Decrypt EFS files without password

Posted on 2009-12-23
Last Modified: 2013-12-04
Hi there,

I got some EFS files from a failed hard disk and I am currently trying to decrypt them. I do have the .pfx cert that I exported when I initially created the encrypted folder, but unfortunately I no longer have the password that I used to encrypt the private key. (Therefore I can't import the cert on a different machine.) Is there any way that I can get around that?

Thanks in Advance. :)
Question by: obstech
    LVL 6

    Expert Comment

    There are so many tools, but I am not sure which one is good. I believe the encryption will be lost when you copy them to a FAT file system. (Just a try.)
    LVL 12

    Expert Comment

    Was the PC on a domain? What OS did you use? I once recovered encrypted files from Windows XP by attaching the hard disk to a Windows 2000 PC. Don't know if that will still work.
    LVL 1

    Author Comment

    Laptop was not on a domain.
    OS is Windows XP.
    Problem is that the encrypted files have been backed up to an online backup storage provider where the files are split into pieces for security, therefore we can't gain access to the files until we provide the password. It would appear an impossible task.

    Is there no master key or password that one can use?
    LVL 8

    Accepted Solution

    Going to take a stab at this...

    There is no master key, password that one can use.

    There are about three ways I can think of that may be helpful to recover in this case, BUT FIRST there are some other things you would do well to be aware of...

    To my limited understanding Windows EFS files will lose their encryption header info, which I think is stored in their NTFS stream file portions, if saved to storage other than NTFS, with few exceptions, only a couple that I know of...
    1) if the files are stored in RAW (non-filesystem based) form then you can recover them
    2) if the files are saved with something like robocopy using the /efsxxx switch then they can be stored anywhere as well
    3) you need to be careful and check that the backup service that you use will properly store EFS encrypted files. For instance, I learned the hard way that Acronis True Image cannot restore EFS encrypted files because it does not store the relevant stream data.

    I thought for a while that the EFS files might also lose their ability to be decrypted if copied from a disk where the $MFT had become relevantly corrupted, but I think that would only affect whether or not you can get the actual files... There is something about $EFS in the high HD sector though that I think is more likely connected to maintaining or tabling (?) the integrity of the EFS file streams that manage their encrypted state, so that if that goes bad maybe you will not be able to decrypt the files without professional dissection. I don't really know; I mention it so that an astute expert who may know more on this point would please comment, but regardless, it may be relevant to mention.

    Now, here's what I think the easiest, or most direct options may be if your files are intact (and there are other methods)....

    1) Use Elcomsoft's Advanced Password Recovery to try to re-assemble the password.  Not necessarily the easiest method, but it addresses your question directly.

    2) Evidently EFS is not fool-proof.  Google the following
     copy efs raw
    ...this turns up some interesting information, and I unexpectedly found good leads to possible third party professional options for sending your files out to be decrypted "by the masters".
    Looked very viable.

    3) If you can save the Raw Data off the failed hard drive using something like Active@ File Recovery, Disk Image, etc related tools,

    3a) you may be able to rebuild the system enough to use it for natively decrypting those files, or even recover the whole darned thing.  
    Note: when restoring a raw image you may need to repair partitions and/or mbr/boot sectors.
    In one case, I had all the raw image restored, but could not for the life of me recover the NTFS (NT file system) after doing just about everything possible.  Finally Acronis Disk Director was able to restore the NTFS by running its own version of chkdsk on the raw partition, rendering it back to a Windows recognizable NTFS partition (freaking amazed me - I mean I had thrown everything at it with no success).  I was able to rebuild a bootable system from there and gain access to encrypted files!

    3b) or you may be able to reconstruct the failed machine in a good enough state to decrypt the files, something like (short version here)...
     a) install a new system, resetting the user SID and machine ID to the same as the old one
     b) copy the relevant crypto + protect + systemcertificates directories, recovered either from the RAW disk image or from the file recovery data files you saved, into the corresponding new directories on the new system
     c) gain access to the encrypted files without worrying about the pfx import

    DETAILED INSTRUCTIONS can be found around the net, there is a short copy of a relevant procedure at eHow, google  How to recover EFS files (windows xp) if the old operating system files are still intact
    ...and if you find the technet article I think that one is the more detailed original.

    4) Using a variation on the technique in #3 above I was able to successfully install a pfx key onto a different system without rebuilding a new one in an original state (i.e., the machine ID was certainly different)... with mixed results...
      a) I installed a new user on a good system using the same username and password as on the dead system
      b) I copied over the files as in #2 above
      c) I edited the encoded machine id number in those filenames to match the existing machine, leaving the other portion of filenames intact
      d) I was then able to access some of the encrypted files while logged into this user account
    Not sure if this should even work; I could be misreporting because there were so many things I did while trying to check out this option, but it may be worth investigating further.

    I wanted to do more investigation of viability on #4 by actually also importing the pfx key that I had the password to, but for some reason that I never figured out I was having issues with the pfx file accepting the password even though it was the correct one, but after doing some steps in the #4 process at one point my key was actually imported.

    I have no idea (yet) what happened, but since this can be so tough I figure it's good to mention whatever I can in case it may lead to something solid later.

    I am posting here having found this while searching on information about pfx password issue where the password is not recognized.  I have been in file recovery hell for about 3 weeks now, and just beginning to restore a critical system.  I have gained access to more than half of the encrypted files, but I am still trying to decrypt one of the most critical ones, which may be hosed, I don't know yet.

    Good luck on your recovery process, and I hope you are still checking this and come back to let us know what your solution, if any, was.

    Cheers, TwoHawks
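    As an added example (not from the thread, and not any responder's posted procedure) that ties together two points made above, the first comment's warning that a copy to a FAT volume loses the encryption, and the accepted answer's advice to back up with robocopy's EFS switch and to verify that a backup service preserves the EFS stream data, the PowerShell script below does the pre-flight that would have avoided the asker's situation: it inventories EFS-encrypted files, shows which certificate thumbprints can decrypt them (cipher /c) against the current user's EFS certificate (cipher /y), backs them up in EFS RAW mode with robocopy /EFSRAW, and proves that an exported .pfx still opens with the recorded password while the original machine is alive. It assumes a current Windows build with PowerShell 5.1 or later, the built-in cipher.exe and robocopy.exe, and the .NET X509Certificate2 class; every path is a constructed placeholder.

```powershell
<#
  Added example, not from the thread or any responder. Assumes a current Windows
  build with PowerShell 5.1+, the built-in cipher.exe and robocopy.exe, and the
  .NET X509Certificate2 class. All paths below are constructed placeholders.
#>
param(
    [string]$Source  = 'C:\Users\Alice\Documents',      # placeholder: folder holding EFS files
    [string]$Backup  = 'D:\EfsRawBackup',               # placeholder: target (may be non-NTFS)
    [string]$PfxPath = 'D:\EfsRawBackup\alice-efs.pfx'  # placeholder: exported EFS cert + key
)

# Every file whose Encrypted attribute is set: ciphertext that is unreadable without
# one of the EFS private keys cipher /c lists for it.
function Get-EfsEncryptedFile {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 }
}

# cipher /y prints the thumbprint of the current user's EFS certificate; cipher /c prints,
# per file, the users and certificate thumbprints able to decrypt it. The thumbprint you
# hold a .pfx for must appear in the /c output of every file you expect to open later.
function Show-EfsKeyInfo {
    param([string[]]$Paths)
    & cipher.exe /y
    foreach ($p in $Paths) { & cipher.exe /c $p }
}

# robocopy /EFSRAW copies encrypted files in EFS RAW mode: ciphertext plus the $EFS
# metadata stream, without decrypting. A plain copy to FAT, exFAT or a cloud client
# either silently decrypts (if you hold the key) or fails, and a backup product that
# drops the stream stores files no key can ever open.
function Backup-EfsRaw {
    param([string]$From, [string]$To)
    & robocopy.exe $From $To /E /EFSRAW /R:1 /W:1 /NP
    # robocopy exit codes below 8 are success variants; 8 and above signal failures.
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}

# Proves the exported .pfx opens with the password you recorded. Nothing is imported
# into a certificate store; the key is loaded into this process and discarded.
function Test-PfxOpens {
    param([string]$Path, [System.Security.SecureString]$Password)
    $cert = $null
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $Path, $Password,
            [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
        if (-not $cert.HasPrivateKey) { return $false }
        Write-Host ("PFX opens: subject={0} thumbprint={1}" -f $cert.Subject, $cert.Thumbprint)
        return $true
    }
    catch [System.Security.Cryptography.CryptographicException] {
        return $false   # wrong password or damaged container
    }
    finally {
        if ($cert) { $cert.Dispose() }
    }
}

$files = @(Get-EfsEncryptedFile -Root $Source)
Write-Host ("{0} EFS-encrypted file(s) under {1}" -f $files.Count, $Source)
if ($files.Count -gt 0) {
    Show-EfsKeyInfo -Paths ($files | Select-Object -First 5 -ExpandProperty FullName)
    Backup-EfsRaw -From $Source -To $Backup
}

$pw = Read-Host -Prompt "Password for $PfxPath" -AsSecureString
if (Test-PfxOpens -Path $PfxPath -Password $pw) {
    Write-Host 'Key backup verified; keep the .pfx and its password in separate places.'
} else {
    Write-Warning 'The .pfx does not open with that password. Re-export it with cipher /x before the source machine is retired.'
}
```

    Run it as the user who owns the EFS certificate, since cipher /y and the decryptor list are relative to that user. The thumbprint printed by Test-PfxOpens should match one of the thumbprints cipher /c shows for each file; if it does not, the backed-up key is not the one those files were encrypted with and a restore elsewhere will fail exactly as the thread describes.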
    LVL 8

    Expert Comment

    Thank you, Tolomir!
