Broken EFS? - unable to decrypt files

[Piotr Strycharz]

Hi

While trying to decrypt files (encrypted by myself) I got error "Access
denied". The "cipher /d" command also outputs this error. The default
decryption agent (which is domain Administrator) does not help - the same
result (access denied). The computer itself (Windows 2000 Prof) is stable.
Protected from viruses and spyware. chkdsk does not provide any error.

Strange results occur when ciphering new files. No problem with decryption
until ... logout and login. After that - trying to decrypt files results in
cipher/explorer hang. Restart - helps (but only with recently ciphered
files, old - are undecryptable).

I don't have any ideas what to do next. Any help?

Regards.

 

[Roger Abell [MVP]]

So, all involved accounts are in domain (?, right), but do they
have roaming profiles ? And, is all storage of EFS files that is
involved in these test machine local storage, or on network share?

 

[Piotr Strycharz]

So, all involved accounts are in domain (?, right), but do they
have roaming profiles ? And, is all storage of EFS files that is
involved in these test machine local storage, or on network share?

After further reseach I found that only Windows 2000 allows to encrypt files
(with inability to decrypt by Administrator). However on newer computers
(XP, 2003) no user can encrypt files (Error: "Recovery policy for this
system contains invalid recovery certificate").
Why? Group policy shows that the EFS has expired certificate. This is why I
cannot encrypt file on XP and Win2K3. This also means that ability to
encrypt files on W2K is a bug, as no (valid) recovery certificate exists.
Now, I have to extend administrator's certificate expiry date. Any help how
to do that?

This, however, does not explain why I cannot decrypt my own files.

Piotr.

 

[Paul Adare]

microsoft.public.security.crypto news group, Piotr Strycharz

This also means that ability to
encrypt files on W2K is a bug, as no (valid) recovery certificate exists.

This is not a bug at all, but rather a design change between Windows
2000 and Windows XP.

--
Paul Adare - MVP Virtual Machines
It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain

 

[Steven L Umbach]

Though I don't believe this will necessarily fix the problem be sure to run
Check Disk on the computer selecting the option to fix file errors
automatically. When trying to decrypt files the user trying to do such must
have proper NTFS permissions to the file which I believe needs to be
read/list/execute/write but to be safe make sure that user has full control.
When you tried the Recovery Agent make sure that the RS EFS private key is
also on the computer - not just the user certificate from a .cer file. An
EFS private key can be exported to and imported from a password protected
..pfx file. Also make sure that you are logged on with an account [either
user or RA] that has access to the proper EFS private key for the file. You
can compare thumbprints for both the user certificate associated with the
private key and what is shown for the file with the utility efsinfo or in
XP/W2003 checking the file properties/advanced/details. --- Steve

http://support.microsoft.com/kb/243026 --- efsinfo

 

[Jan Peter Stotz]

Now, I have to extend administrator's certificate expiry date. Any help how
to do that?

You have to create a new recovery agent certificate and publish it via GPO.
The new certificate can be created on a XP/W2K3 machine via the cipher
command:

cipher /r:filename

Jan