Defend your data!

What is it?

Folderfication is a Windows application that can be used to enhance the security of your file system through the use of denial, deception and encryption. Folderfication helps to protect against malware, ransomware, and snoopers from stealing or destroying your data.

Why should I care?

Data privacy and security is fundamental but there are many ways that your data can be compromised. One way is through ransomware. Ransomware is a serious problem for individuals and organizations. First-line defensive tools, such as anti-virus, are not able to keep up with the constant threats. And besides destroying data, newer strains of ransomware are known to steal sensitive data as hostage on the threat of public release.

Folderfication helps protect against ransomware and other types of attacks by walling off files and folders so that only authorized applications and users are able to access the data.


Folderfication supports eight (8) different protection options with most based around only allowing authorized applications access to the data. Each one provides a different level of protection. The protections can be broken down into two groups. The first group are the protections that work at the folder level.

  • Deceive: The contents of a folder are removed from the directory listing. This means that a folder will appear empty when in fact it may have many files and sub-folders in it.
  • Deny: Access to the folder contents are denied. While the folder itself will be visible no read or write access from unauthorized applications is allowed.
  • Default Deny: This works opposite of the regular Deny setting. For Default Deny, everything is denied except for the authorized folders. This helps to isolate a process from making unauthorized changes outside of its normal directories.
  • Encrypt: Encrypt applies transparent cryptography to file and folders in a protected directory. What this means is that data along with names are automatically encrypted when written to the folder and then automatically decrypted when read. This gives you a way to protect your data at rest while still be able to access it.
  • Hide: Similar to the deceive setting, when a folder is hidden it is removed from the directory listing. So while with deceive you would see an empty folder, hiding the same folder would remove it all together.
  • Read Only: Data within a read only folder can be read but not modified. This includes deletes and renames. Any action other than reading will be denied.
The second group works at the file level.
  • Encrypt Filter: Whereas the encrypt setting above protects your data at rest, the encryption filter setting protects it on the move. Encryption filtering means that data read by certain applications will be presented with data that has been transparently encrypted on the fly. The primary use case here would be to add a layer of protection to cloud backup applications that may not offer encryption. Or it provides a second layer of encryption that you can control. Encryption filtering can also be used for secure file sharing. And when coupled with the public key share that Folderfication makes available, safely and securely sharing keys has never been easier. Also, like with the transparent data at rest encryption, files protected through encryption filtering are also automatically decrypted.
  • Extension Filter: Extension filtering removes select file type extensions from directory listings. For example, you can filter all Word document files (*.DOCX) so that only Word itself is able to see and open those file types. This has a big anti-ransomware capability because only authorized applications are able to view and access certain file types.
  • No Execute: When a folder is configured for No Execute, it means that no executable process will be allowed to run if located within the selected folder. While not directly data protection related, when configured against common ransomware locations it can be a way to stop some attacks before they can cause damage.

Get Started

The first thing to do is download Folderfication. There are two versions available. One has support for encryption and the other does not. All other capabilities are the same. The current releases are:

1.2021.189.154 [No Encryption]


Installing Folderfication is easy. The installer will ask for some installation settings as well as initial configuration options. While the installation options are self-explanatory, such as where to install Folderfication and if you want to create icons, the initial configuration settings require a bit more explanation. These are found on the second window of the installation process.

Database Security

  • The database can be password protected for additional security. If you would like it to be password protected, you have one of two options to do that. But first, you must check the 'Set a database password' checkbox.
  • If the 'Require a password to start' radio button is checked, then you must enter a password and confirm it in the provided text boxes. When this option is selected, then every time Folderfication starts, you must manually enter the database password. If you forget your password, it cannot be recovered and you will have to delete the database file to start over. It's important to note that when a password must be manually entered, this impacts how Folderfication is able to start. Folderfication has as Windows service component which is able to load at Windows start-up however, if the database requires a password then the service will not be able to access the database. Therefore, a manual database password means that Folderfication cannot load with Windows.
  • The second option is to store the password in Windows Credential Manager. Windows Credential Manager is a built-in password store that applications can use to save and retrieve credentials. It is not designed for high security because any application is able to access the Credential Manager and query for stored credentials. But if the password is saved to the Credential Manager, then Folderfication will be able to load with Windows.
  • If the 'Set a database password' is NOT checked then the database password settings are ignored.
Loading and Account
  • Folderfication can be configured to load with Windows. There are two primary components of Folderfication: the Windows service and the user interface. When configured to load with Windows, the service will run at system boot while the user interface will automatically load when the first user logs on. As mentioned, the database password settings impact how the loading works.
  • The 'Create service user account' relates to Credential Manager access. For most Windows services, the service will run under the LocalService or NetworkService accounts. You can see these in the Task Manager. When running under these built-in accounts, the service cannot access Credential Manager because Credential Manager is a user-based function. Therefore, Folderfication can create a new service account named 'HDFFSvc' that is only for the Folderfication service to run under. This allows Folderfication to have access to the Credential Manager to store not only the database password (if selected), but also other encryption passwords that may be generated for encrypted folders and encryption filtering. If your license does not support encryption or you do not plan to use the Credential Manager, then you can uncheck this option and the service will be installed under the LocalService account.

