Question on EFS in XP

Posted on 2006-06-20
Last Modified: 2010-05-18
one of the features (as listed in the XP Help and Support Center):
* Encrypted files can become decrypted if you copy or move the file to a volume that is not an NTFS volume.

does this mean that all someone has to do is copy the file to something other than NTFS and the encryption is broken?  if so, what's the point of EFS?

also, if someone removes the password on a user's account by force (not through control panel->user accounts), will that person have access to encrypted file contents?  what if the password is just removed in control panel->user accounts?

i am trying to determine if EFS is sufficient for protecting HR files in case a computer is stolen.
Question by:zephyr_hex

Assisted Solution

MessHallMan earned 50 total points
Comment Utility
I personally would not depend on EFS for the storage of any sensitive data. There are too many programs that can crack the passwords.  If you are looking to store sensitive data on a laptop, I would recommend looking at a third party encryption program.
LVL 12

Assisted Solution

fruhj earned 50 total points
Comment Utility
Hi zephyr_hex,
> one of the features (as listed in the XP Help and Support Center):
> * Encrypted files can become decrypted if you copy or move the file to
> a volume that is not an NTFS volume.

True if the user who encrypted the file is the one doing the copy.

LVL 42

Author Comment

Comment Utility
ok, so if someone were to steal my computer and copy the file to FAT32, they would not break the encryption?

also, what about the user account password?  if that is removed, is the encryption broken?
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

LVL 42

Author Comment

Comment Utility
ok .. i may be able to answer part of the question myself...
the private key should be exported to removeable media whenever the computer is not in use.  this way, even if the computer is stolen, the encryption is not broken.  when a valid user wants to use the computer, they should import the private key from the removeable media.
LVL 69

Assisted Solution

Callandor earned 50 total points
Comment Utility

Encrypted files can become decrypted if you copy or move the file to a volume that is not an NTFS volume.
Moving unencrypted files into an encrypted folder will automatically encrypt those files in the new folder. However, the reverse operation will not automatically decrypt files. Files must be explicitly decrypted.
LVL 59

Accepted Solution

LeeTutor earned 350 total points
Comment Utility
Also see this:

Copying, Moving and Saving Encrypted Files

Because of the unique nature of encrypted files, different results can occur when moving or copying encrypted files between locations. For example, when copying an encrypted file from a local machine to a server on the network, different results of the copy operation will occur depending on the operating system being used on the server. In general, copying a file will inherit the EFS properties of the target, but a move operation will not inherit the EFS properties of the target folder.

When copying an encrypted file:

• If using Windows 2000 and the target server is running Microsoft® Windows NT Server 4.0, the file will be silently decrypted and copied to the server. If using Windows XP or Windows Server 2003, the user will be warned and prompted to allow the decryption operation.
• If the target server is running Windows 2000 or Windows Server 2003, and the machine account of the server is trusted for delegation in the Active Directory, the file will be silently decrypted and copied to the server where it will be re-encrypted using a local profile and encryption key.

Note The file is transmitted on the network between the client and the server in an unprotected format. If this file contains confidential information, care should be given to ensure that the network connection also provides secure transmission of the data. Such network data protection might include IP Security (IPSec).
• If the target server is running Windows 2000 or Windows Server 2003 and the machine account of the server is not trusted for delegation in the Active Directory, or the server is in a workgroup or a Windows NT 4.0 domain, the file will not be copied and the user will receive an "access denied" error message.

The "access denied" error message is returned to applications from the NTFS file system in order to ensure compatibility with existing applications. The use of an alternate or more descriptive error message would cause many applications to fail or behave erratically.

The Windows XP Professional client contains some enhancements in the area of copying encrypted files. Both the shell interface and the command-line now support an option to allow or disallow file decryption. When an encrypted file is copied to a target location that does not allow remote encryption, the user will be prompted with a dialog box that allows a choice of whether or not to decrypt the file.

The command-line tools , XCOPY and COPY, allow the same behavior through a special parameter switch to allow decryption on the copy operation.

C:\>copy /? (Copies one or more files to another location.)

COPY [/D] [/V] [/N] [/Y | /-Y] [/Z] [/A | /B ] source [/A | /B]  
[+ source [/A | /B] [+ ...]] [destination [/A | /B]]  

(Specifies the file or files to be copied.)

/D (Allows the destination file to be created decrypted.)

Note : This will allow a file to be created in plain text on the destination location/server if remote encryption is not supported on the target server.

C:\>xcopy /? (Copies files and directory trees.)

XCOPY source [destination] [/A | /M] [/D[:date]] [/P] [/S [/E]] [/V] [/W]  
       [/C] [/I] [/Q] [/F] [/L] [/G] [/H] [/R] [/T] [/U]  
       [/K] [/N] [/O] [/X] [/Y] [/-Y] [/Z]  

(Specifies the files to copy.)

destination (Specifies the location and/or name of new files.)  

/G (Allows the copying of encrypted files to a destination that does not support encryption.)

Note Windows Server 2003 and Windows XP Service Pack allow for a registry setting that will allow files to be decrypted silently by applications or by using the command-line without the additional command-line parameters. To set this option create the following registry DWORD value:


DWORD Name: CopyFileAllowDecryptedRemoteDestination

Value: 1

Saving Files with EFS File Sharing

When a file has been encrypted for multiple users, an application must call a specific API to ensure that the encryption data (certificates) for the additional users is not lost when the file is opened, modified and saved in its native application file format. Native documents opened with Microsoft Office XP will retain the multi-user EFS status while other applications may remove the additional users that were added to the file. Consult the manufacturer of your specific application for more details about its interoperability with EFS.
LVL 59

Expert Comment

Comment Utility
And from the same link I gave above, this passage about passwords should answer your other questions:

Resetting Local Passwords on Windows XP
Windows XP has new behavior regarding locally changed passwords and EFS. In Windows 2000, when a local user password was reset by an administrator, the administrator or third party could theoretically use the newly changed account to log on as the user and decrypt the encrypted files. In Windows XP, the changing of a local user password by an administrator, or through a method other than by the user, will block all access to previously encrypted files by the user.

In summary, the profile and keys of the user will be lost and will not be available to the account with the reset password. Windows XP gives the following warning when attempting to reset a user account password:

Warning Resetting this password might cause irreversible loss of information for this user account. For security reasons, Windows protects certain information by making it impossible to access if the user's password is reset.

This feature helps to guard against offline attacks and prevents rogue administrators from gaining access to encrypted files of other users.


Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

If you build your web application in Visual Studio you'll get at least a few binaries, or .DLL, files in your bin folder. However, there is more compiling to be done. Normally this would happen when an ASP.NET resource within the web site is request…
Sometimes people don't understand why download speed shows differently for Windows than Linux.Specially, this article covers and shows the solution for throughput difference for Windows than a Linux machine. For this, I arranged a test scenario.I…
This video discusses moving either the default database or any database to a new volume.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now