Full Disclosure mailing list archives

Re: Microsoft EFS
From: Thomas Springer <tuevsec () gmx net>
Date: Wed, 12 Oct 2005 23:03:48 +0200

EFS-stuff is tricky. Let me drop a few hints (on XP/2003 only!)

EFS files are encrypted for the currently logged-in user (be it a domain user
or a local user).
By default, EFS also encrypts to the key of a "default recovery agent",
which is the local administrator or, if you are a domain user, the

ONLY these two accounts (user and recovery agent) can decrypt the files.
If your machine is part of a domain AND the files are encrypted with a
domain account, the only way to get the data back is cracking the domain password.

I did a little Q&A months ago for our internal stuff; maybe this helps to make things clearer. And remember: the following applies to XP/2003. EFS on Win2k is different (and insecure).

How is it encrypted?
Depending on version/service pack: with 3DES, DESX or 256-bit AES.
XP SP1 offers you a registry key to choose the cipher:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS
AlgorithmID (DWORD)
  3DES:    0x6603
  DESX:    0x6604
  AES-256: 0x6610

Where is the key hanging around physically?
The encrypted keys live in
 \\<yourprofile>\Application Data\Microsoft\Crypto\RSA\{SID}\...

Can I back up/export the key?
Yes. Start a cmd.exe and say  cipher.exe /x [filename]
This saves a password-protected copy of your EFS key.

How can I check who can access an EFS-encrypted file (e.g. who's the recovery agent for a specific file)?
Start a cmd.exe and say   efsinfo.exe /c /r /u

Does it help if I back up the above-mentioned key from my profile directory?
No. Your local key file is encrypted with a random key and your
user password. Windows changes this random key part every 60 days. Your
backup would be useless then. If you change your Windows (or
domain) password, the key also gets updated automagically.

What happens if a Windows administrator (or Linux user with a
boot disk) resets my password (be it on the domain controller or locally)?
You no longer have access to your EFS-encrypted files, because your keys
in the above-mentioned directories are garbled with your OLD
user password. If you (or somebody else) reset your account password
remotely, the key files on your machine won't get re-encrypted and are therefore useless afterwards. Hey man, after all you wouldn't want a simple domain admin to read your encrypted data, would you?
Hopefully you have backed up your EFS key using cipher.exe. Otherwise
you'll have to consult your recovery agent!

Depending on your OS and SP, cipher.exe and efsinfo.exe might not be
installed on your machine - but you can get these tools and other
valuable information from Microsoft.

If you have anything to do with EFS, I'd definitely recommend reading and understanding http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx#EIAA before you start doing anything! This is ESSENTIAL information and contains links to the newest cipher.exe, efsinfo.exe and other tools!

Hope this helps

Thomas Springer

Do you know how this will work for a machine that is part of a domain?
Where there are no local users and the default recovery agent is the "Domain Admin"

I know that one can always hack the local admin PW, then unjoin the domain, but where does that leave the machine.
Is there any way to hack the "nonce" PW?
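The AlgorithmID registry value from the Q&A above, turned into an added configuration check (example code, not from the original post or from Microsoft). It assumes the key path and the three DWORD codes quoted in the message, and the function names Get-EfsAlgorithm and Set-EfsAlgorithmAes256 are hypothetical:

```powershell
# Added example: report which cipher the XP/2003 EFS AlgorithmID value selects
# and flag the legacy choices. Registry path and codes are taken from the post.
$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

# AlgorithmID codes listed in the post and the cipher each one selects.
$AlgorithmNames = @{
    0x6603 = '3DES'
    0x6604 = 'DESX'
    0x6610 = 'AES-256'
}

function Get-EfsAlgorithm {
    [CmdletBinding()]
    param([string]$KeyPath = $EfsKey)

    $item = Get-ItemProperty -Path $KeyPath -Name 'AlgorithmID' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit value: the OS falls back to its built-in default for this SP.
        return [pscustomobject]@{ AlgorithmID = $null; Name = 'not set (OS default)'; Weak = $null }
    }

    $id   = [int]$item.AlgorithmID
    $name = if ($AlgorithmNames.ContainsKey($id)) { $AlgorithmNames[$id] } else { 'unknown' }

    [pscustomobject]@{
        AlgorithmID = ('0x{0:X4}' -f $id)
        Name        = $name
        # Anything other than AES-256 (3DES, DESX or an unknown code) is flagged.
        Weak        = ($name -ne 'AES-256')
    }
}

function Set-EfsAlgorithmAes256 {
    # Sets the value to AES-256; needs administrative rights. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$KeyPath = $EfsKey)

    if ($PSCmdlet.ShouldProcess($KeyPath, 'Set AlgorithmID to 0x6610 (AES-256)')) {
        Set-ItemProperty -Path $KeyPath -Name 'AlgorithmID' -Value 0x6610 -Type DWord
    }
}

# Report the current setting; call Set-EfsAlgorithmAes256 -WhatIf to preview a change.
Get-EfsAlgorithm
```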

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/