  • The initial window of the installer has location and icon options. Also you can specify if you would like the installer to create a System Restore point. Never hurts to periodically create restore points. Before moving to the next window, you must agree to the license agreement. If you do not agree, then you cannot use Folderfication.

  • The next window contains some more settings that configure how Folderfication will run.

  • Before installation can begin, you must provide a valid license key or request a free 7-day trial key. Only one trial key is allowed per-system.

Icons and Notifications

During installation Folderfication can add an icon to the Desktop and to the Start Menu.

When the user interface component of Folderfication is running, then the icon will also be visible in the task tray. However, Folderfication can run in the background without the user interface component so it is possible that it is running without any visual signs. You'll have to check Task Manager to verify.

The primary way to interface with Folderfication is through the task tray menu that is accessed by right-clicking the task tray icon. While Folderfication has a number of windows designed to configure different aspects of the software, there is no "main" window.

Toast notifications will appear to show whether an action completed successfully or not. Additional information can be found in the messages window which is accessed through the menu shown above.


Using Folderfication should be relatively intuitive. The basic principle for most of the protections are that you select a folder that you want protected and then add 1 or more processes that should be exempted from that protection. In order for a protection to be enabled, at least 1 process must be added with the exception of the 'No Execute' and the 'Encrypted Folder' protections.

  • Most of the protection tabs are divided into two parts. Each part has action buttons that will display a menu when you hover over it.

  • File and folder browse dialogs are used to select the folders to protect and the processes to exempt.

  • Configured folders can also be easily moved between protections without the hassle of having to re-configure settings.

  • The row icon beside each entry, whether a folder or process, is used to select that entry. When selected, the icon turns to a checkmark and the counter on the action button will increment. When checked, you can then perform actions on those entries such as delete, enable, disable or swap.

  • A properly configured folder for read-only protection with 1 process exempted and one folder path exempted. When a folder path is exempted, any process within that path will be exempted. It essentially acts as a wildcard match so multiple individual processes within a folder do not have to be added.

  • When configuring Default Deny, you'll first start by adding a process. This is opposite of most of the other protections. When a process is added, Folderfication will automatically add the processes containing folder so that it has access to its own data. When a web browser is added (which Folderfication determines based on the filename), the typical profile directories are also added. Note that for some processes, you will have to add additional exemptions to the list so that the program can function properly. To help debug issues, Folderfication will write access denied messages to the log file. This will help tune your settings for a particular process.

Once a folder is configured, it can be toggled on or off depending on user requirements. The toggling can be done at the individual folder level or at the global level by disabling the protection category. There are three global protection categories: Folder, Encryption Filter, and Extension Filter. The global toggle switches can be found at the top of the respective windows and from the task tray menu.

One behavior of Folderfication may seem unusual and is worth mentioning here. If Folderfication is started by the user interface component and the service component is not running, a password prompt dialog will appear regardless if a database password has been set or not. The reason for this is because if a database password is set, it must be entered manually or accessed through the Credential Manager. Obviously a manually entered password is not stored anywhere and any credentials stored in the Credential Manager are only accessible through the service component but the user interface component has no way of knowing at that point in time which, if any, is correct. So, it will display the password prompt in the event that a manual password is required. If no password is set, you can simply leave it blank and hit the 'Ok' button.


Process triggers can be configured to automatically turn on or off a folder protection. A particular use case for a process trigger is for backups. If your data folder is protected but you like to run nightly backups, you can set the trigger on the backup program so that the folder protection is turned off when it loads and then turned back on when the process exits.

  • Adding a new process trigger is easy. Simply open the context menu and click 'Add Trigger.' This will open a file browse dialog where you select the process you want to act as the trigger.

  • Once a process is selected, another window will open where you select the configured folder protection from the list and then set the action that should be taken when the process loads and when it exits.

  • Configured triggers can be seen in the window. The first line is the process that acts as the trigger. Below that is the folder that will be acted upon and then the next two rows simply state what actions to take.


File tripwires can be configured to generate an alert when the specified file is read from, written to or modified in other ways. Currently, the alerts are written to the local file log, the Windows Event Log (with an Event Id of 2003) and, if configured, to a remote Syslog.

