De-crypt EFS Files
-
I have a customer that moved windows profile and we have no access to the old windows profile and she had folders that were encrypted using EFS. I can see the files are Green and when trying to open we get denied error, and trying to uncheck the EFS box for that file or folder says denied too. Has anyone had any luck with software trying to unlocked the EFS files ? We are willing to pay for software (within reason) if it will save us hours and hours of work.
The reason is we moved them to a new domain and of course it means a new windows login and the tech didn't know she had EFS files, and booting up the old domain and trying to login on her machine with the old login is not possible. Hence why we are looking for something to save our bacon.
-
Anyone used https://www.elcomsoft.com/aefsdr.html ?
-
So the issue is that they lost their password / key and now want to hack in? NEver tried that, in theory software like that will work but might take years or decades to get in.
-
@scottalanmiller said in De-crypt EFS Files:
So the issue is that they lost their password / key and now want to hack in? NEver tried that, in theory software like that will work but might take years or decades to get in.
Something like that yeah.
I am building a Test VM to copy the data to and let the software run since I am sure the user might not like having it run for days killing the performance of her machine. -
There isn't an admin EFS file recovery key on the Domain set up?
-
-
@texkonc said in De-crypt EFS Files:
@scottalanmiller said in De-crypt EFS Files:
So the issue is that they lost their password / key and now want to hack in? NEver tried that, in theory software like that will work but might take years or decades to get in.
Something like that yeah.
I am building a Test VM to copy the data to and let the software run since I am sure the user might not like having it run for days killing the performance of her machine.Days? I'm guessing years.
-
-
@texkonc said in De-crypt EFS Files:
@tim_g said in De-crypt EFS Files:
if we had access to the old profile, sure.
If anyone in the domain encrypts something, and loses their key, the Domain Admin account can decrypt it. That's what I'm talking about. Or anyone if they install the cert.
It's saved users here a few times.
-
@tim_g said in De-crypt EFS Files:
@texkonc said in De-crypt EFS Files:
@tim_g said in De-crypt EFS Files:
if we had access to the old profile, sure.
If anyone in the domain encrypts something, and loses their key, the Domain Admin account can decrypt it. That's what I'm talking about. Or anyone if they install the cert.
It's saved users here a few times.
Different domain name, machine is joined to the new domain name, logged in as the new domain name, old DC is offline.
If I power up the old DC, hopefully I would be able to copy the files to the DC to decrypt them? -
@texkonc said in De-crypt EFS Files:
@tim_g said in De-crypt EFS Files:
@texkonc said in De-crypt EFS Files:
@tim_g said in De-crypt EFS Files:
if we had access to the old profile, sure.
If anyone in the domain encrypts something, and loses their key, the Domain Admin account can decrypt it. That's what I'm talking about. Or anyone if they install the cert.
It's saved users here a few times.
Different domain name, machine is joined to the new domain name, logged in as the new domain name, old DC is offline.
If I power up the old DC, hopefully I would be able to copy the files to the DC to decrypt them?No if it was something that was set up you would know it. When a file is encrypted by a user, it can be decrypted by that user and also the designated recovery agent. As long as you have that recovery agent key, you can install it on any machine and use it to decrypt the data... no matter what the circumstance... new domain, different user, new computer, etc. You just need the certificate to decrypt it.
The catch is that the data must have been encrypted after the below is set up.
You set it up in group policy here:
You right-click and either add or create a data recovery agent.
-
EFS wasn't setup with GPO for the whole domain, it was done by user alone. Single machine.
Cant export the private key.....This is in the default domain policy. No other machine have encrpyted files, this is just there for recovery.
I am logged into the old DC as the said user in the screenshot and trying to decrypt data the user put on a shared drive that it was copied off of, still get access denied.
-
Fail
-
@texkonc Not good, I tried helping by SW but obviously the failure to have the private key will be limiting..., can you join the computer back to the old domain for the time being?
-
@texkonc said in De-crypt EFS Files:
EFS wasn't setup with GPO for the whole domain, it was done by user alone. Single machine.
Cant export the private key.....This is in the default domain policy. No other machine have encrpyted files, this is just there for recovery.
I am logged into the old DC as the said user in the screenshot and trying to decrypt data the user put on a shared drive that it was copied off of, still get access denied.I would expect this to fail. From your description, the user setup encryption on their own system. They then placed those encrypted files onto the server share. The server knows nothing about the encryption, and wouldn't have a reason to have the key since the user did it completely locally, not at a domain level.
-
@dashrender said in De-crypt EFS Files:
@texkonc said in De-crypt EFS Files:
EFS wasn't setup with GPO for the whole domain, it was done by user alone. Single machine.
Cant export the private key.....This is in the default domain policy. No other machine have encrpyted files, this is just there for recovery.
I am logged into the old DC as the said user in the screenshot and trying to decrypt data the user put on a shared drive that it was copied off of, still get access denied.I would expect this to fail. From your description, the user setup encryption on their own system. They then placed those encrypted files onto the server share. The server knows nothing about the encryption, and wouldn't have a reason to have the key since the user did it completely locally, not at a domain level.
I agree. Thisi s a system whose sole purpose is to prevent recovery in this situation. If you CAN recover, it will have made the encryption totally pointless from the get go.
-
That's why, in a Windows domain environment, the System Administrator should have properly set up an EFS recovery certificate.
This way, any domain user who encrypts something, can get it decrypted with that EFS recovery certificate (which should be stored in a locked place for when needed).
It can be very useful in cases where a user encrypts something and has no idea how it works and never backs up their key, or the IT department doesn't know about the encrypted files and re-images or trashes the computer before backing up the users key.
Everyone with a Windows domain should have some type of EFS recovery certificate set up if their policy allows it to be done, and that recovery key should be carefully managed.
-
I have tried many different methods today logging her machine into the old domain, the program that was used ProfWiz, moved the certs I was able to copy them back. Still no luck after many tries.
-
I really think that this is a lost cause. If there was any path to recovery, Microsoft's EFS would be all in the news for having been completely broken.
-
@texkonc said in De-crypt EFS Files:
I have tried many different methods today logging her machine into the old domain, the program that was used ProfWiz, moved the certs I was able to copy them back. Still no luck after many tries.
Boy this data must be worth a fortune. Considering your wage and the amount of time you've spent on it.
