![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Actually, this is beginning to make a lot of sense now. The files you are having problems with have been encrypted with EFS. EFS is closely tied to the NTFS file system. As long as you move encrypted files around in the same Volume, this is not a problem because a move is a directory operation and directories themselves are not encrypted (only the files within them are). Any time you move an encrypted file from one volume to another, the file must be decrypted, transferred to the other volume, then re-encrypted at the destination. Thus, the destination volume must also be a NTFS file system to keep the files encrypted. If the destination is not a NTFS volume, then the copy would result in an unencrypted file existing at the destination and you should be prompted as to whether to allow the operation or not. In any case, a volume-to-volume copy requires decryption of the file and any operation that requires decryption is generating an access error to you -- that plus your inability to normally open a file indicates that you no longer control the certificate to decrypt the file.
Backups are another matter. If you use Microsoft's Backup utility (NTbackup), then it recognizes the encrypted file attribute and backs it up as-is without decrypting it. Other 3rd party backup programs may not recognize encrypted files and simply read them and write them to the backup medium. When this happens, the files are automatically decrypted upon reading (assuming archiving user has needed certificates) and written to backup as an unencrypted file. This would explain why you can retrieve an archive and it doesn't appear encrypted. DVD and optical tape do not use NTFS so a decryption of original file is required to back up to these media.
The private part of your EFS encryption certificate (needed to decrypt files) is stored itself encrypted on your computer. To decrypt it, Windows uses your SecureID, your password, and other things of which I'm unaware. If your password is not reset the normal way (ie by entering your current password and your new password) such as by an administrator, then your certificate is not re-encrypted to your new password and your lose access to it and with it, access to your EFS files. Other forms of corruption can cause you to lose your certificate but it appears as though at some point you have lost access to your certificate and thus cannot access files that were encrypted under that certificate.
New files that you write to a directory that has been enabled with EFS will notice that you don't have a valid certificate and then automatically generate a new certificate that will be used to encrypt files from that point forward. That is why new files that you add to this directory seem to work well. The only real mystery that I can't explain is why a system restore to a time when this wasn't a problem didn't allow you to regain access.
If you want some heavy reading, try this:
"Encrypting file System in Windows XP and Windows Server 2003"
< http://technet.microsoft.com/en-us/library/bb457065.aspx >
Personally, I'm not a fan of EFS because of issues just like this. I prefer the freewareTruecrypt which is just as secure but I myself manage the keys (in form of passphrase) instead of Windows. It also hides filenames and can be used securely over a networked connection and backups from the Windows volume are encrypted no matter how they're done. I haven't lost any encrypted data in over ten years.
HTH,
JW