dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
3358

jmdomini
Premium Member
join:2000-05-04
Sycamore, IL

jmdomini

Premium Member

Powershell Script to Backup Files and EFS Brick Wall

I'm trying to create a simple Powershell script that we can use to backup files rather than doing it manually before rebuilding a Windows 7 machine. Seems like a simple enough task, except I've run into a brick wall called EFS. The source directories are all EFS encrypted.

I started intending to use robocopy, it protests however that the file could not be encrypted copying to the network drive. Could not find a way around this, so I tried using Powershells own Copy-Item. Again "Copy-Item : The specified file could not be encrypted." Tried adding -Force to the command, no difference. Using the command below.

Copy-Item $ENV:USERPROFILE\Favorites $ENV:HOMEDRIVE\Win7_Bkup\Favorites -recurse -force

I don't care the the files will no longer be encrypted in the destination. However neither robocopy or Copy-Item can deal with this. They INSIST that EFS encrypted files MUST be copied to an EFS capable destination. Any ideas on how I can get around this short of first decrypting the files?

C6 Z06
join:2002-07-17
Lubbock, TX

C6 Z06

Member

Have you considered using a wim or vhd to put the files in? I havent faced the EFS issue, but a scriptable vhd tool is here: »technet.microsoft.com/en ··· 415.aspx

mmainprize
join:2001-12-06
Houghton Lake, MI

mmainprize to jmdomini

Member

to jmdomini
I run bat files to backup my user files in win8 all the time, but i am not running encrypted file system.

Not sure what you mean by EFS, but if you mean the new EFI BIOS and protected files or maybe you are running some encryption software to encrypt the drive?
Either way in some cases you limited and can not copy the encrypted files to a network drive, but you may be able to copy them to a local drive and then move them to a network drive.

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb to jmdomini

Premium Member

to jmdomini
As others have said, I have created a simple .bat file that runs every day at 1 AM to copy my files to a 2nd local hard drive on Windows 8 without any problems.

However, I also do not have any EFS drives. I don't think I even have EFS in my BIOS. If I do, I know I don't have it turned on.

I guess the question that needs to be asked is what happens when you go into Windows Explorer, and try to copy a file to your backup location? Does it work? Do you get any kind of error messages?

Along the same lines, if you have a 2nd local hard drive that does not have EFS on it, and you again go into Windows Explorer, and try to copy one of the files you want to backup to that 2nd local hard drive, does that work? If not, what are the error messages that you get?

If you do those tests, that could help you track down the proper way or settings that need to be done in some kind of script to get the results you need.

I also know that copying of data from a local hard drive to a network share adds a level of complexity, especially if your network share is hosted on a true server OS (Windows 2003 R2, Windows 2008, etc). There are settings / rules in place to prevent things from being copied to the server (INF files come to mind here...you have to rename the .inf file to .txt, copy it, and then rename it back, with the rename taking place from the host machine). Similar rules may be in place for EFS hard drives as well. I'm not sure, as I don't have any EFS systems, that is just a guess on my part.

--Brian
dave
Premium Member
join:2000-05-04
not in ohio

1 edit

dave to mmainprize

Premium Member

to mmainprize
said by mmainprize:

Not sure what you mean by EFS

EFS is the Encrypting File System on Windows.
dave

dave to jmdomini

Premium Member

to jmdomini
Who are you running the 'backup' as?

The thing about EFS as I understand it, is that there's no way to decrypt it except in the context of the user whose key was used to encrypt it.

Though having said that, the complaint from the software seems to be that it can't encrypt it, so perhaps it's decrypting it just fine.

Does /A-E help with Robocopy?

(I should make it clear I'm just guessing here; I don't use EFS)
dave

dave to plencnerb

Premium Member

to plencnerb
said by plencnerb:

There are settings / rules in place to prevent things from being copied to the server (INF files come to mind here...you have to rename the .inf file to .txt, copy it, and then rename it back, with the rename taking place from the host machine).

On your server, perhaps. As a general rule, not: I have never seen such a thing on any Windows server I have needed to use.

C:\Users\dave>copy foo.inf \\winserv\users\dave\foo.inf
        1 file(s) copied.
 

jmdomini
Premium Member
join:2000-05-04
Sycamore, IL

jmdomini to plencnerb

Premium Member

to plencnerb
Copying via Explorer (drag and drop) works fine, I get a prompt asking if I really want to copy to an unencrypted location click OK and off it goes. Copying to an external drive is a no go, that is blocked by a GPO. I can get around that GPO but don't like to do so unless the machine can't be connected to the network (i.e. bad TCP/IP stack is hosed).

