
I have an encrypted folder in Windows. Presumably there must be a key stored somewhere to access the data. Where exactly is the key stored? If in the registry, where in the registry?

I have an encrypted folder in Windows that I need access to, but the OS is not bootable. I have access to the registry file that I can load to another machine. Of course the next step is convincing Windows/NTFS to use that key on that folder to allow access.

Robert
J Collins
  • How did you encrypt the data? Do you have a recovery key? – harrymc Jan 22 '24 at 15:19
  • The method was simply ticking the encryption box on the folder in Windows 10. Everything else was behind the scenes. – J Collins Jan 22 '24 at 15:24
  • Wow okay, somehow when accessed by a new machine, you just brute force 'take ownership' of it, and the files become accessible. Unbelievable. – J Collins Jan 22 '24 at 15:28
  • I guess that you have used the same user name & password on the old and new computers? That would explain it. – harrymc Jan 22 '24 at 15:31
  • Hm, celebrations are short-lived. The files appear accessible and even have nonzero filesizes, but seem to be illusions. – J Collins Jan 22 '24 at 15:37
  • Yes, I was going to ask you if the contents of the files are readable, but evidently they aren't. EFS is like that, so you need absolutely to have the certificate from the old computer. The best solution if you have not saved the certificates would be to make the old disk bootable, even if barely, and decrypt the data. – harrymc Jan 22 '24 at 15:46
  • I can get to the recovery environment logged in, but still the files are inaccessible. I don't know where the certificates are stored to recover and use them. – J Collins Jan 22 '24 at 15:52
  • If you can boot to the Command Prompt or Safe mode, try the command cipher /d "the full path to your folder". To also do sub-folders: cipher /d /s:"the full path to your folder". – harrymc Jan 22 '24 at 15:57
  • @JCollins - The certificates were stored in the user's Certificate Store, and if you created a backup, in that location. If you did not export the certificate or back up the certificate, before you lost access to that user, then the files are permanently encrypted. When you enabled EFS on these files, you were prompted to create a certificate (otherwise the files would not be encrypted), so it wasn't entirely as simple as just clicking a checkbox. – Ramhound Jan 22 '24 at 21:09
  • Where is the 'Certificate Store' stored? – J Collins Jan 23 '24 at 10:27
  • @JCollins As the EFS certificate (and the key) are user-specific, they are stored in your user folder. The exact path is documented here: https://learn.microsoft.com/en-us/windows/win32/seccng/key-storage-and-retrieval
    %APPDATA%\Microsoft\Crypto\RSA\User SID and
    %APPDATA%\Microsoft\Crypto\DSS\User SID
    – Robert Jan 24 '24 at 15:34

0 Answers