Windows EFS locking me out of my files. What to do?
June 9, 2011 1:48 AM

Windows XP is denying access to EFS encrypted files for seemingly no reason. Please help.

Today after booting up my computer and logging in to my user account as always, Windows XP SP3 began to forbid access to files previously encrypted with EFS by my user account. I did not change any password, install any new program, or update Windows yesterday. I try to decrypt them with administrator privileges but it doesn't work (which is how it is supposed to work, I reckon).

The only odd things I noticed were:

1. Late yesterday I got a prompt from Windows firewall saying explorer.exe was requesting access to the network (I did not allow it), and again today as soon as Windows started the first time (but not after subsequent restarts).

2. According to Spybot, I had a new registry startup entry for "wewyy.exe" on Docs.../[Username]/Appdata/Agtab. I deleted both file and startup entry and on restart they're not there anymore. I did a flash scan with Malwarebytes and it detected nothing.

3. I did a scan with RootkitRevealer from Sysinternals and it noticed a mismatch between API and raw hive data from the Cryptography\RNG\Seed but Google tells me that's supposed to be normal.

I should probably also note that, along with Windows firewall, I use a hardware firewall in my modem, and SuRun for always working as a limited account.

Any ideas what to do? Please ask for more details if needed.
posted by Bangaioh to Computers & Internet (13 answers total)
 
I try to decrypt them with administrator privileges but it doesn't work (which is how it is supposed to work, I reckon).

No. No it doesn't. Unless the administrator is also the data recovery agent, he can't decrypt the files.

Have you tried this?
posted by I_pity_the_fool at 2:04 AM on June 9, 2011


Response by poster: Unless the administrator is also the data recovery agent, he can't decrypt the files

Yes, that's what I meant, the admin is NOT supposed to access the files.

Unless I misunderstood your linked article, I should have created the recovery agent before this happened, which I didn't ("No policy defined").
posted by Bangaioh at 2:27 AM on June 9, 2011


Response by poster: I should have stated this in the OP: while I would welcome the ability to regain access to the files, my main concern is knowing what caused this so it doesn't happen again. I've used EFS for 2+ years with no problems, and all of a sudden it decides to misbehave.

I have everything backed up so if I had to delete everything and re-encrypt with EFS it wouldn't be too much of a hassle, but I'm wary of doing so since there may be something more serious (malware?) behind this and that possibility is making me uneasy.
posted by Bangaioh at 3:10 AM on June 9, 2011


That startup item is definitely a good place to begin troubleshooting. Disable it with msconfig, submit the exe to VirusTotal. If it is malware (based on its name and location it's likely) the damage might be reversible. But it does no good having it in memory if it's running... and you'll want to find out exactly what it is to know whether any personal data has been compromised.
posted by samsara at 4:05 AM on June 9, 2011


Also run GMER to see if any additional rootkit activity is picked up on. Malwarebytes might also be useful...but like spybot, if it is a zero day piece of malware, it might take a few days before many AV/AM programs pick up on it. Immunet might be a good AV solution to run next to your existing one, as it may get updates on threats from the cloud quicker than an updated DAT.

Also, this recent MeFi post may come in handy for securing your XP environment from future infections. It might be best to start looking into Windows 7, however, as XP support ended in 2009, with extended support on critical updates ending in 2013.
posted by samsara at 4:16 AM on June 9, 2011


Response by poster: Bummer. I deleted the suspicious file and startup entry and using Recuva I can now only find WEWYY.EXE-36EDBB3F.pf from C:/WINDOWS/Prefetch. I submitted that to VirusTotal and it is currently unknown. It was not running when I deleted it, at least according to Process Explorer.

I did a full scan with the paid version of Malwarebytes and it found 0 problems. I'm now scanning with GMER and it sure is verbose... I hope it highlights any unusual entries in red or something like that because I can't make heads nor tails of this.
posted by Bangaioh at 4:56 AM on June 9, 2011


Response by poster: samsara, I read your comment from that earlier AskMe and I'll add that in addition to using SuRun as previously stated, I also use dropmyrights in my browsers (although I do use Privoxy as well and can't get dropmyrights to work with it). I'll now try MSE.
posted by Bangaioh at 5:05 AM on June 9, 2011


Hrmm, you could try PC Inspector to try recovering that deleted file. Even though it is deleted, it might still be intact on the disk.

Dropmyrights is a good thing to use if you have to be a local admin, though not quite as good as running as a user. Reason being, when you reboot your PC, any profile-based startup items suddenly gain admin rights when your account is a local admin. Some malware out there is written to make use of EFS to hide itself, so you might have a case of a bad or corrupted certificate. You might want to check your event logs and services to make sure your cryptography engine is running correctly (right-click My Computer, Manage...).

It's hard to tell so far what's going on without more detail, but you could try some common workarounds to see if they address similar issues. For XP, Dial-a-Fix still does a decent job. You could run the cryptography fix within it just to make sure that component isn't damaged (there's also a security fix under the hammer icon which will reset your ACLs to normal). If you have backups of your certificates used for EFS, you could try re-importing them.
posted by samsara at 5:16 AM on June 9, 2011


Response by poster: I have no backups of the certificates. I will try DAF after trying MSE after GMER finishes whatever it's doing. The event logs showed nothing out of the ordinary in the past few days but I deleted them earlier today after examining them.

I shredded the file as soon as I saw the startup entry, so I'm pretty sure it's unrecoverable now.

Oh, GMER just finished and apparently didn't find anything. Many thanks for helping, I will try the others now.
posted by Bangaioh at 5:33 AM on June 9, 2011


Don't just run Spybot. Run malwarebytes, run Kaspersky utilities (the tdss one first). See what they find.
posted by I-baLL at 5:49 AM on June 9, 2011


Oh one more thing, I always forget this step. If you have System Restore active, try restoring your system state to a point before the problems began. Between that and resetting permissions, I think the next best thing to do would be a full redo on the system with a restore from backup, then implementing some additional malware prevention techniques. I don't think I'd trust the stability of your current system state for handling EFS. It might also be a good idea to make a backup of the EFS keys to a thumbdrive, stored in a home safe or safety deposit box...just in case, for recovery purposes.
posted by samsara at 7:06 AM on June 9, 2011
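The key backup samsara recommends, together with the check that tells whether an account still holds the private key a file was encrypted with, as an added PowerShell example that is not part of this thread. It assumes Windows 7 or later (for cipher /c) and a hypothetical file path.

```powershell
# Added example, not from the thread: inventory this account's EFS certificates,
# show which certificate thumbprints a given encrypted file will accept, and back
# the certificates up with their private keys. $Target is a hypothetical path.
param(
    [string]$Target     = 'C:\Users\Example\Documents\old-encrypted.txt',
    [string]$BackupBase = "$env:USERPROFILE\efs-keys-$(Get-Date -Format yyyyMMdd)"
)

# Enhanced Key Usage OID that marks a certificate as usable for Encrypting File System.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'

# 1. EFS certificates in the current user's personal store. A file can only be
#    decrypted by this account if one of the thumbprints recorded in the file
#    matches an entry here whose HasPrivateKey is True.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $EfsEku
}
'EFS certificates held by this account:'
$efsCerts | Format-Table Thumbprint, NotBefore, NotAfter, HasPrivateKey -AutoSize

# 2. Thumbprints stored in the file's own EFS metadata (users and recovery agents).
#    If none of them appears in the list above with a private key, the symptom is
#    the one in the thread: new files open, old ones do not.
"Certificates recorded in $Target :"
cipher /c $Target

# 3. Back up the account's EFS certificate(s) and private key(s) to a PFX.
#    cipher prompts for a password; move the resulting file off this machine.
cipher /x:"$BackupBase"
```

Importing the PFX on a rebuilt system (certutil -user -p <password> -importPFX <file>, or the Certificates MMC snap-in) restores the ability to open files encrypted under that certificate.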


Response by poster: OK, so MSE detected nothing but TrojanClicker:Win32/Yabector.A, TrojanClicker:Win32/Yabector.gen and Adware:Win32/OpenCandy.

I don't think they were the cause of the problem because they have been present in my system for literally months, since they were bundled with EAC, Unlocker, and MediaInfo; perhaps they're even false positives, since Malwarebytes (I have the full version) never complained about any of them. I removed them all anyway.

I don't have System Restore active, and have no OS backups to restore from (my important data is all safely backed up though). I'll now try DAF.
posted by Bangaioh at 2:56 PM on June 9, 2011


Response by poster: Ran the Kaspersky utilities and they found nothing as well. Tried DAF, didn't work. I can create and open new EFS-encrypted files with no problems, but the old ones remain unreadable despite the owner still being my user account as expected. I checked the user accounts on Computer Management and everything appears OK.

I'd appreciate any other suggestions, but unfortunately it seems that the upgrade to 7 will need to happen sooner than I anticipated.

Anyhow, thank you all for your help.
posted by Bangaioh at 4:39 PM on June 9, 2011

