Access Denied: Recovering Files Encrypted with EFS
Learn how to recover files encrypted with Encrypting File System (EFS).
September 30, 2001
After moving my laptop drive to a new laptop, I can't recover files I encrypted with Encrypting File System (EFS). I installed Windows 2000 Professional as a member of a Windows NT domain on my laptop. Because of a hardware problem, I moved my original laptop drive to a new laptop. When I tried to use the new laptop, the hard disk wouldn't boot—although I could boot successfully from a Win2K 3.5" disk.
I executed a Win2K Repair Installation from the original Win2K install media to try to fix the boot problem on my new laptop running Win2K Service Pack 2 (SP2). On completion, I tried to boot from the hard disk, but the problem still occurred. When I booted the new laptop from the 3.5" disk, I couldn't access my EFS files. When I ran Sysinternal's EFSDump utility, I received the file information that Figure 1 shows. (To obtain information about this freeware, go to http://www .sysinternals.com/ntw2k/source/misc .shtml#efsdump.)
I should be able to decrypt the file encryption key (FEK), then decrypt the file by using either the S4R/sck account or the BIKO/Administrator account. However, I keep getting an Access denied message. How can I recover the files and avoid this problem in the future? I've opened a ticket with Microsoft Product Support Services (PSS), but no one has solved the problem.
Without knowing which options you specified during the repair, saying exactly what Win2K did is difficult. However, your EFS private keys have apparently been corrupted. When you use EFS, one of the private key best practices to follow is to export the Administrator's recovery certificate, including its private key, to a 3.5" disk, then keep the disk in a safe, secure location. If you've exported and saved the Administrator's recovery certificate, log on as Administrator, import the recovery certificate, then try to decrypt your files. To import a certificate, run Microsoft Management Console (MMC) and add the Certificates snap-in. When prompted, select My user account. Navigate to the PersonalCertificates store, right-click the details pane, and select All tasks Import certificate. Then, point the wizard to your 3.5" disk. Be sure to read EFS Best Practices in your Win2K Help text. The best practices spell out important key and certificate maintenance procedures to make sure you prevent future data-recovery problems.
About the Author
You May Also Like