Can't access encrypted files after reboot on Windows 10

I’ve got an unexpected problem today on my Windows 10 notebook.

  1. At some moment the system became unresponsive – high CPU usage (cooler fan got noisy); the mouse cursor moves, but I can't click anything and the keyboard is completely dead (Ctrl+Alt+DEL does not work)
  2. After waiting for around 10-20 seconds I turned the notebook off via the power button
  3. After restart – I can’t open any encrypted file (some subfolders are encrypted)

I’m looking for a way to restore access. I did not create a backup of the encryption key (note: the system was prompting me to do this over the last weeks).

So far I looked into the properties of the encrypted files and see a strange thing:

  1. File properties -> Advanced -> Encrypt … Details: I can see ‘myself’ in the list of ‘users who can access this file’. But when I click "Back up keys…" it says "Certificate or key is not available for export on this machine. Error code: 1f"
  2. There, when I click “Add” user – I see 3 “My” users in “More choices”, each with a different certificate, and one of them has the same thumbprint as the already added user (issued 21.08.2021 – approximately the time I set up the system; the two others issued 14.12.2021 and 16.12.2021). However adding any user fails with the error “To add users to this file, you must have access to the file and Write and Modify permission for it” (I’m an administrator on the machine and the owner of that file – therefore I definitely have that permission)
  3. I tried exporting the certificate seen in step 2 (issued 21.08.2021) – but the option to “export with private key” is disabled, although the ‘certificate properties’ displayed there mention ‘you have a private key that corresponds to this certificate’
  4. I tried looking for certificates in “Manage User Certificates” -> Personal. There I found only a certificate issued 4 days ago (16.12.2021).

I suspect access will be restored if I somehow add the mentioned certificate issued 21.08.2021 into the current Personal store, but I can’t find how to export it with the private key (which it says “I have”).

Any ideas about what has happened and how it can be fixed are welcome.


Solution 1:

I “mostly” managed to fix this – “mostly” because the solution worked for the major subset of files and failed for a few fresh files.

OK, here is what I’ve identified:

  1. Certificates, which the system supposes for usage in encryption, reside in certmgr.msc -> Trusted People > Certificates

     (Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates)

  2. Valid certificates, when right-clicked -> All Tasks -> Export, provide the option “Yes, export private key”.

  3. Invalid certificates have the option “Yes, export private key” grayed out, even when showing “You have a private key that corresponds to this certificate” in certificate properties

  4. It looks like private keys are stored in C:\Users\[user]\AppData\Roaming\Microsoft\Crypto\RSA\[user-sid]\*

  5. Things go wrong when the private key is missing (or inaccessible due to permissions)

In my case – the file with the private key was missing. This was identified with the help of ProcessMonitor from SysInternals – when trying to start the export of the certificate, look for NO SUCH FILE in the captured events.

And … the potential root cause – lately I was using some portable app which, I suppose, was created with the help of VMWare Thin App. The missing private key was found in its own backup folder of RSA keys. I have no idea why it does so, but 2 new encryption certificates were created last week and I suppose the system silently did this because the existing encryption key became corrupted, and most probably that happened because of some wrong actions by VMWare Thin App.

Access to encrypted files was immediately restored when I copied the missing private key from the backup into the mentioned Crypto\RSA\[user-sid]\ folder.

I suspect the system prompted to back up an encryption key each time it created a new one, without mentioning that the previous one was corrupted.

I could not find the private key for one of the lately created encryption keys … therefore I’ve lost access to a few newly created files in encrypted folders, the ones which were created with the new encryption keys.
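The same diagnosis can be scripted from PowerShell. The block below is an added example (not code from the question or the answer): it lists the EFS certificates in the Personal and Trusted People stores, maps each one to its key file under the Crypto\RSA\<user-sid> folder the answer identified, and reports whether that file exists. It assumes Windows PowerShell 5.1 run as the affected user and EFS keys held by a legacy CSP (the usual case); the function names are mine.

```powershell
# Added example; not code from the thread. Assumes Windows PowerShell 5.1 run as
# the affected user, and EFS keys held by a legacy CSP (the usual case for EFS).
$efsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System
$userSid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$rsaKeyDir = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$userSid"

function Get-EfsCertificate {
    # Certificates carrying the EFS EKU, from both stores the answer mentions.
    Get-ChildItem Cert:\CurrentUser\My, Cert:\CurrentUser\TrustedPeople | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $efsEkuOid)
    }
}

function Test-EfsKeyFile {
    # Resolve each certificate's CSP key container to its on-disk file and report
    # whether it is present. HasPrivateKey=True with a missing key file is exactly
    # the "export with private key greyed out" symptom described in the thread.
    foreach ($cert in Get-EfsCertificate) {
        $keyFile = $null; $found = 'n/a'
        try {
            $info = $cert.PrivateKey.CspKeyContainerInfo   # throws when the key is unusable
            if ($info) {
                $keyFile = Join-Path $rsaKeyDir $info.UniqueKeyContainerName
                $found   = Test-Path -LiteralPath $keyFile
            }
        } catch { $found = "error: $($_.Exception.Message)" }
        [pscustomobject]@{
            Store         = ($cert.PSParentPath -split '\\')[-1]
            Thumbprint    = $cert.Thumbprint
            Issued        = $cert.NotBefore.ToString('yyyy-MM-dd')
            HasPrivateKey = $cert.HasPrivateKey
            KeyFile       = $keyFile
            KeyFileFound  = $found
        }
    }
}

# Which certificate thumbprint(s) protect a given encrypted file:
#   cipher.exe /c 'C:\path\to\encrypted\file.txt'
# Once a working key is in place, back it up so this cannot recur:
#   cipher.exe /x "$env:USERPROFILE\efs-backup"   # writes efs-backup.pfx
Test-EfsKeyFile | Format-Table -AutoSize
```

Compare the thumbprints printed by `cipher /c` for an unreadable file with the rows whose KeyFileFound is False or an error; those are the certificates whose key file needs to be restored, as the answer did from the app's backup folder.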