EFS Recovery Agent gets access denied when decrypting files

Forum: Windows Client TechCenter > Windows 7 Forums > Windows 7 Security

  • Friday, October 23, 2009 7:27 PM, C0C0B1T

    I have some files encrypted in Windows XP Pro with a user that doesn't exist anymore. I installed Windows 7 Pro and now I can't open the files (access denied).

    I set the local user with FULL control after taking ownership of the folder and files.
    After that I created an EFS certificate using cipher /r:MyEFScertificate.
    I ran secpol.msc to access the Public Key Policies/Encrypting File System to add a Data Recovery Agent, browsing to the certificate that I created before.

    A message appeared: "Windows cannot determine if the certificate has been revoked. The revocation function was unable to check revocation for the certificate."
    I installed the certificate but the user appeared as USER_UNKNOWN. I finished the installation of the certificate and then ran gpupdate.

    When I tried to eliminate the encryption from the file I got an error again: "Error applying attributes" (Access denied).

    The local user is a member of the built-in Administrators group. However, I added the user and the Administrators group with FULL control to the folder because it seems that being a member of the Administrators group is not enough for Windows 7.

    Please I need help. I encrypted all my personal data and now I cannot get it back.

Answers

  • Tuesday, October 27, 2009 8:23 AM, Arthur Xie (MSFT, Moderator)

    This is determined by the working mechanism of EFS. The files are encrypted with the current user ID. If you re-create the user profile or reinstall the system, the user ID will be changed. Please see the following article.

    The Encrypting File System

    It says:

    You've formatted your hard disk and reinstalled the operating system and cannot decrypt your encrypted files. Unless you've exported your EFS keys, or a recovery agent existed and those keys are available, you may not be able to decrypt your files. If your keys, or those of the recovery agent, are available, then it should be possible to either import your keys and decrypt the file or import the recovery agent keys (if necessary) and recover the file. You can determine who the recovery agent of a file is by using efsinfo.exe in Windows 2000 or by looking at the Advanced file properties in XP Professional or Windows Server 2003.


    Arthur Xie - MSFT
  • Thursday, October 29, 2009 9:53 AM, Arthur Xie (MSFT, Moderator)
    As the article says, we are not able to decrypt the file in the current situation. This is not only Windows 7: if any system is reinstalled, whatever the new system is, if you did not back up the certificate the EFS files will not be able to be decrypted. Imagine if creating a new certificate on the current system could decrypt the file: would you consider EFS a reliable security function?
    Arthur Xie - MSFT

All Replies

  • Wednesday, October 28, 2009 2:56 PM, C0C0B1T

    Thank you for your reply. Unfortunately, I think I did try to recover the files with the administrator account and it didn't work.

    I created a new key for the administrator user because I didn't back up any certificate under Windows XP. I used "cipher /r:newcertificate"; however, when I try to see the advanced attributes of the file, the EFS checkbox appears disabled with a checkmark and I cannot uncheck it. I have ownership of the file and also added the administrator with full access in the security tab. :(

    I am a little bit confused. Does Microsoft mean that, in Windows XP Pro, if you don't back up the certificate or the recovery agent certificate, you won't be able to see the encrypted files again on Windows 7 Pro by using a new recovery agent created for the first time after a clean installation? I don't know if I explained myself correctly, so please let me know.

    Thank you.

  • Tuesday, November 03, 2009 9:28 AM, Hawkeye3803
    So... I have the same problem. Does this mean that I now have to deal with PERMANENT data loss of my files? As the administrator and sole user of my computer it seems kinda ridiculous that I can't in some way FORCE ownership of my own personal files on my own computer. There has got to be a way around this.
  • Thursday, November 05, 2009 5:37 PM, C0C0B1T
    I'm very sure that if you are willing to pay $$$$ money $$$$ and show Microsoft your data they can decrypt the files very easy. It sucks...
  • Thursday, November 05, 2009 7:44 PM, Hawkeye3803
    <sigh> ok, thanks. I guess I'll live.
  • Thursday, November 12, 2009 9:16 PM, Mark A. R.
    I have the same issue, however, I also have a valid recovery agent cert which I've imported and it still won't decrypt the files. I've tried restoring the recovery certificate to both a Windows XP and Windows 7 system...both members of the same domain and on both systems I imported the listed recovery agent certificate. Suggestions????

    Mark
  • Thursday, November 12, 2009 10:27 PM, Mark A. R.
    I got it working. I was not exporting the private key because it was held on one of our DCs. I located it, exported it, imported it into my W7 box and everything decrypted w/o issue. Great learning experience though...

    Mark
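Editor's added example (not code from the thread, from Microsoft, or from any Windows component), modelling the mechanism behind Arthur Xie's two answers and the fix in Mark A. R.'s last reply. EFS generates a random file encryption key (FEK) per file, encrypts the data with it, and stores one copy of the FEK wrapped to the public key of each user certificate (the DDF entries) and each recovery-agent certificate (the DRF entries) that exist at the moment of encryption. The model replaces the real primitives with stdlib stand-ins: unpadded 512-bit textbook RSA instead of the certificate's padded RSA, a SHAKE-256 keystream instead of the FEK cipher, and a SHA-1 hash of the public key instead of an X.509 thumbprint. All key pairs, the file contents and the function names (efs_encrypt, efs_decrypt, scenario) are constructed for the example and are not Windows APIs.

```python
"""Stdlib-only model of the EFS key hierarchy: a random per-file key (FEK) encrypts
the data; one copy of the FEK is wrapped to the public key of every user (DDF) and
recovery-agent (DRF) certificate present when the file is encrypted.  Unpadded RSA,
a SHAKE-256 keystream and a SHA-1 key hash are constructed stand-ins for the real
EFS algorithms; nothing here is a Windows API."""
import hashlib
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin on a large odd candidate; enough for a demonstration key."""
    if any(n % p == 0 for p in (3, 5, 7, 11, 13)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full width, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Toy RSA key pair: public=(n, e), private=(n, d); 512 bits keeps it quick."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def thumbprint(public):
    """Stand-in for the certificate thumbprint EFS records with each DDF/DRF entry."""
    n, e = public
    return hashlib.sha1(n.to_bytes(64, "big") + e.to_bytes(4, "big")).hexdigest()


def _wrap(public, fek):             # a 256-bit FEK is always below the 512-bit modulus
    return pow(int.from_bytes(fek, "big"), public[1], public[0])


def _unwrap(private, wrapped):
    return pow(wrapped, private[1], private[0]).to_bytes(32, "big")


def _stream_xor(fek, data):
    """Symmetric stand-in for the FEK cipher: XOR with a SHAKE-256 keystream."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(fek).digest(len(data))))


def efs_encrypt(plaintext, user_pubs, dra_pubs):
    """Fresh FEK, then one wrapped copy per key that exists right now."""
    fek = secrets.token_bytes(32)
    return {"ciphertext": _stream_xor(fek, plaintext),
            "ddf": {thumbprint(pub): _wrap(pub, fek) for pub in user_pubs},
            "drf": {thumbprint(pub): _wrap(pub, fek) for pub in dra_pubs}}


def efs_decrypt(blob, key_store):
    """key_store maps thumbprint -> private key, or None when only the certificate
    (public half) was imported.  Ownership and ACLs never enter into it: no private
    key matching a DDF/DRF entry means no FEK.  Returns plaintext or None (denied)."""
    for entries in (blob["ddf"], blob["drf"]):
        for tp, wrapped in entries.items():
            if key_store.get(tp) is not None:
                return _stream_xor(_unwrap(key_store[tp], wrapped), blob["ciphertext"])
    return None   # the model's "Access is denied"


def scenario():
    """Replay the thread: a file written on XP, then each attempt after the reinstall."""
    xp_pub, xp_priv = generate_keypair()      # the XP user that no longer exists
    dra_pub, dra_priv = generate_keypair()    # a DRA that existed when the file was written
    blob = efs_encrypt(b"constructed sample: my personal data", [xp_pub], [dra_pub])
    new_admin = generate_keypair()            # fresh Windows 7 administrator with Full Control
    new_dra = generate_keypair()              # cipher /r on Windows 7, added via secpol.msc
    return {
        "new_admin_full_control": efs_decrypt(blob, {thumbprint(new_admin[0]): new_admin[1]}),
        "dra_created_after_encryption": efs_decrypt(blob, {thumbprint(new_dra[0]): new_dra[1]}),
        "dra_cert_without_private_key": efs_decrypt(blob, {thumbprint(dra_pub): None}),  # Mark's first try
        "dra_with_private_key": efs_decrypt(blob, {thumbprint(dra_pub): dra_priv}),       # Mark's fix
        "original_user_key": efs_decrypt(blob, {thumbprint(xp_pub): xp_priv}),           # a cipher /x backup
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:32} {result!r}")
```

Running it, every attempt from the thread that lacks a matching private key comes back None: the new administrator with ownership and Full Control, because NTFS permissions are not part of the FEK wrapping at all; the recovery agent created with cipher /r and added in secpol.msc afterwards, because a new DRA only gets a DRF entry in files encrypted from that point on; and the recovery agent's certificate alone, which is the public half and can wrap but never unwrap. The two cases that return the data are exactly the ones the moderator's article and Mark's fix describe: the recovery agent's private key (the .pfx that cipher /r writes next to the .cer, or the key exported from wherever the DRA was enrolled) or a backup of the original user's own key.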