
How to decrypt files i have the EFS certificate for?


Ian Boyd

Jan 4, 2009, 3:17:28 PM
i have an encrypted file on my computer.
i have Full Control to the file.
Everyone has Full Control to the file.
i am the Owner of the file.

According to efsinfo, the file is encrypted with the certificate whose
thumbprint is:
Certificate thumbprint: 1E01 673B B646 8FBA 21A6 122A 2D1F 0629 7229
914D

According to efsinfo, my current EFS certificate thumbprint is:
1E01 673B B646 8FBA 21A6 122A 2D1F 0629 7229 914D

According to CertMgr.msc, "You have a private key that corresponds to this
certificate"

So how do i decrypt files that i can decrypt?

Ian Boyd

Jan 4, 2009, 3:23:19 PM
C:\Program Files\Resource Kit>efsinfo /c c:\test\TheFile.bin

c:\test\

TheFile.bin: Encrypted
Users who can decrypt:
PHALANX\Ian (Ian)


Certificate thumbprint: 1E01 673B B646 8FBA 21A6 122A 2D1F 0629 7229
914D

C:\Program Files\Resource Kit>efsinfo /y

Your current EFS certificate thumbnail information on the PC named PHALANX

Ian Boyd

Jan 4, 2009, 3:48:08 PM
KittenCullen.psd
Everyone: Full Control
Attributes: AE
Owner: PHALANX\Ian
Computer: PHALANX (this computer)

KittenCullen.psd: Encrypted


Users who can decrypt:
PHALANX\Ian (Ian)

Certificate thumbprint: 1E01 673B B646 8FBA 21A6 122A 2D1F
0629 7229 914D


test.txt
Everyone: Full Control
Attributes: AE
Owner: Ian Boyd (PHALANX\Ian)
Owner: PHALANX\Ian
Computer: PHALANX (this computer)

test.txt: Encrypted


Users who can decrypt:
PHALANX\Ian (Ian)

Certificate thumbprint: 1E01 673B B646 8FBA 21A6 122A 2D1F
0629 7229 914D

Trying to copy the file from the command line:

KittenCullen.psd
Operation: CreateFile
Result: ACCESS DENIED
Desired Access: Generic Read
Disposition: Open
Options: Sequential Access, Synchronous IO Non-Alert, Non-directory file
Attributes: N
ShareMode: Read, Write

test.txt
Operation: CreateFile
Result: SUCCESS
Desired Access: Generic Read
Disposition: Open
Options: Sequential Access, Synchronous IO Non-Alert, Non-directory file
Attributes: N
ShareMode: Read, Write


The file's not in use:
C:\test>handle kittencullen.psd

Handle v3.31
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

No matching handles found.


Ian Boyd

Jan 4, 2009, 3:56:46 PM
What are some other possible causes of AccessDenied messages?

"Ian Boyd" <m...@here.net> wrote in message
news:B35A8C5F-7AA6-4F7D...@microsoft.com...

Ian Boyd

Jan 4, 2009, 3:55:56 PM
i forgot to mention that

i cannot access: KittenCullen.psd
i can access: test.txt

"Ian Boyd" <m...@here.net> wrote in message

news:49C57081-D695-4633...@microsoft.com...

Ian Boyd

Jan 4, 2009, 3:56:07 PM
i can move the file around, i cannot copy it.


"Ian Boyd" <m...@here.net> wrote in message

news:B35A8C5F-7AA6-4F7D...@microsoft.com...

Ian Boyd

Jan 4, 2009, 4:22:34 PM
It seems to me that it must be corrupted EFS metadata. Everything is set
correctly, but it still denies access.

i checked the disk

C:\>chkdsk c:
The type of the file system is NTFS.
Volume label is DriveC.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
358592 file records processed.
File verification completed.
5434 large file records processed.
0 bad file records processed.
2 EA records processed.
90 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 3)...
436000 index entries processed.
Index verification completed.
0 unindexed files processed.
CHKDSK is verifying security descriptors (stage 3 of 3)...
358592 security descriptors processed.
Security descriptor verification completed.
38705 data files processed.
CHKDSK is verifying Usn Journal...
35988640 USN bytes processed.
Usn Journal verification completed.
Windows has checked the file system and found no problems.

195359694 KB total disk space.
100793040 KB in 291889 files.
161240 KB in 38706 indexes.
4 KB in bad sectors.
523678 KB in use by the system.
65536 KB occupied by the log file.
93881732 KB available on disk.

4096 bytes in each allocation unit.
48839923 total allocation units on disk.
23470433 allocation units available on disk.


But it didn't find anything.

It's very possible that ChkDsk cannot check EFS metadata, since it is held
inside the file, rather than part of the file system itself.

"Ian Boyd" <m...@here.net> wrote in message

news:3449007D-1335-420C...@microsoft.com...

Ian Boyd

Jan 4, 2009, 4:27:54 PM
i tried reboot, in case the empirical evidence (being able to move the
file), and SysInternal's Handle.exe were both incorrect.

Still cannot access the file.


"Ian Boyd" <m...@here.net> wrote in message
news:B35A8C5F-7AA6-4F7D...@microsoft.com...

Ian Boyd

Jan 4, 2009, 4:30:54 PM
The maddening thing is that i was able to open the file initially.

1. Found file in folder on my desktop
2. Double-click to open in Photoshop
3. Photoshop opens the file and shows content.
4. Close Photoshop
5. Copy file to Pictures - access denied.
6. Move file to Pictures - success
7. Double-click to open in Photoshop - access denied
8. Move file back to folder on my desktop
9. Double-click to open in Photoshop - access denied
10. Ensure i have Full Control
11. Ensure i am Owner
12. Try to remove encryption - access denied
13. Move file to known non-virtualized folder
14. Try to remove encryption - access denied.

i was able to view the file once.

And Vista continues to be able to show me the thumbnail.


"Ian Boyd" <m...@here.net> wrote in message
news:B35A8C5F-7AA6-4F7D...@microsoft.com...

Ian Boyd

Jan 4, 2009, 4:40:59 PM
i see Windows Vista includes efsinfo.exe as cipher.exe

Here's the same output from cipher:

C:\test>cipher /c

Listing C:\test\
New files added to this directory will not be encrypted.

E KittenCullen.psd
Users who can decrypt:
PHALANX\Ian [Ian]


Certificate thumbprint: 1E01 673B B646 8FBA 21A6 122A 2D1F 0629 7229
914D

No recovery agent found.

Key Information:
Algorithm: AES
Key Length: 256
Key Entropy: 256


C:\test>cipher /y

EFS certificate thumbprint for computer PHALANX:

1E01 673B B646 8FBA 21A6 122A 2D1F 0629 7229 914D


How do i decrypt files that i can decrypt?
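
Added example, not part of the original posts: the posts above compare by eye the thumbprint that `cipher /c` records for the file with the one `cipher /y` reports for the current EFS certificate, and the listing wraps the last thumbprint group onto its own line. This Python sketch parses that output, rejoins the wrapped thumbprint and makes the comparison; `other.bin` and its thumbprint are constructed, and a match only shows the file is keyed to the current certificate, which in this thread did not prevent the access-denied result.

```python
import re

THUMB_LEN = 40  # a SHA-1 certificate thumbprint is 40 hex digits
HEX_GROUPS = re.compile(r"^(?:[0-9A-Fa-f]{4}\s*)+$")

def normalize(thumbprint):
    return re.sub(r"\s", "", thumbprint).upper()  # drop spaces, upper-case

def parse_cipher_c(text):
    """Map each listed file to the thumbprints under 'Users who can decrypt'."""
    files, name, section, partial = {}, None, None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if partial is not None and HEX_GROUPS.match(line):
            partial += normalize(line)            # wrapped tail, e.g. "914D"
        elif re.match(r"^[EU] \S", line):         # "E name" / "U name" entry
            name, section, partial = line[2:].strip(), None, None
            files[name] = []
            continue
        elif line.lower().startswith("certificate thumbprint:"):
            partial = normalize(line.split(":", 1)[1])
        else:
            if line.endswith(":"):                # section header
                section = line[:-1]
            partial = None
            continue
        if len(partial) >= THUMB_LEN:
            if name and section == "Users who can decrypt":
                files[name].append(partial[:THUMB_LEN])
            partial = None
    return files

def matches_current(files, cipher_y_thumbprint):
    """True per file if its user thumbprints include the current EFS certificate."""
    current = normalize(cipher_y_thumbprint)
    return {name: current in thumbs for name, thumbs in files.items()}

# Constructed sample: first entry follows the thread's cipher /c output; other.bin is made up.
SAMPLE = """\
E KittenCullen.psd
  Users who can decrypt:
    PHALANX\\Ian [Ian]
    Certificate thumbprint: 1E01 673B B646 8FBA 21A6 122A 2D1F 0629 7229
914D
E other.bin
  Users who can decrypt:
    Certificate thumbprint: AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA
"""
```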

Monitor

Jan 4, 2009, 5:17:38 PM
"Ian Boyd" <m...@here.net> wrote in message
news:B35A8C5F-7AA6-4F7D...@microsoft.com...

Ten posts on the same subject in 90 minutes. Any further updates? Best to do
your homework first, then ask for assistance.


Ian Boyd

Jan 4, 2009, 9:25:47 PM
> Ten posts on the same subject in 90 minutes.

i posted them all under the same thread. If you didn't know the answer after
reading the first OP, don't expand the tree.

> Any further updates?
No further updates since i asked the question 11 months ago
http://groups.google.com/group/microsoft.public.windows.file_system/browse_thread/thread/f94c159e01721802

nor since Lee Meyrick asked the same question 11 years ago:
http://groups.google.com/group/microsoft.public.windowsxp.security_admin/browse_thread/thread/e84a7c188a670c92

> Best to do your homework first, then ask for assistance.

OP was the homework. Rest was just trying random stuff.


James Watkins

Jan 5, 2009, 9:58:34 AM
"Ian Boyd" <m...@here.net> wrote in message
news:B70BD07D-A402-4AEE...@microsoft.com...

You appear to miss Monitor's point. Imagine that you're writing a problem
report for your boss. First you give him the main theme, then you give him
an afterthought, then another afterthought, then another, one every ten
minutes. You're basically putting your thoughts on paper as they occur to
you. Your boss would probably kick you out of his office after the third
afterthought and tell you that he pays YOU to do the thinking, to compile a
concise report with ALL the relevant facts, instead of running in and out of
his office each time you have a brain flash.

You might say that your thread is not a report to the boss. Correct, it
isn't - it's much worse. Your boss is paid to read your reports. The
respondents in this newsgroup are not paid - they are donating some of their
time voluntarily to help you resolve your problem. You're taxing their
patience and generosity severely with your piece-meal approach to problem
solving. If I knew anything about encryption (which I don't) then I would
lose my patience halfway through your musings.

As Monitor said: Do your homework first, then post. And have a look here for
more info on how to write a good post: http://66.39.69.143/goodpost.htm.

Just my two bob's worth.

