Get-ItemProperty to inspect file attributes and encryption in Windows

If you work with Windows y PowerShell, sooner or later you will need to inspect the attributes of encrypted files and folders, whether by native EFS Encryption, by files protected via CMS or by the behavior of OneDrive Files On-Demand which adds special flags to the file system. In all of these scenarios, Get-ItemProperty It is the wrench that allows you to read properties accurately and, in addition, move freely through the Registry and other warehouses thanks to the PowerShell providers.

In this guide I explain, with real examples and several techniques, how consult, interpret and diagnose attributes (including cloud-specific ones), how to list and read registry values ​​with the same cmdlet, how to avoid pitfalls when executing remotely, and how to complement file encryption with the CMS ecosystem to encrypt/decrypt content. All of this, commands ready to copy and paste, and good practices so you don't leave anything behind.

What is Get-ItemProperty and why is it key for attributes and registration?

The cmdlet Get-ItemProperty obtains properties of the elements that suppliers expose PowerShell. This includes files and folders (FileSystem), but also keys and values ​​in the Register, certificates, environment variables, aliases, etc. In the case of the file system, we are especially interested in the ownership Attributes, which encapsulates the flags of the file or directory, including Encrypted (EFS) and indicators of OneDrive , the Pinned, Unpinned o RecallOnDataAccess.

The most used syntax is direct: Get-ItemProperty. You can filter by property name with -Name, pass literal paths with -LiteralPath and use -Filter, -Include y -Exclude when the provider supports it (FileSystem does). Also, CommonParameters such as -Verbose, -ErrorAction or -OutVariable are available to improve diagnostics while inspecting sensitive attributes.

Essential Syntax and Parameters (with focus on FileSystem and Registry)

To work comfortably it is convenient to have at hand the supported syntax by the cmdlet, both with regular paths and with literal paths where you don't want wildcard interpretation:

Syntax example A:
Get-ItemProperty <String[]> <String[]>] >] >]

Syntax example B:
Get-ItemProperty <String[]>] -LiteralPath <String[]> >] >]

The most useful parameters for our purpose are -Path y -Name (to select specific properties), -LiteralPath (prevents wildcards from being interpreted), selectors -Include y -Exclude (they operate on the content when you include wildcards, for example C:\Windows\*), and the -Filter from the FileSystem provider which is more efficient at the engine level than filtering later in PowerShell.

A practical note: -Credential It exists, but its usefulness with local FileSystems is limited; it makes sense on remote providers or when you mount PSDrides with credentials. And don't forget that the cmdlet accepts Registry paths type HKLM:\ y Registry::, which allows you to work with keys and values ​​as if they were files, which makes auditing much easier.

Quick examples to warm up

Let's look at some simple examples that lay the groundwork before we dive into EFS and OneDrive:

Inspect a specific directory and see all its available properties (Attributes included):
Get-ItemProperty C:\Windows

List all the properties of a specific file in list format, useful when you want to see if it appears Encrypted or cloud flags:
Get-ItemProperty C:\Test\Weather.xls | Format-List

Registry: Read the ProgramFilesDir value in CurrentVersion, useful when automating inventory:
Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion -Name 'ProgramFilesDir'

Log: list all entries under PowerShellEngine to see value names and data:
Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine

Correctly interpreting attributes: EFS, OneDrive, and other flags

Field Attributes is a flags enum of .NET () which can be returned as text ("Hidden, ReadOnly, …") or as whole number when you query it in certain contexts (e.g. some OneDrive paths with Get-ItemProperty). To avoid getting lost, it's best to explicitly cast the value to an enumeration and check individual flags.

Check if a file is encrypted with EFS (FILE_ATTRIBUTE_ENCRYPTED = 0x4000 = 16384):
$it = Get-ItemProperty -Path 'C:\ruta\fichero.ext';
$attr = $it.Attributes;
$esEfs = $attr.HasFlag(::Encrypted);
$esEfs

Convert numberIf you prefer to see the translation of a "raw" number (e.g., those returned by OneDrive), you can do the following to get the flag names:
::ToObject(, 525328)

With OneDrive Files On-Demand There are confusing combinations that include several "cloud" flags in addition to the classic ones (Directory, Archive, RepairPoint, Offline, etc.). For example, values ​​seen in real-life scenarios:

• 525328 (folder): corresponds to Directory (0x10) + ReparsePoint (0x400) + Pinned (0x80000). This usually means "always available on this device."
• 5248544 (file): decomposes as ReparsePoint (0x400) + Offline (0x1000) + SparseFile (0x200) + Archive (0x20) + Unpinned (0x100000) + RecallOnDataAccess (0x400000). This matches “available online” (cloud only).

To validate your decompositions with PowerShell, use individual flag checks against the original number, so you see exactly which bits are active:
$n = 5248544
$fa =
@('Directory','Archive','Hidden','System','ReadOnly','Compressed','Encrypted','Offline','ReparsePoint','SparseFile','Temporary','Pinned','Unpinned','RecallOnOpen','RecallOnDataAccess') |
ForEach-Object {
$flag = ::Parse($fa, $_)
'{0,-18} : {1}' -f $_, ((($n) -band $flag))
}

If all you are interested in is distinguishing EFS encryption As a OneDrive placeholder, focus on these key flags: Encrypted (SAI), Pinned, Unpinned, RecallOnOpen, RecallOnDataAccess, Offline y RepairPoint. This way you can differentiate a file that is protected locally by EFS from one that only exists as stub on the cloud.

