2

I'm managing a Windows Server 2003. A couple of times the server has crashed with error message saying that the C: drive is full. After searching folders to free up space, I found that lot of temp files being created in C:\WINNT\Temp and some of them of enormous size with more than 2GB. The temp files seem to have a common name pattern, Efs###.tmp. Since we encrypt files frequently using Windows's EFS, I initially suspected Windows encryption. But as per the documentation, Efs###.tmp are created only under the folder which is currently being encrypted, not in Temp folder.

This looks very strange; unless someone tried to encrypt that Temp folder itself, the temp files(Efs###.tmp) shouldn't be created under C:\WINNT\Temp. The server has Tivoli Backup client. Could that be messing with windows Encryption? Can anyone shed some light on what could be causing the issue?

Note:Edited for brewity

BlueGene
  • 2,241
  • 9
  • 30
  • 33

2 Answers2

2

I'd setup File Monitor with a suitable filter and leave it running. Or have it triggered by Performance Monitor. Certainly leave Perfmon running to see the time as this might give an indication of a cronjob running at the same time etc..

Luke Puplett
  • 939
  • 3
  • 16
  • 24
  • File Monitor or the PA File Sight demo -- both can tell you what app is creating those files. – DougN Jun 02 '10 at 02:24
1

Have you tried to unencrypt these files? You can also use the efsinfo command from the Resource kit to get more information about the files.

Cipher /d /a Efs###.tmp
citadelgrad
  • 716
  • 6
  • 12
  • Thanks...I get a message saying that the file is not encrypted when I try to decipher. But the file content is garbled – BlueGene Jun 02 '10 at 14:48