How to crack Windows EFS-encrypted files

EFS (Encrypting File System) is a practical function unique to Windows 2000/XP: files and data on NTFS volumes can be encrypted directly by the operating system, which greatly improves the security of the data. EFS encryption is based on a public-key policy; the encrypted file is produced using a File Encryption Key (FEK) and the DESX algorithm. If you are logged into a domain environment, key generation depends on the domain controller; otherwise it depends on the local machine. Below, System Home uses an example to introduce how to crack EFS-encrypted files.

The company recently recruited many new employees, but because its computer equipment is limited, several new employees have to share a single computer. For convenience, each user created their own account so that they do not interfere with each other. To prevent others from peeking at his files, Xiao Wang stored all his important documents in a folder on the D drive, then clicked the "Advanced" button in the "General" panel of the folder's properties window and, in the window that opened, checked the "Encrypt content to protect data" item, using the EFS encryption built into Windows to encrypt the folder. In this way, nobody except Xiao Wang himself could access the documents inside. The bad news is that Xiao Wang left the company a few days later. When the boss asked Xiao Sun to find an important document of Xiao Wang's, Xiao Sun was dumbfounded. Faced with Xiao Sun's embarrassment, his colleague Xiao Li helped out: he broke through the encryption barrier and easily retrieved Xiao Wang's important documents. How did Xiao Li do it? Read on.

We know that EFS (Encrypting File System) is a utility function built into Windows XP that encrypts files and data on NTFS partitions, greatly improving data security.
The reason Xiao Li could break the protection of the EFS encryption algorithm is the "recovery agent" mechanism provided by the system, which allows a designated user to read all encrypted files. Of course, this approach only applies to a multi-account environment, because the shared computer has several accounts with administrator privileges. Xiao Wang used the "Administrator" account, and another colleague used the account "hongyun" on the same machine, which also has administrator privileges. Xiao Li used the "hongyun" account to easily break through the shackles of the encryption.

Xiao Li first logged in to the system with the "hongyun" account, then ran "cmd.exe" from "Start"→"Run". In the CMD window, he first switched to the root directory of the C drive and then executed the command "cipher /r:mykey"; note that "mykey" is the name of the exported key files. The system then prompts for a password (as shown in Figure 1). The password Xiao Li entered was "key123456789"; of course, the password can be chosen freely. This generates two files in the root directory of the C drive, with the extensions "cer" and "pfx". In this example the generated files are "mykey.cer" and "mykey.pfx", where "mykey.cer" is the public-key certificate file and "mykey.pfx" is the recovery agent's private-key certificate file.

Next, open the Group Policy Editor by running "gpedit.msc" from "Start"→"Run". In the list on the left side of the window, expand the "Computer Configuration"→"Windows Settings"→"Security Settings"→"Public Key Policies"→"Encrypting File System" branch, choose "Add Data Recovery Agent" from its right-click menu, and the wizard interface pops up (Figure 2). In the "Select Recovery Agents" window, click the "Browse Folders" button, import the previously created "mykey.cer" file in the file selection window, and then click "Next" to complete the operation.
In Explorer, go to the "Xiaowang's File" folder on the D drive, open the "General" panel in the properties window of any file, and click the "Advanced" button; in the Advanced Attributes window, click the "Details" button, and you can see the recovery agent entry you just created in the information window (Figure 3). Double-click the generated file "mykey.pfx" to pop up the Certificate Import Wizard (Figure 4), click "Next", and enter the password "key123456789" set earlier in the "Password" window to complete the certificate import. When the above operations are complete, open the "Xiaowang's File" folder on the D drive in Explorer and double-click an encrypted file to access its contents. In this way, almost without effort, Xiao Li successfully recovered Xiao Wang's encrypted files.

Tip: Although the above method can retrieve EFS-encrypted files, this does not mean there is a hidden flaw in the EFS encryption of Windows. The premise of this method is a multi-account environment in which several accounts have administrator rights and the Windows default encryption configuration is in use. How do you eliminate this security risk? The countermeasure is to use permissions to forbid other users from accessing the EFS-encrypted files at all. Open the "Security" panel in the properties window of the EFS-encrypted file or folder, click the "Advanced" button, and in the Advanced Security Settings window open the "Permissions" panel and uncheck the item "Allow inheritable permissions from the parent to propagate to this object and all child objects". Then use the "Remove" button to delete all other accounts from the permission list, keeping only your own account. After such permission settings, the security of the EFS-encrypted files can be guaranteed.

EFS encryption questions and answers:

1. Why don't I need to enter a password when opening an encrypted file?
This is a feature of EFS encryption and the best proof of how tightly EFS is integrated with the operating system. Unlike general-purpose encryption software, EFS does not rely on double-clicking the file, popping up a dialog box, and entering the correct password to confirm the user; the user confirmation for EFS is already done when you log in to Windows. Once you log in with the appropriate account, you can open any of your encrypted files without providing any additional password.

2. My encrypted files cannot be opened. Can I convert the NTFS partition to a FAT32 partition to rescue my files?

This is of course impossible. Many people have tried various methods, such as converting the NTFS partition to FAT32, or using software such as NTFSDOS under DOS to copy the files to a FAT32 partition, but these attempts all fail. After all, EFS is encryption, not an ordinary permission, and these methods do nothing against EFS encryption. So if your key is lost and was not backed up, all the encrypted data is lost in the event of an accident.

3. I reinstalled the operating system after encrypting my data, and now the encrypted data cannot be opened. If I use the same username and password as in the previous system, it should be fine, right?

This is of course not acceptable. As we saw earlier, the keys that EFS depends on are derived from each user's SID. Although you use the same username and password in the new system, the user's SID has changed. Think of it as two people with the same name: although their names are the same, their fingerprints can never be the same, so this idea is of course ineffective against an EFS system that only recognizes fingerprints and not names.

4. Is data encrypted by EFS absolutely safe?

Of course not; security is always relative. Take a file encrypted by EFS as an example.
Without the appropriate key the encrypted file cannot be opened, but it can still be deleted (some petty people really do think this way: "You dare encrypt it so I can't see it? Fine, I'll just delete it, and nobody gets to see it"). So for important files, the best practice is to combine NTFS permissions with EFS encryption. That way, an unauthorized user without the appropriate permissions cannot access the protected files and folders; and even if they obtain permissions (for example by reinstalling the operating system to get at important data and assigning themselves permissions as the new administrator), without the key they still cannot decrypt the files.

5. I just used Ghost to restore the system. The user account and the corresponding SID have not changed, so why can't the previously encrypted files be opened?

This is also normal, because the keys used for EFS encryption are not generated when the user is created, but when you first encrypt a file with EFS. If you had not encrypted any files before creating the system image with Ghost, there was no key in your system, and the image created from such a system certainly does not include one. Once you encrypt files and then use Ghost to restore the system to the state in which the image was created, the key needed to decrypt the files is lost. So pay attention to this problem!

This article comes from [System Home] www.xp85.com
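The two defensive points above, checking whether a recovery agent has been attached to your encrypted files (the technique the article walks through) and combining NTFS permissions with EFS (the countermeasure in the Tip and in answer 4), as an added PowerShell example that is not from the original article. It assumes Windows Vista or later (for cipher.exe /c) and the exact section labels of cipher /c output; the folder path is a placeholder.

```powershell
# Added example: audit who can decrypt EFS files under a folder and optionally
# lock the folder down to the current account. Not from the original article.
param(
    [string]$Root = "D:\Xiaowang's File",   # placeholder path, assumed
    [switch]$Harden                          # also apply the NTFS countermeasure
)

function Get-EfsDecryptors {
    param([string]$Path)
    # 'cipher /c' lists the users and recovery certificates able to decrypt a file
    # (assumption: Vista+ cipher.exe and its English section labels).
    $text = (& cipher.exe /c "$Path" 2>&1) -join "`n"
    $users = @(); $agents = @()
    if ($text -match '(?s)Users who can decrypt:\s*(.*?)\n\s*\n') {
        $users = ($Matches[1] -split "`n") | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -and $_ -notmatch '^Certificate thumbprint' }
    }
    # With no agent, cipher prints "No recovery certificate found." and this stays empty.
    if ($text -match '(?s)Recovery Certificates:\s*(.*?)\n\s*\n') {
        $agents = ($Matches[1] -split "`n") | ForEach-Object { $_.Trim() } |
                  Where-Object { $_ -and $_ -notmatch '^Certificate thumbprint' }
    }
    [pscustomobject]@{ Path = $Path; Users = $users; RecoveryAgents = $agents }
}

# Only files carrying the NTFS Encrypted attribute are EFS-protected.
$encrypted = Get-ChildItem -Path $Root -Recurse -File |
             Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

foreach ($f in $encrypted) {
    $info = Get-EfsDecryptors -Path $f.FullName
    $flag = if ($info.RecoveryAgents.Count -gt 0) { '<-- RECOVERY AGENT PRESENT' } else { '' }
    "{0}`n  users:  {1}`n  agents: {2} {3}" -f $info.Path, ($info.Users -join '; '),
        ($info.RecoveryAgents -join '; '), $flag
}

if ($Harden) {
    # Countermeasure from the article: stop inheriting the parent's permissions and
    # keep only the current account (full control, inherited by sub-folders and files).
    $me  = "$env:USERDOMAIN\$env:USERNAME"
    $acl = Get-Acl -Path $Root
    $acl.SetAccessRuleProtection($true, $false)          # break inheritance, drop inherited ACEs
    foreach ($r in @($acl.Access)) { [void]$acl.RemoveAccessRule($r) }   # drop explicit ACEs
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Root -AclObject $acl
}
```

Run the audit first; a file that lists a recovery agent you did not add yourself is exactly the situation the article describes, and it is not undone by the ACL change, which only stops other accounts from reaching the file.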