How to encrypt Windows 8 Professional Search index files using the built-in Encrypting File System (EFS)

Posted by Paul Braren on Jun 11 2013 in
  • HowTo
  • Productivity
  • Windows

Why would you want to encrypt the directory where Windows 8 keeps its big honkin' Windows.edb file and index files? That directory is where the very handy "Windows Search" function keeps its stuff. And after searching around for a bit on Google, I noticed there's little information about whether Windows properly protects (or even obfuscates) the data inside those files, with nothing definitive out there convincing me that all the issues discussed in this 2009 thesis have been addressed. But if you have Windows 8 Pro or Windows 8 Enterprise, you also have the EFS (Encrypting File System) capability built in. So why not use it? Especially if:

    • you're considering using the Windows Search "Index encrypted files" option.
    • you're considering using 3rd party Windows Search add-ons that could also add sensitive data to those indices.
    • you don't have whole drive encryption, such as BitLocker or TrueCrypt, turned on, perhaps because of possible SSD/TRIM issues with encryption, a desire to allow data de-dupe in backups, etc.
    • you've read through this Microsoft TechNet article, and are still convinced you wish to proceed.

    This is an intermediate skill-level exercise, intended for home-lab environments. This is not something you should consider on a corporate-issued system, which may already have whole disk encryption and power-on passwords set.

    Setting up EFS for Indices requires admin rights to your Windows 8 operating system. This tip by John Savill at Windows IT Pro was the key to getting this all working.

    I'm not claiming that this encryption is absolutely necessary, or that EFS is better than BitLocker. It's not. I wouldn't even say that this procedure is even advisable for most users. I'm merely saying this quick method of turning EFS on that I developed seems to be working well for those normally tricky/untouchable index files. It doesn't seem to slow anything down noticeably, on my admittedly fast SSD based systems, or on my test VMs. And there seems to be no evidence of any side effects on Windows itself, with nary a scary error anywhere. No goofy entries littering the Event Log, for example. So that's why I'm comfortable sharing this procedure.

    Note that this is an entirely at-your-own-risk endeavor, with no certainty that Microsoft or I can possibly provide you with any support. Also note that backing up all your data first is entirely your responsibility! Ok, enough already, let's get started.

    Step-by-step guide, with a video walk through at the end.

    1) Download PsExec

    Download PsExec by Mark Russinovich, from Sysinternals, and extract it to C:\Tools
    technet.microsoft.com/en-us/sysinternals/bb897553

    2) Use PsExec to Run as the Local System Context in Windows 8

    a) press 'Win+X' then select 'Command Prompt (Admin)'

    b) type (or paste in) the following command (this launches a second Command Prompt window running as the Local System account)

    C:\Tools\psexec -sid cmd.exe

    c) close the window opened in step a, leaving just the window opened in step b

    d) single-click upper-left corner of the window, choose 'Properties'

    Screenshot: single-click upper-left corner of 'cmd.exe' window, choose 'Properties'

    e) change 'Screen Buffer Size' to Height 999, click 'OK' button

    Screenshot: change 'Screen Buffer Size' to Height 999, click 'OK' button

    3) Temporarily stop the "Windows Search" service

    At the command line opened in Step 2 above, type the following command

    net stop WSearch

    In a few seconds, Windows may restart this service on its own. So please proceed to Step 4 promptly.

    4) Use Windows 8's built-in EFS (Encrypting File System) functionality to encrypt the folder that contains the indexing files

    cd \ProgramData\Microsoft\Search\Data\Applications

    CIPHER /E /S:Windows

    Scroll back through the small command window to be sure there were no 'file in use' [ERR] lines in cipher's output. If there were, just repeat steps 3 and 4 until every file reports [OK]; using the up arrow key to recall commands from your history makes this easier.

    Note that cipher encrypts to the EFS certificate of the account running it. Here that is the Local System account, which is also the account the Windows Search service runs as, so the service can keep opening its index after it restarts. Your own user account will not be able to read these files (unless it has been set up as an EFS recovery agent), which is fine for this folder, since only the service needs them.

    Screenshot: scroll back up to verify no files were skipped

    5) Start the Windows Search service

    Just type

    net start WSearch

    and press Enter; after a few seconds it should complete without any errors.

    Screenshot: net start WSearch

    6) Overwrite all empty space on this volume

    If you're extremely patient and want to be thorough about ensuring that deleted temp files, which could contain partially obfuscated index text, are really overwritten, you can run the CIPHER free-space wipe. Note that /W overwrites all unused space on the volume that holds the named directory, not just that directory, and leaves existing files alone, so it can take a long time on a large drive.

    CIPHER /W:Windows

    7) Verify it's all working (optional)

    On Windows 8, press Win+R, paste in the following line then hit 'Enter'

    C:\ProgramData\Microsoft\Search\Data\Applications

    and you should see a green folder named 'Windows', indicating it has been EFS encrypted (Explorer shows encrypted NTFS files and folders in green by default). Double-click that folder, and you'll see the files within are also green, and you'll be able to see the size of that Windows.edb index file. You can also press Win+W, type Index and hit Enter to open Indexing Options and check the status of your Windows Search.
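    For anyone who would rather script steps 3 through 7 than eyeball a scroll-back, here is the same procedure as an added PowerShell example. It is not from the original post, nor from Microsoft or Sysinternals. It assumes the default index location under %ProgramData% and that you launch it from the admin prompt of step 2 in the Local System context, for instance with `C:\Tools\psexec -s -i powershell.exe -ExecutionPolicy Bypass -File C:\Tools\Encrypt-SearchIndex.ps1` (the script name and C:\Tools location are assumptions). It refuses to run under any other account, repeats the stop/encrypt cycle while cipher reports in-use files, verifies the NTFS Encrypted attribute on every item instead of trusting the green file names, and optionally runs the free-space wipe from step 6.

```powershell
# Added example, not part of the original TinkerTry post or of any Microsoft/Sysinternals tool.
# Assumed launch, from the admin prompt of step 2 (script name and path are assumptions):
#   C:\Tools\psexec -s -i powershell.exe -ExecutionPolicy Bypass -File C:\Tools\Encrypt-SearchIndex.ps1
param(
    [string]$IndexRoot   = "$env:ProgramData\Microsoft\Search\Data\Applications",
    [string]$Folder      = 'Windows',   # subfolder holding Windows.edb and the index files
    [int]   $MaxAttempts = 5,           # stop/encrypt cycles to try before giving up
    [switch]$WipeFreeSpace              # also run the slow "cipher /W" pass from step 6
)

$ErrorActionPreference = 'Stop'
$cipher = Join-Path $env:SystemRoot 'System32\cipher.exe'
$target = Join-Path $IndexRoot $Folder

# cipher encrypts to the EFS certificate of whoever runs it. The Windows Search service
# runs as Local System (SID S-1-5-18), so the index must be encrypted by that account
# or the service will not be able to open its own files afterward.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.User.Value -ne 'S-1-5-18') {
    throw "Running as '$($me.Name)'; relaunch under 'psexec -s' so the index is encrypted to SYSTEM."
}
if (-not (Test-Path -LiteralPath $target)) { throw "Index folder not found: $target" }

function Get-UnencryptedItems([string]$Path) {
    # Every file and subfolder under $Path whose NTFS Encrypted attribute is NOT set.
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 }
}

# Steps 3 and 4, repeated while in-use files are skipped (Windows may restart the
# service on its own, which is what produces the '[ERR]' lines in cipher's output).
for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
    Stop-Service -Name WSearch -Force
    (Get-Service -Name WSearch).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))

    Push-Location -LiteralPath $IndexRoot
    try     { $output = & $cipher /E "/S:$Folder" }   # same command as step 4
    finally { Pop-Location }

    $errLines = @($output | Where-Object { $_ -match '\[ERR\]' })
    $left     = @(Get-UnencryptedItems -Path $target)
    if ($errLines.Count -eq 0 -and $left.Count -eq 0) { break }

    Write-Warning ("Attempt {0}: {1} cipher error line(s), {2} item(s) still unencrypted" -f $attempt, $errLines.Count, $left.Count)
    $left | ForEach-Object { Write-Warning "  $($_.FullName)" }
}

# Step 5: bring Windows Search back and make sure it actually comes up.
Start-Service -Name WSearch
(Get-Service -Name WSearch).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Step 7, checked by attribute rather than by green file names in Explorer.
$left = @(Get-UnencryptedItems -Path $target)
if ($left.Count -gt 0) {
    throw ("Gave up after {0} attempt(s); still unencrypted:`n{1}" -f $MaxAttempts, ($left.FullName -join "`n"))
}
$edb = Join-Path $target 'Windows.edb'
if (Test-Path -LiteralPath $edb) {
    Get-Item -LiteralPath $edb |
        Select-Object Name, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }, Attributes
    # /C lists the certificate thumbprints that can decrypt the file: SYSTEM's, plus any recovery agent.
    & $cipher /C $edb
}

# Step 6 (optional, slow): overwrite free space on the volume that holds the index.
if ($WipeFreeSpace) { & $cipher "/W:$target" }
```

    The SID check is the important part: run as your own user, cipher would happily encrypt the folder to your certificate and the search service would then fail to open its index. The `/C` output at the end is the quickest way to confirm which keys can actually decrypt Windows.edb.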

    Read more about EFS at www.groovypost.com/howto/windows-8-7-efs-encrypt-files-folders, where the article kindly warns you to export the EFS certificate and private key, should you wish to be able to recover any data inside the encrypted files or folders you work with. Keep in mind that for the index folder encrypted above, that certificate belongs to the Local System account rather than to your user, since cipher was run as SYSTEM. That's not a concern here, because the index can simply be rebuilt from Indexing Options if it's ever lost, but it would matter for anything of your own you encrypt the same way. The article also demonstrates how easy it is to use EFS right from Windows Explorer, perhaps for your "My Documents" folder.

    That's all, your Windows Indexing should continue to work as it always did. But now you'll have just a little more peace of mind, even if you haven't gotten around to encrypting your entire disk quite yet.

    This is a TinkerTry exclusive article. As of June 11 2013, you won't find this technique anyplace else. I make no claims to be a Windows security expert, constructive feedback is always welcome!

    Video walk through:

    Additional Sources:

    “Finders Keepers” A Forensic Examination of Windows Desktop Search (Version 3) - James McCulloch Gordon, Feb 2009
    www.scribd.com/doc/94223191/A-Forensic-Examination-of-Windows-Desktop-Search-Version-3

    Protecting Data by Using EFS to Encrypt Hard Drives
    technet.microsoft.com/en-us/library/cc875821.aspx

    Indexing and Search: Frequently asked questions, Applies to Windows 8, Windows RT
    windows.microsoft.com/en-us/windows-8/search-index-faq

    Using Encrypting File System, Nov 03 2005
    technet.microsoft.com/en-us/library/bb457116.aspx

    How to enable EFS Encryption in Windows 8? - Feb 21 2013
    EFS requires Windows 8 Pro or Enterprise; the base edition of Windows 8 does not include it. See also:
    www.differencebetween.info/difference-between-windows-8-pro-and-windows-8-enterprise

    About Data Deduplication, Nov 02 2012
    msdn.microsoft.com/en-us/library/windows/desktop/hh769303(v=vs.85).aspx

    Make Windows Search a Million Times More Useful with These Simple Tweaks, Whitson Gordon, Feb 23 2012
    lifehacker.com/5887848/make-windows-search-a-million-times-more-useful-with-these-simple-tweaks