<h1 id="howtobackupefsencryptedfileswithsystemaccount">How to back up EFS-encrypted files with the SYSTEM account</h1> <p>This guide provides steps to back up EFS-encrypted files using the Local System account.</p> <hr /> <h2 id="problem">Problem</h2> <p>A user wants to back up files that have been encrypted with EFS, using the Local System account. The SYSTEM account can use EFS, but it doesn't have an EFS certificate by default.</p> <hr /> <h2 id="solution">Solution</h2> <div class="hint hint-warning"><i class="el-icon-warning"></i> <p>Allowing SYSTEM to access encrypted files could be dangerous: anyone with physical access to this machine would be able to decrypt crucial data. </p></div> <p>If you want to give SYSTEM access to already-encrypted files, go through the following steps:</p> <ol> <li>Create a scratch file: type <strong>echo. &gt; scratch.txt</strong> in the SYSTEM prompt (to run a CMD prompt as SYSTEM: download <a href="http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx">PSEXEC</a>, unzip it in any directory, open an elevated CMD prompt as an administrator, navigate to the folder where you unzipped <strong>PSEXEC.EXE</strong>, and run <strong>PSEXEC -i -s -d CMD</strong>).</li> </ol> <p><img src="/content/images/b20d0485-5191-467f-8d38-9c205b553e1b.png" alt="" /></p> <p><img src="/content/images/b133a548-a4cc-424b-bdd6-9ffd43b2d25b.png" alt="" /></p> <ol start="2"> <li><p>Encrypt that file with <strong>cipher /e scratch.txt</strong>. <em>(You can torch that extra file if you want; the certificate is all ready.)</em></p></li> <li><p>EFS certificates can be managed in the Certificates MMC snap-in; you'll need to open the snap-in for the computer (not the user), or just run <strong>certlm.msc</strong>. <em>(You will find the certificates of interest under Trusted People.)</em></p></li> </ol> <p><img src="/content/images/0afdae2e-cc87-4292-adee-72a85179c8b7.png" alt="" /></p> <p><img src="/content/images/9a378260-2e1f-4b3e-ba02-89db06a907fd.png" alt="" /></p> <p><img 
src="/content/images/c8fbf18b-42ea-42b8-ac84-728e9ca4984c.png" alt="" /></p> <ol start="4"> <li><p>Open a command prompt as the owner of the file.</p></li> <li><p>Run <strong>cipher /adduser /certhash:</strong> with the target user's EFS thumbprint smushed against the colon without spaces. <em>(Double-click an entry in the Certificates MMC window and switch to the Details tab to see the thumbprint.)</em></p></li> </ol> <p><img src="/content/images/5460e094-3fcd-44b6-aaaa-3e53e2d2401f.png" alt="" /></p> <p>The target filename is an additional parameter, and <code>/s:&lt;dir&gt;</code> still works if you're applying this to a folder.</p>
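<p>Steps 3 to 5 as one PowerShell script, added here as an illustration and not part of the original guide: it looks up the EFS certificate in the computer's Trusted People store, adds it to a folder with <code>cipher /adduser</code>, then uses <code>cipher /c</code> to confirm which encrypted files now list that thumbprint. The folder <code>D:\Encrypted</code> is a placeholder, and the script assumes the store holds a single EFS certificate unless a thumbprint is passed in.</p>

```powershell
# Added example, not from the original guide. Run elevated, as the owner of the files.
param(
    [string]$TargetDir = 'D:\Encrypted',  # assumption: placeholder folder of EFS-encrypted files
    [string]$Thumbprint                   # optional: thumbprint copied from certlm.msc
)

$efsOid = '1.3.6.1.4.1.311.10.3.4'        # Encrypting File System enhanced key usage

if (-not $Thumbprint) {
    # Computer store, Trusted People: where the guide says the certificate shows up.
    $candidates = @(Get-ChildItem Cert:\LocalMachine\TrustedPeople |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid })
    if ($candidates.Count -ne 1) {
        $candidates | Format-List Subject, Thumbprint, NotAfter | Out-Host
        throw "Expected one EFS certificate, found $($candidates.Count); pass -Thumbprint."
    }
    $Thumbprint = $candidates[0].Thumbprint
}

# Text copied from the Details tab has spaces and may carry an invisible leading
# character; cipher wants bare hex directly after the colon.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($Thumbprint.Length -ne 40) { throw "Not a 40-hex-digit SHA-1 thumbprint: '$Thumbprint'" }

# Step 5: add the certificate to the files under the folder.
& cipher.exe /adduser "/certhash:$Thumbprint" "/s:$TargetDir"

# Verify: cipher /c lists the certificate thumbprints allowed to decrypt each file.
$missing = foreach ($file in Get-ChildItem -LiteralPath $TargetDir -Recurse -File) {
    if (-not ($file.Attributes -band [IO.FileAttributes]::Encrypted)) { continue }
    $report = (& cipher.exe /c $file.FullName) -join ' '
    if (($report -replace '[^0-9A-Fa-f]', '') -notmatch $Thumbprint) { $file.FullName }
}

if ($missing) {
    Write-Warning "Certificate $Thumbprint is not listed on these files:"
    $missing
} else {
    "Certificate $Thumbprint is listed on every encrypted file under $TargetDir."
}
# To withdraw the access later: cipher /removeuser /certhash:$Thumbprint /s:$TargetDir
```

<p>The verification pass also works as a standalone audit: run it with a known thumbprint to see which encrypted files a given certificate can open.</p>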