EFS private key missing. Certificate is still there...

[DevinWeston]

Hi there,

I have encrypted files in my profile (desktop) but I can't decrypt them anymore.

When I right click on one of these files, I can see that it has been encrypted on some user@computer (the computer has been renamed since then) using Certificate Thumbprint :

When I check my personal certificates, I am actually able to find one matching the same Thumbprint :

But, it looks like that for some reasons, the Private Key is missing, the option to export the private key along with the certificate is greyed out :

I do have a file named after the Certificate Thumbprint on <CurrentUserProfile>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\

So since the file has been encrypted, my computer has been renamed, I changed my account password, and permissions may have changed on the files (but I still have admin privileges on them).
The computer has not been formatted or anything, "EFS Recovery" tool from DiskInternals were not able to recover the private key.

Is there any chance to recover my files ?
Where is the private key stored, can I find it back somehow in the registry ?
Would renaming my computer to the old name and resetting my password to the old password help ?

Thanks for your clues

 

[Pinhedd]

Hi there,

I have encrypted files in my profile (desktop) but I can't decrypt them anymore.

When I right click on one of these files, I can see that it has been encrypted on some user@computer (the computer has been renamed since then) using Certificate Thumbprint :

When I check my personal certificates, I am actually able to find one matching the same Thumbprint :

But, it looks like that for some reasons, the Private Key is missing, the option to export the private key along with the certificate is greyed out :

I do have a file named after the Certificate Thumbprint on <CurrentUserProfile>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\

So since the file has been encrypted, my computer has been renamed, I changed my account password, and permissions may have changed on the files (but I still have admin privileges on them).
The computer has not been formatted or anything, "EFS Recovery" tool from DiskInternals were not able to recover the private key.

Is there any chance to recover my files ?
Where is the private key stored, can I find it back somehow in the registry ?
Would renaming my computer to the old name and resetting my password to the old password help ?

Thanks for your clues

The private key is stored within the certificate itself, but it is also protected by a password. The key which is used to encrypt your file system is itself encrypted by a plaintext password. If you have lost the password to the certificate you are unfortunately SOL and there is no way to recover the data short of remembering or brute forcing the password.

In the future, you should create a backup of your EFS certificate that is not password protected (EDIT: The certificate will still be password protected, but you may choose the password when exporting, so it can be unique to that certificate only which means that you can write it down) and store this offline in a safe and physically secure location. I recommend using floppy disks (I know, they're archaic but they are extremely resilient) or CDs; if you have a safe in your residence, put it in there. Do not use anything that is based on Flash memory.

 

[DevinWeston]

Thanks for your reply Pinhedd,

If the private key is protected by password (generated automatically I guess because it never assked my anything), how did the certificate lost it ?
Must be somewhere on the computer...

Well, if I can't retreive the key password, I still have 0 byte files encrypted, so I should be able to perform a brute force on one of them with good performances, do you know a tool that does that on EFS ?

 

[Pinhedd]

Thanks for your reply Pinhedd,

If the private key is protected by password (generated automatically I guess because it never assked my anything), how did the certificate lost it ?
Must be somewhere on the computer...

Well, if I can't retreive the key password, I still have 0 byte files encrypted, so I should be able to perform a brute force on one of them with good performances, do you know a tool that does that on EFS ?

By default the certificate password is synchronized with the password of the Windows account that it belongs to. It is decrypted when the user logs in and will be changed whenever the user changes his or her password while logged in. It will not be changed if the user's password is reset or forcibly changed by an administrator, this is a security feature to prevent administrators from accessing EFS data. This means that the password protecting the certificate can become out of sync with the users' Windows account password.

To recover from this, you should change your password to the same one that was used with the EFS certificate prior to reformatting, and then reboot your PC. Then, import the certificate (if you haven't done so already) and attempt to access the EFS data. If this still doesn't work then for some reason the certificate that is installed does not contain the private key (it's a public certificate) and you're SOL.

 

[DevinWeston]

Thank you for that, I did change the password using an other admin account, so now I know how I did lost the private key, I will change it back to the old password, I still hope that once it's broken it can be resynched, which I'm not sure of...

