sxmahesh

An error occurred applying attributes to the file. Access is denied - While decryption

Hi there,

I ran into a strange behaviour where I am not able to use or decrypt the files. I am the administrator on my machine, which is running Windows 2003. I was able to remove the decryption last month but not any more. I get the following error:
An error occurred applying attributes to the file.
<FileName>
Access is denied.

I tried using the MS KB
http://support.microsoft.com/default.aspx?scid=kb;en-us;264064&sd=tech and
http://support.microsoft.com/?kbid=265114 but no use. I have full control over the folder and files. I in fact gave full permissions to everyone and still no luck.

We do normally change our passwords as per Windows standard and I am wondering if that could have any effect.

Does anyone have any suggestion how to decrypt the files?

Thanks in advance.

Cheers
Mahesh
Jose Rivera-Hernandez

Mahesh,

1. Are you the owner of this folder? I understand you are the Administrator, but did one of your users encrypt this folder? Has he/she tried to open it while he/she is logged on to the machine?


2.  Has the domain requested to change the passwords since you last were able to decrypt this folder?

Try to add your account in the Security for this folder, however, when you do click on the Advanced button and check the box "Replace permissions...." click Ok and it will start replacing/updating the permissions on the folder. Try to decrypt the folder again and let's see if this works.

Thanks,

Jose
sxmahesh

ASKER

Jose,

Thanks for your response.

1. Yes, I am the owner of the folder and files within that. And I was the one who encrypted the folder.
2. Our domain does remind us to change the password and this is as per Windows security policy. I am sure I would have changed my password since I last decrypted, but anyway, I used to open the files and decrypt some of them quite often before and, sure again, I would have changed my password then.

Thanks
Mahesh

Jose,

Also I already tried your suggestion of checking the "Replace permissions...." and still does not work.

Mahesh
Tolomir
I think it's no permission problem, but in fact you are not the owner of the encrypted file!

So I guess this is your problem:

User Cannot Gain Access to Certificate Functionality After Password Change or When Using a Roaming Profile
http://support.microsoft.com/default.aspx?scid=kb;en-us;331333&sd=tech

Tolomir

Tolomir,

Well, I am the owner of the file and in fact x-checked with properties.

I do not remember the password when I encrypted the file. The above KB article claims "Any password changes that were made before the change to the registry are not be undone and you will still receive an "access denied" error message when you open the EFS file."

Thanks
Mahesh
Mahesh,

This is something since you were able to open it before, have you tried this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;308993&sd=tech

Thanks,

Jose
Changing the password by itself should not cause a problem as long as you follow the standard procedure (Ctrl + Alt + Del then Change Password). If you reset your password another way (for example by going to Computer Manager, right click on user account and click Reset Password) you will lose access to the key that encrypted the file and you won't be able to get it back. For this exact reason the only way I would ever recommend using EFS would be with designated recovery agents that can be used to restore a file in cases such as this. If you have no other luck with getting the file the regular Windows way you might need to decrypt the file normally.

If your machine is on a domain then the administrator account on the first domain controller is the default recovery agent and you can use the account's private key to decrypt the file. When a file is encrypted in EFS a key is generated for each file and the key is encrypted with the public key of every account that has access to the file and it is stored together with the file. If you can get the private key of another account that has access to the file you should be able to decrypt the file. Otherwise follow this procedure to see if you still have the certificate to decrypt your file:

1. Click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. Under Available Standalone Snap-ins, click Certificates, and then click Add.
4. Click My user account, and then click Finish.
5. Click Close, and then click OK.
6. Double-click Certificates - Current User, double-click Personal, and then double-click Certificates.
7. Locate the certificate that displays the words "File Recovery" (without the quotation marks) in the Intended Purposes column.

If you cannot find a certificate with that purpose then you might be in trouble. You can follow the above procedures to export the key of another user that has access to the file. If you are not on a domain and you are not currently using the default built-in Administrator account you should be able to use that account to recover the file as it is the default recovery agent for files when a machine is not on a domain. Hope this helps.


Regards,

Cosmin Stejerean
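
The key layering described in the answer above, as an added sketch that is not part of the original thread and is not Windows' actual implementation: a per-file key is wrapped once per account, and each account's own key is protected by its logon password. The names `Account`, `wrap`, `unwrap`, `encrypt_file` and `decrypt_file` are hypothetical, and a symmetric HMAC-based toy wrap stands in for EFS's public-key wrapping and real ciphers.

```python
import hashlib, hmac, os

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def wrap(key, secret):  # toy authenticated wrap, NOT the ciphers EFS really uses
    assert len(secret) == 32, "toy wrap handles 32-byte values only"
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _mac(key, b"enc", nonce)))
    return nonce + ct + _mac(key, b"mac", nonce + ct)

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _mac(key, b"mac", nonce + ct)):
        raise PermissionError("Access is denied.")
    return bytes(a ^ b for a, b in zip(ct, _mac(key, b"enc", nonce)))

class Account:
    def __init__(self, password):
        self.salt, self.password = os.urandom(16), password
        # the account's EFS key, stored protected by the logon password
        self.protected_key = wrap(kdf(password, self.salt), os.urandom(32))

    def efs_key(self):
        return unwrap(kdf(self.password, self.salt), self.protected_key)

    def change_password(self, old, new):  # old password supplied: key is re-protected
        key = unwrap(kdf(old, self.salt), self.protected_key)
        self.protected_key = wrap(kdf(new, self.salt), key)
        self.password = new

    def reset_password(self, new):  # no old password: key stays under the old one
        self.password = new

def encrypt_file(data, accounts):
    fek = os.urandom(32)  # per-file key, wrapped once per account with access
    return wrap(fek, data), [wrap(a.efs_key(), fek) for a in accounts]

def decrypt_file(efile, account):
    body, slots = efile
    key = account.efs_key()  # fails here if the password no longer unlocks the key
    for slot in slots:
        try:
            return unwrap(unwrap(key, slot), body)
        except PermissionError:
            continue
    raise PermissionError("Access is denied.")
```

In this model a second account passed to `encrypt_file` plays the recovery agent: it can still decrypt after the first account's password has been reset, and file permissions never enter into it.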
Hi everyone,

I have got back the files after trying various things. The conclusion is changing the password does have an effect on the EFS.

I am the administrator on my machine and it is a domain account (e.g. NT\Mahesh). I tried the workarounds mentioned in various KBs, exported the certificates and even added them to the trusted store, changed security permissions on the folder/files to give everyone full access, changed the ownership to myself deliberately etc., all with NO LUCK.

Then I thought maybe the EFS does not have access to the certificate which was used to encrypt the files. How do I check that? The first thing I thought was maybe to change the password to the one I had when I encrypted the file. I changed the password (of course after various retries and logging off) and at last the decryption worked. I change the password only through CTRL+ALT+DEL and no other way.

So changing the password does not allow you to decrypt or open the encrypted files. I will not recommend using the encryption if you are changing your password often.

Thanks everyone for their inputs.

Mahesh
Great you made it.

One has to keep in mind that changing ownership, permissions etc. of a file will not affect its EFS encryption status.

But indeed, I often have to recover files for various reasons, I stick with drivecrypt (maybe truecrypt, a free solution, would be wiser but since I paid for it...)

With drivecrypt/truecrypt you can encrypt an entire partition, so even if you have to reinstall Windows, that partition is not affected by it and you can always get access by entering the proper "separate" password you provided during configuration of that tool.

www.truecrypt.com

Tolomir