{
	"id": "35fd0f37-ca35-424c-8645-9990e52c5dac",
	"created_at": "2026-04-06T02:11:21.389598Z",
	"updated_at": "2026-04-10T13:12:37.652028Z",
	"deleted_at": null,
	"sha1_hash": "a595405a52a78d415730a923667d1ee866feefc4",
	"title": "Cipher.exe Security Tool for the Encrypting File System",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38696,
	"plain_text": "Cipher.exe Security Tool for the Encrypting File System\r\nArchived: 2026-04-06 02:04:54 UTC\r\nSummary\r\nCipher.exe is a command-line tool (included with Windows 2000) that you can use to manage encrypted data by\r\nusing the Encrypting File System (EFS). As of June 2001, Microsoft has developed an improved version of the\r\nCipher.exe tool that provides the ability to permanently overwrite (or \"wipe\") all of the deleted data on a hard\r\ndisk. This feature improves security by ensuring that even an attacker who gained complete physical control of a\r\nWindows 2000 computer would be unable to recover previously-deleted data.\r\nIMPORTANT: Please note the following important information:\r\nYou must install Cipher.exe by using the installer package instead of copying the new version of Cipher.exe\r\nto your computer. The tool relies on additional NTFS functionality that is added as part of the installation\r\nprocess. If you only copy the Cipher.exe file to your computer and then run it, you could destroy data on\r\nthe drive.\r\nYou must close all programs before you start Cipher.exe.\r\nCipher.exe is not a cure-all that makes it safe to store sensitive data in a plain-text format. Although you\r\ncan use this tool to remove sensitive data from a drive, if best practices are followed, such data would not\r\nnormally be created on the drive. For additional information about these best practices, click the following\r\narticle number to view the article in the Microsoft Knowledge Base:\r\n223316 Best Practices for the Encrypting File System\r\nFor additional information about the latest service pack for Windows 2000, click the article number below to view\r\nthe article in the Microsoft Knowledge Base:\r\n260910 How to Obtain the Latest Windows 2000 Service Pack\r\nMore Information\r\nHow to Obtain Cipher.exe\r\nCipher.exe is available in Windows 2000 Service Pack 3 or later or the Windows 2000 Security Rollup Package 1\r\n(SRP1) or individually via the links below. For additional information on SRP1, click the article number below to\r\nview the article in the Microsoft Knowledge Base:\r\n311401 Windows 2000 Security Rollup Package 1 (SRP1), January 2002 Q298009_W2K_SP3_x86_en.exe\r\ncontains the following files: Date Time Version Size Filename ------------------------------------------------------ May-30-2001 16:25 5.0.2195.3653 36,112 Cipher.exe May-26-2001 07:48 5.0.2195.3649 512,272 Ntfs.sys\r\nhttps://support.microsoft.com/en-us/topic/cipher-exe-security-tool-for-the-encrypting-file-system-56c85edd-85cf-ac07-f2f7-ca2d35dab7e4\r\nPage 1 of 2\n\nHow to Use Cipher.exe\r\nTo overwrite the deallocated data:\r\n1. Quit all programs.\r\n2. Click Start, click Run, and type cmd, and then press ENTER.\r\n3. Type cipher/w:'folder', and then press ENTER, where folder is optional and can be any folder in a local\r\nvolume that you want to clean. For example, thecipher /w:c:\\test command causes the deallocated space on\r\ndrive C: to be overwritten. If c:\\test is a mount point or points to a folder in another volume, deallocated\r\nspace on that volume will be cleaned.\r\nFor more information about EFS, please see the following Microsoft Web site:\r\nhttp://technet.microsoft.com/en-us/library/cc700811.aspx\r\nNeed more help?\r\nWant more options?\r\nExplore subscription benefits, browse training courses, learn how to secure your device, and more.\r\nSource: https://support.microsoft.com/en-us/topic/cipher-exe-security-tool-for-the-encrypting-file-system-56c85edd-85cf-ac07-f2f7-ca2d35dab\r\n7e4\r\nhttps://support.microsoft.com/en-us/topic/cipher-exe-security-tool-for-the-encrypting-file-system-56c85edd-85cf-ac07-f2f7-ca2d35dab7e4\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://support.microsoft.com/en-us/topic/cipher-exe-security-tool-for-the-encrypting-file-system-56c85edd-85cf-ac07-f2f7-ca2d35dab7e4"
	],
	"report_names": [
		"cipher-exe-security-tool-for-the-encrypting-file-system-56c85edd-85cf-ac07-f2f7-ca2d35dab7e4"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441481,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a595405a52a78d415730a923667d1ee866feefc4.pdf",
		"text": "https://archive.orkl.eu/a595405a52a78d415730a923667d1ee866feefc4.txt",
		"img": "https://archive.orkl.eu/a595405a52a78d415730a923667d1ee866feefc4.jpg"
	}
}