Posted 12 April 2011 - 05:49 PM
Problem: I cannot open, view, modify, copy, or otherwise access in any way, my personal files that have been encrypted by the Windows EFS.
I need help from someone who understands the Windows Encrypting File System and is willing to help me understand and troubleshoot this problem. I know this is a little long, but please bear with me. I apologize for the length, but I wanted to give as much detail as possible up front and hopefully to help someone in the future should they come across this. I am a novice in general, and specifically to EFS, so it is difficult to understand the problem. I have been reading up about EFS, but I'm hoping for someone to put it into layman's terms so I can understand the problem better and so I can contribute better in finding the solution, i.e. finding keys/certificates locations, importing them back into the files so they can be accessed, etc. I don't even know if what I just said makes sense, but those are the concepts I need help on.
I've read on other forums of people not being able to access encrypted files, but they talk about having done a reinstall of Windows or a format of the hard drive and now they can't access their encrypted files. Therefore, the standard reply is that they're out of luck and the files are unrecoverable. In their case, that seems to be an acceptable answer.
In my case, however, I did not reinstall Windows or reformat. I do not know the cause of the problem, but I will provide a background of recent events on my computer.
On April 1, I suspected I got infected by something and sought help on another forum. I received help in removing the infection, which was apparently a trojan/password stealer as per the helper who viewed the ComboFix logs. The infection was supposedly removed, and my system appeared normal. Days later I noticed the encrypted files were inaccessible. Pictures are not viewable, documents cannot be opened (access denied), etc. The action of right click > Properties > Advanced > [UNCHECK] Encrypt contents so secure data > Apply yields the message "Error applying attributes to the file: [X] Access is denied".
(Again, I'm a novice, so what I'm saying might just be illogical speculation, but I bring it up so someone more knowledgeable can eliminate it as a possibility in order to find the cause and solution.)
Here are the possibilities I've come up with:
1. Despite the removal/cleaning of the infection, the trojan or whatever it was, messed with the encryption. By that, it a) deleted one or both of the encryption keys (master/personal); b.) deleted the certificate assigned to the encrypted files used to access/decrypt them at will; c) implemented its own encryption or encryption key or thumbprint over my existing encryption.
Reasons why I suspect this:
-All the encrypted files have roughly the same Accessed date and time, roughly April 2, 6:20am, only about 12 hours after I was infected on April 1.
-The encrypted files that were present on my system at the time of infection have an Encryption Thumbprint that is different from the Thumbprint of a newly created, encrypted file.
-I have read of an infection where a virus encrypts a user's files and holds them for ransom. One person replied that the virus only "pretended" to encrypt the files by making copies of existing files and then encrypting those files and hiding the originals. Reasons why I think this is not the case: the problem is limited to files encrypted by EFS, rather than every file on my system.
2. Result of running ComboFix? I have read recently on this forum that someone had a problem where ComboFix deleted user profiles, and as I understand it, user profiles are tied to EFS and certificates. Any modification to them will result in loss of certificates? Reasons why I think this is not the case: The files all have the same Accessed day and time (as mentioned above), and ComboFix was run a day after that day and time listed. Therefore, what would ComboFix have to do with it?
3. Result of a naturally occurring, non-viral Windows event, such as the expiration of EFS certificate and creation of new certificate with different keys? Again, I don't even really know what I'm saying or what that even means.
4. Something I haven't thought of.
Further background and possibilities to be considered/ruled out:
Prior to all these recent events, about 6 months ago, I did use the Windows XP disc's repair option because it was my only option to get the computer to boot due to an infection at that time. However, from that point on, the encrypted files were accessible in every way, so I don't think that had anything to do with it. Perhaps doing that repair caused the certificates to expire around this time, losing the key to the encryption, and that it was just coincidental to the infection. That's just my uneducated theory and I don't know if it has any bearing, but I mention it as a possibility for someone to eliminate.
Also, after the 6-months-ago-trojan was removed and everything was fine, I was still receiving "Windows File Protection" messages closing Windows Explorer for "my protection." Is that a system error, or does it indicate I'm still infected from the first trojan 6 months ago, perhaps? I even received that message just recently, even after this most recent infection's removal.
-I did not export or otherwise backup the certificates or keys, BUT, I also did not delete them by reformatting or reinstalling, so there is no reason for them to be missing.
In reference to the idea that the keys were deleted, modified, or otherwise gone, (by which of the means listed above, I don't know), I have found a program which claims to be able to decrypt files encrypted by EFS under basically any conditions, i.e. lost keys, deleted certificates, etc., etc. I have used the trial version of this program and it locates several varieties of keys, some of which are green (recovered, decrypted and good to go), others red (unrecoverable, can't be decrypted, and thus unable to be used to decrypting said files). With the keys it found, it then locates encrypted files and decrypts them. Unfortunately, the trial version only allows 512 bytes to be decrypted, so I can't check to see if the data is there. It did appear to successfully decrypt the file, but it is still unviewable, though I assume that is solely because it only decrypted 512 bytes.
If the problem can be solved by reinstating the certificates and/or keys, or using the XP disc's repair option, or the Windows Recovery Console, or whatever NORMAL process to get access to the files, then I can avoid having to pay for a program.
Thank you for reading.