How would one read an encrypted file's (encrypted using windows' EFS) header? I would like to be able to read the header and extract FEK that was encrypted by either the public or private key of the file.

From reading up I understand the structure of the file header I'm just not sure how to go about reading the header. Also it would be a great help if you could point me in the direction of any apps that read a file header and display it on screen.

EDIT: By encrypted file I mean that it was encrypted using EFS on my previous system and backed up and put onto my current system so they aren't treated as encrypted files anymore but they are encrypted.


9 Years
Discussion Span
Last Post by grehe

First of all I am not familiar with the EFS structure.
Is the header encrypted or not?
If the header is not encrypted, then reading it is the same as reading normal files. Look up for code that reads a bitmap file and extracts the header and image contents. It should be similar.

If the header in encrypted too, then you should decrypt it before trying anything else.


No I don't think the header itself is encrypted because you need some of the content of the header to decrypt the file content in EFS. i have tried looking around but I can't find any kind of method to it, do any API's exist or is there a specific format for a header of a file, anything at all to get me started would be great, thanks.


you'd read them the same as any other, and then pull them through some decryption system...
It's just bits and bytes after all, same as any other part of any other file.


Yes, I've researched it quite a lot. I've read that MSDN page aswell as most google links that I think are relevant. My question is how I would read the file header, i.e. how I would be able to allocate memory and then read the file header into memory, for example, reading a .jpg file like a normal file does not give me the file header in any kind of format visible instead it comes out with a lot of random characters, i.e. the file is stored in some way which I don't yet understand, thats what I'm asking for, basically I want to read a file header into seperate variables and work with them from there..

An short simple example or a link to an example of say reading a JPG fileheader into seperate variables in memory would be ideal.


Well common file formats are listed here

Simply typing in say "jpg file format" into your favourite search engine would reveal as much.

Windows EFS on the other hand is proprietary for sure, deliberately kept secret (perhaps), and an altogether different prospect.
Perhaps this would help.

> My question is how I would read the file header
You allocate 'n' bytes.
You read 'n' bytes into the memory you allocated.
You examine each byte in turn, and using your knowledge of the file format, decide what that byte actually means.

Most file formats begin with some fixed sized header (this is your first 'n'). Within that header, there is usually something which tells you how big the variable sized data is going to be.


"reading a .jpg file like a normal file does not give me the file header in any kind of format visible instead it comes out with a lot of random characters"

Hardly random. There's a definite structure there which is well defined in the JPEG file format specification.
Same for all other file formats. Of course the specification may not be public.
And of course there may be more information scattered across the rest of the file determining its makeup and layout, again well defined in the file format specification.

Your task is to find that specification some way and write some software to read it.


I know this is an old thread, but for the record, EFS headers are kept on a separate hidden file. Specifically, it's kept on the MFT. Filename should be "mySecret.txt:$EFS" . There is no way to read the header unless you use a hex editor.

This article has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.