Solved

EFS - Can't decrypt a file even though I have certificate with matching thumbprint

Posted on 2016-10-20
4
17 Views
Last Modified: 2016-11-08
We have a Server 2012R2 box hosting a single network share. Somehow, some files that got saved to this share got encrypted using what I can only describe as a "self-signed" EFS certificate. The cert was not issued by our CA, and does not have our usual recovery certificates attached. The matching certificate can be found in the user's personal cert store on the server. However, all attempts to decrypt the files have failed. See this screenshot:
screenshot1
Any ideas out there?
0
Question by:SWCBTechServices
4 Comments
 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points (awarded by participants)
ID: 41852317
I suspect, broadly, that either (a) the private key is missing or (b) the profile is corrupted.
- If you attempt to export the private key for that user's self-signed cert and the export option is grayed out, then the private key is likely missing.
- The identified self-signed cert with that matching fingerprint should also have a corresponding copy, stored under its certificate thumbprint, in <CurrentUserProfile>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\

The private key is stored within the certificate itself, but it is also protected by a password. If we cannot get it out or use one from a past backup, the files are not going to be decrypted. I suspect even an administrator cannot access this folder unless we have the self-signed EFS certificate of the original user, e.g. export the certificate with the user's private key and import it for the user to whom you want to give the ability to access the files.

There is Elcomsoft software that attempts to scan for the available encryption keys and decrypts the protected files. http://www.crackpassword.com/aefsdr.html
0
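The checks suggested above (is the private key really present, is it exportable, does it match what the file expects) can be done from the server itself. The following PowerShell is an added diagnostic, not part of the original thread or any Elcomsoft product. Run it on the server as the user whose certificate is in question. It cross-checks the thumbprints that `cipher /c` lists for the file against the EFS certificates in `Cert:\CurrentUser\My`, looks for each certificate's RSA key container file under the profile, and reads the certificate the profile currently registers for EFS in `HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys`. Assumptions: `$Path` is a single encrypted file, and the `cipher /c` output line format `Certificate thumbprint: XXXX XXXX ...` is as displayed on Server 2012 R2.

```powershell
<#
  Added diagnostic (not from the original thread). Run in a PowerShell session
  as the user whose EFS certificate is in question, on the server holding the share.
  Assumptions: $Path is one encrypted file; cipher /c prints
  "Certificate thumbprint: XXXX XXXX ..." lines as seen on Server 2012 R2.
#>
param([Parameter(Mandatory = $true)][string]$Path)

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

# --- 1. Thumbprints cipher /c lists as able to decrypt this file ------------
$cipherOut  = & cipher.exe /c $Path 2>&1 | ForEach-Object { "$_" }
$fileThumbs = foreach ($line in $cipherOut) {
    if ($line -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
        ($Matches[1] -replace '\s', '').ToUpperInvariant()
    }
}
Write-Host "cipher /c lists $(@($fileThumbs).Count) certificate(s) for $Path"

# --- 2. EFS certificates in the user's personal store -----------------------
$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$keyDir  = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"   # legacy RSA key containers
$efsCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $efsEku
}

$report = foreach ($c in $efsCert) {
    $thumb      = $c.Thumbprint.ToUpperInvariant()
    $exportable = $null
    $keyFile    = $null
    $keyError   = $null
    try {
        # HasPrivateKey only says the certificate is *linked* to a key; touching
        # PrivateKey throws (e.g. "Keyset does not exist") when the key is gone.
        if ($c.HasPrivateKey -and $c.PrivateKey.CspKeyContainerInfo) {
            $info       = $c.PrivateKey.CspKeyContainerInfo
            $exportable = $info.Exportable
            $keyFile    = Join-Path $keyDir $info.UniqueKeyContainerName
        }
    } catch {
        $keyError = $_.Exception.Message
    }
    [pscustomobject]@{
        Thumbprint    = $thumb
        Subject       = $c.Subject
        ListedOnFile  = ($fileThumbs -contains $thumb)
        HasPrivateKey = $c.HasPrivateKey
        KeyExportable = $exportable
        KeyFileExists = if ($keyFile) { Test-Path $keyFile } else { $null }
        KeyError      = $keyError
        NotAfter      = $c.NotAfter
    }
}
$report | Format-Table -AutoSize | Out-Host

# --- 3. Certificate the profile currently registers for EFS -----------------
$efsKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$hash   = (Get-ItemProperty -Path $efsKey -ErrorAction SilentlyContinue).CertificateHash
if ($hash) {
    $current = ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
    Write-Host "Profile's current EFS certificate: $current"
    if ($fileThumbs -notcontains $current) {
        Write-Host "  -> not among the certificates listed on the file"
    }
} else {
    Write-Host "No CurrentKeys\CertificateHash in HKCU: this profile has not registered an EFS key"
}
```

How to read the table: `KeyExportable = False` on its own only reproduces the grayed-out export button and does not mean the key is gone; decryption still works with a non-exportable key. A `KeyError` such as "Keyset does not exist", or `KeyFileExists = False`, means the certificate is linked to a key container the profile no longer holds, which matches the "private key is missing" case above. `ListedOnFile = False` for every row means the file was encrypted under a certificate this store does not have at all, regardless of the key state.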
 

Author Comment

by:SWCBTechServices
ID: 41852345
We are logged on to the computer as the original user who encrypted the file. When I view the cert from the user's personal cert store, it displays "You have a private key that corresponds to this certificate" (see attached picture).

We cannot export the cert with its private key; the option is grayed out. However, it could be that private key export was disabled when the cert was created.

Yes, there is a corresponding copy of the cert/thumbprint in <CurrentUserProfile>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\

Any suggestions? Thanks.
2016-10-20_9-44-45.jpg
0
 
LVL 62

Accepted Solution

by:
btan earned 500 total points (awarded by participants)
ID: 41852394
You may try the tool to scan whether this key is available and whether the files can be decrypted - see "Decrypting files".
Note: an unregistered (trial) version of AEFSDR decrypts only the first 512 bytes of each file, padding the rest of the content with zeros (see Registration to learn how to get the fully functional version). But even with the full version, please verify that all files have been decrypted successfully before deleting the original (encrypted) files.
https://www.elcomsoft.com/help/en/aefsdr/index.html

There is another article - see "recovery with the original profile in the file system"
http://www.beginningtoseethelight.org/efsrecovery/index.htm
0
 
LVL 62

Expert Comment

by:btan
ID: 41878461
As suggested for key recovery.
0
