Windows 10 EFS files are inaccessible after reboot for several minutes

Artem Kuroptev 1 Reputation point
2021-01-05T20:20:33.547+00:00

On a Windows 10 Pro machine (10.0.19042.685), local EFS-encrypted files are inaccessible (ERR_ACCESS_DENIED) for several minutes after reboot or logout/login. Files are local to the machine, but the machine itself is accessed via RDP.

It seems like the private key of a user is not accessible to the system for some reason (access denied in PID 0). Because if I open the MMC certmgr snap-in, it says that I have the private key for my EFS cert, but if I try to export the cert, the option to export with private key is grayed out.

After several minutes, file access restores by itself and the private key becomes exportable in the MMC certmgr snap-in.

Issuing a new cert, making it the default and updating all encrypted files to the new cert did not help.


6 answers

  1. Eleven Yu (Shanghai Wicresoft Co,.Ltd.) 10,761 Reputation points Microsoft Vendor
    2021-01-06T03:51:30.957+00:00

    Hi,

    From my knowledge, there's a process named lsass.exe that's responsible for the security part (auth., logon, encryption, etc...).

    During the several minutes that EFS files are inaccessible after reboot, please check if lsass.exe is running in task manager. It might take some time to start this process after reboot.

    Thanks,

    Eleven

    If the answer is helpful, please click "Accept Answer" and up-vote it.


  2. Artem Kuroptev 1 Reputation point
    2021-01-06T08:39:49.737+00:00

    It is running and the problem is more complex than that.

    For each failed access, there is a message in the event log:

    (screenshot of the event log entry: 53906-image.png)

    But then after some time there is a series of Logon/Special logon events which lead to access success. But there are no events about successful key read.


  3. Eleven Yu (Shanghai Wicresoft Co,.Ltd.) 10,761 Reputation points Microsoft Vendor
    2021-01-08T07:13:07.32+00:00

    Hi,

    A failure audit event is triggered when a defined action is not completed successfully. So the failure events may simply mean the failed access but do not necessarily mean that something is wrong with your system.

    But I did some research and found the possible causes below.

    1. Have NVidia based graphics card on your computer: https://answers.microsoft.com/en-us/windows/forum/windows_10-security-winpc/security-audit-failure-event-5061-in-windows-10/6de3cdd6-cb0a-478b-aca6-2f36e2eb85f6
    2. Related to hyperV: https://answers.microsoft.com/en-us/windows/forum/windows8_1-performance/event-log-security-audit-failure/dde5c76f-1bb0-46cb-bc33-90a958b13de2
    3. Expired certificate exists under Certificates > Trusted Root Certification Authorities > Certificates: https://social.technet.microsoft.com/Forums/en-US/3e88df37-d718-4b1f-ac90-e06b597c0359/event-5061-audit-failures-every-reboot-cryptography-win-10-pro-64bit?forum=win10itprogeneral

    I am not sure if your issue matches any of the situations above. In order to figure out the exact cause, you might need to capture some dumps or traces to further investigate the issue, so I suggest contacting Microsoft Customer Support and Services, where a more in-depth investigation can be done and you would get a more satisfying explanation and solution to this issue.

    You may find the phone number for your region from the link below:
    Global Customer Service phone numbers
    https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

    Thanks,

    Eleven

    If the answer is helpful, please click "Accept Answer" and up-vote it.


  4. Artem Kuroptev 1 Reputation point
    2021-01-28T19:49:21.913+00:00

    This does not help.

    My "certutil -store My" output is:

    My "Personal"
    CertUtil: -store command completed successfully.

    I don't have Nvidia hardware. I do have Hyper-V (most likely because Windows Sandbox is enabled), but I have had it for a long time and it was not a problem.

    cipher /c for an encrypted file says "The specified file could not be decrypted." About 10 minutes after reboot, cipher /c for the same encrypted file says "Key Information: [...]"


  5. Artem Kuroptev 1 Reputation point
    2021-01-28T21:01:25.193+00:00

    Crypto-DPAPI Event:

    DPAPI Unprotect failed.

            Status: 0x8009000B
            ReasonForFailure:   Could not get the master key

    Crypto-DPAPI Event:

    Master key access failed.
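A diagnostic script added here to pull the checks from this thread together; it is not from the thread or from Microsoft. It checks that lsass.exe is up, tests whether each EFS certificate's private key can actually be used (HasPrivateKey only says a key reference exists, which matches the certmgr observation above), runs cipher /c, and lists the Crypto-DPAPI and Security 5061 failure events from the last hour. The file path is a placeholder; the 5061 query needs an elevated shell.

```powershell
# Added diagnostic, not from the thread. Run in the affected user's session right
# after logon, then again once the files become readable, and compare the output.
# Assumption: $EfsFile is one of the EFS-encrypted files (placeholder path).
param([string]$EfsFile = 'C:\Data\encrypted.txt')

$since  = (Get-Date).AddHours(-1)
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # EKU "Encrypting File System"

# 1. lsass.exe hosts EFS and DPAPI; if it is not running nothing else can work.
"lsass.exe running: {0}" -f [bool](Get-Process -Name lsass -ErrorAction SilentlyContinue)

# 2. For each EFS certificate, open the private key and force a real operation
#    (a signature over constructed bytes). Using the key requires DPAPI to decrypt
#    the key file, so this fails in the same window as the file access does.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not ($eku.EnhancedKeyUsages.Value -contains $efsOid)) { return }
    $state = try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_)
        if (-not $rsa) { 'no private key' }
        else {
            [void]$rsa.SignData([byte[]](1,2,3),
                [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
            'private key usable'
        }
    } catch { "private key NOT usable: $($_.Exception.Message)" }
    "{0}  HasPrivateKey={1}  {2}" -f $_.Thumbprint, $_.HasPrivateKey, $state
}

# 3. cipher /c reports whether the file's key information decrypts for this user.
if (Test-Path $EfsFile) {
    cipher.exe /c $EfsFile | Select-String 'Key Information|could not be decrypted'
}

# 4. Crypto-DPAPI events quoted in the thread ("Could not get the master key",
#    "Master key access failed").
Get-WinEvent -FilterHashtable @{ ProviderName = 'Microsoft-Windows-Crypto-DPAPI'; StartTime = $since } `
    -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match 'master key|Unprotect failed' } |
  Select-Object TimeCreated, Id, @{ n = 'Msg'; e = { ($_.Message -split "`n")[0] } }

# 5. Security 5061 (cryptographic operation) failure audits in the same window.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5061; StartTime = $since } `
    -ErrorAction SilentlyContinue |
  Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' } |
  Select-Object -First 10 TimeCreated, @{ n = 'Msg'; e = { ($_.Message -split "`n")[0] } }
```

If step 2 reports the key as not usable while step 4 shows master-key errors at the same time, the problem is the DPAPI master key for the profile rather than the certificate or the file itself.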