Answering common questions about OneDrive attributes and how to explore them

Quick FAQ: Numbers like 525328 and 5248544 are the three most frequently asked questions. Here are the practical answers for your everyday life:

1) What does 525328 mean in a OneDrive folder? It is the sum of Directory (0x10) + RepairPoint (0x400) + Pinned (0x80000). In practice, it indicates that it is a OneDrive folder linked to the cloud provider (reparse point) and marked as "Always available" local.

2) What other values ​​can I find and how can I explore them? You will see combinations with Unpinned (0x100000), RecallOnOpen (0x40000), RecallOnDataAccess (0x400000), Offline (0x1000), in addition to the classic ones Archive, Hidden, System, etc. To decode them:

- Use ::ToObject() to translate numbers into flag names.

– Or validate bit by bit with -band / HasFlag() as in the example above.

– If you prefer to view text directly for local files, get-item returns the already “resolved” Attributes property: (Get-Item 'C:\ruta\fichero').Attributes.

3) Are there more file attributes besides OneDrive? Yes: Encrypted (SAI), Compressed, ReadOnly, Hidden, System, Archive, Temporary, NotContentIndexed, IntegrityStream, NoScrubData, etc. In PowerShell you can explore them all enumerating the class:
::GetNames()

Check and set EFS encryption from PowerShell

To check if a file is protected with EFSYou've already seen the check with the Encrypted flag. If you need to set encryption quickly, you can use the classic cipher.exe or use the Attributes property itself:

Enable EFS with command line:
cipher /E "C:\ruta\fichero.ext"

PowerShell (adding the Encrypted flag):
$i = Get-Item 'C:\ruta\fichero.ext'
$i.Attributes = $i.Attributes -bor ::Encrypted

If you want to disable EFS, just remove the flag with -band -bxor or use cipher /D, giving you fine-grained control without leaving PowerShell and keeping automations consistent with Get-ItemProperty.

Working with the Registry: enumeration, specific reading, and navigation

The Registry in PowerShell is treated as just another store thanks to the provider registry. The value entries are We take care of your rental property in Valencia. of each key, so to see them in a better format the ideal is to use Get-ItemPropertyA typical flow would be:

View entry names (property "Property") of a key:
Get-Item -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion | Select-Object -ExpandProperty Property

View entries with names and data (readable format):
Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

You can navigate with Set-Location and use . for the current location, just like in the file system:
Set-Location -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion
Get-ItemProperty -Path .

Typical spot readings with -Name for specific values:
Get-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion -Name DevicePath

To write or create values ​​you have the sibling cmdlets: Set-ItemProperty, New-ItemProperty, Rename-ItemProperty y Remove-ItemProperty, with support for types like String, ExpandString, Binary, dword, MultiString o QWord According to RegistryValueKind.

Caution with remote execution: the case of MachineGuid

There is a curious peculiarity with Invoke-Command and the Registry provider: if you run Get-Item about HKLM:\Software\Microsoft\Cryptography\ remotely, the value may be MachineGuid that you see is that of your local team even if the PSComputerName show the remote machine. This seems to be related to the serialization of the object returned by the supplier.

To avoid erroneous readings, force a flat output or query the values ​​with Get-ItemProperty. These two variants return the Correct MachineGuid from the remote team:
Invoke-Command -ComputerName 'PC1' -ScriptBlock { Get-Item 'HKLM:\Software\Microsoft\Cryptography\' | Out-String }
Invoke-Command -ComputerName 'PC1' -ScriptBlock { Get-ItemProperty 'HKLM:\Software\Microsoft\Cryptography\' -Name 'MachineGuid' }

When your audit depends on critical Log values, it is better validate with Get-ItemProperty or serialize to string before bringing the response back to the local session, thus avoiding confusing results.

PowerShell and PSDrive Providers: The Roadmap to Everything

PowerShell providers are .NET components that expose data warehouses as if they were units (PSDrives). Thanks to them, cmdlets like Get-Item, Get-ChildItem, Get-ItemProperty, or Set-Location work the same in FileSystem, Registry, Environment, Certificate, Variable, Function, Alias o WSMan. You can list suppliers with Get-PSProvider and view active PSDrives with Get-PSDrive.

Some universal cmdlets you'll use endlessly with providers are: Get-Location (gl), Set-Location (cd), Copy-Item (cpi), Get-Item (gi), Set-Item (if), Get-ChildItem (dir/ls), as well as the whole family ItemProperty for the Registry. Remember: providers share the same verbs, so same muscle, different storage.

Some short examples to help you move with ease:

• Alias: Set-Location Alias: y Get-ChildItem to list aliases; filter by name with -Name R* o Where-Object.
• Environment: Set-Location Env: y Get-ChildItem to see variables; create a new one with New-Item -Path . -Name MiVariable -Value 'texto'.
• registry: Set-Location HKLM:\Software, Get-ChildItem for keys, Get-ItemProperty for data; create/delete with ItemProperty cmdlets.

