Home
  •  

DFS-R: Encrypted File Detection

Microsoft.Windows.FileServer.DFSR.EncryptedFileMonitor (UnitMonitor)

This object monitors replication and creates a Warning alert if any files encrypted by using the Encrypting File System (EFS) are found in a replicated folder. DFS Replication doesn’t replicate files encrypted by EFS.

Knowledge Base article:

Summary

This object monitors replication and creates a Warning alert if any files encrypted by using the Encrypting File System (EFS) are found in a replicated folder. It does so by looking for the presence of DFS Replication Event 4402. DFS Replication doesn’t replicate files encrypted by EFS.

Causes

An unhealthy state of this monitor indicates that DFS Replication found a file encrypted by EFS in a replicated folder. This can occur if a user used EFS to encrypt a file stored in a replicated folder.

Resolutions

Decrypt or remove the file

To replicate the file, decrypt it by using the Cipher /d <filename> command where <filename> is the path to the encrypted file. After the file is decrypted, it will replicate normally.

If the file should remain encrypted, move it out of the replicated folder, or decrypt it and then encrypt it by using a non-Microsoft encryption program that doesn’t set the FILE_ATTRIBUTE_ENCRYPTED attribute on the file.

Additional

DFS Replication Event 4402 (http://go.microsoft.com/fwlink/?LinkId=187141)

Element properties:

TargetMicrosoft.Windows.FileServer.DFSR.ReplicatedFolder
Parent MonitorSystem.Health.AvailabilityState
CategoryStateCollection
EnabledTrue
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityNormal
Alert Auto ResolveTrue
Monitor TypeMicrosoft.Windows.2SingleEventLog2StateMonitorType
RemotableTrue
AccessibilityPublic
Alert Message
DFS-R: EFS-Encrypted File Found in a Replicated Folder
The DFS Replication service encountered a file encrypted by using the Encrypting File System (EFS) in a replicated folder. This file will not be replicated because the replication of files encrypted by EFS is not supported by the DFS Replication service.
Additional Information:
File Path: {0}
Replicated Folder Root: {1}
Replicated Folder Name: {2}
Replicated Folder ID: {3}
Replication Group Name: {4}
Replication Group ID: {5}
Member ID: {6}
RunAsDefault

Source Code:

<UnitMonitor ID="Microsoft.Windows.FileServer.DFSR.EncryptedFileMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.Windows.FileServer.DFSR.ReplicatedFolder" ParentMonitorID="Health!System.Health.AvailabilityState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.2SingleEventLog2StateMonitorType" ConfirmDelivery="true">

  <Category>StateCollection</Category>

  <AlertSettings AlertMessage="Microsoft.Windows.FileServer.DFSR.EncryptedFileMonitor_AlertMessageResourceID">

    <AlertOnState>Warning</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>Warning</AlertSeverity>

    <AlertParameters>

      <AlertParameter1>$Data/Context/Params/Param[2]$</AlertParameter1>

      <AlertParameter2>$Data/Context/Params/Param[3]$</AlertParameter2>

      <AlertParameter3>$Data/Context/Params/Param[4]$</AlertParameter3>

      <AlertParameter4>$Data/Context/Params/Param[1]$</AlertParameter4>

      <AlertParameter5>$Data/Context/Params/Param[5]$</AlertParameter5>

      <AlertParameter6>$Data/Context/Params/Param[6]$</AlertParameter6>

      <AlertParameter7>$Data/Context/Params/Param[7]$</AlertParameter7>

    </AlertParameters>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="FirstEventRaised" MonitorTypeStateID="FirstEventRaised" HealthState="Warning"/>

    <OperationalState ID="SecondEventRaised" MonitorTypeStateID="SecondEventRaised" HealthState="Success"/>

  </OperationalStates>

  <Configuration>

    <FirstComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>

    <FirstLogName>DFS Replication</FirstLogName>

    <FirstExpression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="UnsignedInteger">4402</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="String">PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="String">DFSR</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="String">Params/Param[1]</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="String">$Target/Property[Type="Microsoft.Windows.FileServer.DFSR.ReplicatedFolder"]/ReplicatedFolderGUID$</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

      </And>

    </FirstExpression>

    <SecondComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>

    <SecondLogName>DFS Replication</SecondLogName>

    <SecondExpression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="String">PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="String">DFSR</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="String">Params/Param[1]</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="String">$Target/Property[Type="Microsoft.Windows.FileServer.DFSR.ReplicatedFolder"]/ReplicatedFolderGUID$</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <Or>

            <Expression>

              <SimpleExpression>

                <ValueExpression>

                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                </ValueExpression>

                <Operator>Equal</Operator>

                <ValueExpression>

                  <Value Type="UnsignedInteger">4010</Value>

                </ValueExpression>

              </SimpleExpression>

            </Expression>

            <Expression>

              <SimpleExpression>

                <ValueExpression>

                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                </ValueExpression>

                <Operator>Equal</Operator>

                <ValueExpression>

                  <Value Type="UnsignedInteger">4114</Value>

                </ValueExpression>

              </SimpleExpression>

            </Expression>

            <Expression>

              <And>

                <Expression>

                  <Or>

                    <Expression>

                      <SimpleExpression>

                        <ValueExpression>

                          <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                        </ValueExpression>

                        <Operator>Equal</Operator>

                        <ValueExpression>

                          <Value Type="UnsignedInteger">9008</Value>

                        </ValueExpression>

                      </SimpleExpression>

                    </Expression>

                    <Expression>

                      <SimpleExpression>

                        <ValueExpression>

                          <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                        </ValueExpression>

                        <Operator>Equal</Operator>

                        <ValueExpression>

                          <Value Type="UnsignedInteger">9111</Value>

                        </ValueExpression>

                      </SimpleExpression>

                    </Expression>

                  </Or>

                </Expression>

                <Expression>

                  <SimpleExpression>

                    <ValueExpression>

                      <XPathQuery Type="String">Params/Param[3]</XPathQuery>

                    </ValueExpression>

                    <Operator>Equal</Operator>

                    <ValueExpression>

                      <Value Type="String">$Target/Property[Type="Microsoft.Windows.FileServer.DFSR.ReplicatedFolder"]/ReplicatedFolderGUID$</Value>

                    </ValueExpression>

                  </SimpleExpression>

                </Expression>

              </And>

            </Expression>

          </Or>

        </Expression>

      </And>

    </SecondExpression>

  </Configuration>

</UnitMonitor>