File tripwires are primarily useful in environments with either local or remote log analysis capabilities. Tripwires are not currently designed to perform any active response to the detected changes. They are strictly for early warning.

  • Adding and removing file tripwires is similar to adding other types of protections. To enable tripwire alerting, make sure that the toggle switch is in the 'On' position at the top of the tripwire window.


There are two types of encryption capabilities offered by Folderfication. Encrypted Folders is for data-at-rest and Encryption Filtering is for data on the move. Encrypted Folders allows you to safely store data on your hard drive without the hassle of mounting drives while still being able to access the data as if it were not encrypted. Encryption Filtering provides a layer of protection to existing applications by automatically encrypting data that is read by those applications.

Your license will determine whether or not your version of Folderfication supports encryption. Due to US Government regulations surrounding the export of encryption products, Folderfication with encryption will be restricted in its release.

Encryption Filter

  • Encryption filtering automatically encrypts and decrypts file read and write operations.

  • The menu has a number of encryption specific menu options.

  • When a selected program reads a file from a specified directory then the contents will be encrypted. Once encrypted the key can be shared so that remote users can access the file.

Folder Encryption

  • Folder level encryption allows you to transparently protect your files.

  • Simply add a folder that you want to make encrypted.

  • Next set a password if your settings are configured for a per-folder password. Other options include allowing Folderfication to generated and store passwords for you.

  • Once the password is set, the encryption is enabled. Now any file written to the folder will be automatically encrypted. Decryption is automatic too.

  • When folder encryption is disabled, the password must be entered again to re-enable it.

  • Here we can see the decrypted contents of a file inside a protected folder.

  • However, once the protection is disabled we are able to see the actual encrypted contents that are on disk. Also notice how the file name is encrypted as well. The folder (~!$db) seen in the image below contains meta-data that Folderfication needs in order to decrypt the directory. When protection is enabled, that folder is hidden from view and while Folderfication is running is also protected from modification. Any damage to the contents of that folder will result in a potential total loss of encrypted file access.

  • Once protection is re-enabled, the file is back to the expected form and the data is accessible.

Key Share

Key sharing is a way to securely share file encryption keys with other users of files that have been protected through Encryption Filtering. The main use case here being if you upload or email a protected file to another user. In order to protect the file contents, you do not want to just email the password to decrypt the file because that defeats the whole purpose of encryption. You need a secure channel to share the key.

Folderfication's key sharing mechanism can be used to securely send the decryption key to the user by encrypting it with their public key. This is just like PGP. Folderfication takes care of all the underlying complexity of generating and exchanging key pairs so it's as easy as point and click.

Key sharing only facilatates the sharing of the key data. Any actual files you want to share with other users must be done yourself. Also, your license must support encryption for key sharing to work.

  • A public/private key pair can be imported or generated by Folderfication. The public key can then be synced with Heilig Defense so that other users can search for and download the public key. The built-in public key address book stores public keys that you have downloaded and can then be used for securely sharing encryption keys. Keys that have been shared with you are automatically synced when Folderfication loads but can also be manually synced by clicking the 'Sync Shared Keys' button shown below.

  • Public keys can be given a nick-name when generated so that users can find your key by the nick-name or the public key hash value. When you want to share encryption keys, you will have to exchange public key nick-names or the public key hash values in order to search for and download the respective public key.

  • When a process is protected by Encryption Filtering and is running, the process can be seen in the 'Protected Processes' list. This just lets you know that Folderfication is monitoring the process for file activity.

  • When a file is read by a protected process and the data is encrypted, the decryption key for the file is ready to be shared. Once you are ready to share, simply select the file and click the 'Share Key' button. This will cause the Address Book the open to allow you to select the recipient(s) of the key by selecting the appropriate public keys.

  • Other options include unsharing the key and deleting the key. Unsharing only works if the recipient has not yet sync'd shared keys yet. If they have already downloaded the shared key then unsharing has no effect. Deleting the key implicitly unshares but also removes it from the local database.


Folderfication options cover general settings, security, and customizations. Many of the settings should be self-explanatory but a few may require a bit of explanation.

