Encrypted files will not open after reinstalling Windows XP

Hi Expert world,

I am about to crumble into a heap and cry...I have reinstalled Windows XP, clean install.
After doing this the files that I had encrypted using MS encryption under properties of that file.

Now when I try to open them, even though they are on a separate drive, I get "access denied"

I have read a few things and it seems when I reinstalled XP the certificate/keys were deleted. Makes me laugh, as nowhere does the encryption option advise to back up these files. Which if I had known MS encryption creates these keys and saves them somewhere I could have done at the time of creation. I assumed, wrongly, that if the file was to be opened on another machine I would just need the user that created the encrypted files name and password to open the file on someone else's or a new system install.

Can anyone help as the encrypted file has about 4 years worth of data I desperately need.


It doesn't look hopeful.   Most of what I've read indicates that such a recovery is impossible.   This thread suggests a method where you have to reinstall the original operating system and use the EXACT SAME SETTINGS for computer name, username, password, etc etc etc:


I don't know.... seems extremely iffy.

If you didn't back up the encryption certificate and key, I don't think you can do this.  The files are encoded and there's no point of reference to decode it.

You could try this 3rd party product:


By default encrypting filesystem (EFS) encrypts files using a certificate and a key created explicitly for this operation. This key / certificate is stored in the profile of the user account (see the link of quarky42) encrypting the files. The key itself is encrypted by the password of the user owning the files. (According to what I remember it is only encrypted by the password, nothing else, so in contrast to the link above I think you don't need to recover the SID of the user account and the computer to get access to the files). So if you have a backup of this profile you may want to try to set up a profile using the same account name and the same password (!) and I think chances are you will be able to decrypt the files.
In all / most situations in addition to the user's certificate there is a recovery agent certificate created as well which can be used to recover the encrypted files. This recovery agent by default is the local administrator in a workgroup environment or the domain administrator in a domain environment. So if your machine was a member of a domain (usually companies use this) chances are good you will be able to decrypt the files -- ask your domain admins.
In a workgroup environment you may need to have a backup of the profile of the local administrator's account. This might be found in an image or backup of the old computer.

Anyway: If you only have the encrypted files but you don't have a backup of the necessary certificate data in your profile and you don't have a recovery agent available (because you're in a workgroup environment and the administrator's profile is gone, too) you probably won't be able to decrypt the files.
You can still query the recovery agents for the encrypted file's DDF (Data Decryption Field) & DRF (Data Recovery Field). It will show you domain\username that it was encrypted on. I just tested it with this tool. Old school trick, but it works nonetheless.

I don't have a live link for this tool as it was taken from sysinternals.com 8 years ago. You can google for the name "EFSDump.zip" if not then shoot me your email and I will send you a copy of this tool so you can see the information it stores. If you need more info after that I will see if I can code an extension for it to grab the encryption key directory that stores the actual recovery key for the profile as I don't remember as of right now.
TheAnalyst29 (Author) Commented:
Hi Guys,

Many thanks for the prompt answers. Abbright and Russell Venable I think would be the best solutions.

Abbright - I don't have any of the keys (.pfx) to try even after creating the old profile back up with same user name and password etc.

Russell - Good to know there are always additional things that can be done to find out the info required to create the old user name and passworded account. It already shows the user/pc it was created on and a thumbprint in the properties of the encrypted files "details".

However, I was searching through pen drives a couple of nights ago...and guess what...I made a back up (export) of the file required!!!! I nearly cried I was that happy.

4 years of online account user names and passwords stored in the encrypted file!!
I have subsequently made three copies AND bought a WD 500GB back up drive which if I encrypt anything again will have the keys exported. Also backing up both my HDD's this week to avoid a possible HDD crash which I know with all the "good" luck I had with the file etc, it's probably about time my luck ran out!

Thanks again guys...
TheAnalyst29 (Author) Commented:
I have accepted multiple answers as if I hadn't found the .pfx file.

PBOI - Tried that software, didn't work.

abbright - Thanks for advice on setting up same account etc.

Russell_Venable - good to see a bit of reverse engineering to obtain details. But again this was not required.

So thanks for above info.

Also there is another company that offers cracking, if anyone ever gets completely stuck in the future...not sure how good they are?

TheAnalyst29:   It seems like you ignored my answer and turned around and thanked abbright for giving the same answer that I gave.  Perhaps you didn't mean to do this, but it comes across as rude if you had done it intentionally.  

I don't care about getting any points for this issue, just wanted you to see that you could have tried my solution since you had indicated that you didn't have the necessary file and tried to rebuild the keys / encryption scheme using the same seed information as indicated in the thread.
TheAnalyst29 (Author) Commented:
I did that as you gave a link as to how to do it, AND your comment states that you need to reinstall the OS. After further reading of my own found something similar to abbright that you could just recreate the user profile with the same name and password. So I thought that might work.

I'm not being rude, so not really sure what you are on about? And additionally, his explanation was far more detailed than yours, so I awarded abbright for detailed answer and Russell Venable for thinking outside the box with his answer.

Bottom line is your solution ended with "I don't know.... seems extremely iffy" So why would I want to award points or accept your solution if it seems a bit "iffy"
Points aren't the issue for me here.  I'm sure for a lot of people they are.   On the other hand I basically gave you the same answer and responded quickly.    

Everything I read said it wasn't possible.   Then I saw a 3rd party program and dismissed it right away as I had tried something similar to recover some encrypted data (not Windows Encryption, but similar situation otherwise) and it was a complete waste of time.

I finally found a suggestion that at least gave you a chance at recovering your data, but I admitted up front that it was still a slim chance.   Sure I could have rewritten what was already written but I chose to link to it and get you the answer as quick as I could.   Figured you could see where I got it from too.

Feel free to close this thread back up.  I don't want any more points.  I just wanted to point out that one of the solutions you thought was good was the very first one that had been suggested.
Just one more comment from a technical point of view: After recreating the profile you probably won't find the certificates in a .pfx-file unless you had exported them at some time. What I expect (hope) is that you find them in the certificate store of the account. You can see the contents by running mmc, adding the certificates plugin for your user and checking the certificates.
TheAnalyst29 (Author) Commented:
Are you serious?

No one was right as I have found the keys, whether you responded in 30 secs with the "right" answer or 3 days. I don't care, the solution you first gave which is the only one I can see from you, was a couple of lines with a link going to some help file. The reason as I have already stated is that both the others gave detailed answers which I assumed was the point of EE? Not just to add links to other people's websites?

However I didn't really accept any solution if you read my comments as I found the .pfx keys.

I don't know how to close/reopen this question anyway...If you have any other issues about this take it up with the administrators of this site!!
abbright, you are right in a sense. The ".pfx" key files are created when you use EFS for the first time on that account. Takes 3 items to create the file. Netbios Name/Domain name, Username, and Profile password. If you backup that key and import it back to your certificate store it can be used for EFS encryption/decryption again. Good note on mmc and certificate store. On that note also add that there should be 2 certificates made one that is public key file and the other that is a signer certificate. So if you recreate the account you will find a ".cer" file and a ".pfx" file. You can also recreate these files using "cipher /r:file"

TheAnalyst29, Glad to hear you recovered your files. I personally would use something like "Ironkey" to store your certificates, passwords, and the like. It also cannot be infected by malware as it had its own CPU chip and encryption engine built-in, along with write restrictions. Should help you feel safer and more secure.
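
The certificate-store check and key export discussed in this thread, as an added example that is not part of any participant's post: it lists the EFS certificates in the current user's store, reports whether each still has its private key, and exports those that do to password-protected .pfx files. It assumes a current Windows release with PowerShell and the PKI module's Export-PfxCertificate (not Windows XP); the backup folder `E:\efs-key-backup` and the file naming are assumptions.

```powershell
# Added example (not from the thread): audit and back up EFS keys for the current user.
$EfsOid      = '1.3.6.1.4.1.311.10.3.4'     # EKU: Encrypting File System
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU: File Recovery (recovery agent)
$BackupDir   = 'E:\efs-key-backup'          # assumed path on removable/offline media

function Get-EfsCertificate {
    # Return every certificate in the personal store whose EKU marks it for EFS use.
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $eku  = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { return }            # no EKU extension: skip this certificate
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -contains $EfsOid -or $oids -contains $RecoveryOid) {
            [pscustomobject]@{
                Role          = if ($oids -contains $RecoveryOid) { 'RecoveryAgent' } else { 'User' }
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                Certificate   = $cert
            }
        }
    }
}

$found = @(Get-EfsCertificate)
if ($found.Count -eq 0) {
    Write-Warning 'No EFS certificate in this profile; existing encrypted files cannot be opened from it.'
    return
}
# Compare these thumbprints with the one shown in the encrypted file's properties (Details).
$found | Format-Table Role, Thumbprint, NotAfter, HasPrivateKey -AutoSize

# A certificate without its private key cannot decrypt anything, so only keyed ones are exported.
$exportable = @($found | Where-Object { $_.HasPrivateKey })
if ($exportable.Count -eq 0) {
    Write-Warning 'EFS certificates found, but none has a private key to back up.'
    return
}
$password = Read-Host 'Password to protect the PFX files' -AsSecureString
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($item in $exportable) {
    $path = Join-Path $BackupDir ('efs-{0}.pfx' -f $item.Thumbprint)
    Export-PfxCertificate -Cert $item.Certificate -FilePath $path -Password $password | Out-Null
    Write-Host "Exported $($item.Role) key to $path"
}
```

Keep the exported .pfx files and their password away from the machine that holds the encrypted data, since anyone with both can decrypt the files.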
