Morning All,
I’m hoping someone can help with this as I’m tearing my hair out over it!
Essentially a user “accidentally” encrypted a lot of files on a network share using Windows EFS Encryption.
Thought it would be an easy fix: log on as the user, on the PC I expected the user to have done it from, untick the box and all would be good in the world - this wasn’t the case.
I essentially got an “Access is denied” message when trying this.
I’ve tried several different steps, revolving around exporting the recovery certificate and attempting to use this, logged on as a domain admin, ensuring the thumbprints match and still get an “Access is denied” - this is after taking ownership.
I’m running out of options now, backups aren’t an option anymore as it was discovered they were encrypted too late.
One thing that may be worth noting, the user recently got renamed in active directory after getting married.
The certificate on the local PC (I believe) that encrypted the files, doesn’t match the thumbprint of the certificate on the certificate store on that local PC.
Any help would be really appreciated.
3 Spice ups
A rename won’t cause a problem as the display name in AD is just that, a display name. The underlying SID/GUID is what matters.
If the user encrypted the files under their logon then their logon should be able to decrypt them. At this point it might be worth a call to Microsoft to resolve the certs issue.
Are these files local or on a server? Any snapshots or older backups?
1 Spice up
They’re server hosted files - but the snapshots don’t cover the period they were encrypted.
Is there a way to verify the PC the encryption came from at all, just to make sure I’ve got the right PC, as the thumbprints don’t match?
Try this
The EFS certificate files can be found in “C:\Documents and Settings\<username>\Application Data\Microsoft\SystemCertificates\My\Certificates”.
They are stored each in one file, named by thumbprint, with no extension.
If by some miracle you do manage to locate them then try this: How To Migrate EFS Files and Certificates | Microsoft Learn
If you are unable to import them you will be forever unable to access the contents of the encrypted files.
1 Spice up
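
An added example, not part of any post in the thread: one way to check whether a given PC and profile hold the key for an encrypted file is to read the certificate thumbprints recorded on the file with `cipher /c` and compare them with the user's Personal certificate store. It assumes English-language `cipher.exe` output, and `$Path` is a placeholder for any one of the affected files.

```powershell
# Added example (not from the thread). Run while logged on as the affected user.
# Assumption: English-language cipher.exe output. $Path is a placeholder for one encrypted file.
param([Parameter(Mandatory)][string]$Path)

# Index the user's Personal store by thumbprint so each file entry can be looked up.
$store = @{}
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { $store[$_.Thumbprint] = $_ }

# cipher /c lists the certificates able to decrypt the file, in two sections:
# the encrypting user(s) and the recovery agent(s).
$section = 'Unknown'
$results = foreach ($line in (cipher.exe /c $Path)) {
    switch -Regex ($line) {
        'Users who can decrypt' { $section = 'User' }
        'Recovery Certificates' { $section = 'Recovery' }
        'Certificate thumbprint:\s*(.+)$' {
            # cipher prints the thumbprint in space-separated groups; the store uses none.
            $tp   = ($Matches[1] -replace '\s', '').ToUpperInvariant()
            $cert = $store[$tp]
            [pscustomobject]@{
                Role          = $section
                Thumbprint    = $tp
                InUserStore   = [bool]$cert
                HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
                NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
            }
        }
    }
}

$results | Format-Table -AutoSize

# Decryption needs the private key, not just the certificate, for a listed thumbprint.
if (-not ($results | Where-Object HasPrivateKey)) {
    Write-Warning 'No certificate listed on this file has a private key in this profile.'
}
```

A row with `HasPrivateKey` set to `True` means this profile holds a key that matches the file; if every row shows `False`, the key that encrypted the file is in a different profile or on a different machine.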