
Windows Desktop Search and Encrypted Files

Posted by Zian on May 14, 2007, 1:54 pm
How can I get Windows Desktop Search to index my encrypted folders?

Right now, WDS doesn't return any results from my encrypted files. The files
are encrypted using Windows XP's EFS.

Posted by Lucvdv on May 15, 2007, 2:12 am
wrote:

> How can I get Windows Desktop Search to index my encrypted folders?
>
> Right now, WDS doesn't return any results from my encrypted files. The files
> are encrypted using Windows XP's EFS.

The indexer is a service and runs under the local system account, which
means that it can't unencrypt those files. It doesn't have the key.

That's the point of using encryption. Indexing them would mean that parts
of those files end up in the (unencrypted) index, which would mean a
security risk.


There may be a workaround, if you don't mind a little less security. I
haven't tried if it works, but if the service is running under your user
account instead of local system, it should be able to index those files.

The account that the service runs under can be changed through the services
control panel.
You can specify only one account, so there's still the limitation that it
can only get to encrypted files belonging to one user account.
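
The check implied by the reply above, as an added example that is not part of the original thread: it reports which account the indexer service runs under and how many EFS-encrypted files sit under a folder. The service name `WSearch`, the audited folder and the function name are assumptions for a current Windows system with PowerShell 3 or later.

```powershell
# Added example. 'WSearch' and the audited folder are assumptions, not values from the thread.
function Get-IndexerEfsExposure {
    param(
        [string]$ServiceName = 'WSearch',                               # assumed indexer service name
        [string]$Folder      = (Join-Path $env:USERPROFILE 'Documents') # assumed folder to audit
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }

    # Normalise '.\user' to 'COMPUTER\user' so it compares with the current identity.
    $svcAccount = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    $me         = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $runsAsMe   = $svcAccount -ieq $me

    # EFS-encrypted files carry the Encrypted attribute; unreadable paths are skipped.
    $efsFiles = @(Get-ChildItem -LiteralPath $Folder -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted })

    if ($efsFiles.Count -eq 0) {
        $finding = 'No EFS-encrypted files under the folder.'
    } elseif ($runsAsMe) {
        # The trade-off from the thread: file content may now be copied into the index.
        $finding = 'Service runs as the current user; review who can read the index store.'
    } else {
        $finding = 'Service account differs from the current user; expect these files to be absent from results.'
    }

    [pscustomobject]@{
        Service        = $ServiceName
        ServiceAccount = $svc.StartName
        CurrentUser    = $me
        RunsAsUser     = $runsAsMe
        EfsFileCount   = $efsFiles.Count
        Finding        = $finding
    }
}

Get-IndexerEfsExposure | Format-List
```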

Posted by Zian on May 15, 2007, 2:40 am
That's an interesting point. I'd always thought the service inherited the
security token from the notification area app.

I see what you mean though.

If I give it my credentials, then the database becomes a vulnerability
unless I lock it down. But if I lock it down, then other users won't be able
to use Windows Desktop Search.

Microsoft made the right choice for 99.999% of the users but for me, since
the other account is just an emergency account, I don't mind not having WDS
on it.
-Zian

I hope that the access denied errors that WDS will get in the other account
won't confuse WDS though. Here's hoping to good QA at Microsoft. :)

"Lucvdv" wrote:

> wrote:
>
> > How can I get Windows Desktop Search to index my encrypted folders?
> >
> > Right now, WDS doesn't return any results from my encrypted files. The files
> > are encrypted using Windows XP's EFS.
>
> The indexer is a service and runs under the local system account, which
> means that it can't unencrypt those files. It doesn't have the key.
>
> That's the point of using encryption. Indexing them would mean that parts
> of those files end up in the (unencrypted) index, which would mean a
> security risk.
>
>
> There may be a workaround, if you don't mind a little less security. I
> haven't tried if it works, but if the service is running under your user
> account instead of local system, it should be able to index those files.
>
> The account that the service runs under can be changed through the services
> control panel.
> You can specify only one account, so there's still the limitation that it
> can only get to encrypted files belonging to one user account.
>

Posted by Lucvdv on May 15, 2007, 4:48 am
wrote:

> That's an interesting point. I'd always thought the service inherited the
> security token from the notification area app.

I'm not saying that's exactly how it is, I was just giving it my best
guess. Sorry if I made the impression that I'm an expert on the field ;)


But if it worked differently (i.e. using the credentials of the logged on
user), that would practically mean the indexer has to stop indexing when
you log off - right when it's the best time to do some work because the
system is almost guaranteed to be idle, just sitting there waiting for a
new logon.

Running under the local system account, the indexer has full access to all
local files except for encrypted ones, so it can keep indexing all the
time.

And as I said, indexing encrypted files poses a security risk.


There is something else however, that points towards using the user's
credentials as well: you can add UNC paths to network resources, but the
local system account can't access those (it can if you're in a domain and
the computer account has access, but never in a workgroup configuration).

Posted by Zian on May 15, 2007, 3:22 pm
Well, you were right. :)
-Zian

"Lucvdv" wrote:

> wrote:
>
> > That's an interesting point. I'd always thought the service inherited the
> > security token from the notification area app.
>
> I'm not saying that's exactly how it is, I was just giving it my best
> guess. Sorry if I made the impression that I'm an expert on the field ;)
>
>
> But if it worked differently (i.e. using the credentials of the logged on
> user), that would practically mean the indexer has to stop indexing when
> you log off - right when it's the best time to do some work because the
> system is almost guaranteed to be idle, just sitting there waiting for a
> new logon.
>
> Running under the local system account, the indexer has full access to all
> local files except for encrypted ones, so it can keep indexing all the
> time.
>
> And as I said, indexing encrypted files poses a security risk.
>
>
> There is something else however, that points towards using the user's
> credentials as well: you can add UNC paths to network resources, but the
> local system account can't access those (it can if you're in a domain and
> the computer account has access, but never in a workgroup configuration).
>
