Efsui.exe Efs Installdra
In a managed enterprise environment, DRAs are usually pushed down via Group Policy. However, in standalone or specific configurations, the efsui.exe process is called to load the necessary certificates into the local certificate store so that EFS recovery is possible.
efsui.exe should almost always be spawned by lsass.exe. If a web browser or an unknown .exe starts it, investigate for malicious activity.
System administrators often see lsass.exe spawn efsui.exe /efs /installdra during login if the EFS service startup is set to "Automatic (Trigger)" instead of "Manual". Recent versions of MS Outlook also use EFS to secure temporary files, which can trigger this process.

3. Security and Forensic Implications
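The parent-process check described above, as an added example that is not part of the original page: it triages process-creation events for efsui.exe by parent. It assumes Sysmon Event ID 1 records already parsed into dicts; the System32 path for lsass.exe, the verdict names and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumption: events are Sysmon Event ID 1 (process creation) records parsed
# into dicts carrying the Image, ParentImage and CommandLine fields.
EXPECTED_PARENT = r"c:\windows\system32\lsass.exe"  # assumed default install path

def triage(event):
    """Return None for unrelated processes, else a verdict dict for efsui.exe."""
    image = event.get("Image", "").lower()
    if ntpath.basename(image) != "efsui.exe":
        return None
    parent = event.get("ParentImage", "").lower()
    args = event.get("CommandLine", "").lower().split()[1:]
    if parent == EXPECTED_PARENT:
        verdict = "expected"
    elif ntpath.basename(parent) == "lsass.exe":
        # Right file name, wrong directory: a look-alike posing as LSASS.
        verdict = "masquerading-parent"
    else:
        verdict = "unexpected-parent"
    return {
        "verdict": verdict,
        "parent": event.get("ParentImage", ""),
        # True when the arguments match the login-time form the page describes.
        "login_form": args == ["/efs", "/installdra"],
    }

def run(events):
    """Triage a batch and keep only the efsui.exe findings."""
    return [v for v in map(triage, events) if v is not None]

EFSUI = r"C:\Windows\System32\efsui.exe"
# Constructed sample events, not taken from any real host.
SAMPLE_EVENTS = [
    {"Image": EFSUI, "ParentImage": r"C:\Windows\System32\lsass.exe",
     "CommandLine": "efsui.exe /efs /installdra"},
    {"Image": EFSUI, "ParentImage": r"C:\Program Files\ExampleBrowser\browser.exe",
     "CommandLine": "efsui.exe /efs /installdra"},
    {"Image": EFSUI, "ParentImage": r"C:\Users\Public\lsass.exe",
     "CommandLine": "efsui.exe /efs /installdra"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding["verdict"], "<-", finding["parent"])
```
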
efsui.exe /installDRA /cert:"spoofDRA.cer" /force
In a corporate Windows domain: