How to backup EFS encrypted files with SYSTEM account

Following guide provides steps to backup EFS encrypted files using Local System account


User wants to backup files been encrypted using EFS with Local System account. SYSTEM account can use EFS, but it doesn't have an EFS certificate by default.


Allowing SYSTEM to access encrypted file could be dangerous, anyone with physical access to this machine would be able to decrypt crucial data.

In case you want to give SYSTEM access to already-encrypted files please go through following steps:

  1. Create scratch file, type echo. > scratch.txt in the SYSTEM prompt (to run CMD prompt as a SYSTEM you should: download PSEXEC, unzip it in any directory, open an elevated CMD prompt as an administrator, navigate to the folder where you unzipped PSEXEC.EXE, run PSEXEC -i -s -d CMD).

  1. Encrypt that file with cipher /e scratch.txt (You can torch that extra file if you want, the certificate is all ready.)

  2. EFS certificates can be managed in the Certificates MMC snap-in; you'll need to open the snap-in for the computer (not the user), or just run certlm.msc (You will find the certificates of interest under Trusted People)

  1. Open a command prompt as an owner of the file

  2. Run cipher /adduser /certhash: with the target user's EFS thumbprint smushed against the colon without spaces (Double-click an entry in the Certificates MMC window and switch to the Details tab to see the thumbprint.)

The target filename is an additional parameter, and /s:<dir> still works if you're applying this to a folder