FINAL EDIT:
All came down to EFS encryption, I had no certificates, private keys or anything, thankfully, windows.old had the AppData folder, where I could get the files needed to follow the guide on the accepted answer. This is what worked for me.
Also, I didn't have a password, but the computer user didn't use a password, so the blank password hash mentioned in the guide worked for me. More detail on what other things I did for debugging can be found in the chat.
EDIT: I tried both commands suggested by the answers to the question and they didn't work for me. They didn't fail, they ran, and ownership was changed, but I still get access denied to the files.
Good day everyone,
I have this issue which I haven't figured out how to even ask properly since it includes the windows "Documents" folder, which if you google, just throws so many results about any kind of document. Anyway, I'm going to explain my situation and see if anything can be done.
This person upgraded my dad's Windows computer from Windows 7 to Windows 10. I'm not exactly sure how he did it, but there is this Windows.old folder, and inside of it there is this folder whose files cannot be accessed, and this is what my dad needs to access. This is years of work, that's why I'm asking here since I can't find a solution on the internet.
I will just put the user name, because I'm including screenshots, and at this point, I don't care much about security, I just want to be able to access the files. The folder is "C:\Windows.old\Usuarios\MARTIN CAMPOS\Documentos", this is Windows in Spanish.
I faced this issue before, many years ago, but I replaced my old hard drive with a new one, so I still had my previous windows version available in the old drive, and what I did was just boot the computer with the old drive, copy all documents inside of "Documentos" folder to an external drive, instead of copying "Documentos" folder, and that was it, very simple. In this case, the old windows installation is not available, this person just replaced Windows 7 with Windows 10 on the same hard drive.
Anyway, back to the problem, files anywhere inside "C:\Windows.old\Usuarios\MARTIN CAMPOS" can be accessed, only the files inside "C:\Windows.old\Usuarios\MARTIN CAMPOS\Documentos" and its subfolders cannot be accessed, they have a lock in the icon:
I tried the solution in this video: https://www.youtube.com/watch?v=sciON4DvGpY, which looked promising, but it didn't work.
I tried granting Total Control to the folder for the user, changing owner and whatever I could think of:
But I had no luck, I noticed that permissions don't look the same, the checkmark is grayed out:
Instead of like bold black:
Not sure if this has anything to do with it. And the error I get for the files is "Access Denied":
But yeah, this is the problem I'm having, is there anything that can be done? Any help would be very much appreciated.
EDITS
Output of icacls: (final lines, since it is the same for all files)
archivo procesado: C:\Windows.old\Users\MARTIN CAMPOS\Documents\XML Y PDF YAMB\RFC YAMB010526S46-2.pdf
archivo procesado: C:\Windows.old\Users\MARTIN CAMPOS\Documents\XML Y PDF YAMB\RFC YAMB010526S46.pdf
archivo procesado: C:\Windows.old\Users\MARTIN CAMPOS\Documents\XML Y PDF YAMB\SAT.pdf
archivo procesado: C:\Windows.old\Users\MARTIN CAMPOS\Documents\XML Y PDF YAMB\SATaclaracion.pdf
archivo procesado: C:\Windows.old\Users\MARTIN CAMPOS\Documents\XML Y PDF YAMB\SATactualizaciondeoblig.pdf
archivo procesado: C:\Windows.old\Users\MARTIN CAMPOS\Documents\XML Y PDF YAMB\SATsuspensióndeactividadesYAMB.pdf
archivo procesado: C:\Windows.old\Users\MARTIN CAMPOS\Documents\XML Y PDF ZAPM\Acuse_renovacionZAPM.pdf
archivo procesado: C:\Windows.old\Users\MARTIN CAMPOS\Documents\XML Y PDF ZAPM\RFC ZAPM510126KW7 CAMBIO DE DOMICILIO.pdf
archivo procesado: C:\Windows.old\Users\MARTIN CAMPOS\Documents\XML Y PDF ZAPM\RFC ZAPM510126KW7.pdf
archivo procesado: C:\Windows.old\Users\MARTIN CAMPOS\Documents\XML Y PDF ZAPM\SAT RESICOzapm.pdf
Se procesaron correctamente 16334 archivos; error al procesar 0 archivos
Which translates to "16334 were processed correctly, error processing 0 files"
Error trying to copy file outside of folder, including the current user logged in windows:
Which translates to "You need permissions to do this action / Permissions are required from DESKTOP-AUKOJ78/Campos to do changes to this file."
What I got from running command icacls "C:\Windows.old\Users\MARTIN CAMPOS\Documents":
C:\Windows\system32>icacls "C:\Windows.old\Users\MARTIN CAMPOS\Documents"
C:\Windows.old\Users\MARTIN CAMPOS\Documents APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(F)
APPLICATION PACKAGE AUTHORITY\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(OI)(CI)(F)
DESKTOP-AUKOJ78\Campos:(OI)(CI)(F)
Everyone:(OI)(CI)(RX)
BUILTIN\Administradores:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
Se procesaron correctamente 1 archivos; error al procesar 0 archivos
EDIT MORE INFO
So I've run the suggestion, doing ChkDsk C: /OfflineScanAndFix and creating a new user with the same username originally in windows 7, but nothing seems to work, also I played with the permissions on just 1 file, trying to unblock it or something, but nothing seems to work. Nothing removes the yellow padlock.
Pretty much all I got left is trying to revert back to windows 7, also the Linux thing, but I can only try those when I get my hand on the physical CPU.
In the meanwhile, any more remote suggestions are very much welcome.
EDIT 3 UBUNTU SCREENSHOT
So, I noticed that I can only open files created or modified before a certain date, around February 3 2018 and before.
Here is the photo I took with my cellphone, showing the "Permission denied" error. And opening a file created on February 3 2018, which can be opened.
Best Answer
Shameful direct copy/paste of a decrypt EFS-encrypted files article:
Reviewing the chat (under question comments) it appears the top-right gold padlock in Windows indicates EFS files. w32sh posted a link to forum that suggested this article to fix & the OP advised it seems to be allowing them to decrypt their files!
cipher /c "D:\Users\foo\Pictures\secret.jpg"
...
Certificate thumbprint: 096B A4D0 21B5 0F5E 78F2 B985 4A74 6167 8EDA A006
No recovery certificate found.
Key information cannot be retrieved.
The specified file could not be decrypted.
mimikatz # crypto::system /file:"SystemCertificates\My\Certificates\096BA4D021B50F5E78F2B9854A7461678EDAA006" /export
...
Key Container : d209e940-6952-4c9d-b906-372d5a3dbd50
Provider : Microsoft Enhanced Cryptographic Provider v1.0
...
Saved to file: 096BA4D021B50F5E78F2B9854A7461678EDAA006.der
Check files within Crypto\RSA\SID\ to find the one containing a pUniqueName which matches the key container found in step 2, e.g.,
mimikatz # dpapi::capi /in:"Crypto\RSA\S-1-5-21-3425643682-3879794161-2639006588-1000\43838b0ac634d4f965f7c24f0fa91b2b_a55eeef9-ab65-4716-a466-adfc937caecd"
...
pUniqueName : d209e940-6952-4c9d-b906-372d5a3dbd50
...
guidMasterKey : {92f17fce-aae6-488b-9fd8-7774c6c3eb16}
If the password is unknown, recover the NTLM hash:
mimikatz # lsadump::sam /system:SYSTEM /SAM:SAM
...
RID : 000003e8 (1000)
User : foo
Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0
For domain accounts, you'll only need the NTLM hash (/hash:xx); for local accounts, you'll need either the corresponding password (/password:xx) or its SHA1 hash (/hash:xx), which means knowing, cracking, or looking it up:
In this example, we have a local account with an NTLM hash of 31d6cfe0d16ae931b73c59d7e0c089c0, which corresponds to a blank password and a SHA1 hash of da39a3ee5e6b4b0d3255bfef95601890afd80709:
mimikatz # dpapi::masterkey /in:"Protect\S-1-5-21-3425643682-3879794161-2639006588-1000\92f17fce-aae6-488b-9fd8-7774c6c3eb16" /hash:da39a3ee5e6b4b0d3255bfef95601890afd80709
...
[masterkey] with hash: da39a3ee5e6b4b0d3255bfef95601890afd80709 (sha1 type)
key : 6e24723a56a885fc957f25d4872cbbf10589b1f08033d32174ef3618a192f0e101e41196ca76d689057737429af000af2d7e19497ef2151344dfdfdfb9a6bfd0
sha1: 4505118da94b7df471bbbcf6d2c6c744a612e62b
mimikatz # dpapi::capi /in:"Crypto\RSA\S-1-5-21-3425643682-3879794161-2639006588-1000\43838b0ac634d4f965f7c24f0fa91b2b_a55eeef9-ab65-4716-a466-adfc937caecd" /masterkey:4505118da94b7df471bbbcf6d2c6c744a612e62b
...
Private export : OK - 'raw_exchange_capi_0_d209e940-6952-4c9d-b906-372d5a3dbd50.pvk'
with OpenSSL:
openssl.exe x509 -inform DER -outform PEM -in 096BA4D021B50F5E78F2B9854A7461678EDAA006.der -out public.pem
openssl.exe rsa -inform PVK -outform PEM -in raw_exchange_capi_0_d209e940-6952-4c9d-b906-372d5a3dbd50.pvk -out private.pem
writing RSA key
openssl.exe pkcs12 -in public.pem -inkey private.pem -password pass:bar -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
certutil -user -p bar -importpfx cert.pfx NoChain,NoRoot
Certificate "user" added to store.
CertUtil: -importPFX command completed successfully.
Your files should now be accessible, but you may want to take this opportunity to decrypt them:
cipher /d "D:\Users\foo\Pictures\secret.jpg"
cipher /d /s:"D:\Users\foo\Pictures"
(or right click → Advanced → uncheck "Encrypt contents to secure data" → OK).
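A check that separates the EFS cause identified in the answer from an ACL problem, and shows the date pattern the question noticed. This is an added example, not part of the original post or the quoted article; the root path is the one from the question and the variable names are illustrative.

```powershell
# Added example. $Root is the folder from the question; change it as needed.
$Root = 'C:\Windows.old\Users\MARTIN CAMPOS\Documents'

$report = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # NTFS sets the Encrypted attribute on EFS-protected files.
        # icacls and takeown change the ACL only and never touch this attribute.
        $isEfs = [bool]($_.Attributes -band [IO.FileAttributes]::Encrypted)

        # Try to open the file for reading to see whether its content is reachable.
        $readable = $true
        try {
            $fs = [IO.File]::Open($_.FullName, 'Open', 'Read', 'ReadWrite')
            $fs.Dispose()
        } catch {
            $readable = $false
        }

        [pscustomobject]@{
            Path      = $_.FullName
            Efs       = $isEfs
            Readable  = $readable
            LastWrite = $_.LastWriteTime
        }
    }

# Cross-tabulate: if every unreadable file is also EFS-encrypted,
# the "Access Denied" comes from the missing EFS key, not from permissions.
$report | Group-Object Efs, Readable | Select-Object Name, Count | Format-Table -AutoSize

$blocked = @($report | Where-Object { $_.Efs -and -not $_.Readable })
if ($blocked.Count -gt 0) {
    # Date range of the blocked files (compare with the cut-off date seen in the question).
    $range = $blocked | Measure-Object LastWrite -Minimum -Maximum
    "EFS-blocked files: {0}, last written between {1:d} and {2:d}" -f `
        $blocked.Count, $range.Minimum, $range.Maximum

    # Show the certificate thumbprint one blocked file is encrypted to (step 1 of the guide).
    cipher /c $blocked[0].Path
}
```

Run it from an elevated PowerShell prompt so that directory traversal itself is not what fails.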