To troubleshoot EFS, or to be able to design proper EFS recovery and EFS policy for the organization, you must understand how EFS works.
EFS is a component of the NTFS file system of Windows 2000 and above. Thus, its operations are mostly transparent to the user and to the application that needs to open and close the files. If the user has the ability to encrypt and decrypt the files, when the file is opened, it is decrypted, and when it is saved, it is encrypted. The setup of shared EFS files is not transparent.
Several operating system components both in user space and in the kernel participate in the operation of the EFS. These components are listed and described in Table 6-2.