I'm managing a Windows Server 2003. A couple of times the server has crashed with error message saying that the C: drive is full. After searching folders to free up space, I found that lot of temp files being created in C:\WINNT\Temp and some of them of enormous size with more than 2GB. The temp files seem to have a common name pattern, Efs###.tmp. Since we encrypt files frequently using Windows's EFS, I initially suspected Windows encryption. But as per the documentation, Efs###.tmp are created only under the folder which is currently being encrypted, not in Temp folder.
This looks very strange; unless someone tried to encrypt that Temp folder itself, the temp files(Efs###.tmp) shouldn't be created under C:\WINNT\Temp. The server has Tivoli Backup client. Could that be messing with windows Encryption? Can anyone shed some light on what could be causing the issue?
Note:Edited for brewity
I'd setup File Monitor with a suitable filter and leave it running. Or have it triggered by Performance Monitor. Certainly leave Perfmon running to see the time as this might give an indication of a cronjob running at the same time etc..
Have you tried to unencrypt these files? You can also use the efsinfo command from the Resource kit to get more information about the files.