After moving a working hard drive with an unbootable Windows installation to a new computer, you may not be able to access EFS-encrypted files.
From https://tinyapps.org/docs/decrypt-efs-without-cert-backup.html
0. Copy necessary files
From the offline system, copy these folders and paste them into the directory containing mimikatz.exe on a running system:
- %USERPROFILE%\AppData\Roaming\Microsoft\
  - SystemCertificates\
  - Crypto\
  - Protect\
If the password is unknown, copy these two files as well:
- %WINDIR%\system32\config\
  - SAM
  - SYSTEM
1. Retrieve certificate thumbprint from one of the encrypted files
cipher /c "D:\Users\foo\Pictures\secret.jpg"
... Certificate thumbprint: 096B A4D0 21B5 0F5E 78F2 B985 4A74 6167 8EDA A006
No recovery certificate found. Key information cannot be retrieved.
The specified file could not be decrypted.
2. Export certificate and its public key to DER
mimikatz # crypto::system /file:"SystemCertificates\My\Certificates\096BA4D021B50F5E78F2B9854A7461678EDAA006" /export
... Key Container : d209e940-6952-4c9d-b906-372d5a3dbd50 Provider : Microsoft Enhanced Cryptographic Provider v1.0 ... Saved to file: 096BA4D021B50F5E78F2B9854A7461678EDAA006.der
3. Find the master key
Check files within Crypto\RSA\SID\ to find the one containing a pUniqueName which matches the key container found in step 2, e.g.,
mimikatz # dpapi::capi /in:"Crypto\RSA\S-1-5-21-3425643682-3879794161-2639006588-1000\43838b0ac634d4f965f7c24f0fa91b2b_a55eeef9-ab65-4716-a466-adfc937caecd"
... pUniqueName : d209e940-6952-4c9d-b906-372d5a3dbd50
... guidMasterKey : {92f17fce-aae6-488b-9fd8-7774c6c3eb16}
4. Recover NTLM hash if necessary
If the password is unknown, recover the NTLM hash:
mimikatz # lsadump::sam /system:SYSTEM /SAM:SAM
... RID : 000003e8 (1000) User : foo Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0
For domain accounts, you'll only need the NTLM hash (/hash:xx); for local accounts, you'll need either the corresponding password (/password:xx) or its SHA1 hash (/hash:xx), which means knowing, cracking, or looking it up:
- Lookup online:
- Lookup offline:
- Crack via hashcat or similar
5. Decrypt the master key
In this example, we have a local account with an NTLM hash of 31d6cfe0d16ae931b73c59d7e0c089c0, which corresponds to a blank password and a SHA1 hash of da39a3ee5e6b4b0d3255bfef95601890afd80709:
mimikatz # dpapi::masterkey /in:"Protect\S-1-5-21-3425643682-3879794161-2639006588-1000\92f17fce-aae6-488b-9fd8-7774c6c3eb16" /hash:da39a3ee5e6b4b0d3255bfef95601890afd80709
... [masterkey] with hash: da39a3ee5e6b4b0d3255bfef95601890afd80709 (sha1 type) key : 6e24723a56a885fc957f25d4872cbbf10589b1f08033d32174ef3618a192f0e101e41196ca76d689057737429af000af2d7e19497ef2151344dfdfdfb9a6bfd0 sha1: 4505118da94b7df471bbbcf6d2c6c744a612e62b
6. Decrypt the private key
mimikatz # dpapi::capi /in:"Crypto\RSA\S-1-5-21-3425643682-3879794161-2639006588-1000\43838b0ac634d4f965f7c24f0fa91b2b_a55eeef9-ab65-4716-a466-adfc937caecd" /masterkey:4505118da94b7df471bbbcf6d2c6c744a612e62b
... Private export : OK - 'raw_exchange_capi_0_d209e940-6952-4c9d-b906-372d5a3dbd50.pvk'
7. Build PFX certificate
with OpenSSL:
openssl.exe x509 -inform DER -outform PEM -in 096BA4D021B50F5E78F2B9854A7461678EDAA006.der -out public.pem
openssl.exe rsa -inform PVK -outform PEM -in raw_exchange_capi_0_d209e940-6952-4c9d-b906-372d5a3dbd50.pvk -out private.pem
writing RSA key
openssl.exe pkcs12 -in public.pem -inkey private.pem -password pass:bar -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
8. Install PFX certificate
certutil -user -p bar -importpfx cert.pfx NoChain,NoRoot
Certificate "user" added to store. CertUtil: -importPFX command completed successfully.
9. Access your files!
Your files should now be accessible, but you may want to take this opportunity to decrypt them:
cipher /d "D:\Users\foo\Pictures\secret.jpg"
cipher /d /s:"D:\Users\foo\Pictures\"
(or right click → Advanced → uncheck "Encrypt contents to secure data" → OK).