indexing and encrypted folders


Chris Erskine

Help!

I am running Windows 2000 and have recently encrypted my folders.
However indexing will not index those files which are encrypted,
whether or not the catalog is stored in an encrypted folder.

Is there any way to get indexing to work with encrypted folders?

Thanks, Chris
 
The indexing service is not running as one of the accounts that's a user or
recovery agent on the files. By default it runs as local system. Running
it as your account *should* work (meaning I was the EFS tester and I never
tested this configuration) as long as the account's user profile is loaded
on service start. If it works, it would allow any user who uses the
indexing service to read the encrypted files, though.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Thanks. However this caused a problem...

I changed the 'Indexing Service' property 'Log On as' from 'Local System' to
my logon profile, and then Administrator. What happened each time I
started the Indexing service was that cisvc.exe took 99% of CPU continuously
over several hours until I rebooted. Attempting to Stop the service left it
at 'Stopping', but it did not stop. Neither did attempting to end the job
via Task Manager stop the task. Attempts to use the indexing service whilst
it was running resulted in an 'Error 80041820 - Service is not running'
message (confirmation of this was given by no data alongside each catalog).

I tried this on systems running both Win2000 and Win2000 Server with the same
results. It looks like cisvc.exe does not like being run under a non
Local-System profile.

Any suggestions?

Chris


 
Ouch! (Like I said - I never tested that. Sorry.)

You were able to get the service back up and running as system again, I
hope?

You could add system as a user on all of the encrypted files. This sucks
for several reasons:
- Anyone who gets physical access to your machine could use well-known hacks
to become system, thus access all of the files. Defeats the purpose of EFS.
- We don't ship a scriptable tool to add users to files. If you code, you
can check out the AddUsersToEncryptedFile API.
- Even if we did have a tool to bulk-add users to files, we don't have a way
to keep them up to date on newly-created files. The only good approach
would be to use the change journal, but even then it gets really complicated
to get everything right.

You could create a recovery keypair ("cipher /r") and make system the
recovery agent. This sucks, too, because again anyone with physical access
to your machine could read all of your files.

Other than that, I'm stumped.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


 
It's OK. When I restored the 'Local System' as the Log On user for the
Indexing Service, all went back to normal again (On both systems).

Because I am soon to be taking my laptop out on the road with me I will
stick with the EFS the way it is, and make do without the Indexing Service,
even though I have become used to heavily relying on it to locate documents.

Is there any chance that the fix for this will be issued in the next Service
Pack, and when might this be?

Chris



 
Btw, I also tried the same thing out on Windows XP, latest Service Pack and
Windows Updates, exactly the same results with cisvc.exe hanging when 'Log
On as' changed from 'Local System'.

Chris
 
I doubt that would meet the bar for a service pack fix, but I'm sure our
lawyers wouldn't want me to speculate.

I let the current EFS team know about the problem.

I also thought of something else - if you don't mind using syskey in offline
(password or floppy) mode, you could safely let system be the DRA. Offline
syskey is kind of a burden so most folks don't use it - and it completely
slipped my mind earlier. Here's a link in case you're interested:
http://support.microsoft.com/default.aspx?kbid=310105
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


 
Thanks, I'll look into this. Sorry, what is DRA, can't find a reference to
it? Would using syskey in offline mode prevent a thief of my laptop from
reinstalling windows (or mounting the drive as a 2nd hard disk), and viewing
the contents of my data files and documents?

Chris


 
Data Recovery Agent. Sorry about the TLA (Three Letter Acronym).

Syskey is not needed to protect against that attack. EFS would already
prevent someone mounting the drive in one of those ways.

Here's the attack that makes syskey a requirement for stuff encrypted as
local system:
Bad guy gets your machine. Through some means (boot another OS) the bad guy
deletes/edits your SAM (slightly different, but I'm not going to get into
all the details here). Bad guy boots back into your OS and can run as
administrator. An administrator can run as the local system and decrypt
those files.
Syskey protects LSA secrets (geeky stuff omitted). Ultimately (more geeky
detailed stuff omitted) for files encrypted as local system, getting the LSA
secret is enough to decrypt the files. You want to use it in password or
floppy mode.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
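
Added example, not part of the thread and not Microsoft's code: the replies above name the AddUsersToEncryptedFile API and warn against giving Local System a key on the files. The query calls from the same API family can audit a file for that condition by listing every user and recovery agent that holds a key and flagging the Local System SID. The names `efsaudit`, `report` and `is_local_system` are hypothetical, and the check assumes the key entry carries a SID (entries without one are printed but not flagged).

```c
/* Build on Windows with MSVC: cl efsaudit.c advapi32.lib */
#include <stdio.h>
#include <string.h>

#define LOCAL_SYSTEM_SID "S-1-5-18"   /* well-known SID of Local System */

/* Returns 1 when the string SID is Local System, otherwise 0. */
int is_local_system(const char *sid)
{
    return sid != NULL && strcmp(sid, LOCAL_SYSTEM_SID) == 0;
}

#ifdef _WIN32
#include <windows.h>   /* declares QueryUsersOnEncryptedFile and friends */
#include <sddl.h>      /* ConvertSidToStringSidA */

/* Print every key holder in one list; return how many are Local System. */
static int report(const char *kind, PENCRYPTION_CERTIFICATE_HASH_LIST list)
{
    int flagged = 0;
    for (DWORD i = 0; i < list->nCert_Hash; i++) {
        PENCRYPTION_CERTIFICATE_HASH h = list->pUsers[i];
        char *sid = NULL;
        if (h->pUserSid == NULL || !ConvertSidToStringSidA(h->pUserSid, &sid))
            sid = NULL;                      /* entry has no usable SID */
        int bad = is_local_system(sid);
        printf("%-14s %-12s %ls%s\n", kind, sid ? sid : "(no SID)",
               h->lpDisplayInformation ? h->lpDisplayInformation : L"",
               bad ? "  <-- key held by Local System" : "");
        flagged += bad;
        if (sid != NULL)
            LocalFree(sid);
    }
    return flagged;
}

int wmain(int argc, wchar_t **argv)
{
    PENCRYPTION_CERTIFICATE_HASH_LIST users = NULL, agents = NULL;
    int flagged = 0;
    if (argc != 2) {
        fprintf(stderr, "usage: efsaudit <encrypted-file>\n");
        return 2;
    }
    if (QueryUsersOnEncryptedFile(argv[1], &users) == ERROR_SUCCESS) {
        flagged += report("user", users);
        FreeEncryptionCertificateHashList(users);
    }
    if (QueryRecoveryAgentsOnEncryptedFile(argv[1], &agents) == ERROR_SUCCESS) {
        flagged += report("recovery agent", agents);
        FreeEncryptionCertificateHashList(agents);
    }
    return flagged ? 1 : 0;   /* non-zero exit: Local System can decrypt */
}
#else
int main(void)
{
    puts("EFS is Windows-only; build this with a Windows toolchain.");
    return 0;
}
#endif
```

A non-zero exit on any file means the offline syskey requirement described above applies to that file.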

