Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

EFS decryption without any original keys !!!

  • Filter
  • Time
  • Show
Clear All
new posts

  • EFS decryption without any original keys !!!

    I have a few files which are encrypted using EFS in NTFS v5. I cannot decrypt these files as I do not have a key for it, I am a local Administrator. I have also tried logging on as Admin, but same errors occur.

    If anyone knows of a utility that will 'crack' into my data so as to decrypt it, so I can work with it, it would be great.

  • #2
    You might want to log in as whoever encrypted them, export their key, and then log in as admin and use their key to read the files.
    May want to print this out.

    Few steps for 2k (only set I've written up so far):
    Saving your Key
    1) Stay logged in as the user.
    2) Get a blank floppy diskette and put it in the disk drive.
    3) Click on Start, Run and type: mmc
    4) A console window will open up. Click on the Console menu, and then click on “Add/Remove Snap In”
    5) Click the Add button in the bottom left of the new window, and then select certificates and click Add.
    a. Select “My User Account” and click finish. Then close the Add Standalone Snap In window and the Add/Remove Snap In window.
    6) Click the + next to certificates, and then click the + next to personal.
    7) Single click on the Certificates in the left hand window.
    The certificates for the username should now be displayed on the right hand part of the window.
    9) Double click your certificate, and then click on the Details tab.
    10) Click the “Copy To File” button, and the certificate export wizard should show up.
    11) Click next, then make sure “Yes, Export the private key” is selected, and click next again.
    12) Make sure “Enable Strong Protection….” is checked, but nothing else is aside of “Personal Information Exhange…” and then click next
    13) Type in a password, and make sure it’s something you can remember, but don’t make it too easy to guess. I do not suggest making it your current network password because this will change in 90 days, and if you need it a year from now chances are no one will remember it. You can write this password down somewhere, but do NOT keep it with the disk.
    14) After you click next one more time, it will ask you where you want to export the file, click the browse button, and find the floppy drive (usually A: ) and then name the file something of your choice. Click OK.
    15) The path to the A: drive will be in the filename, so click Next and then Finish.
    16) If it says Export was successful, you can close out all of the windows currently open and say No to saving the console settings.

    Importing Certificate to work off premises:
    1) Log into the computer how you normally do when off site.
    2) Insert the floppy disk with your key on it.
    3) Click on Start, and then click on Run. Type: mmc and click OK.
    4) A console window will open up. Click on the Console menu, and then click on “Add/Remove Snap In”
    5) Click the Add button in the bottom left of the new window, and then select certificates and click Add.
    6) Click the + next to Certificates, and then click the + next to Personal.
    7) Single click on “Certificates”
    Click on the “Action” Menu, then click on All Tasks, and then Import. This will bring up the Import Wizard.
    9) Click Next, and then click browse. Find the Floppy drive, and locate the file within it that contains your key. Click Open. Then click Next.
    10) Type in the password that you (hopefully) remember or have written down somewhere other than on the disk. Click Next
    11) Make sure the “Place all Certificates in the following store…” is checked, and then click Next and then click Finish.
    12) It will hopefully say “The import was successful” and then you can close out all the console windows and say No to saving the console settings.
    13) You should now be able to access “My Documents” and all the other folders and files that were encrypted.

    You can ignore all the stuff about what folders to encrypt, I'm just too lazy to take that out, you can read around it.
    "One thing a computer can do that most humans can't is be sealed up in a cardboard box and sit in a warehouse."
    -- Jack Handey [Deep Thoughts]


    • #3
      But what if I cannot log in anymore as the original user.

      Somebody deleted the engrypting useraccount, and recreated it with the same name, but this resulted in a different Unique ID. We have this ID. but that is about it.


      • #4
        Are you on an active directory domain?

        If so, the administrator has the ability to decrypt users files using recovery agents:;en-us;230490

        I dont know if this will help you as AFAIK they need to be set up before files are encrypted

        Good luck!
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd

        ** Remember to give credit where credit is due and leave reputation points where appropriate **