November 06, 2000 12:00 AM

Decrypting EFS

Windows IT Pro
InstantDoc ID #15907

Inadvertent Decryption
More devilish details concern copying, editing, backing up, and recovering encrypted files: Can any of those actions inadvertently decrypt a file? And does encryption interfere with backing up a file?

Before I go further, let me say that encrypting entire folders, rather than particular files, is a good idea, particularly if you're encrypting files that you've used simple applications to produce. Many simple text editors, word processors, and spreadsheets never actually "save as" when you tell them to Save As. For example, in many editors, if you edit a file named stuff.txt and tell the editor to save the file, the editor takes several steps. First, the editor renames the old stuff.txt file—for example, to stuff.$$$. Then, the editor saves the revised stuff.txt to disk as a new file. Finally, the editor deletes the renamed file, stuff.$$$, or changes its extension (e.g., to .bak). Thus, if a problem occurs in the middle of saving the file, the editor can retrieve the original file (i.e., stuff.$$$).

This multistep approach to saving files is good belt-and-suspenders programming. But if you encrypt stuff.txt, then later edit it and save changes, the editor eliminates the original stuff.txt, so EFS figures that its job is done and doesn't encrypt the revised stuff.txt file. Not all applications exhibit this behavior, but many do. When you encrypt the entire folder rather than only the file, EFS encrypts everything you store in the folder and your files remain encrypted no matter how your application saves them.

If you copy an encrypted file to another NTFS5 volume, NTFS5 encrypts the copy as well, even if the volume is across the network. Of course, if you copy the file to a floppy disk, a FAT drive, or some other non-NTFS5 drive, the copy isn't encrypted. (However, only you can copy a file you've encrypted, so another user can't decrypt your file by copying and then reading the decrypted copy.) If you're using Offline Files on your workstation and you cache an encrypted file, the copy in your local cache isn't encrypted. (Offline Files warns you before it caches an encrypted file.) I haven't figured out a way to encrypt \winnt\csc, so you might want to make an administrative decision to disallow caching on shares that contain encrypted data.
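A way to check for the two situations described above (a file rewritten in the clear by an editor's rename-and-save sequence, and a copy sitting on a volume that can't hold EFS data) is to audit the folder tree for items that lack the Encrypted attribute. This PowerShell sketch is an added example, not part of the original article; the folder path `C:\Secret` and the function names are hypothetical, and it assumes a local drive-letter path for the volume check.

```powershell
# Added example: list items under a folder that are NOT EFS-encrypted.
param(
    [string]$Root = 'C:\Secret'   # hypothetical folder that should be fully encrypted
)

function Test-EfsEncrypted {
    param([System.IO.FileSystemInfo]$Item)
    # EFS marks encrypted files and folders with the Encrypted attribute bit.
    return ($Item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
}

function Get-EfsAudit {
    param([string]$Path)

    $rootItem = Get-Item -LiteralPath $Path -Force

    # Volume check (drive-letter paths only): EFS needs NTFS, so anything
    # stored on FAT or a floppy is in the clear regardless of its source.
    if ($rootItem.FullName -match '^[A-Za-z]:') {
        $drive = New-Object System.IO.DriveInfo ($rootItem.FullName.Substring(0, 2))
        if ($drive.DriveFormat -ne 'NTFS') {
            Write-Warning "$($drive.Name) is $($drive.DriveFormat); files here cannot be EFS-encrypted."
        }
    }

    # Folder check: if the folder itself is not marked, files that an editor
    # re-creates during a save are written unencrypted.
    if (-not (Test-EfsEncrypted $rootItem)) {
        Write-Warning "$($rootItem.FullName) is not marked for encryption; new files will be stored in the clear."
    }

    # Item check: report every file or subfolder without the attribute,
    # including leftovers such as .bak or .$$$ copies.
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { -not (Test-EfsEncrypted $_) } |
        Select-Object FullName,
            @{ Name = 'Kind'; Expression = { if ($_.PSIsContainer) { 'Folder' } else { 'File' } } },
            LastWriteTime
}

Get-EfsAudit -Path $Root | Format-Table -AutoSize
```

An empty result with no warnings means everything under the folder carries the attribute; any file listed was saved or copied without encryption and needs to be re-encrypted, ideally by encrypting its parent folder.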

Assuming that you're an administrator (and so have backup and restore rights), you can back up and restore encrypted files. The backup or restore routine simply copies the encrypted bits to or from the backup medium.

Beyond the Basics
This information will start you off learning your way around the basics of administering systems with EFS, but you still have lots more to learn. (See "Related Articles in Previous Issues" for more EFS-related information.) Do yourself a favor and try a bit of encryption, backup, restoration, and recovery on a file or two now, before a user presents you with an encryption-related problem.

Related Articles in Previous Issues
You can obtain the following articles from Windows 2000 Magazine's Web site at http://www.win2000mag.com/.

SEAN DAILY
"NTFS5 vs. FAT32," April 2000, InstantDoc ID 8294
MARK RUSSINOVICH
NT Internals, "Inside Encrypting File System, Part 2," July 1999, InstantDoc ID 5592
NT Internals, "Inside Encrypting File System, Part 1," June 1999, InstantDoc ID 5387


Comments
  • Eric
    7 years ago
    Feb 19, 2005

    I also am having an identical problem to some of the others. I have encrypted pictures and files on a secondary drive and due to a system error I re-installed Server 2003 on the main drive... hence wiping out the user profile that created the encryption.
    How can I recover the files, as I did not see any resolution comments in response to that?
    Please help... I'd hate to lose those pictures.

  • Anonymous User
    8 years ago
    Dec 24, 2004

    I have a MAJOR PROBLEM... It's complicated to explain. But try to understand what happened.

    I tried to do a home network using Windows 2003 Server Enterprise (Active Directory), and connected my Windows XP Pro to it.

    Somehow some of my personal files kept on D:\ got ENCRYPTED on my XP machine, which I don't remember doing.

    Because I couldn't get Active Directory to do what I wanted (a friend managed to do it on his PC), I decided to scrap the Server installation, and put XP on the server as well.

    I tried to view the files on my 1st XP machine, and it wouldn't let me do anything with the files. I found out they got encrypted with EFS, and now I can't decrypt them. The Recovery Agent that was on the Server's HD has been formatted and put into another PC, which I have sold. So I no longer own that HD.

    So now I'm stuck here without any Recovery Agent, or any way of decrypting my files.

    I have tried EFSINFO and CIPHER, but it won't let me. Somehow, the files don't even recognise my several standard passwords. NOBODY else has used my PCs, I KNOW that.

    I have tried a number of software. One program finds the decrypted files, and asks me for a password (which I don't know anymore), but I can't find a Password Recovery software for EFS encrypted files.

    PLEASE can someone help me with this, or the whole problem I have. I don't even have a Recovery Agent or Certificates.

  • issay
    9 years ago
    Dec 21, 2003

    I have deleted the user profile of the encrypted user. I try to decrypt files, logged in as administrator, but no use. What shall I do? Can I decrypt?

  • Sofoklis karapidakis
    9 years ago
    Dec 12, 2003

    I found the article very informative and interesting.
    I am in the following trouble. I have had some files decrypted in drive D. Since my operational system had some trouble, I decided to format my disk without however exporting the keys for encryption. As a result, I cannot access important files (those encrypted). Do you have any suggestions?
    Thanks in advance.

  • Jan
    9 years ago
    May 04, 2003

    Could anyone tell me how I can decrypt a file which is encrypted by a user? I know that only the user can open it and there is a recovery agent who can do it. I added the recovery agent but still when I open the file I find the access denied message. Can someone tell me the complete process of decrypting the file? I will be grateful.

    Thanks.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.