1.    23 Aug 2016 #1
    Join Date : Aug 2016
    Posts : 25
    Xp, Vista, 7, 8.1, 10

    How to open EFS encrypted files on an HDD that came from Windows XP?

    I had my old Windows XP machine die. I am now setting up a new desktop that came with Windows 10 Pro. The old system had 2 hard drives: c: - system and d: - data. The main hard drive unexpectedly died, so I didn't have time to prepare for a migration.

    When I plug the data HDD into my new Win10 machine, it can't open some files that were originally encrypted with NTFS's own EFS (Encrypting File System) encryption. If you remember, on XP it would show those files in green:

    [Image: crypto_efs_WindowsExplorer.png]

    So my question is how to decrypt or open those files on my new Windows 10 machine?

  2.    23 Aug 2016 #2
    Join Date : Aug 2014
    Forever West
    Posts : 2,158
    Win10 Home and Pro, Win7 Home, Linux Mint

    From "Recover Encrypted Files From An Old Hard Drive" | PCWorld:
    "If not, did you create and export the certificate needed to decrypt the files--and did you save the certificate to a safe place not on that hard drive? If you did, and if you can find the certificate, you can access the files--even from another computer (assuming the computer is running Windows)."
    Read the whole page, doesn't look promising.
    More pages found:
    open EFS encrypted files from another computer at DuckDuckGo

  3.    23 Aug 2016 #3
    Join Date : Oct 2014
    Posts : 603
    Windows 7

    EFS encrypted files are accessible only by the account that encrypted them or the designated recovery agent, usually the system Administrator account. Neither of those exist anymore and neither can be recreated. Even an account with the same name and password on the same computer would be a completely different account with no access to the files.

    There are 2 accepted methods of recovering files in such a case but both require precautions while the previous OS was running.
    1. Export the encryption certificate from the previous OS and import it into the current OS.
    2. Recover the files from your backups. All files of any importance should have at least one backup copy, 2 or more backup copies if the files are of particular importance. Encrypted files are no exception, you just need to take precautions with the backup media.

    I will not talk about any other methods, if such exist.

  4.    23 Aug 2016 #4
    Join Date : Aug 2016
    Posts : 25
    Xp, Vista, 7, 8.1, 10

    Appreciate it, guys.

    Thanks to this post I was able to retrieve the certificate file from the old XP hard drive from this location w/o access to the OS itself:

    "C:\Documents and Settings\<username>\Application Data\Microsoft\SystemCertificates\My\Certificates"
    [Image: cert file.png]

    I then went to certmgr.msc and imported it into Certificates - Current User > Personal > Certificates.

    But when I try to open encrypted files it still gives me an access denied error, and when I try to check EFS properties it gives me this message and no way to select any certificates from the list like it says:

    [Image: Capture5.PNG]

    Any idea what I am doing wrong here?

  5.    24 Aug 2016 #5
    Join Date : Aug 2016
    Posts : 25
    Xp, Vista, 7, 8.1, 10

    OK. I got it. I'm posting a solution here in case someone else gets into the same situation.

    The easiest solution was, of course, to export the EFS certificate from the source system if you have any EFS encrypted files. (Make sure to include the private key when exporting though.) And then save that exported certificate file in some safe location (not on the same computer, obviously.)

    But, like in my case, if the system dies so that the old OS is unbootable, here are the steps to perform (look for the accepted answer.) For consistency, I'll copy it below. I'll add also that I would do this in a virtual machine, if you have access to VirtualBox or VMware Workstation, as the following steps can seriously mess up your working system by changing the machine SID!!!


    access and backup following folders from the old HDD:

    c:\documents and settings\{username}\application data\microsoft\crypto\
    c:\documents and settings\{username}\application data\microsoft\protect\
    c:\documents and settings\{username}\application data\microsoft\systemcertificates\

    then i found this article with detailed instructions that helped me to decrypt my files: http://www.beginningtoseethelight.org/efsrecovery/
    the article is quite comprehensive, i will try to summarize the basic steps you need to do:

    1) get copy of the above 3 directories from the old machine
    2) identify SID of your old machine and user:
    Quote from original article:

    "you will need a user account of the same user and machine number as the original. check this original folder name: c:\documents and settings\%username%\application data\microsoft\crypto\rsa\s-1-5-21-1078081533-1606980848-854245398-1003

    machine is: 1078081533-1606980848-854245398
    useracc is (user-id): 1003"

    3) download NewSID (NewSID - Download - CHIP), download from microsoft is no longer available -- I'll also attach that file to this post, so you can download NewSID itself from here & don't have to deal with their installer.
    4) run NewSID and set your machine SID to the old one, reboot
    5) Make sure that your user-id, name and password are identical to the old one
    Quote from original article:
    "encrypt a test file, then browse to c:\documents and settings\%username%\application data\microsoft\crypto\rsa\ - is the number on the end of the sid eg 1003 the same as the previous number?"
    if it is the same, skip to 6) otherwise see article
    6) copy above 3 folders into your current profile, overwrite everything
    7) reboot
    8) now you should be able to access encrypted files.


    That post refers to this fuller description with more technical steps.

    In my case after running NewSID to set the machine's SID, I had to adjust its RID (or last number.) For instance, my needed full SID was S-1-5-21-1078081533-1606980848-854245398-1003 but after I changed the machine SID and created new user account its SID became S-1-5-21-1078081533-1606980848-854245398-1007 which was not OK, as the RID was 1007 and not 1003. So I followed steps from the full description to tweak the next RID of a user account before creating it. I'll copy it here as well:


    encrypt a test file, then browse to c:\documents and settings\%username%\application data\microsoft\crypto\rsa\ - is the number on the end of the sid eg 1003 the same as the previous number? if it is the same, skip this next part.

    if not, check the other accounts on the computer else you either need to create a user that does have the same user or modify your existing user to have the original number - probably easier if you create new user. user numbers increment, since they are linked with security, no two users must ever have the same number, if the original usernumber is higher than the current one, create some new accounts, logon, encrypt a test file and check the number until you have a correct user number.

    if original number is lower than the current one you will need to reset the usernumber counter, run regedit -> default registry permissions deny access to hklm\sam\sam\... select the hkey_local_machine\security\ key and right-click (if xp/2003srv) or use regedt32 and do security -> permissions (if 2k) check the allow full control while selecting the administrators group -> advanced -> check reset permissions on all child objects and enable propagation of inheritable permissions -> ok/yes/ok.

    since the sam hive is setup as a link folder with sam, you should now be able to access hklm\sam\sam\domains\account\ - double click the f value, at offset 0048 there are 4 bytes that state the next created usernumber, make a note of this, so you can restore later. you need to convert the original usernumber into hex. run calc -> view: scientific -> type in the user number eg, 1003 and then change the base (top left) from dec to hex. the number should now read 3eb, now what it really means is 00,00,03,eb reverse these bytes so it reads: eb,03,00,00 this is the new value to enter in at offset 48.

    after editing you will need to restart the machine. now when you create a new user it should have the correct number. remember to reset the counter back to what it was before.


    After I did that and created a new test user account with the same name & password and account type as my original account, I also made sure that its SID & RID matched, by running this from command line:

    wmic useraccount get name,sid
    That showed that I had the correct SID.

    After that I was able to run certmgr.msc and export the private key from Certificates - Current User > Personal > Certificates > username and then imported it into a new computer.

    Then I was able to copy files and un-encrypt them! Wow! I wish Windows XP showed some warning to backup the cert before using that EFS encryption!

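Added example, not part of the original posts: a small Python helper for the bookkeeping in post #5. It splits the crypto\rsa folder name into machine SID and RID, decodes and encodes the 4-byte little-endian counter at offset 0x48, and checks `wmic useraccount get name,sid` output for the target SID. The function names, the account name `olduser`, the counter value 1007 and all sample data are constructed for illustration.

```python
import re
import struct

SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$", re.IGNORECASE)
COUNTER_OFFSET = 0x48  # position of the "next user number" in the F value, per the post

def split_key_folder_sid(folder_name):
    """Split the SID-named key folder into (machine part, user RID)."""
    m = SID_RE.match(folder_name.strip())
    if not m:
        raise ValueError(f"not a local-account SID: {folder_name!r}")
    return "-".join(m.group(1, 2, 3)), int(m.group(4))

def next_rid_bytes(rid):
    """Encode a RID as 4 little-endian bytes (1003 -> eb,03,00,00)."""
    return struct.pack("<I", rid)

def read_next_rid(f_value):
    """Decode the current counter so it can be noted down and restored later."""
    if len(f_value) < COUNTER_OFFSET + 4:
        raise ValueError("F value too short to hold the counter")
    return struct.unpack_from("<I", f_value, COUNTER_OFFSET)[0]

def plan(original_rid, next_rid):
    """Pick the branch the quoted article describes for this pair of numbers."""
    if original_rid < next_rid:
        return "reset counter to " + next_rid_bytes(original_rid).hex(",")
    return f"create {original_rid - next_rid} filler account(s) first"

def find_account(wmic_output, wanted_sid):
    """Return the account name whose SID equals wanted_sid, else None."""
    for line in wmic_output.splitlines():
        parts = line.rsplit(None, 1)  # names may contain spaces; SID is last
        if len(parts) == 2 and parts[1].upper() == wanted_sid.upper():
            return parts[0].strip()
    return None

# Constructed sample data (not taken from a real machine)
OLD_FOLDER = "S-1-5-21-1078081533-1606980848-854245398-1003"
SAMPLE_F = bytes(COUNTER_OFFSET) + struct.pack("<I", 1007) + bytes(8)
SAMPLE_WMIC = """Name           SID
Administrator  S-1-5-21-1078081533-1606980848-854245398-500
olduser        S-1-5-21-1078081533-1606980848-854245398-1003
"""

if __name__ == "__main__":
    machine, rid = split_key_folder_sid(OLD_FOLDER)
    print("machine:", machine, "rid:", rid)
    print(plan(rid, read_next_rid(SAMPLE_F)))
    print("match:", find_account(SAMPLE_WMIC, OLD_FOLDER))
```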