The Cipher.exe command-line tool can be used to encrypt and decrypt data on drives that use the NTFS file system and to view the encryption status of files and folders from a Command Prompt. The tool manages encrypted data by using the Encrypting File System (EFS).

Microsoft has developed an improved version of the Cipher.exe tool that provides the ability to permanently overwrite (or "wipe") all of the deleted data on a hard disk. This feature improves security by ensuring that even an attacker who gained complete physical control of a computer running Windows 2000 or a later version of Windows would be unable to recover previously deleted data.

IMPORTANT: Please note the following:

  • You must close all programs before you start Cipher.exe.
  • Cipher.exe is not a cure-all that makes it safe to store sensitive data in a plain-text format. Although you can use this tool to remove sensitive data from a drive, if best practices are followed, such data would not normally be created on the drive.

When you delete files or folders, the data is not initially removed from the hard disk. Instead, the space on the disk that was occupied by the deleted data is "deallocated." After it is deallocated, the space is available for use when new data is written to the disk. Until the space is overwritten, you can recover the deleted data by using a low-level disk editor or data-recovery software.

When you encrypt plain text files, Encrypting File System (EFS) makes a backup copy of the file so that the data is not lost if an error occurs during the encryption process. After the encryption is complete, the backup copy is deleted. As with other deleted files, the data is not completely removed until it has been overwritten.

This tutorial will show you how to use the cipher command to overwrite deleted data on a hard drive in Windows 7, Windows 8, and Windows 10.

EXAMPLE: Cipher command usage. The switch we are going to be using is the /w switch.

To overwrite the deallocated data:

1 Quit all programs.

2 Open an elevated command prompt.

3 Type the following command and press the Enter key:

cipher /w:folder path

Where folder path is the full path of any folder in the volume that you want to clean. For example, the Cipher /w:c:\test command causes all deallocated space on drive C to be overwritten. If C:\folder is a Mount Point or points to a folder on another volume, all deallocated space on that volume will be cleaned.

You can use the Cipher /w:C command to remove deleted files permanently. To wipe deleted files from a drive other than C:, substitute the actual drive letter that you wish to scan.

Data that is not allocated to files or folders is overwritten. This permanently removes the data. This can take a long time if you are overwriting a large amount of space.
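The procedure above as a PowerShell script with pre-flight checks, added here as an example and not part of the original tutorial. The parameter name FolderPath is hypothetical, and the NTFS check is an assumption based on the statement above that Cipher.exe works on NTFS drives.

```powershell
# Added example (not from the original tutorial): pre-flight checks, then cipher /w.
param(
    [Parameter(Mandatory = $true)]
    [string]$FolderPath   # hypothetical parameter: any existing folder on the volume to clean
)

# Step 2 of the procedure: the wipe must be started from an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated. Start PowerShell with "Run as administrator" and try again.'
}

# cipher /w takes a folder path and cleans the volume that contains that folder.
if (-not (Test-Path -LiteralPath $FolderPath -PathType Container)) {
    throw "Folder not found: $FolderPath"
}
$resolved = (Resolve-Path -LiteralPath $FolderPath).ProviderPath

# Look up the volume by drive root. Limitation: if the folder is a mount point,
# cipher cleans the mounted volume, but this lookup still reports the drive letter's volume.
$root  = [System.IO.Path]::GetPathRoot($resolved)
$drive = New-Object System.IO.DriveInfo($root)
if (-not $drive.IsReady) {
    throw "Drive $root is not ready."
}
if ($drive.DriveFormat -ne 'NTFS') {
    # Assumption taken from the tutorial text: Cipher.exe is for NTFS drives.
    throw "Drive $root is formatted as $($drive.DriveFormat), not NTFS."
}

# The run time grows with the amount of deallocated space, so report it first.
$freeGB = [math]::Round($drive.TotalFreeSpace / 1GB, 1)
Write-Host "Overwriting deallocated space on $root ($freeGB GB free). This can take a long time."
Write-Host 'Step 1 of the procedure: make sure all other programs are closed.'

# Step 3 of the procedure: run the wipe against the resolved folder path.
& cipher.exe "/w:$resolved"

# Surface a non-zero exit code if cipher.exe reports one.
if ($LASTEXITCODE -ne 0) {
    throw "cipher.exe exited with code $LASTEXITCODE."
}
Write-Host "Finished overwriting deallocated space on $root."
```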
