Registry Keys Used to Tune EFS Caching (278256)


The information in this article applies to:

  • Microsoft Windows XP Professional
This article was previously published under Q278256

SUMMARY

In Microsoft Windows 2000, there are no options to adjust the cache-validation time for either the user or for Kernel mode Encrypting File System (EFS) caches. However, for faster performance, Microsoft Windows XP provides the flexibility to adjust the cache-validation time for both the Kernel and User mode components of EFS. This article provides and describes registry keys that you can use to tune EFS caching.

MORE INFORMATION

You can use the following registry values to tune EFS caching: 
   Key: HKLM\System\CurrentControlSet\Services\NTFS\EFS\Parameters
   Value name:    EFSKCACHEPERIOD
   Value type:    REG_DWORD
   Default value: 5
   Minimum value: 2
   Maximum value: 30
   Description:   The number of seconds the kernel will cache the
                  session key for a user for a given file. The Kernel
                  will not validate the user credentials during this
                  cache period. This has the net effect of faster
                  access to encrypted files that may be opened several
                  times during a given time period.

                  Cached session keys are stored in nonpaged pool
                  memory. Increasing the value of EFSKCACHEPERIOD will
                  result in higher usage of nonpaged pool memory. This
                  increased nonpaged pool usage might cause problems
                  for some machines, especially machines that are
                  trusted for delegation for remote encryption.


   Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\EFS
   Value name:    KeyCacheValidationPeriod
   Value type:    REG_DWORD
   Default value: 3600 (1 hour)
   Minimum value: 60
   Maximum value: 86400 (1 day)
   Description:   The number of seconds that the user-mode component of
                  EFS will cache a user's certificate chain. Adjusting the
                  user mode cache validation time upwards will improve the
                  performance of systems that use EFS operations
                  frequently.

                  When EFS operations are in use, processing time is needed
                  for the system to obtain and validate the certificates
                  and keys. This will significantly slow system performance
                  if the user mode cache validation time is set too low.

                  The higher the user mode cache validation setting, the
                  less often the system validates; the lower the
                  setting, the more often the system validates. If EFS
                  security is a priority in your system, then you will
                  want appropriate EFS credentials to be validated more
                  frequently. For maximum security, the lowest setting
                  will provide the most frequent validation.
Modification Type:MinorLast Reviewed:1/15/2006
Keywords:kbCertServices kbEFS kbenv kbinfo w2000certsrv w2000efs KB278256
©2004 Microsoft Corporation. All rights reserved.