This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 26%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
So a couple of months back, I encrypted some of my files and folder through a simple encryption GUI method. Click on file > Properties > Advanced.. >Compress and Encrypt attributes > Check mark on **Encrypt contents to secure data.
**
After some time, when I tried to decrypt it, it gave me "The specified file could not be decrypted." I checked the thumbprint in Compress and Encrypt attribute > Details with the user certificate, which matches.
Then I tried running it "certutil -user -store my <thumbprint>" and it gave "Missing stored keyset"
Then I tried running this:
certutil -repairstore my **<thumbprint>
**
It gives me this:
my "Personal"
CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND)
CertUtil: Object was not found.
In the cert store, I see another certificate with the same user name but with a different thumbprint. Is there a possibility of a certificate issue during Windows update and it created a new user certificate?
Now I'm unable to decrypt any of my files.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
The issue you're facing is related to missing private keys, which are essential for decrypting files encrypted using the Windows Encrypting File System. When files are encrypted with EFS, a public/private key pair is used, and the private key must be available to decrypt the files. If the private key is missing, the decryption will fail.
Here is what you can try:
1. Confirm the Certificate Exists: Run the following command to list all EFS certificates:
certutil -user -store my
2. Check for Backups of the Private Key:
If you previously exported the private key, search for .pfx files on your system or backups. This file is essential for restoring access. If you manage to find it, import it by running:
certutil -f -user -importpfx <path_to_pfx_file>
3. Look for a Data Recovery Agent (DRA):
cipher /r
4. Attempt to Repair the Keyset:
The error NTE_NOT_FOUND indicates that the private key is missing or corrupted. To attempt recovery:
certutil to verify the private key exists:
certutil -user -verifykeys
5. Restore a Backup of Your System: If no private key or recovery agent is available, restoring from a system backup that includes the private key is your best option. Check for:
C:\Users\<YourUser>\AppData\Roaming\Microsoft\Crypto.Going forward, make sure to export and securely store the private key when using EFS encryption. You can do this by:
certmgr.msc..pfx file.In addition, you might want to consider using BitLocker for full disk encryption instead of EFS for individual files, as it's easier to manage and recover.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
Updated the second comment below
Thanks
Syed Waleed Aftab
When I run this:
certutil -user -store my
I can see my user certificate and the same thumbprint as this:
================ Certificate 5 ================
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Issuer: CN=Waleed
NotBefore: 05/08/2024 1:27 pm
NotAfter: 12/07/2124 1:27 pm
Subject: CN=Waleed
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key Container = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Missing stored keyset
CertUtil: -store command completed successfully.
and when I run this:
certutil -user -verifykeys
I get this:
CertUtil: The system cannot find the file specified.
I don't have any backup or DRA as this is a personal computer.
I can see some files in C:\Users\Waleed\AppData\Roaming\Microsoft\Crypto, but it doesn't contain my thumbprint's Key Container.
Same for C:\Users\Waleed\AppData\Roaming\Microsoft\RSA
Based on the details you provided, it appears that the private key necessary to decrypt the EFS-encrypted files is missing. Unfortunately, without the private key, decrypting EFS-encrypted files is not feasible. The encryption is designed to be secure and relies entirely on the private key to prevent unauthorized access. If the private key is missing and no backups exist, the encrypted files cannot be recovered.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
Then I don't know why it says "You have a private key" when I open the same certificate through the GUI. It has the same thumbprint as the one mentioned above.
Apologies - I should've been more clear in my response.
From the information provided, the CLI tools indicating a "Missing stored keyset" suggests a mismatch between the metadata and the actual state of the private key on the system.
In other words, the certificate store may retain metadata indicating the presence of a private key, even if the key itself has been deleted or corrupted. This can occur due to: - Incomplete certificate export/import processes. - Corruption of the private key in the key container. - Issues during system updates or migrations.
The GUI often relies on certificate metadata to determine whether a private key is associated with a certificate. However, this doesn't guarantee the private key is intact or usable. CLI tools like certutil provide a more direct check of the key container. If these tools report "Missing stored keyset," it typically means the private key file required for decryption is no longer available.
To verify this, you'd typically check the default locations for user private keys:
- CSP-based keys:
C:\Users\<YourUser>\AppData\Roaming\Microsoft\Crypto\RSA\<SID>
- KSP-based keys:
C:\Users\<YourUser>\AppData\Roaming\Microsoft\Crypto\Keys
You'd look for a file corresponding to the Key Container value listed in certutil -user -store my.
In addition, if certutil -user -verifykeys fails with "The system cannot find the file specified," the private key is indeed missing or inaccessible.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin