Drive crashed, have backup of EFS encrypted files, new machine Windows pre-loaded, can't open encrypted files

Posted on 2005-05-02
Last Modified: 2010-04-03
Machine hard drive crashed. Have a backup using Retrospect, but files in My Documents and below are EFS encrypted. Have a new machine, Windows XP Pro is pre-loaded. Restored files from backup but can't read encrypted files. Imported the license from the old system: Documents and Settings/Application Data/Microsoft/Certificate System/My/Certificates (or something similar). Didn't do any good.

There's no EFS group policy defined on the new machine. Tried to add one, but I don't have the certificates available. Imported again but now I'm way over my head and not sure what to do. Machine is in a workgroup, not a domain. I created the exact same user name, machine name and workgroup name as the old machine. I don't want to do an image restore on this new machine, but I can start all over from scratch because it's brand new.

Appreciate any help you can give me!
Question by:swmcdonnell
    LVL 10

    Expert Comment

    I believe EFS will only function based on the UID that the user had previously, since you have recreated the PC, same username, and same workgroup all you have is a PC that happens to have these characteristics but does not have the same UID as the past user.  EFS is meant to protect everyone other than user who encrypted them from using them.  This wouldn't be very secure if I could walk into the office with my own computer, using the same workgroup and username and read all these files.  There is really no way to recover these that I know of in a workgroup environment.  In a domain environment you can have a more structured recovery environment for EFS files.  Sorry to say I believe you may be out of luck .
    LVL 87

    Expert Comment

    Logon to the PC as administrator, then right click those folders, select security and then take ownership of those folders. Now you should have sufficient rights to change the rest of the permissions of those folders.
    LVL 10

    Accepted Solution

    huh, this is not a security issue.  This is an issue of dealing with encrypted files.

    If something should happen to affect the opening of encrypted files, such as changing you user account or some system instability, this is where your backed up keys are going to come into play. My philosophy is: don't wait for a catastrophe to learn how to recover your system.

    So with that said let's take a look at how to restore your certificate, which will allow you to open these files once again.

    1. You need to encrypt at least one file on your PC—this will prompt Windows to create a certificate for your user account.

    2. Log on as the local administrator (usually the main account on the PC, and it should be password protected).

    3. Start a Microsoft Management Console by going to Start/Run and in the field type "mmc" (without the quotes) and select OK.

    4. Go to File, Add/Remove snap-in and click the Add button. Next, highlight the "Certificates" snap-in and click Add. Choose the "My User Account" radio button and click Finish. Finally, click Close and then click OK.

    5. In the left pane, expand "Certificates-Current User" by clicking the + sign. Proceed to "Personal" then "Certificates".

    6. In the right pane, right-click and select "All Tasks" then "Import" to start the Certificate Import Wizard.

    7. Click Next. Enter the name of the certificate file.

    8. Enter the password for the certificate, and check the "Private key as Exportable" box. Click Next twice, and then click Finish.

    You should now be able to open the files that you couldn't before.

    I used these directions one time, a long while ago... I believe it worked for me.  I didn't realize that you said you had backups of your certificates...
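As an added example (not from the thread), the same backup-and-restore flow scripted in PowerShell for a current Windows machine: it finds the user's EFS certificates, exports each together with its private key to a password-protected .pfx, and imports that file on the new machine with the key marked exportable, which is what the wizard steps above do by hand. The backup folder and password prompt are assumptions; a certificate exported without its private key cannot decrypt anything, and the PKI cmdlets need Windows 8 / Server 2012 or later.

```powershell
# Added example, not code from the original thread. Assumes the PKI module
# (Export-PfxCertificate / Import-PfxCertificate) is available.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID that marks an EFS certificate

function Get-EfsCertificate {
    # Certificates in the user's Personal store whose EKU includes EFS
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsOid })
    }
}

function Backup-EfsCertificate {
    # Export every EFS certificate WITH its private key to its own PFX file
    param([string]$Folder, [SecureString]$Password)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    foreach ($cert in Get-EfsCertificate) {
        if (-not $cert.HasPrivateKey) {
            Write-Warning "$($cert.Thumbprint) has no private key here; it cannot decrypt files"
            continue
        }
        $pfx = Join-Path $Folder "efs-$($cert.Thumbprint).pfx"
        Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $Password | Out-Null
        Write-Host "Exported $($cert.Thumbprint) to $pfx"
    }
}

function Restore-EfsCertificate {
    # Import the PFX into the Personal store on the new machine.
    # -Exportable mirrors the "Private key as Exportable" checkbox in step 8.
    param([string]$PfxPath, [SecureString]$Password)
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
        -Password $Password -Exportable
}

# --- usage (placeholder paths) ---
$pw = Read-Host -AsSecureString 'Password to protect the PFX backup'
Backup-EfsCertificate -Folder 'D:\efs-backup' -Password $pw          # on the old machine
# Restore-EfsCertificate -PfxPath 'D:\efs-backup\efs-<THUMBPRINT>.pfx' -Password $pw   # on the new one

# Verification: cipher /c lists the certificate thumbprints that can decrypt a file;
# one of them must match a certificate now present in Cert:\CurrentUser\My.
# cipher /c "C:\Users\<user>\Documents\somefile.docx"
```

Keep the .pfx and its password apart from the data backup; whoever holds both can read every file the certificate protects.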
    LVL 13

    Expert Comment

    I am not in a data loss situation, but have been trying to figure out how to create EFS encrypted files on one machine and read them on another (with full access to the certificates on the "creation" machine, and with both machines fully functional).  I've been playing with this for 6 weeks, and I have not figured out how to do it yet.  Exporting the keys and certificates on the creation machine and importing them on the "read" machine doesn't do it, although I believe that it is a necessary step (that is, if you don't have the ".PFX" file, then I think that all hope is lost, but even with it, I have not yet succeeded).  Taking ownership seems to have nothing to do with it.  I believe that the answer lies in something Microsoft calls a "recovery agent" and "recovery policy", but my attempts to create one have not been successful.

    A contact at Microsoft recommended these two links for information (have not read them yet):


    Good luck and keep us posted.
