Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


helloo guys...i need yur help..how do i recover some crypt files on my computer

  • Please log in to reply
3 replies to this topic

#1 D-eL-uK-9_-


  • Members
  • 1 posts

Posted 16 May 2016 - 05:20 PM

To recover the files encrypted with EFS you need:

- data from $EFS and $DATA streams for each encrypted file;

- some of user' profiles directories %APPDATA% stays for the application data directory of the user, who has encrypted the files (usually something like c:\users\mark\appdata\roaming):

 %APPDATA%\Microsoft\Crypto (contains the RSA private keys)

 %APPDATA%\Microsoft\SystemCertificates (contains the certificate files used to create the FEK for EFS)

 %APPDATA%\Microsoft\Protect (contains DPAPI master keys)

- the password (or at least the SHA1 hash of the password) of the user

and some luck :)


Unfortunately I don't have a full solution that can be used by anyone to recover the keys, but made some research that could help. If it's ok for you to send me some of the data I mentioned above, I hope I could help you.

First we need the contents of the %APPDATA% for that user and the contents of the $EFS alternate data stream of one of the encrypted files. Could you provide the data?




BC AdBot (Login to Remove)



#2 RolandJS


  • Members
  • 4,448 posts
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:06:17 AM

Posted 09 July 2016 - 09:55 AM

Davistar531, you might get better response if you open your own thread.  And, when you do, specify make and model of your computer, specify exactly where you got this quicklock from, and if you have any OS and data backups -- in your own thread   :)

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.


Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)

"I heard Spock finally got colander!"  "I believe the word is Kolinahr."  "Oh."

#3 snehacapoor


  • Members
  • 16 posts
  • Gender:Male
  • Local time:04:47 PM

Posted 13 July 2016 - 07:11 AM

This could have caused because of a Ransomware. These days Ransomware is getting very common. It encrypts all the files in your computer and the you are asked to pay ransom to get decryption key to unlock you files.

#4 Davistar531


  • Members
  • 8 posts

Posted 15 July 2016 - 03:41 AM

i tried to edit it using control panel by going to control panel>personalize and view>hidden fils and folder>then i untick to view system file..now am seing the files as batch files code 2B4:[...................4c7]

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users