Use cases combining Get-ItemProperty with system auditing

When you take inventory or diagnosis, Get-ItemProperty It appears in countless recipes. For example, to list installed applications consulting the uninstallation keys:
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
Sort-Object InstallDate

Or to see the history of in-place updates from Windows from the Registry:
Get-ItemProperty -Path 'HKLM:\SYSTEM\Setup\Source OS*' |
Select-Object PSChildName, ProductName, ReleaseId, DisplayVersion, CurrentBuild

In other areas of the system, you can complement your audit with well-known cmdlets and utilities (not all of which use Get-ItemProperty, but they can be integrated into your scripts): Get-Hotfix, Get-WindowsUpdateLog, ipconfig / all, powercfg (energy, sleepstudy, waketimers), Get-CimInstance for devices, monitors or volumes, or Get-NetAdapterAdvancedProperty for the network. The idea is that, with the providers and the Registry under control, you compose a robust evidence collector and you know the artifacts in Windows.

In other areas of the system, you can complement your audit with well-known cmdlets and utilities (not all of which use Get-ItemProperty, but they can be integrated into your scripts): Get-Hotfix, Get-WindowsUpdateLog, ipconfig / all, powercfg (energy, sleepstudy, waketimers), Get-CimInstance for devices, monitors or volumes, or Get-NetAdapterAdvancedProperty for the network. The idea is that, with the providers and the Registry under control, you compose a robust evidence collector.

In other areas of the system, you can complement your audit with well-known cmdlets and utilities (not all of which use Get-ItemProperty, but they can be integrated into your scripts): Get-Hotfix, Get-WindowsUpdateLog, ipconfig / all, powercfg (energy, sleepstudy, waketimers), Get-CimInstance for devices, monitors or volumes, or Get-NetAdapterAdvancedProperty for the network. The idea is that, with the providers and the Registry under control, you compose a robust evidence collector.

Encrypting and decrypting data with CMS: ideal complement to the Encrypted attribute

Attribute Encrypted (EFS) protects at the file system level. When you need encrypt content Portable for sharing with third parties, PowerShell CMS cmdlets are your ally: Protect-CmsMessage (code), Unprotect-CmsMessage (decipher) and Get-CmsMessage (inspect metadata).

Quick creation of a encryption certificate from an INF (set the Subject to your identity), request with certreq and verification in the user's warehouse:
certreq.exe -new DocumentEncryption.inf DocumentEncryption.cer
Get-ChildItem -Path Cert:\CurrentUser\My -DocumentEncryptionCert

With the certificate ready, you can encrypt a text file and then verify/decrypt:

$Text = 'Texto secreto que quiero proteger';
Protect-CmsMessage -To 'cn=tu@dominio.local' -Content $Text -OutFile MiTextoCifrado.txt
Get-CmsMessage -Path .\MiTextoCifrado.txt | Unprotect-CmsMessage -To 'cn=tu@dominio.local'

This combination allows you to cover both the attribute Encrypted (EFS) on disk as the message encryption for secure exchange, and all of this visible/manageable with the same principles that you already manage with Get-ItemProperty.

Tricks and formats to present information clearly

When inspecting attributes, presentation matters. To view readable lists, use Format-List (FL) and Format Table (FT); if you work with long routes or many properties, Out-String sometimes avoids surprises with providers like the Registry:

Full list format from a file:
Get-ItemProperty 'C:\ruta\fichero.ext' | Format-List *

Textual output (useful remotely with Invoke-Command):
Get-Item 'HKLM:\Software\Microsoft\Cryptography\' | Out-String

To export your findings to CSV (inventory, audit), select only what is relevant and save with Export-Csv, which facilitates future comparisons and third-party reviews of your equipment:

Get-ChildItem 'C:\Users\tu\OneDrive' -Recurse -File |
Select-Object FullName, @{n='AttrNum';e={(Get-ItemProperty $_.FullName).Attributes}}, @{n='Attributes';e={(Get-Item $_.FullName).Attributes}} |
Export-Csv C:\Temp\oneDrive_attrs.csv -NoTypeInformation -Encoding UTF8

Good practices and final notes to avoid stumbling

• Difference between EFS and cloud: Just because a file isn't "always available" doesn't mean it's encrypted. Explicitly look for the flag. Encrypted when your goal is EFS.
• Use LiteralPath if there are rare characters in paths to prevent them from being interpreted as wildcards, especially in Registry and UNC paths.
• FileSystem Provider supports filters: Use this for efficiency when scanning large directory trees.
• Invoke-Command: If you read the Remote Registry, choose Get-ItemProperty or serialize to text with Out-String to avoid mismatches (MachineGuid case).

With this arsenal you will know at all times if an element is EFS encryption, if it is a OneDrive placeholder, how to decode seemingly cryptic attribute numbers, and how to lean on the PowerShell providers to explore the Registry and other repository resources seamlessly. All with reproducible examples and commands you can integrate into your inventory, audit, or security scripts without breaking your current workflows.