Why not to encrypt your files using EFS or any other encryption

EFS or NTFS encryption can turn out to be your life’s worst nightmare if you don’t fully read up on it first. I advise everyone not to use it unless you really know what you are doing and have backed up your certificates.

I had many folders of mine encrypted and had forgotten about them completely, since encryption is transparent to the user who encrypted the files. It was a usual day. I was working on my computer when I wanted to access some files from ‘My Documents’ (yes, I had encrypted the whole My Documents folder, idiot me) and was denied access. I thought it might be just that one file. I tried accessing other files and other folders, but they gave the same error. Then it dawned on me. In an instant, I knew what was going on. I was shocked and confused at the same time. I didn’t know what was happening.

I remember opening a PDF file and starting to get Spybot registry prompts. But PDF files were safe, weren’t they? It seems that one wasn’t. It had a virus. I don’t know what it did, but this PDF created all the problems.
I was unable to access my files only after the infection. It also took away my admin rights. I couldn’t use software like Nero; it gave me messages saying that I needed admin rights to run it. I found a site describing how to remove the encryption using hex modifications to the registry and some files. This is the site:
http://www.beginningtoseethelight.org/efsrecovery/index.php

It’s good, and this guy was the first to have found a way to recover. But the tutorial didn’t help much and I still had no way to get my files back. I downloaded Elcomsoft Advanced EFS Recovery, but it said that it needed admin rights. I tried Passware EFS Key Recovery and it gave “Error decrypting file”.
I couldn’t do anything. I couldn’t even format my computer. That would have made the problem worse. My encryption certificates, which might still have been stored somewhere on the computer, would have been gone forever, rendering my encrypted files useless.

I tried running chkdsk and it found many errors. I scheduled it to run at startup, as the C drive was locked, but it didn’t start. I was stuck from every direction. Nothing was working. I ran Event Viewer to check for errors and wasn’t surprised to see Error 7, which said “Bad block on hard drive”. I assumed that the block on the hard drive which held the SAM file and my certificates had gone bad. The virus also made matters worse by removing my rights. I was no longer known to the computer as the same user. I was a different user to my computer.

I didn’t know what to do. Fortunately, I had another computer, so I downloaded a Vista Recovery CD and burned it to a DVD using that other computer. I booted it on my laptop and ran chkdsk. It found and repaired errors. I rebooted into Windows XP and checked, but it hadn’t solved any problems. I tried chkdsk C: /B from the recovery disk again, but that was of no use either.

I had lost almost all hope when I browsed to C:\Windows\system32\config and saw automated backups stored there. The latest one was from 24th May. I thought I’d give it a shot. I booted into the recovery disk again, restored the backup, booted into Windows XP again and got my admin rights back. The problem wasn’t solved, though: I still couldn’t access my encrypted files. I quickly ran the Elcomsoft EFS recovery tool and this time it ran without any error. I was so happy. At least I had some hope: I had my rights back. I ran the software and recovered a test file, and it succeeded.

I was in bliss. I had recovered the encrypted file. I spent the next 5-6 hours recovering all the files. This nightmare was not as bad as that of some people who forget about the encryption and format their drives, only to discover it later. At least I hadn’t formatted the computer. I had the certificates somewhere on my filesystem, but I didn’t know where.

So, it was really a nightmare.

Moral of the story: Do not encrypt files unless you really know what you are doing, and be prepared to face the consequences when the worst happens. Do not encrypt files unless absolutely necessary. Always back up your EFS certificate and private key, and keep the backup somewhere other than the disk that holds the encrypted files.
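The two things that would have made this a non-event are knowing which files are encrypted and having the EFS certificate with its private key exported somewhere safe. The script below is an added example, not the post author's procedure or any tool mentioned above: it inventories encrypted files under a folder and exports every EFS certificate that has a private key to a password-protected PFX. It assumes it is run as the user who encrypted the files, on a Windows release that ships Export-PfxCertificate (Windows 8 / Server 2012 or later); the backup directory and scan root are assumed values you should change.

```powershell
# Added example (not from the original post): inventory EFS-encrypted files and
# back up the EFS certificate + private key, so that a damaged profile, a reinstall
# or a lost SID does not mean lost data.
# Assumptions: run as the encrypting user; Export-PfxCertificate is available
# (Windows 8 / Server 2012 or later); $BackupDir is on a different disk than the data.
param(
    [string]$BackupDir = "D:\efs-backup",        # assumption: NOT the encrypted volume
    [string]$ScanRoot  = $env:USERPROFILE        # assumption: where the forgotten files live
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Find every file carrying the NTFS 'Encrypted' attribute, which is what EFS sets.
#    Encryption is transparent to the owner, so this list is the only reminder you get.
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }
"{0} encrypted files found under {1}" -f @($encrypted).Count, $ScanRoot
$encrypted | Select-Object -ExpandProperty FullName |
    Set-Content -Path (Join-Path $BackupDir "encrypted-files.txt")

# 2. Locate the current user's EFS certificate(s). An EFS certificate carries the
#    Enhanced Key Usage OID 1.3.6.1.4.1.311.10.3.4 ("Encrypting File System").
#    Only certificates whose private key is present are useful for recovery.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4')
}
if (-not $efsCerts) {
    throw "No EFS certificate with a private key found for $env:USERNAME; nothing to back up."
}

# 3. Export each certificate together with its private key to a password-protected PFX.
#    Keep the password somewhere other than the disk you are protecting.
$pw = Read-Host -AsSecureString -Prompt "PFX password"
foreach ($c in $efsCerts) {
    $out = Join-Path $BackupDir ("efs-{0}-{1}.pfx" -f $env:USERNAME, $c.Thumbprint)
    Export-PfxCertificate -Cert $c -FilePath $out -Password $pw | Out-Null
    "Exported {0} (valid until {1}) to {2}" -f $c.Thumbprint, $c.NotAfter, $out
}
```

The PFX can later be imported into any user's personal certificate store (Import-PfxCertificate, or the Certificates MMC snap-in) to decrypt the listed files, which is exactly the step that was unavailable in the story above once the profile and SAM were damaged. On Windows versions without the PKI cmdlets, the built-in `cipher /x <file>` command exports the same certificate and key, and `cipher /u /n` produces the same kind of inventory of encrypted files without modifying them.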
