EFSDump: What it is, what it's for, and how to use this Sysinternals tool in depth.

Last update: 06/06/2025
Author: Isaac
  • EFSDump lets you audit access to EFS-encrypted files easily from the command line.
  • It is a lightweight, straightforward tool that is compatible with modern versions of Windows, ideal for professionals who manage security in NTFS environments.
  • It integrates powerful options for reviewing user permissions and recovery agents linked to protected files.

Worried about who can actually access your encrypted files in Windows? If you've ever managed NTFS-based systems or wondered how to make sure your sensitive data isn't exposed to unauthorized users, you've probably heard of the Encrypting File System (EFS), one of the most powerful but least transparent features of Windows. However, figuring out which users have the privilege to read encrypted files can be a real headache if you're limited to the conventional graphical tools. This is where EFSDump comes in: a utility from the Sysinternals suite that simplifies auditing the permissions on protected files.

In this article, I'll explain in detail what EFSDump is, what it's used for, how it works internally, and when it can save your life in system administration. Whether you're an IT professional dedicated to security or simply an advanced user who wants to understand every detail of EFS access control, here's the most comprehensive and practical guide in Spanish, integrating all the relevant information from technical sources and providing clear, structured advice. Get ready to master this tool and take real control of your data protection in Windows.

What is EFSDump and what is it used for?

EFSDump is a small command-line utility developed by Sysinternals, now part of Microsoft, created with a very simple objective: to display, immediately and automatically, the list of accounts (users and recovery agents) that can access EFS-encrypted files on NTFS volumes. Before EFSDump existed, if you wanted to audit EFS permissions on many files or directories, you had to go through Windows Explorer and open each file's advanced properties one by one: a manual, tedious, and extremely error-prone process when dealing with large volumes of data.


With EFSDump you can do this quickly and in bulk directly from the console, filtering by name or extension, or even applying wildcard characters to paths. It's essentially a precise and straightforward solution for any encrypted-file access review or auditing task in corporate or personal environments.

You can download it from the official Microsoft Sysinternals portal; it's free and the download is less than 200 KB.

Context: EFS in Windows and its problems

Starting with Windows 2000, NTFS has included the Encrypting File System (EFS), which lets users protect sensitive information from prying eyes. The inner workings of EFS are quite meticulous: each encrypted file carries in its header what we could call "secret fields" (DDF and DRF). The DDF hold the file encryption key (FEK) protected with public-key cryptography for each authorized user, and the DRF are the recovery fields associated with the recovery agents designated by company policy.

That means there may be more than one user and more than one agent with effective access to each encrypted file. It's not enough for a file to show up in green in Explorer or for you to be its owner: through mistake or carelessness, an administrator may unknowingly grant access to other users or services. This is where EFSDump becomes the ideal ally, because it lets you quickly list all the effective permissions associated with each encrypted file.

What information does EFSDump provide?

When you run EFSDump on a file or a set of files, you get a clear list of all the users, service accounts, and recovery agents associated with the encryption of that file. Internally, the utility extracts this data with the specific API QueryUsersOnEncryptedFile, which is what actually "reads between the lines" of the EFS metadata in the NTFS header to find out who can decrypt the content.

Therefore, the tool presents you with information such as:

  • Users with direct access to the encrypted file (those who originally encrypted it or those who have been granted additional access)
  • Predefined recovery agents (configured in local security policy or by the system administrator)
  • Identity of each account (name and, where relevant, the security identifier or SID)

This allows both system administrators and advanced users to detect misconfigurations, unwanted access, or potential vulnerabilities before it's too late.

Main features of EFSDump

  • Lightweight and portable: No installation required, just download and run directly from the console.
  • Compatible with modern versions of Windows: It can be used from Windows Vista and Server 2008 onwards.
  • Allows you to scan entire directories recursively: Thanks to its -s parameter, you can audit entire folder and subfolder structures without repeating commands.
  • Wildcard support: Makes it easy to select files by extension (e.g. all encrypted .docx files in a folder).
  • Clean and easily interpretable output: Displays accounts, SIDs, and recovery agents in an orderly manner for audit or reporting purposes.
  • Silent mode: The -q parameter suppresses error messages or warnings, useful for integrating EFSDump into automated scripts.

EFSDump Syntax and Parameters

Using EFSDump is fairly straightforward, but like any console tool, it's important to master its syntax to get the most out of it.

General format of the command:

efsdump [-s] [-q] <file or directory>
  • -s: Tells EFSDump to process all files in subdirectories recursively.
  • -q: Suppresses error printing (silent mode), ideal for large scripted runs or when we don't want the console filled with repetitive messages.
  • <file or directory>: You can specify the name of a specific file, a folder (to audit all files within it), or a pattern with wildcards.

Practical examples:

  • To list the users who can access all encrypted .docx files in your documents folder:
    efsdump C:\Users\MiUsuario\Documents\*.docx
  • To audit an entire folder and its subfolders:
    efsdump -s C:\DataCifrada
  • To run the command without error messages, ideal for scripting:
    efsdump -q -s C:\CarpetaSegura

Internal operation and NTFS structures

EFSDump works directly on files stored on NTFS partitions, taking advantage of the internal fields in the header of each encrypted file.

In NTFS, each EFS-protected file incorporates two key structures:

  • DDF (Data Decryption Fields): They store the file encryption key (FEK), encrypted with each authorized user's public key. This is the real list of accounts that can access the content directly, without any system key.
  • DRF (Data Recovery Fields): They also hold the encrypted FEK, but this time encrypted with the public key of the recovery agents, i.e., accounts designated by the administrator for emergencies or data recovery.
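As an added example (not code from this article or from Sysinternals), the following PowerShell script wraps the efsdump -s -q invocation shown in the practical examples above and parses its output into the DDF and DRF entries just described, reporting any DDF account that is not on an allow-list. The output layout it expects (an unindented "path:" line, then "DDF Entry:" / "DRF Entry:" blocks whose first indented line names the account), the efsdump.exe location, the account names and the sample text are all assumptions; compare them with the output of your own copy of the tool before relying on the parser.

```powershell
# Added example, not part of the article or of Sysinternals: audit EFS access with EFSDump
# from PowerShell and flag DDF accounts that are not on an allow-list.
# Assumptions: efsdump.exe is reachable via $EfsDumpPath, and its output uses the
# "path:" / "DDF Entry:" / "DRF Entry:" layout reproduced in the constructed sample below.

function ConvertFrom-EfsDumpOutput {
    # Turns EFSDump's text output into one object per file with DDF and DRF account lists.
    param([string[]]$Lines)

    $files   = @()
    $current = $null
    $section = $null

    foreach ($line in $Lines) {
        if ($line -match '^(?<path>[A-Za-z]:\\.*):\s*$') {
            # An unindented "<drive>:\...:" line starts a new file block (UNC paths are not handled)
            if ($current) { $files += $current }
            $current = [pscustomobject]@{ Path = $Matches.path; DDF = @(); DRF = @() }
            $section = $null
        }
        elseif ($line -match '^DDF Entry:') { $section = 'DDF' }   # accounts that can decrypt
        elseif ($line -match '^DRF Entry:') { $section = 'DRF' }   # recovery agents
        elseif ($current -and $section -and $line -match '^\s+(?<acct>\S.*?):\s*$') {
            # The first indented line of an entry names the account (DOMAIN\user or "Unknown user")
            $current.$section += $Matches.acct
        }
    }
    if ($current) { $files += $current }
    return $files
}

function Select-UnexpectedEfsAccess {
    # Builds a report row per file; Unexpected lists DDF accounts missing from the allow-list.
    param([object[]]$Entries, [string[]]$AllowedAccounts)

    foreach ($f in $Entries) {
        $unexpected = @($f.DDF | Where-Object { $AllowedAccounts -notcontains $_ })
        [pscustomobject]@{
            Path           = $f.Path
            Users          = ($f.DDF -join ', ')
            RecoveryAgents = ($f.DRF -join ', ')
            Unexpected     = ($unexpected -join ', ')
        }
    }
}

function Find-UnexpectedEfsAccess {
    # Runs EFSDump with -s (recurse subdirectories) and -q (suppress errors) over a tree.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$AllowedAccounts,
        [string]$EfsDumpPath = 'efsdump.exe'   # assumed location; point it at your unzipped copy
    )
    $raw = & $EfsDumpPath -s -q $Path 2>$null
    Select-UnexpectedEfsAccess -Entries (ConvertFrom-EfsDumpOutput $raw) -AllowedAccounts $AllowedAccounts
}

# Constructed sample output (not captured from a real system) so the parser can be tried offline.
$sample = @'
C:\DataCifrada\budget.xlsx:
DDF Entry:
    CORP\alice:
    alice(alice@CORP)
DDF Entry:
    CORP\svc-backup:
    svc-backup(svc-backup@CORP)
DRF Entry:
    Unknown user:
    OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
C:\DataCifrada\notes.txt:
DDF Entry:
    CORP\alice:
    alice(alice@CORP)
'@ -split "`r?`n"

Select-UnexpectedEfsAccess -Entries (ConvertFrom-EfsDumpOutput $sample) -AllowedAccounts 'CORP\alice' |
    Format-Table -AutoSize

# Against a real tree (requires efsdump.exe and read access to the files):
# Find-UnexpectedEfsAccess -Path 'C:\DataCifrada' -AllowedAccounts 'CORP\alice','CORP\bob'
```

In the constructed sample, CORP\svc-backup is the one DDF account outside the allow-list, which is exactly the kind of quietly added access the article warns about; the DRF column is reported separately so that recovery agents set by policy are visible but are not counted as unexpected users.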

EFSDump Compatibility and Requirements

The tool was created by Mark Russinovich, one of the most well-known Windows developers in the world and founder of Sysinternals. Although originally designed for Windows 2000, the utility remains perfectly valid in much newer environments:

  • Clients: Works on Windows Vista and later, including current versions like Windows 10 and 11.
  • Servers: It is compatible with Windows Server 2008 and higher.

It doesn't require installation, doesn't modify the registry, and doesn't leave any traces on the system: just unzip the executable and open a command window with read permissions for the files you want to audit. To understand other analysis tools, you can also review How to use Windbg.