I wonder if there is another GPO at play here that I'm not aware if that's causing this issue?

In the mean time, I think I found a work around, Teracopy.
JoeSchmoe007
Premium Member
join:2003-01-19
Brooklyn, NY

JoeSchmoe007 to plencnerb

Premium Member

to plencnerb
said by plencnerb:

As others have said, I have created a simple .bat file that runs every day at 1 AM to copy my files to a 2nd local hard drive on Windows 8 without any problems.

However, I also do not have any EFS drives. I don't think I even have EFS in my BIOS. If I do, I know I don't have it turned on.

I guess the question that needs to be asked is what happens when you go into Windows Explorer, and try to copy a file to your backup location? Does it work? Do you get any kind of error messages?

Along the same lines, if you have a 2nd local hard drive that does not have EFS on it, and you again go into Windows Explorer, and try to copy one of the files you want to backup to that 2nd local hard drive, does that work? If not, what are the error messages that you get?

If you do those tests, that could help you track down the proper way or settings that need to be done in some kind of script to get the results you need.

I also know that copying of data from a local hard drive to a network share adds a level of complexity, especially if your network share is hosted on a true server OS (Windows 2003 R2, Windows 2008, etc). There are settings / rules in place to prevent things from being copied to the server (INF files come to mind here...you have to rename the .inf file to .txt, copy it, and then rename it back, with the rename taking place from the host machine). Similar rules may be in place for EFS hard drives as well. I'm not sure, as I don't have any EFS systems, that is just a guess on my part.

--Brian

EFS has nothing to do wiht BIOS. It is 100% software implemented and is supported starting from Windows XP. Also saying "EFS drive" is not quite correct because EFS works as a folder or file attribute - you can't set whole drive to be EFS encrypted similar to Bitlocker.

jmdomini
Premium Member
join:2000-05-04
Sycamore, IL

jmdomini to plencnerb

Premium Member

to plencnerb
You can read more about what exactly EFS is here....

»technet.microsoft.com/en ··· 811.aspx

I will have to keep looking for another solution as I noticed that Teracopy is NOT free for commercial use. I took a look at all of our GPO's and did not see anything that would prevent files from being copied to an unencrypted network share.

What really confuses me is that we used EFS under XP and did not have this problem at all.
dave
Premium Member
join:2000-05-04
not in ohio

2 edits

dave to jmdomini

Premium Member

to jmdomini
What is 'the network drive'? Windows, or something else?

Totally wild guesswork: this is a feature intended to prevent accidental exposure of plaintext versions of files you think are encrypted.

Explorer has a way round it, as you reported.
So does copy (I went looking since it seemed unlikely there wouldn't be such a thing, if Explorer could do it).

C:\users\dave>copy /?
Copies one or more files to another location.
 
COPY [/D] [/V] [/N] [/Y | /-Y] [/Z] [/L] [/A | /B ] source [/A | /B]
     [+ source [/A | /B] [+ ...]] [destination [/A | /B]]
 
  source       Specifies the file or files to be copied.
  /A           Indicates an ASCII text file.
  /B           Indicates a binary file.
  /D           Allow the destination file to be created decrypted
                  :
                  :
 

xcopy has a similar switch (/g)

Did you try /a-e on robocopy?

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb to dave

Premium Member

to dave
I know in my case dave See Profile, this was an XP Pro Workstation coping to a Windows 2003 Enterprise R2 Server. I had mapped a drive like \\home-server\d$. When I would copy an .inf file, it would give me an error.

I don't have that server on right now, so I cannot get an exact screen shot. But, it said something to the effect that inf files could not be copied.

I now just thought of something. I don't think it was all .inf files, but specifically autorun.inf ones. Would that make a difference?

--Brian
plencnerb

plencnerb to JoeSchmoe007

Premium Member

to JoeSchmoe007
said by JoeSchmoe007:

EFS has nothing to do wiht BIOS. It is 100% software implemented and is supported starting from Windows XP. Also saying "EFS drive" is not quite correct because EFS works as a folder or file attribute - you can't set whole drive to be EFS encrypted similar to Bitlocker.

I think I am thinking then of the wrong thing. Doesn't Windows 8 do something new too, and it also has some setting in the BIOS as well for some feature of Windows 8? I thought that was EFS, but it looks like I'm wrong. Sorry about that.

jmdomini See Profile: Thanks for the link that explains what EFS is. I now know that I was thinking of something totally different.

--Brian

jmdomini
Premium Member
join:2000-05-04
Sycamore, IL

jmdomini

Premium Member

I did come up with a passable solution, Microsoft's Richcopy. It's free and does the job well enough.