STATUS_NO_USER_KEYS (0xC0000290): Missing EFS keys fix
You're getting 0xC0000290 because Windows can't find your Encrypting File System (EFS) keys. The fix is to re-create them or restore from backup.
Quick answer for advanced users
Run cipher /r:filename in an admin command prompt to create a new EFS recovery agent certificate, then use certlm.msc to import it into Trusted People. If you had keys backed up, restore the .pfx file via certmgr.msc → Personal → Certificates.
What's actually happening here
Error 0xC0000290 means Windows tried to decrypt a file or folder protected by the Encrypting File System (EFS), but your user account's EFS private key is missing. This usually happens after a Windows reinstall, a user profile rebuild, or if you migrated to a new machine without exporting your EFS certificate. EFS ties encryption to a specific certificate stored in your user's certificate store — lose that cert, and the files become inaccessible. The system literally says: "I have no key for this user."
This isn't a permission issue or a corrupted file. The encryption is still intact, but the lock (your private key) is gone. The only way in is to either restore that key or — if you're the recovery agent — create a new one and re-encrypt everything. If you never set up a recovery agent and have no backup, those files are gone. Sorry.
Numbered fix steps
1. Check if you have a backup EFS certificate. Look for a .pfx or .cer file you may have exported earlier. Search your backups, cloud storage, or old USB drives. If you find one, jump to step 4.
2. Open CertMgr as current user. Press Win+R, type certmgr.msc, hit Enter. Expand Personal → Certificates. If you see any certificates with Intended Purposes showing "Encrypting File System", you might still have a key. Double-click it, go to Details tab, check if it says "You have a private key that corresponds to this certificate." If not, it's useless.
3. Create a new EFS recovery agent certificate. Open Command Prompt as Admin (right-click Start → Terminal (Admin)). Run:
    cipher /r:EFSRecovery
   This creates two files: EFSRecovery.cer (public) and EFSRecovery.pfx (private key). It'll prompt for a password — use something strong and store it somewhere safe.
4. Import the recovery certificate. Open certlm.msc (Local Machine store) as Admin. Expand Trusted People → Certificates. Right-click → All Tasks → Import. Browse to the .cer file you just created. Complete the wizard.
5. Assign the recovery agent to your files. Right-click the encrypted folder or file → Properties → General → Advanced → Details → Add. Browse and pick the recovery certificate you imported. This tells Windows "this cert can decrypt these files."
6. Decrypt the files. Now try to open them. If they still won't open, right-click the file → Properties → General → Advanced → uncheck "Encrypt contents to secure data" → OK. Windows will prompt for the recovery certificate's private key (the .pfx file). You'll need to import that .pfx into your Personal store first (certmgr.msc → Personal → Import).
Alternative fixes if the main one fails
- Restore from a system backup. If you have a full system backup from before the key went missing, restore the entire C:\Users\YourUsername\AppData\Roaming\Microsoft\Crypto\RSA folder. That's where the private keys live. This is a long shot but works if the backup is recent enough.
- Use a third-party EFS recovery tool. Tools like Elcomsoft Advanced EFS Data Recovery can sometimes brute-force or recover keys from unallocated disk space. Costs money, but it's your last chance if no backup exists. I've seen it work on NTFS drives with partially overwritten key data.
- Check for domain-issued certificates. If this is a domain-joined machine, ask your domain admin if they pushed an EFS recovery policy. Run gpresult /h gp.html and look under Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Encrypting File System. If a data recovery agent certificate is listed, export and import it.
Prevention tip — do this now
Back up your EFS certificate every time you encrypt a file. Open certmgr.msc, export the certificate with the private key as a .pfx, password-protect it, and store it in two places — one offline (USB drive in a drawer) and one encrypted cloud backup. Also run this command once to set up a recovery agent before you need it:
    cipher /r:RecoveryAgent
Store that .pfx and .cer in a safe place. You won't think about it until the day 0xC0000290 shows up — and then you'll be glad you did.
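The private-key check from step 2 and the .pfx backup from the prevention tip can be scripted. This is an added PowerShell example, not from the original page: it lists the EFS certificates in the current user's Personal store, shows which still have a private key, and exports those to password-protected .pfx files. The $BackupDir location and the file naming are assumptions.

```powershell
# Added example. $BackupDir is an assumed path; point it at offline or removable storage.
$BackupDir = Join-Path $env:USERPROFILE 'EFS-Backup'
$EfsOid    = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for Encrypting File System

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Certificates in Personal -> Certificates whose intended purposes include EFS
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid }

if (-not $efsCerts) {
    Write-Warning 'No EFS certificate in the Personal store for this profile.'
    return
}

# Same information the certmgr.msc dialog shows, one row per certificate
$efsCerts |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey |
    Format-Table -AutoSize

# Only a certificate with its private key can decrypt, so only those are worth backing up
$usable = $efsCerts | Where-Object HasPrivateKey
if (-not $usable) {
    Write-Warning 'EFS certificates found, but none has a private key. Restore a .pfx backup.'
    return
}

$password = Read-Host 'Password for the .pfx backup' -AsSecureString

foreach ($cert in $usable) {
    $pfx = Join-Path $BackupDir ("EFS-$($cert.Thumbprint).pfx")
    try {
        Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password -ErrorAction Stop |
            Out-Null
        Write-Host "Exported $($cert.Thumbprint) to $pfx"
    }
    catch {
        # Export fails when the key was created or imported as non-exportable
        Write-Warning "Could not export $($cert.Thumbprint): $($_.Exception.Message)"
    }
}
```

To see which certificate a given file was encrypted to, run cipher /c on the file and compare the thumbprint it prints with the Thumbprint column above.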