If you view Encrypting File System (EFS) files on a computer that is running Windows Server 2003, Windows XP, or Windows 2000, the encrypted files may appear to be corrupted or filled with random characters.

Back to the top

This behavior occurs if these files were encrypted on a computer that was running Windows XP Service Pack 1 (SP1) or later or Windows Server 2003. By default, Windows XP SP1 (or later) and Windows Server 2003 use the Advanced Encryption Standard (AES) algorithm for encrypting files with EFS. Windows 2000 and Windows XP do not support the AES algorithm and cannot access these files.

Back to the top

To resolve this behavior, access the encrypted files by using Windows XP SP1 (or later) or Windows Server 2003.

Back to the top

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
To work around this behavior, configure the Windows XP SP1-based computer to encrypt files by using an algorithm that is supported by the other operating systems that access the files. To do so:

1.	Decrypt all the EFS encrypted files in Windows XP SP1.
2.	On the Windows XP SP1-based workstation, start Registry Editor.
3.	Locate and then click the following key in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS
4.	On the Edit menu, click Add Value, and then add the following registry value: Value name: AlgorithmID Data type: REG_DWORD Radix: Hexadecimal Value data: Use any of the values from the following list: • 3DES: 0x6603 (This value is compatible with Windows XP and later.) • DESX: 0x6604 (This value is compatible with all versions of Windows 2000 and Windows XP.) • AES_256: 0x6610 (This is the default value. It is compatible with only Windows XP SP1 and later.)
5.	Quit Registry Editor.
6.	Restart the Windows XP SP1-based workstation.
7.	Encrypt the files again using either operating system.

Important The same certificate and the associated private key must be available in the context of the user on all operating systems that will be accessing the files.

Back to the top

This behavior is by design.

Back to the top

EFS generates a new symmetric key called a File Encryption Key (FEK) for each file it encrypts. EFS uses this symmetric key to encrypt and decrypt the contents of the file. This FEK is then encrypted using the public keys in the certificates of the following users:

•	The user encrypting the files.
•	Any other users who are configured to use the file.
•	Any configured recovery agents.

The original (unencrypted) FEK is not saved. The algorithm that is described in this article refers to the symmetric encryption with the FEK, and not the public key operations with the users' private key on the FEK.

Notes:

•	Windows 2000 can only use the expanded Data Encryption Standard (DESX) algorithm for EFS encryption and decryption.
•	Versions of Windows XP earlier than SP1 can only use the expanded DESX or the Triple-DES (3DES) algorithm for EFS encryption and decryption.
•	Windows XP with SP1 or later can encrypt or decrypt files using DESX, 3DES, or AES.

For more information about 3DES and DESX, view the "Encrypting and Decrypting Data with Encrypting File System" topic in the Windows XP Help file.

For more information about the AES Cryptographic Provider in Windows, visit the following Microsoft Web sites: For more information about EFS, view the Encrypting File System in Windows XP and Windows Server 2003 white paper. To view this white paper, visit the following Microsoft Web site:

Back to the top