EFS Decryption

Posted on 2007-07-29
Last Modified: 2012-06-21
Hi, I have a problem similar to others that have been asked here regarding EFS decryption.

Some time ago I was using a laptop with Windows XP Professional SP2 that I used to encrypt some files using Windows' EFS system (Right click/Properties/Advanced/Encrypt contents to secure data). That laptop I was using well and truly screwed up, but I was able to access my hard drive via a program called Winternals and copy all of my files to a CD. This means I did not back up any Certificates or Recovery Agents or anything; I simply copied and pasted the files to a different location.

Now I am using a completely different computer and I sold the old laptop. Now my problem is that I want to decrypt some files that I had previously encrypted on the older machine using Windows XP's EFS. Now that I have the files on my current machine, they appear to be just simple files to the computer, that is, they are not regarded as encrypted and thus aren't coloured in green. But when I try to open them they are still encrypted.

The files are .jpg image files and when they are opened they don't preview and aren't recognised by the applications, but they are still regarded as .jpg files in Windows Explorer (i.e. they still have the .jpg extension and the .jpg file icon).

I have done a lot of research on this and can't come up with any results.
- I've tried AEFSR from Elcomsoft but that doesn't work as it tries to search my computer for keys which don't exist.
- I can't use data recovery, although I have tried, since this machine has never had the original decrypted files and hence they weren't deleted from this hard disk when encrypted by EFS. I also don't have the old machine that did encrypt the files.
- contains an interesting article that I have tried my best to follow but find a lot of the instructions unclear.
- Apparently Microsoft have developed reccerts.exe and can send it to me for a fixed £40 charge (for contacting their support professionals). I'm not sure whether this would fix my problem so I'm unwilling to waste £40 on this unless I know for sure it's gonna work.

As a quick introduction, decrypting in EFS apparently is done by:
- Taking either: the private key of the user or of a recovery agent
- Using this to decrypt the FEK (File Encryption Key) stored inside the encrypted file via the RSA algorithm
- Using this FEK in turn to decrypt the file using one of the following algorithms: DES, AES, DESX, Triple-DES. (I'm pretty sure that DES was used when encrypting my files as it tends to be the default according to the registry on my current machine)

I'm out of ideas now, which is why I'm asking you guys for help.

Thanks in advance, Jonathon.
Question by: henderbops
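The three steps above, as an added example in Go (not from the poster, and not Microsoft's implementation): a toy EFS-style envelope in which a random FEK is RSA-wrapped for the owner (the DDF) and for any recovery agents (DRFs), and the content is encrypted under that FEK. The struct layout is an assumption rather than the real $EFS attribute, and AES-GCM stands in for the DESX/3DES/AES-CBC modes listed above; the point it shows is that a key pair which never wrapped the FEK cannot open the file, which is exactly why the copied .jpg files are unreadable on the new machine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EFSFile is a toy model of a file copied off an EFS volume, not the real $EFS attribute layout.
type EFSFile struct {
	Nonce, Data []byte   // content encrypted under a random per-file FEK
	Wrapped     [][]byte // FEK RSA-wrapped per key holder: [0] is the owner's DDF, the rest are recovery-agent DRFs
}

// encryptFile generates a fresh FEK, RSA-wraps it for every key holder, then
// encrypts the content. AES-256-GCM stands in for EFS's DESX/3DES/AES-CBC.
func encryptFile(plain []byte, holders ...*rsa.PublicKey) (*EFSFile, error) {
	buf := make([]byte, 32+12) // FEK || GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, f := buf[:32], &EFSFile{Nonce: buf[32:]}
	for _, pub := range holders {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		f.Wrapped = append(f.Wrapped, w)
	}
	block, _ := aes.NewCipher(fek)
	gcm, _ := cipher.NewGCM(block)
	f.Data = gcm.Seal(nil, f.Nonce, plain, nil)
	return f, nil
}

// decryptFile tries the private key against each wrapped FEK. A key that never
// wrapped it fails: the copied file holds the wrapped FEK, not the profile key.
func decryptFile(f *EFSFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range f.Wrapped {
		fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil)
		if err != nil {
			continue // not wrapped for this key; try the next DDF/DRF entry
		}
		block, _ := aes.NewCipher(fek)
		gcm, _ := cipher.NewGCM(block)
		return gcm.Open(nil, f.Nonce, f.Data, nil)
	}
	return nil, rsa.ErrDecryption // no DDF/DRF entry unwraps with this key
}
```

Wrap the same FEK for a recovery agent at encryption time and that agent's private key opens the file through its DRF; a key pair generated on a new machine has no entry and fails.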
    LVL 27

    Expert Comment

    You could give this a try:

    but I doubt that, with just the encrypted files and no Windows system files in the background, it will be possible to really decrypt your files. But give it a try:

    An unregistered (trial) version of Advanced EFS Data Recovery decrypts only the first 512 bytes of all files, padding the rest of the content with zeros (the source/encrypted files remain untouched).

    LVL 1

    Author Comment

    I have tried that application and, as mentioned above, it did not work because it searched for non-existent keys within my current machine. As of yet I am still stuck for clues on how to do this. Thanks for your attempt.

    LVL 1

    Expert Comment

    You can't recover those files. You need your original PC with original OS. Keys are 512 to 2048 bits - cracking will be entirely unrealistic.
    LVL 1

    Author Comment

    Yeah, I thought as much.

    I'm sure I've read somewhere about the Windows username and password being hashed to create something to help you decrypt. Well, I'm still hopeful; surely it can be done, it's just extremely difficult.
    LVL 4

    Accepted Solution

    Unfortunately, the "extremely difficult" prospect is as NetSecX indicated - brute-force cracking the actual encryption keys without the files in which the keys were stored is pretty unrealistic for anyone but the NSA (or other orgs with large budgets for dedicated key-cracking hardware).

    The only practical possibility that hasn't been definitively answered by you yet is this: did you back up ANY files under C:\Documents and Settings\ ?  If not, then it's off to the NSA... If so, and you still have that backup, then look for files under the following directories:
    c:\documents and settings\USERNAME\application data\microsoft\protect\
    c:\documents and settings\USERNAME\application data\microsoft\crypto\RSA\
    c:\documents and settings\USERNAME\Application Data\Microsoft\SystemCertificates\My\Certificates

    A little more information in the other post I made today on this:

    [Yes, I suspect you already answered this implicitly by what you indicated about AEFSDR not finding non-existent files, but I really want to be sure before we slam the door on this, the only real option.]

    If AEFSDR fails, then I wouldn't waste the extra 40 quid on Microsoft - Reccerts will just go looking for those same non-existent files, and will make you feel worse for paying $$ to the dopes who got you into this situation in the first place. :(
    LVL 1

    Author Comment

    Yeah, that is about my only hope I guess. Do you know how to go about brute forcing the encryption keys? Exactly what is brute forced? Is it the FEK or is it the private key used to decrypt the FEK? Are there any apps that can attempt this?

    LVL 1

    Author Comment

    Does anyone know of any applications that could attempt to brute force the keys for a file?
