Recover encrypted files in Windows Server 2003

Find out how to recover encrypted files with advice from Windows hardening expert Jonathan Hassell.

Question: When I try to open a certain file, I get an error message that says "access denied." I was able to open the same file two days before. I checked the permission and I have full control over it. When I tried to use the EFSINFO utility to check the encryption details, I found my name under the user who can open the file, but there is no name under the recovery agent's column. I cannot decrypt the file. I did not rebuild my machine, and all of the configurations are the same without any changes. What is happening here?
- Posed by a SearchWindowsSecurity.com reader.

Jonathan Hassell offered his response:

It can be somewhat disconcerting that, in emergency or recovery situations, encrypted files can be decrypted by a user other than the user who encrypted the file originally. This is actually a feature, and it is quite secure. Designated user accounts, called recovery agent accounts, are issued recovery agent certificates with public keys and private keys upon their creation. Those, then, are used for EFS data recovery operations.

To view the recovery agents for an object, log in as the owner of the encrypted object. Then, right-click the object and select Properties. Click the Advanced button, which opens the Advanced Attributes dialog box. Click the Details button to bring up the Encryption Details box. The recovery agents for the specified object are listed in the bottom box.

The top box of the Encryption Details dialog is a new feature in Windows Server 2003 that makes it quite a bit easier to enable other users to decrypt a file without them being recovery agents. By designating their user accounts in the top list, the users can access and use the file transparently. This may help you. Simply click Add and select your user account, and then try to decrypt the file.
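The dialog walk-through above can be mirrored from a script when you need to check several files or keep a record of what was found. The following PowerShell is an added example, not part of Jonathan Hassell's answer or any Microsoft tool: it checks that the file actually carries the Encrypted attribute, lists the EFS certificates the current user holds (and whether the private key is present), runs the EFSINFO utility mentioned in the question to show the users and recovery agents recorded on the file, and cross-checks whether one of the user's own certificate thumbprints is among them. It assumes efsinfo.exe from the Windows Server 2003 Support Tools is on PATH; the file path is a placeholder.

```powershell
# Added example, not from the original article: audit who can decrypt an EFS-protected file.
# Assumes efsinfo.exe (Windows Server 2003 Support Tools) is on PATH; $Path is a placeholder.
param([string]$Path = 'C:\data\report.xls')   # placeholder, replace with the affected file

$item = Get-Item -LiteralPath $Path
if (-not ($item.Attributes -band [System.IO.FileAttributes]::Encrypted)) {
    Write-Output "$Path does not carry the Encrypted attribute; review NTFS and share permissions instead of EFS."
    return
}

# Certificates in the user's personal store whose Enhanced Key Usage includes
# Encrypting File System (OID 1.3.6.1.4.1.311.10.3.4). Only one with its private key can decrypt.
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$myEfsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # EKU extension
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })
}
Write-Output "EFS certificates for $env:USERNAME in Cert:\CurrentUser\My:"
foreach ($c in $myEfsCerts) {
    Write-Output ("  thumbprint={0} privateKey={1} expires={2}" -f $c.Thumbprint, $c.HasPrivateKey, $c.NotAfter)
}

# Users (/U), recovery agents (/R) and certificate thumbprints (/C) recorded in the file's EFS metadata;
# this is the same information the Encryption Details dialog shows in its two boxes.
$info = & efsinfo.exe /U /R /C $Path 2>&1
Write-Output $info

# Cross-check: does one of this account's thumbprints appear on the file? The tool prints the hash
# with separators, so strip whitespace and colons before the (case-insensitive) -match.
$flat = ($info -join ' ') -replace '[\s:]', ''
$matched = $myEfsCerts | Where-Object { $_.HasPrivateKey -and ($flat -match $_.Thumbprint) }
if ($matched) {
    Write-Output "An EFS certificate with a private key in this profile is listed on the file."
} else {
    Write-Output "No EFS certificate with a private key in this profile matches the file."
    Write-Output "Only an account already listed on it (a user or a recovery agent) can decrypt it or add this account via Properties > Advanced > Details > Add."
}
```

If the file shows no recovery agent and none of the listed user certificates has a matching private key in the current profile, the dialog's Add button will not help from that account; it has to be used by a user who is still listed on the file. Recording the EFS certificate thumbprints of your users and recovery agents ahead of time makes this comparison immediate when an "access denied" report comes in.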

About the author: Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro magazine, SecurityFocus, PC Pro and Microsoft's TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration. He can be reached at jhassell@gmail.com.

This was first published in May 2007