helping you stay protected in the digital age

Sorry, no pictures in this post. I’m writing this on the go.

Off and on for the last two weeks I’ve been troubleshooting a problem with a batch file that I wrote to move Windows’ .bkf files. The problem came when I used the Encrypted File System (EFS) to encrypt the .bkf files and ran my batch jobs under a special account just for running tasks.

Windows Server 2003 creates a backup one day a week of ALL the files on my server (system image, domain user files, administrative files… EVERYTHING gets backed up). Once windows backup is finished I get a ~123GB .bkf file called “System backup.bkf”. The backup was created using the Windows backup utility and is set to run via Task Scheduler.

Once the backup is created, Windows encrypts the file using EFS (the parent folder is set to enable EFS on all child folders/files). After everything is encrytped I have a batch file set to automtically run that renames the .bkf file to the date that it was created so I can track what backups are for what weeks of the month.
The nitty gritty rename batch file: ren “E:\New_Backups\System backup.bkf” %date:~4,2%-%date:~7,2%-%date:~-4%.bkf

Everything is stored on two mirrored 1GB hard drives. Due to size limitations I only keep a total of four backups on hand at any given time (one month total). Every two weeks I have two .bkf files automatically created by the Windows backup utility and are stored in a folder called “New_Backups”. On the third week one day before the third backup is created (remember one backup a week) I run a batch file using ROBOCOPY to move the .bkf files from “New_Backups” to “Old_Backups”. The robocopy commands will overwrite ALL files on the “Old_Backups” folder once a file is copied from the “New_Backups” folder. This solved my space limitation issue so that I don’t have five, six, seven backups clogging up the hard drive.
The nitty gritty move new backups to old backups batch file: robocopy E:\new_backups *.bkf E:\old_backups /R:0 /LOG+:E:status.txt /MOV /PURGE

Well I haven’t been able to move the .bkf files to the old backups folder due to some unknown reason. Task scheduler gives me status code “0xff”. Google searching has turned up little results. After a lot of testing, editing, and re-testing I figured out what the problem was. For some reason, even though my tasks are run using a special account I created just to run tasks, that special account can’t read the .bkf files once they are created due to EFS restrictions. I figured this out by adding the “/LOG+:E:status.txt” line to my batch file. This enables ROBOCOPY to dump a log file to “E:” under name “status.txt”. That text file stated “access is denied”. Once I figured out that my special account was restricted due to EFS I sovled the problem by exporting the EFS key used on the account that I created all of this in, logging in on the server using my scheduler account, and importing my EFS key. You can read on how to export your EFS key here: http://support.microsoft.com/kb/241201

New versions of ROBOCOPY allow you to use /EFSRAW but this is only for Vista and above and Server 2008; the /EFSRAW switch isn’t available in XP or Server 2003 so in order to have ROBOCOPY read your EFS’d files you have to import the EFS certificate into your user account. Now my task scheduler account can move .bkf files around without issue.

I came across a lot of threads during my Google search of folks having a similar problem that I’ve had. If you are using ROBOCOPY to copy your EFS files and aren’t having any success check that your account has the EFS certificate in your certificate store and is able to read your EFS’d files.

~ by johndball on June 27, 2010.