
EFS encrypted files

Printed From: ForensiT
Category: ForensiT Support
Forum Name: Move Computer
Forum Description: User Profile Transfer Wizard questions, suggestions, comments and bug reports
URL: https://forum.ForensiT.com/forum_posts.asp?TID=208
Printed Date: 27 Mar 2026 at 2:13am
Software Version: Web Wiz Forums 12.03 - http://www.webwizforums.com


Topic: EFS encrypted files
Posted By: advantage
Subject: EFS encrypted files
Date Posted: 28 Oct 2009 at 11:06am
I used profwiz not realizing a client had a folder encrypted with EFS under his local logon. Of course the files are not accessible under his new domain logon, nor are they accessible after being copied back to his local profile. The folder does not even show as encrypted.

Is there a way to recover the EFS certificate of the local logon and use it to decrypt the files?

I tried the trial version of Elcomsoft's Advanced EFS Data Recovery, and no luck.

Are the files unrecoverable?



Replies:
Posted By: Support
Date Posted: 28 Oct 2009 at 12:06pm
Hi,

The following procedure has worked for other customers. As long as you copied the encrypted data to the other profile (and did not move it) the files should be recoverable.

1. Re-enable the original local user account (if you have not already done so.)
2. Log on with an administrator account and re-run User Profile Wizard.
3. Select the local machine name from the "Enter the domain" dropdown list on the "User Account Information" page. Enter the old local user account name.
4. Select the profile and migrate it back to the original local user account. Reboot.
5. Log on as the local user account. (The machine can still be on the new domain.) You should now have access to the data.
6. You will probably find that you are unable to remove encryption at the top folder level. However, by opening the folder and selecting all items, you should be able to remove encryption.
7. Once all the encryption has been removed you can run User Profile Wizard again and assign the profile to the new domain account.

I hope this helps!
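
Steps 6 and 7 of the procedure above can be scripted. The following is an added example, not part of the original post and not ForensiT code: a PowerShell sketch that, run as the original local user after step 5, decrypts every EFS-encrypted file under a folder tree, clears the attribute on the folders, and confirms nothing is left encrypted before the profile is re-migrated. The `$Root` parameter and the `Get-EfsItems` helper are assumptions made for illustration.

```powershell
# Added example, not ForensiT code. Run as the original local user after step 5.
# $Root is an assumption: the folder tree that holds the EFS-encrypted data.
param([string]$Root = $env:USERPROFILE)

function Get-EfsItems([string]$Path) {
    # Everything under $Path that still carries the Encrypted attribute.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
}

$items = @(Get-EfsItems $Root)
"{0} encrypted item(s) found under {1}" -f $items.Count, $Root

# Step 6: decrypt the files first; per the thread, encryption usually cannot
# be removed at the top folder level until the contents are handled.
$failed = @()
foreach ($file in $items | Where-Object { -not $_.PSIsContainer }) {
    try { [System.IO.File]::Decrypt($file.FullName) }
    catch { $failed += "$($file.FullName): $($_.Exception.Message)" }
}

# Then clear the attribute on folders, deepest first.
$dirs = $items | Where-Object { $_.PSIsContainer } |
    Sort-Object { $_.FullName.Length } -Descending
foreach ($dir in $dirs) {
    cipher.exe /d "$($dir.FullName)" | Out-Null
}

# Step 7 precondition: nothing should remain encrypted before re-migrating.
$left = @(Get-EfsItems $Root)
if ($left.Count -or $failed.Count) {
    Write-Warning "$($left.Count) item(s) still encrypted; do not re-migrate yet."
    $failed
    $left | Select-Object -ExpandProperty FullName
} else {
    "No encrypted items remain; the profile can be reassigned (step 7)."
}
```

Files that fail to decrypt here were most likely encrypted under a different account's EFS key, so the list of failures is worth keeping before any further profile changes are made.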


Posted By: advantage
Date Posted: 28 Oct 2009 at 12:27pm
Thanks for the quick reply!

I will give it a try.

What do you mean by copy vs. move? I didn't see an option to do one or the other. The encrypted files show up under the profile for the domain user account now, along with everything else.


Posted By: Support
Date Posted: 28 Oct 2009 at 2:57pm
You mentioned the files being "copied back" to the user's local profile. I was concerned that if they had been moved from the original profile you might have problems. It doesn't sound like that's the case though.


Posted By: advantage
Date Posted: 28 Oct 2009 at 3:15pm
Thumbs Up

They are decrypted. Thank you!

Re: previous confusion - OK, I thought you were referring to copying or moving the profile initially. I did in fact copy the encrypted files to the old profile; in fact I had to use ntbackup to get around some "access denied" issues.

I also had to take the PC off the domain to get around password policy rules because the original password did not meet the policy requirements. But once all that was done, I was able to decrypt the files. I am now re-running Profwiz to put the PC back onto the domain and migrate the profile again.

Thanks again!


Posted By: macky.patio
Date Posted: 08 Jan 2012 at 5:24am
Hi, sorry for bringing up this post, but I have the same problem. I am a little bit confused about what you have said: "copy the encrypted data to the other profile (and did not move it)". Does it mean that I have to copy the encrypted files to the old profile? Or do I just need to migrate it back using ForensiT? If I do need to copy those encrypted files, how will I do that? TIA.


Posted By: Support
Date Posted: 08 Jan 2012 at 6:11am
User Profile Wizard does not move, copy or delete any files, so as long as you have not moved or copied anything the above procedure should work.

The confusion arose because of the way the original question was asked. You do not have to move or copy anything.


Posted By: macky.patio
Date Posted: 09 Jan 2012 at 6:05am
I believe User Profile Wizard just changes the profile path of the local machine to the domain (by registry or something like that), cmiiw. Does it trigger the encryption of the files?


Posted By: Support
Date Posted: 09 Jan 2012 at 6:21am
No, User Profile Wizard does not trigger the encryption of files. This thread deals with files encrypted before a profile is migrated.


Posted By: murga
Date Posted: 20 Oct 2021 at 12:37pm
Hi there,

I tried without success. In step 2 I logged on using a local admin account before running User Profile Wizard. Is this correct, or should I use a domain admin account?

The profile migrated from the domain without problem, but the files remained encrypted with no possibility of decrypting them.

Thanks in advance!




Posted By: Support
Date Posted: 20 Oct 2021 at 4:59pm
It doesn't matter what Administrator account you use.

The profile just needs to be re-migrated back to the original user account.


