
Encrypting File System (EFS) files appear corrupted when you open them

Support for Windows Server 2003 ended on July 14, 2015


This article was previously published under Q329741
SYMPTOMS
If you view Encrypting File System (EFS) files on a computer that is running Windows Server 2003, Windows XP, or Windows 2000, the encrypted files may appear to be corrupted or filled with random characters, even though the data on disk is intact.
CAUSE
This behavior occurs if the files were encrypted on a computer that was running Windows XP Service Pack 1 (SP1) or later, or Windows Server 2003. By default, those systems use the Advanced Encryption Standard (AES) algorithm to encrypt file contents with EFS. Windows 2000 and the original release of Windows XP (before SP1) do not support AES and therefore cannot decrypt these files, which is why their contents appear as random data.
RESOLUTION
To resolve this behavior, access the encrypted files by using Windows XP SP1 (or later) or Windows Server 2003.
WORKAROUND
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

To work around this behavior, configure the Windows XP SP1-based computer to encrypt files by using an algorithm that is supported by the other operating systems that access the files. To do so:
  1. Decrypt all the EFS encrypted files in Windows XP SP1.
  2. On the Windows XP SP1-based workstation, start Registry Editor.
  3. Locate and then click the following key in the registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS
  4. On the Edit menu, point to New, click DWORD Value (in the older Registry Editor, Edit > Add Value), and then create the following value:
    Value name: AlgorithmID
    Data type: REG_DWORD
    Radix: Hexadecimal
    Value data: One of the following CryptoAPI algorithm identifiers (CALG_3DES, CALG_DESX, CALG_AES_256):
    • 3DES: 0x6603 (Files encrypted with this value can be read on Windows XP with any service pack and on Windows Server 2003, but not on Windows 2000.)
    • DESX: 0x6604 (Files encrypted with this value can be read on all versions of Windows 2000, Windows XP, and Windows Server 2003.)
    • AES_256: 0x6610 (This is the default. Files encrypted with this value can be read only on Windows XP SP1 or later and on Windows Server 2003.)
  5. Quit Registry Editor.
  6. Restart the Windows XP SP1-based workstation.
  7. Encrypt the files again, from either operating system: the Windows XP SP1-based computer now uses the algorithm you selected, and the other operating system uses the algorithm it supports natively.
Important The same certificate and the associated private key must be available in the context of the user on all operating systems that will access the files. Note also that AlgorithmID affects only files encrypted after the change; a file keeps the algorithm it was encrypted with, which is why step 1 decrypts everything first. DESX and 3DES are older and weaker ciphers than AES-256, so set a lower value only while computers that cannot use AES still need the files, and restore the default afterward.
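The workaround above as an added PowerShell example, not part of KB 329741 or any Microsoft tool. It reports the current setting and refuses to change it while encrypted files remain, then writes the value. The registry path and the AlgorithmID constants come from the steps above; the function names, the readability table and the filter applied to cipher.exe output are this example's own assumptions, and it must run from an elevated prompt on the computer that will encrypt the files.

```powershell
# Added example; not part of KB 329741. Run from an elevated PowerShell prompt on the
# Windows XP SP1 (or later) computer that will encrypt the files. The key path and
# the AlgorithmID constants come from the workaround above; the function names, the
# readability table and the filter on cipher.exe output are this example's assumptions.
$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

# CryptoAPI algorithm identifiers EFS accepts, with the platforms that can read files
# encrypted under each (from the Notes in this article).
$EfsAlgorithms = @{
    'DESX'    = @{ Id = 0x6604; ReadableOn = 'Windows 2000, Windows XP (all service packs), Windows Server 2003' }
    '3DES'    = @{ Id = 0x6603; ReadableOn = 'Windows XP (all service packs), Windows Server 2003' }
    'AES_256' = @{ Id = 0x6610; ReadableOn = 'Windows XP SP1 or later, Windows Server 2003' }
}

function Get-EfsAlgorithm {
    # Reports the configured FEK algorithm. A missing value means the platform default,
    # which is AES_256 on Windows XP SP1 and later and on Windows Server 2003.
    $prop = Get-ItemProperty -Path $EfsKey -Name AlgorithmID -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'AES_256 (default; AlgorithmID not set)' }
    foreach ($entry in $EfsAlgorithms.GetEnumerator()) {
        if ($entry.Value.Id -eq $prop.AlgorithmID) { return ('{0} (0x{1:X4})' -f $entry.Key, $prop.AlgorithmID) }
    }
    return ('unrecognised AlgorithmID 0x{0:X4}' -f $prop.AlgorithmID)
}

function Get-EfsEncryptedFile {
    # cipher.exe /U /N lists every encrypted file on local drives without touching it.
    # Only lines that start with a drive letter are kept (assumed output format).
    & cipher.exe /U /N 2>$null | Where-Object { $_ -match '^[A-Za-z]:\\' }
}

function Set-EfsAlgorithm {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][ValidateSet('DESX', '3DES', 'AES_256')][string]$Name)
    # Step 1: a file keeps the algorithm it was encrypted with, so refuse to change the
    # setting while encrypted files still exist (decrypt them with cipher /D first).
    $stillEncrypted = @(Get-EfsEncryptedFile)
    if ($stillEncrypted.Count -gt 0) {
        throw ("Decrypt these files first, then re-run:`n" + ($stillEncrypted -join "`n"))
    }
    # Steps 2 to 5: create or overwrite the REG_DWORD value.
    if ($PSCmdlet.ShouldProcess($EfsKey, "set AlgorithmID to $Name")) {
        New-ItemProperty -Path $EfsKey -Name AlgorithmID -PropertyType DWord `
                         -Value $EfsAlgorithms[$Name].Id -Force | Out-Null
        # Step 6: the change takes effect after a restart; step 7 is re-encrypting the files.
        Write-Warning ("AlgorithmID is now $Name. Restart before encrypting; files encrypted with " +
                       "$Name are readable on: " + $EfsAlgorithms[$Name].ReadableOn)
    }
}

Get-EfsAlgorithm
Set-EfsAlgorithm -Name DESX -WhatIf   # shows what would change without writing the registry
```

The -WhatIf call at the end only previews the registry write; drop it to apply the change, then restart and re-encrypt as in steps 6 and 7.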
STATUS
This behavior is by design.
MORE INFORMATION
EFS generates a new symmetric key, called the File Encryption Key (FEK), for each file it encrypts and uses that key to encrypt and decrypt the file's contents. The FEK is then encrypted with the public key from the EFS certificate of each of the following:
  • The user who encrypts the file.
  • Any other users who have been granted access to the file.
  • Any configured recovery agents.
The unencrypted FEK is never stored. The AlgorithmID value described in this article selects the symmetric algorithm that is used with the FEK to encrypt the file contents; it has no effect on the public-key operations that protect the FEK itself, which is why the symptom occurs even when the user's certificate and private key are present.

Notes:
  • Windows 2000 can only use the expanded Data Encryption Standard (DESX) algorithm for EFS encryption and decryption.
  • Versions of Windows XP earlier than SP1 can only use the expanded DESX or the Triple-DES (3DES) algorithm for EFS encryption and decryption.
  • Windows XP with SP1 or later, and Windows Server 2003, can encrypt or decrypt files using DESX, 3DES, or AES.
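The key hierarchy in the MORE INFORMATION section and the per-platform algorithm support in the Notes, as an added PowerShell example that models both; it is not code from KB 329741 or from Windows. Real EFS stores the wrapped FEKs in the file's $EFS attribute; here a hashtable stands in for that, freshly generated RSA key pairs stand in for EFS certificates, RSA-OAEP is this example's choice of wrapping padding (the article does not document EFS's own), DESX is omitted because .NET has no implementation of it, and the principal names and file contents are made up. The last part shows why a file encrypted with 3DES opens on Windows XP but looks corrupted on Windows 2000 even though the recovery agent's private key unwraps the FEK on both.

```powershell
# Added example, not from KB 329741: a simplified model of the EFS key hierarchy,
# written with .NET crypto classes from PowerShell 5.1 or later. Hashtable in place
# of the $EFS attribute, fresh RSACng key pairs in place of EFS certificates, OAEP
# padding chosen here for the wrapping step, DESX omitted (not implemented in .NET).
$Oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

# FEK algorithms each platform can use, taken from the Notes above.
$PlatformSupport = @{
    'Windows 2000'        = @('DESX')
    'Windows XP'          = @('DESX', '3DES')
    'Windows XP SP1'      = @('DESX', '3DES', 'AES_256')
    'Windows Server 2003' = @('DESX', '3DES', 'AES_256')
}

function New-SymmetricCipher([string]$Algorithm) {
    switch ($Algorithm) {
        'AES_256' { $aes = [System.Security.Cryptography.Aes]::Create(); $aes.KeySize = 256; return $aes }
        '3DES'    { return [System.Security.Cryptography.TripleDES]::Create() }
        default   { throw "This model has no implementation of $Algorithm" }
    }
}

function Protect-FileLikeEfs {
    param([byte[]]$Data, [hashtable]$PublicKeys, [string]$Algorithm = 'AES_256')
    $sym = New-SymmetricCipher $Algorithm
    $sym.GenerateKey(); $sym.GenerateIV()       # a new FEK for this one file
    $ciphertext = $sym.CreateEncryptor().TransformFinalBlock($Data, 0, $Data.Length)
    $wrapped = @{}                               # one wrapped copy of the FEK per principal
    foreach ($p in $PublicKeys.GetEnumerator()) { $wrapped[$p.Key] = $p.Value.Encrypt($sym.Key, $Oaep) }
    $blob = @{ Algorithm = $Algorithm; IV = $sym.IV; Ciphertext = $ciphertext; WrappedFek = $wrapped }
    $sym.Dispose()                               # the unwrapped FEK is not kept anywhere
    return $blob
}

function Unprotect-FileLikeEfs {
    param($Blob, [string]$Principal, [System.Security.Cryptography.RSA]$PrivateKey, [string]$Platform)
    if (-not $Blob.WrappedFek.ContainsKey($Principal)) { throw "$Principal was not granted access to this file" }
    # The public-key step succeeds on any platform that has the private key ...
    $fek = $PrivateKey.Decrypt($Blob.WrappedFek[$Principal], $Oaep)
    # ... but the symmetric step needs the algorithm the file was encrypted with.
    if (-not $PlatformSupport.ContainsKey($Platform)) { throw "Unknown platform $Platform" }
    if ($PlatformSupport[$Platform] -notcontains $Blob.Algorithm) {
        throw "$Platform cannot use $($Blob.Algorithm); the file would look corrupted there"
    }
    $sym = New-SymmetricCipher $Blob.Algorithm
    $sym.Key = $fek; $sym.IV = $Blob.IV
    return $sym.CreateDecryptor().TransformFinalBlock($Blob.Ciphertext, 0, $Blob.Ciphertext.Length)
}

# Constructed demo: the encrypting user, one additional user and a recovery agent share the file.
# Each RSACng object holds both halves of its key pair, so it serves as public and private key here.
$keys = @{}
foreach ($name in 'alice', 'bob', 'recovery-agent') { $keys[$name] = New-Object System.Security.Cryptography.RSACng 2048 }
$plain = [System.Text.Encoding]::UTF8.GetBytes('constructed file contents')
$file = Protect-FileLikeEfs -Data $plain -PublicKeys $keys -Algorithm '3DES'

foreach ($platform in 'Windows XP', 'Windows 2000') {
    try {
        $out = Unprotect-FileLikeEfs -Blob $file -Principal 'recovery-agent' -PrivateKey $keys['recovery-agent'] -Platform $platform
        '{0}: {1}' -f $platform, [System.Text.Encoding]::UTF8.GetString($out)
    } catch { '{0}: {1}' -f $platform, $_.Exception.Message }
}
# A principal without a wrapped FEK cannot open the file on any platform.
try { Unprotect-FileLikeEfs -Blob $file -Principal 'mallory' -PrivateKey $keys['bob'] -Platform 'Windows XP' } catch { $_.Exception.Message }
```

Changing the algorithm passed to Protect-FileLikeEfs plays the role of the AlgorithmID value: the wrapped-FEK structure and the principals' key pairs are unchanged, only the symmetric step differs, which is the point the article makes about where the incompatibility lies.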
For more information about 3DES and DESX, view the "Encrypting and Decrypting Data with Encrypting File System" topic in the Windows XP Help file.

More information about the AES cryptographic provider in Windows, and the white paper "Encrypting File System in Windows XP and Windows Server 2003", is available on the Microsoft Web site.
Properties

Article ID: 329741 - Last Review: 09/14/2007 09:39:01 - Revision: 10.9

Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems, Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Small Business Server 2003 Premium Edition, Microsoft Windows Small Business Server 2003 Standard Edition, Microsoft Windows XP Professional SP1, Microsoft Windows 2000 Professional Edition, Microsoft Windows 2000 Server SP1, Microsoft Windows 2000 Server SP2, Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Advanced Server SP1, Microsoft Windows 2000 Advanced Server SP2, Microsoft Windows 2000 Advanced Server SP3