One last thing, what does SOL means ?
I understood that it means something like "screwed" but well, what the letters mean exactly ?

Edit : this did work, solution was so simple in the end, thank you for showing it to me

 

[Someone Somewhere]

S!*# Out of Luck.

 

[Pinhedd]

Thank you for that, I did change the password using an other admin account, so now I know how I did lost the private key, I will change it back to the old password, I still hope that once it's broken it can be resynched, which I'm not sure of...

One last thing, what does SOL means ?
I understood that it means something like "screwed" but well, what the letters mean exactly ?

Edit : this did work, solution was so simple in the end, thank you for showing it to me

Excellent! Glad to hear it worked.

As for SOL, it's what SS said ^

 

[FreedomRydr]

I realize this is an old post, and an even older issue. The forums all over the net reporting the same issue of unwanted EFS for many different reasons. It has now been about 3 years I have been following this long-stretched thread about lost, inaccessible, protected files. Mine is similar. My main drive reported it was about to fail, so I took the 30+ years of photos and videos and copied them to an empty hard drive. It was so long ago now, I do not recall the details of how it happened, all I know is I did not ask for it, and Windows did not tell me it was doing it. After copying the 12000 plus files, I replaced the main drive. Brand new, clean install. No 'knowledge' of what was on the external drive. When I tried to copy them back, I noticed they were all green. I googled 'green files' and found out. Encrypted. How? Why? Who knows? I tried to access them and copy them back, but it said I did not have permission. I looked at the permissions and it said I was the 'owner' and had full rights. But I still could not access it. I always use the same username and password, but every time I tried to use it, same answer, 'no permission'. I tried to take ownership. 'no permission, contact the administrator'- That's ME. Cannot copy, cannot move, cannot rename, cannot change ownership cannot take ownership, as I already have it! It says I have 'full control', but there must be a clone of me, because I cannot access anything on the drive, I cannot even add files to it! I have been fighting this for 3 years now, hoping Microsoft would heed the thousands of complaints about un-requested encryption. There is software out there that claims to be able to get around 'green files', but I have yet to find one that works. I cannot give up. I am a photographer and this is almost 40 years of my work, locked on a stupid hard drive encrypted, allegedly by me, owned by me, permitted to me, but I cannot access it. Some 'expert' on this forum made a crack to another user with this issue, "if you cannot teach it, you have no business using it" CROCK! I don't care if I was a senior EFS technician. The first thing I would teach about EFS, is unless you work for the CIA and have names of undercover agents on your disk, DO NOT USE IT!! Someone else (probably the same guy) said "If you do not have the key, you are SOL! EFS does its job well, you will NEVER get your files back" So WHERE exactly is this KEY? On the crashed drive? The NEW drive? The External drive? Who generated it and why? The only encryption I use is Bit Locker, but I did that, and I know where the keys and passwords are! (This same drive is double encrypted using Bit Locker,but when I decrypt it, guess what? "No Permission- contact your administrator". Look, somebody, or some geek team, wrote this program. There is no programming geek in the Universe, that creates a program without a 'back door'. Somebody know how to decrypt green files without a key! So out with it Microsoft! YOU did this. Not me, not the thousands of others I have been reading about, around the world, with the same problem. "WHY is this drive encrypted?" "I did not ask for it", "I did not even know what EFS was until I tried to open my files". The list goes on and on, "I want my files back!". Well ME TOO! My LIFE is those files! Somebody knows a way in. GEEKS Unite!! WRITE THE CODE! Do not let MS tell you "you cannot have your files back, because WE encrypted them for you" Thanks, but no thanks, now give them back! SOL, my patootie! I want my work back! Where is the 'back door'? 'nuff said? Yup!

 

[Someone Somewhere]

Post a new thread - stuff may be different. Also, please use paragraphs.

IMHO, encryption standards should never have backdoors. If it's got a backdoor, it's not good encryption.

Any data you have encrypted should be backed up in an unencrypted or differently encrypted form elsewhere (this of course goes for all data, not just encrypted data. But it's more important for encrypted data).