  • Self-protection: Folderfication can protect itself from malicious processes. This can be important to ensure encryption keys are not stolen from memory. It also prevents killing Folderfication through the Task Manager.
  • Require password: As an extra security precaution, a password can be set that must be entered before certain operations can be performed. This includes changing settings, accessing folder configurations and closing Folderfication.
  • Encryption Keys: There are three methods that can be used to for Encrypted Folders and Encryption Filtering. You can manually set a password for each folder and process, set one master password, or have Folderfication generate unique passwords for you. The key setting you choose directly relates to how keys are stored. If keys are generated then you must enable one of the two different Credential Manager storage options. And as mentioned above, in order to use Credential Manager the service must be running under the 'HDFFSvc' service account. The difference between the system Credential Manager and the current user Credential Manager is that Folderfication attempts to limit key query requests based on the user. However, this is only a Folderfication enforcement mechanism because Credential Manager is queryable by all users.
  • As an extra security precaution, Folderfication can wipe the Encryption Folder keys from memory when it detects the system has locked. If password settings require a manual key, then you will have to re-enter your password before the encryption can be enabled.
  • For the key sync options, if you enable key sync then your public key will be pushed to the server so that other users can query and download it. If you disable key sync, then your public key will not be pushed to the server and other users will not be able to share file keys with you.
  • Folderfication can generate a public/private key pair for you. However, if you would like to generate your own and import it, Folderfication allows that too. Importing requires a PFX certificate without a password.
  • The database settings are similar to the settings first seen during installation. Here you can set or remove the database password and change the storage method.
  • Folderfication can now write alerts to a remote Syslog. The remote server can be TCP or UDP, with or without security and use either RFC 3164 or 5424 formatting. Additionally, you can select which alert types should be sent. There are three categories of messages. They are:
    • Tripwires: Files that have been designated as tripwires and then had read, write or update operations performed.
    • Folder Access: Non-exempted processes attempting to access a protected folders.
    • Blocked Process: Any processes that attempts to run but is blocked by a No Execute rule.
    All alerts are in JSON format with the following format:
    Message (string): "Alert" Version (int): 1 System (string): Name of system AlertType (string): "FOLDER" "PROCESS" "TRIPWIRE" Details (string): Additional alert details. DTG (long): Windows FILETIME of alert.

  • General settings, security and import/export functions.

  • Encryption settings.

  • Key share and key pair options.

  • Viewing the generated or imported public key.

  • Database security settings.

  • Syslog configuration.

  • Folderfication color customization.

Group Policy

Folderfication can now be controlled remotely, in a domain environment, through Group Policy. Once the ADMX file has been installed on the domain controller, Windows clients running Folderification can be updated with a common options baseline.

For home end-users, updating options via Group Policy is not a typical way of controlling software. However, in an enterprise environment where common settings are necessary to control data access, Group Policy updating is a simple way to ensure Folderfication is configured properly.

The Folderfication Group Policy ADMX bundle can be downloaded here:


You can try Folderfication free for 7 days. Once your trial period is up you will have to purchase a license to continue using Folderfication.

When you install Folderfication, you will have the option of entering a license key or requesting a trial license. When Folderfication starts, it will validate the license key or the trial period. If the trial period has ended, then you must enter a valid license key to continue using Folderfication.

Once a license is used for the first time, it becomes associated with that particular system. While the license is a floating license, it first must be released from the current system before it can be re-used on a new system. In order to release the license, you need to open the license window from the task tray menu, and click the Release button. If the license was successfully released, then Folderfication will close. The key is then free to be used on a new system.

If for some reason you are not able to release the key on the old system, please contact Heilig Defense ( for assistance.


v1.2021.189.154 [No Encryption] (13 Jul 2021)

  • ADDED: Group Policy management.
  • ADDED: File tripwires.
  • ADDED: Better reporting of events to include Event Log and Syslog capabilities.
  • ADDED: Path, hash, and publisher exemptions for No Execute.
v1.2021.149.1745 [No Encryption] (29 May 2021)
  • ADDED: Can now add a folder to Default Deny so that all processes within that folder are restricted.
  • UPDATED: Task tray icon starts out gray while initialization completes. Will turn normal color when ready.
  • FIXED: A number of bugs related to folder and process selection and removal.
v1.2020.328.335 [No Encryption] (23 Nov 2020)
  • ADDED: Default Deny process protection allows you to file system isolate applications to a defined set of directories.
  • FIXED: A few minor bugs.
v1.2020.194.1525 [No Encryption] (12 Jul 2020)
  • FIXED: A few process trigger bugs.
v1.2020.183.1420 [No Encryption] (01 Jul 2020)
  • ADDED: Process triggers to toggle protections on and off.
  • FIXED: Database backup bug that invalidated exempted processes.
v1.2020.157.1400 [No Encryption] (05 Jun 2020)
  • ADDED: Manual updating option.
  • UPDATED: Changed installer to have 'hd' prefix for easier white listing.
  • FIXED: Bug caused by switching protections that made Deceive and Hide options to not work.
v1.2020.141.1955 [No Encryption] (20 May 2020)
  • FIXED: Short name normalization issue during file and process creates.
  • FIXED: Delete on close flag not properly monitored.
v1.2020.125.400 [No Encryption] (04 May 2020)
  • Initial release.