So I was using Windows EFS the other day to encrypt some files. This is surprisingly easy to use and beats TrueCrypt and Mac’s disk encryption in the usability department:
cipher /E /S:MyFolder
AppData, which is a good thing to do since many applications leave their traces there. When I rebooted and logged in, I got lsass at 100% CPU and a black desktop.
TL;DR If you changed your password via MMC, you need to re-import your EFS key
The way EFS works: each file's encryption key is wrapped with the public key of your EFS certificate, and the matching private key is protected by DPAPI, whose master keys (stored under AppData\Microsoft\Protect\<your SID>) are in turn encrypted with a key derived from your logon password. That implies some work needs to be done when you change your password: a proper password change, where Windows sees both the old and the new password, re-protects the DPAPI master keys with the new one, while an administrative reset cannot, because the old password is never supplied. MMC’s “Set Password” is a reset, so it doesn’t do it (it warns specifically against this, but this is the first time I actually read what it says :P).
It turns out that EFS spends quite a lot of CPU cycles for the wrong password case. Because I encrypted
lsass would just spin itself with the obsolete password, trying in vain to decrypt the EFS cert.
So the way out was to remove the EFS key from certmgr.msc, and then reimport it. You may need to refresh the credential cache by
If it worked, you should be able to display some encrypted text files transparently:
Tip: Use another account to runas /user:Victim cmd to do the above.
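The backup-and-reimport procedure above, as an added PowerShell example that is not part of the original post. It assumes you exported the EFS certificate and private key to a PFX while the password still matched (the procedure only works if such a backup exists; a key whose DPAPI master key can no longer be opened cannot be exported after the reset), and the backup path, PFX password and probe file name are assumptions. Run it in the affected user's own session, e.g. via the runas tip above, because the CurrentUser store and DPAPI master keys are per user.

```powershell
# Added example, not from the original post. Back up the EFS key while it still works,
# and after a password reset replace the dead copy in the store with that backup.
# Assumptions: backup path, PFX password and probe file are hypothetical.

$EfsOid      = '1.3.6.1.4.1.311.10.3.4'                    # Encrypting File System EKU
$BackupPfx   = Join-Path $env:USERPROFILE 'efs-backup.pfx' # hypothetical backup path
$ProbeFile   = Join-Path $env:APPDATA 'some-encrypted.txt' # hypothetical EFS-encrypted file

# Certificates in the user's store that carry the EFS EKU and a private key.
function Get-EfsCertificate {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and (
            $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $EfsOid }
        )
    }
}

# Step 1, BEFORE any password trouble: export cert + private key to a PFX.
# This needs a usable DPAPI master key, so do it while your password still matches.
function Backup-EfsKey([securestring]$PfxPassword) {
    cipher /y   # prints the thumbprint of the EFS cert currently in use, for comparison
    Get-EfsCertificate |
        Export-PfxCertificate -FilePath $BackupPfx -Password $PfxPassword |
        Out-Null
}

# Step 2, AFTER an administrative reset: the private key in the store is wrapped by a
# master key the new password cannot open. Remove that copy (and its key container),
# then import the backup; the import wraps the key under a fresh master key created
# with the current password, which is why EFS starts working again.
function Restore-EfsKey([securestring]$PfxPassword) {
    Get-EfsCertificate | ForEach-Object { Remove-Item -Path $_.PSPath -DeleteKey }
    Import-PfxCertificate -FilePath $BackupPfx `
                          -CertStoreLocation Cert:\CurrentUser\My `
                          -Password $PfxPassword `
                          -Exportable |     # so the next backup is possible too
        Out-Null
}

# Step 3: verify by reading an encrypted file transparently, as the post suggests.
function Test-EfsAccess {
    $item = Get-Item $ProbeFile
    if (-not ($item.Attributes -band [IO.FileAttributes]::Encrypted)) {
        throw "$ProbeFile is not EFS-encrypted; pick a file that is"
    }
    Get-Content $ProbeFile -TotalCount 3   # throws Access Denied if the key is still dead
}

# Diagnostic: the DPAPI master keys live here as hidden GUID-named files in a folder
# named after your SID. This is the Protect folder the post mentions.
function Show-DpapiMasterKeys {
    $sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    Get-ChildItem -Force (Join-Path $env:APPDATA "Microsoft\Protect\$sid") |
        Select-Object Name, LastWriteTime
}

# Usage (run the matching step, not all three at once):
#   $pw = Read-Host -Prompt 'PFX password' -AsSecureString
#   Backup-EfsKey  $pw     # while the password still matches
#   Restore-EfsKey $pw     # after a reset, from the victim's own session
#   Test-EfsAccess
```

The built-in `cipher /x` does the same backup interactively, so either will do; the point is that the PFX must exist before the reset, because exporting afterwards fails for the same reason the files are unreadable.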
It’s been reported that the 100% CPU usage may be related to the large number of SID files in AppData\Microsoft\Protect. I suspect it’s another consequence of this cause.
(The correct way to change password is to select Change Password in Ctrl+Alt+Del. I don’t know of a command line way to do it :/ Feel free to post in the comments)
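The parenthetical above asks for a command-line equivalent of Ctrl+Alt+Del > Change Password. As an added example that is not part of the original post: the reset-versus-change distinction is visible in the API, and the change path is what preserves EFS access. The account name is hypothetical; the example assumes a local account (the domain cmdlets are noted in a comment).

```powershell
# Added example, not from the original post. Shows the password *reset* calls that
# break EFS beside the *change* call that does not. Account name is hypothetical.

$User = 'alice'   # hypothetical local account

# SecureString -> plain text, zeroing the unmanaged copy afterwards.
function ConvertTo-PlainText([securestring]$Secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try   { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

$old = Read-Host -Prompt "Current password for $User" -AsSecureString
$new = Read-Host -Prompt "New password for $User"     -AsSecureString

$acct = [ADSI]"WinNT://$env:COMPUTERNAME/$User,user"

# WRONG for an EFS user: all of these are administrative resets. The old password is
# never supplied, so DPAPI cannot re-protect the user's master keys and the EFS private
# key stays wrapped by a password that no longer exists (same effect as MMC "Set Password").
#   $acct.SetPassword((ConvertTo-PlainText $new))
#   net user $User *
#   Set-LocalUser -Name $User -Password $new

# RIGHT: ChangePassword needs the old password and takes the same change path as
# Ctrl+Alt+Del > Change Password, so the DPAPI master keys are re-protected with the
# new password and EFS keeps working at the next logon.
$acct.ChangePassword((ConvertTo-PlainText $old), (ConvertTo-PlainText $new))

# Domain accounts have the same split in the ActiveDirectory module:
#   change: Set-ADAccountPassword -Identity $User -OldPassword $old -NewPassword $new
#   reset:  Set-ADAccountPassword -Identity $User -Reset -NewPassword $new
```

The same rule applies to any tool: if a command takes only the new password, it is a reset, and for a local account that means the EFS key backup from earlier is the only way back in.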