secondary drive, I didn't zero wipe it as not sure which program works with Toshiba drives lol

 

 

I just hope all the problems are done with,  Printer full software did reinstall though, so that's progress lol

 

 

Not sure on staying with Defender though, as every other PC uses Avast in the household, but if it's best to stay with Defender, then will

 

 

Create a system image after setting everything up, so you don't have to go through this again:

 

 

 

Share this post


Link to post
Share on other sites
bikeman25    64

Will do most definitely create one once all back in order.   Hopes I never have to go thru this again, and all is well now.   been up since 6a.m. running scans, and checking things, and such,  Eventually 

replacing secondary drive with a Western Digital as well so can use same diagnostic tools as all the other Western Digital drives use, but that's months away when I have money lol.  

 

 

Might stay with Defender for Antivirus protection 

 

 

 

 

 

Share this post


Link to post
Share on other sites
The Evil Overlord    18,442
12 hours ago, bikeman25 said:

Does secure erasing the SSD shorten it's life though?   First ever SSD, so nervous on killing it too soon,

Can't say for sure, but my Kingston ssd is 4 or 5 years old now (possibly older), and I've reformatted it a few times, ssd life still recons it's good for another 6 years (I doubt it personally, but time will tell)

Spoiler

Image1.thumb.jpg.962e8ea6cab477e5088b87b6377abe9d.jpg

 

  • Like 1

Share this post


Link to post
Share on other sites
bikeman25    64

Yeah mine don't really support SSD life lol, states unable to determine life span lol,  but rating in Western Digitals Lifeguard program shows 99 percent life rating, so guess its ok still, But does show Healthy though, so guess that's just fine then lol

 

 

 

Share this post


Link to post
Share on other sites
goretsky    1,065

Hello,

 

One thing to check in the future (if it happens again) is whether your security software has some kind of anti-ransomware feature, whether or not it is enabled, and if it is compatible with your build of Windows 10  If so, that could have been what was blocking Cipher (filename: CIPHER.EXE) and/or causing the EFS dialog to appear.

Regards,

Aryeh Goretsky

  • Like 1

Share this post


Link to post
Share on other sites
bikeman25    64

Avast did have Behavior shield, though I don't see it happening on upstairs Desktop that is also Running same version of Windows 10 Pro Creators 1703 Build 15063.296, but i'll go up and check that one again 

 

 

Share this post


Link to post
Share on other sites
adrynalyne    12,427
2 hours ago, Joe User said:

 

Typical cryptic error message. Why wouldn't they reply 'No EFS encrypted files found'?

I don't get an error, nor does it show any encrypted files on my drive. I do have them, but I'm not using efs for it. 

Share this post


Link to post
Share on other sites
adrynalyne    12,427
2 hours ago, The Evil Overlord said:

Can't say for sure, but my Kingston ssd is 4 or 5 years old now (possibly older), and I've reformatted it a few times, ssd life still recons it's good for another 6 years (I doubt it personally, but time will tell)

  Hide contents

Image1.thumb.jpg.962e8ea6cab477e5088b87b6377abe9d.jpg

 

Secure erasing I believe also writes zeroes to the drive which could potentially lower life span, but I don't know by how much. A regular format doesn't do such things. 

Share this post


Link to post
Share on other sites
bikeman25    64

Secure Erasing of SSD was done thru Western Digital SSD Dashboard bootable usb, unknown if it wrote zeros or not, since Monitor went black during the process, the drive was in frozen locked state, PC went into suspend mode, 20 seconds later, woke it back up, and then had no monitor picture, so no idea what it actually did after I pressed enter (as a guess to continue), then plugged in Windows 10 Pro 64bit USB drive, and did the install.   

 

SSD dashboard shows 99 percent for life remaining, same as before as of right now

 

 

Share this post


Link to post
Share on other sites
JustGeorge    1,658
20 minutes ago, adrynalyne said:

I don't get an error, nor does it show any encrypted files on my drive. I do have them, but I'm not using efs for it. 

Whats the hash of your cipher.exe?

 

Just tested on my PC @ work. Same result as the other 3 I've tried.

Share this post


Link to post
Share on other sites
+DonC    621

I'm getting:

 

cipher.thumb.png.2731caa8eb61d989039bb67c5d41303f.png

 

The first time I ran the cipher command, I got the error message but not the second time.

 

(SHA256 hash included)

 

Edit: This is on Windows 10 Home.

Share this post


Link to post
Share on other sites
JustGeorge    1,658

Untitled.thumb.png.1f0cccea9f32751793d88ccab02d92d9.png

 

 

Edited by slamfire92

Share this post


Link to post
Share on other sites
+DonC    621
1 minute ago, slamfire92 said:

Here's mine:

PS-hash.png

Here's mine:

Oh wait, this machine isn't on the Creators Update since it's about to go in for repair and it's likely the drive will be reset to a factory image. (My version string starts with 10.0.14)

Share this post


Link to post
Share on other sites
adrynalyne    12,427
40 minutes ago, slamfire92 said:

Whats the hash of your cipher.exe?

 

Just tested on my PC @ work. Same result as the other 3 I've tried.

I'm not at home to see. I'll post it later. 

Share this post


Link to post
Share on other sites
adrynalyne    12,427
4 hours ago, slamfire92 said:

Untitled.thumb.png.1f0cccea9f32751793d88ccab02d92d9.png

 

 

 

Capture3.PNG

Share this post


Link to post
Share on other sites
JustGeorge    1,658

Well they match, so its not that.

 

 

 

 

 

Share this post


Link to post
Share on other sites
bikeman25    64

Well System running perfectly fine now,  Getting System Image done in a moment here, Perhaps i got something when i was testing myself using Defender for Antivirus protection or left over infection from previous one,  plan on checking all flash drives with secondary system later on before connecting to this one.

 

Thank you everyone for the replies and help in this matter so appreciate it

 

Really thought i was a safe surfer, not sure if previous issue was indeed infection or something accidently encrypted, but anyhow everything is working fine now, so relieved in that matter

 

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.