Windows – Decrypt encrypted file when user account is destroyed


I have a Virtual Machine running on my Windows Server 2008 computer that originally was received by me encryped, as the builder of the VM did it on a MAC, which decrypts files by default.

I never thought to decrypt these files, as they automatically 'decrypt' when you have permission over them, so the VM has been running for over a year despite the encryption.

I just upgraded my computer to Domain Controller (dcpromo.exe).

Now when I try to access/run the VM, I can't because I don't have permission to decrypt the files as that was on another logon (local administrator) and now I am the domain administrator.

Apparently the local admin is totally nuked when you upgrade to domain controller.

I have tried EVERYTHING –

  • taking ownership of the files, which works. Doesn't do anything for me.
  • Adding full control to everyone on the files.
  • I go to File Properties > Advanced > Details (under encryption) > Users who can access this file. The only user is administrator@localcomputername, and there is a cert number. I try adding a new cert, I don't have permission.

I don't have permission to:

  • Decrypt the file (access is denied).
  • Copy the file (to another computer) – access denied.

I am totally stumped and this VM is a production machine and needs to get up right now.

Does anyone have any ideas?

Best Answer

On Windows systems using EFS encryption, files are encrypted using a symmetric random passwords. Those passwords are encrypted using a local user certificate. In order to access those certificates you need the local user password. Generally speaking, the user accounts are not deleted but renamed so if you're able to export the encryption certificate from the original account and import that into the new one you should be able to access the encrypted files. Most of the technical info that you need is here: encrypted file system recovery. Other way is by using a commercial product, but again it won't work without the certificates so be sure you have them before buying!. I've used Advanced EFS Recovery a long time ago and it searched for the certificates on the disk and decrypted the files. EFS Recovery

Hope that helps!