Accessing EFS-encrypted files after resetting Windows password

I have some EFS-encrypted files in Windows. The owning user account is protected by a password, which can be easily bypassed (i.e. reset) by many tools and methods.

So what will happen to these encrypted files if that happens? Will they be accessible to the attacker? Or will they still be protected and require the encryption key to access them?


The user's EFS private key, as well as various other private data kept by Windows, is encrypted using the user's password. If the password is changed, it is impossible to decrypt the private keys, and without that, it is impossible to access the encrypted files.


The existing answer is correct in that the EFS private key is protected by the user's password. However, it is possible to configure EFS Data Recovery Agents that can decrypt any EFS-encrypted file on a system. DRA certificates are set via Group Policy, or Local Security Policy if you don't have a domain.

DRAs have such access because when a system receives the public key of the DRAs, it encrypts the symmetric key of each encrypted file with each DRA's public key in addition to the user's public key. Thus, DRAs can only recover encrypted files if they were created or opened after their certificate was registered.

So, depending on your configuration, it could be possible to recover the data even after resetting the owner's password. DRA keys are also protected by the DRA's password, but a crafty attacker would install a DRA certificate for a new user, wait for you to touch the target files, then take advantage of the certificate to decrypt them.

Note that this recovery option does not apply to DPAPI-protected data, as the DPAPI does not respect EFS DRAs. You're in for some pain if you need to recover such data.
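The two answers above describe the chain (logon password protects the DPAPI master key, which protects the EFS private key, which protects each file's key) and the Data Recovery Agent caveat that a DRA only covers files re-written after its certificate is registered. The following PowerShell walk-through is an added example and is not part of either answer; the demo path C:\Temp\efs-demo.txt and the certificate name EFSRecovery are illustrative choices, the sample file content is constructed, and it assumes an elevated session on a Windows machine with NTFS and EFS available. Adding the DRA certificate itself is done in the Local Security Policy GUI, as the answer says; the rest is driven with cipher.exe and the certificate provider.

```powershell
# Added example (not from either answer). Assumed names: the demo file path
# and the "EFSRecovery" DRA certificate name are illustrative. Run elevated.
$ErrorActionPreference = 'Stop'
$demoFile = 'C:\Temp\efs-demo.txt'
New-Item -ItemType Directory -Path (Split-Path $demoFile) -Force | Out-Null
'constructed sample data, not a real secret' | Set-Content -Path $demoFile

# 1. Encrypt the file with the current user's EFS certificate (created on
#    first use if the user does not have one yet).
cipher.exe /e $demoFile | Out-Null
$isEncrypted = ((Get-Item $demoFile).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
"Encrypted attribute set: $isEncrypted"

# 2. The user's EFS certificate sits in the personal store. Its private key
#    is stored under %APPDATA%\Microsoft\Crypto\RSA\<SID> and is wrapped by a
#    DPAPI master key under %APPDATA%\Microsoft\Protect\<SID>; that master key
#    is derived from the logon password. A normal password change re-wraps the
#    master key, an offline password reset does not, which is what strands
#    the EFS private key.
$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
    Select-Object Subject, Thumbprint, NotAfter
Get-ChildItem -Force -Directory "$env:APPDATA\Microsoft\Protect" |
    Select-Object Name, LastWriteTime

# 3. Show who can decrypt the file right now. With no DRA configured, the
#    output lists only the owner's certificate and no recovery certificate.
cipher.exe /c $demoFile

# 4. Generate a recovery agent certificate and private key. cipher /r writes
#    EFSRecovery.cer (public, to register as DRA) and EFSRecovery.pfx
#    (private key, protected by the password it prompts for; keep it offline).
#    Register the .cer in secpol.msc: Public Key Policies > Encrypting File
#    System > Add Data Recovery Agent, then refresh policy.
Set-Location (Split-Path $demoFile)
cipher.exe /r:EFSRecovery
gpupdate.exe /force | Out-Null

# 5. The already-encrypted file does NOT pick up the DRA by itself: its file
#    encryption key was wrapped only with the owner's public key. cipher /u
#    touches every encrypted file on local drives and re-wraps each file key
#    with the current user and recovery-agent keys, which is the documented
#    way to close the "only files touched afterwards" gap from the answer.
#    It walks all local drives, so expect it to take a while on large volumes.
cipher.exe /c $demoFile      # still no recovery certificate listed
cipher.exe /u
cipher.exe /c $demoFile      # EFSRecovery now appears as a recovery certificate
```

Run steps 3 and 5 side by side to see the point the second answer makes: until `cipher /u` (or a rewrite of the file) happens, the DRA cannot open a file that was encrypted before it was registered, so a DRA added after a password reset does nothing for the data you have already lost access to. The same check is useful from the defensive side: `cipher /c` on a sensitive file that lists a recovery certificate you did not configure is exactly the attacker pattern the answer describes.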