Decrypting files using the local Administrator account
In Windows XP and later, there is no default local Data Recovery Agent and no requirement to have one. Setting SYSKEY
to mode 2 or 3 (syskey typed in during bootup or stored on a floppy disk) will mitigate the risk of unauthorized decryption through the local Administrator account. This is because the local user's password hashes, stored in the SAM
file, are encrypted with the Syskey, and the Syskey value is not available to an offline attacker who does not possess the Syskey passphrase/floppy.
Files encrypted with EFS can only be decrypted by using the RSA private key(s) matching the previously-used public key(s). The stored copy of the user's private key is ultimately protected by the user's logon password. Accessing encrypted files from outside Windows with other operating systems (Linux
, for example, or even another instance of Windows) is not possible...Further, using special tools to reset the user's login password will render it impossible to decrypt the user's private key and thus useless for gaining access to the user's encrypted files.