Accessing EFS-encrypted files after resetting Windows password

12

2

I have some EFS-encrypted files in Windows. The owning user account is protected by a password, which can be easily bypassed (i.e. reset) by many tools and methods.

So what will happen to these encrypted files if that happens? Will they be accessible to the attacker? Or will they still be protected and require the encryption key to access them?

ICTAddict

Posted 2014-06-11T06:02:11.897

Reputation: 388

2

I've edited your question to make it a little bit clearer that you're using EFS. If that's not right, you can roll back the edit. Nice question! – Ben N – 2016-01-31T21:51:20.690

Answers

9

The existing answer is correct in that the EFS private key is protected by the user's password. However, it is possible to configure EFS Data Recovery Agents that can decrypt any EFS-encrypted file on a system. DRA certificates are set via Group Policy, or Local Security Policy if you don't have a domain.

DRAs have such access because when a system receives the public key of the DRAs, it encrypts the symmetric key of each encrypted file with each DRA's public key in addition to the user's public key. Thus, DRAs can only recover encrypted files if they were created or opened after their certificate was registered.

So, depending on your configuration, it could be possible to recover the data even after resetting the owner's password. DRA keys are also protected by the DRA's password, but a crafty attacker would install a DRA certificate for a new user, wait for you to touch the target files, then take advantage of the certificate to decrypt them.

Note that this recovery option does not apply to DPAPI-protected data, as the DPAPI does not respect EFS DRAs. You're in for some pain if you need to recover such data.

Ben N

Posted 2014-06-11T06:02:11.897

Reputation: 32 973

7

The user's EFS private key, as well as various other private data kept by Windows, is encrypted using the user's password. If the password is changed, it is impossible to decrypt the private keys, and without that, it is impossible to access the encrypted files.

user1686

Posted 2014-06-11T06:02:11.897

Reputation: 283 655

2

That is correct. The EFS private key is encrypted via the "Data protection API", CryptProtectData and CryptUnprotectData. Exactly how this API works is well-explained at MSDN; what I can fit in a comment here is this: the password supplied at login is part of the input to the key generation. If you change your pw, then all secrets you previously encrypted with this API are re-keyed with the new password. But if third party software (or the admin for that matter) changes your pw, this can't be done, and you lose access to previously-encrypted secrets. See also "EFS recovery agent". – Jamie Hanrahan – 2014-07-22T17:30:27.627

3

@JamieHanrahan - This might warrant a separate question but it is only a slight expansion to the original question above: If after the password was reset by 3rd party tools as above, the original password was found (remembered), would logging in (using the "reset" password) and changing the password back to the original password allow access to the EFS-encrypted files? – Kevin Fegan – 2016-02-02T14:34:44.027

1

I'm not sure I fully understand this, do you mean that once the password is reset by third party software, the encrypted data is gone forever? – ICTAddict – 2014-06-11T08:48:54.643
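The key chain that both answers and Jamie Hanrahan's comment describe, as an added Python model (not code from the thread, from Windows, or from Microsoft): a password-derived key wraps the DPAPI master key, which wraps the EFS private key, which wraps each file's FEK, with an extra FEK wrapping per Data Recovery Agent. The cipher is a toy HMAC keystream, EFS public keys are modelled as symmetric keys, and the SID, passwords and file contents are constructed values; the model only shows which key holders can reach the data after a user-initiated change, an admin reset, and DRA registration before and after the owner touches the file.

```python
import hashlib, hmac, os
from contextlib import suppress
def kek(password, sid):  # model of DPAPI's password-derived key: UTF-16LE password hashed, stretched with the SID as salt
    return hashlib.pbkdf2_hmac("sha256", hashlib.sha1(password.encode("utf-16-le")).digest(), sid.encode("utf-16-le"), 10_000, 32)
def _xor(key, data):  # toy HMAC keystream; stands in for AES (DPAPI) and RSA (EFS certificates)
    ks = b"".join(hmac.new(key, bytes([i]), "sha256").digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def wrap(key, secret):  # encrypt-then-MAC, so unwrapping with the wrong key is detected instead of yielding garbage
    ct = _xor(key, secret)
    return ct + hmac.new(key, ct, "sha256").digest()
def unwrap(key, blob):
    if not hmac.compare_digest(blob[-32:], hmac.new(key, blob[:-32], "sha256").digest()):
        raise PermissionError("key does not match this blob")
    return _xor(key, blob[:-32])
class User:  # DPAPI master key wrapped by the password KEK; EFS private key wrapped by the master key
    def __init__(self, sid, password):
        self.sid, master, self.pub = sid, os.urandom(32), os.urandom(32)
        self.master_blob = wrap(kek(password, sid), master)
        self.efs_blob = wrap(master, self.pub)  # symmetric stand-in: "pub" doubles as the private key
    def private_key(self, password):
        return unwrap(unwrap(kek(password, self.sid), self.master_blob), self.efs_blob)
    def change_password(self, old, new):  # user-initiated change: Windows re-wraps the master key
        self.master_blob = wrap(kek(new, self.sid), unwrap(kek(old, self.sid), self.master_blob))
class EncryptedFile:  # body under a random FEK; the FEK is wrapped for the owner (DDF) and each DRA (DRF)
    def __init__(self, data, owner_pub, dra_pubs=()):
        fek = os.urandom(32)
        self.body, self.ddf = wrap(fek, data), wrap(owner_pub, fek)
        self.drf = [wrap(p, fek) for p in dra_pubs]
    def read(self, key):
        for blob in [self.ddf, *self.drf]:
            with suppress(PermissionError): return unwrap(unwrap(key, blob), self.body)
        raise PermissionError("no wrapping of the FEK matches this key")
    def touch(self, owner_key, dra_pubs):  # opening/saving re-wraps the FEK for the DRAs registered right now
        self.drf = [wrap(p, unwrap(owner_key, self.ddf)) for p in dra_pubs]
def scenario():  # which accesses succeed at each step of the thread's story (constructed SID, passwords, data)
    def ok(fn):
        with suppress(PermissionError): fn(); return True
        return False
    data, dra_pub = b"constructed sample: payroll figures", os.urandom(32)
    alice = User("S-1-5-21-1-2-3-1001", "hunter2")
    f = EncryptedFile(data, alice.pub)                            # encrypted before any DRA exists
    r = {"owner": f.read(alice.private_key("hunter2")) == data}
    alice.change_password("hunter2", "correct horse")
    r["after_user_change"] = ok(lambda: f.read(alice.private_key("correct horse")))
    r["dra_before_touch"] = ok(lambda: f.read(dra_pub))           # DRA registered, file not yet touched
    f.touch(alice.private_key("correct horse"), [dra_pub])
    r["dra_after_touch"] = ok(lambda: f.read(dra_pub))
    r["owner_after_reset"] = ok(lambda: alice.private_key("Welcome1"))  # admin reset left master_blob as it was
    return r
```

Running `scenario()` returns a dict in which only `dra_before_touch` and `owner_after_reset` are False, matching the two failure cases the answers describe.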