Microsoft Office passwords have been somewhat problematic for administrators. Suppose, for example, that a user password-protects a critical document and then leaves the company. In the past, an administrator would have little choice but to purchase a password-cracking tool for Office documents and launch a brute-force attack in an effort to determine the document's password.
With the introduction of Office 2013, however, there is a better way. Microsoft offers a free tool that administrators can use to get into previously inaccessible OOXML, Word, Excel or PowerPoint files.
The DocRecrypt tool is used to strip the password from (or assign a new password to) Microsoft Office 2013 documents. Previously, such documents might have remained locked forever in the event of a forgotten password.
The download consists of a self-extracting executable. Simply double-click on the executable file, accept the license agreement, and the DocRecrypt tool will be installed.
DocRecrypt is a command-line tool. The installer places the DocRecrypt.exe file in the C:\Program Files\Microsoft Office\DocRecrypt folder.
The syntax for using DocRecrypt is relatively simple:
DocRecrypt [-p <new password>] –i <input file or folder> [-o <output file or folder>] [-q]
DocRecrypt uses "–i" to specify the name of the file that needs to be unlocked. As an alternative, this switch can be used to specify an entire folder filled with Office documents.
The optional parameter "–p" can be used to assign a brand new Microsoft Office password to sensitive documents. Simply append the new password to the parameter.
The "–o" specifies a new file or folder. This option allows users to create an unprotected document without overwriting the original in the process.
The "–q" switch is used to run the tool in Quiet mode, which is useful if you want to use it from within a script.
Note that the parameters are case-sensitive and must be entered in lower case.
Of the parameters listed in the syntax above, only the "–i" parameter is required. This parameter is used to specify a file or folder. If you select a folder, then the operation you are performing will apply to all of the Office documents within the folder, as long as they are in Office Open XML format. Documents saved in legacy Microsoft Office formats will be ignored.
To see how the "–i" parameter works, imagine that you wanted to remove the password from a protected document named "Text.docx." To do so, you could enter the following command:
DocRecrypt –i Test.docx
The above command assumes that the document is in the same folder as the DocRecrypt tool. Since that normally won't be the case in the real world, you will usually need to specify the protected document's path and file name.
You won't be able to use the DocRecrypt tool to remove the password from just any Microsoft Office document. For the tool to work, an administrator must have the private key to the escrow certificate, and the document must have the escrow key option enabled.
This is done by using Group Policy settings to push registry changes to end-user computers. These registry changes automatically associate the escrow certificate with any newly created, password-protected documents. Because the information about the escrow certificate is embedded in the document's header, admins can unlock the document if they have the private key for the escrow certificate.
This brings up another important point. DocRecrypt can be only used to unlock Office 2013 documents. Furthermore, the tool can only be run on Windows 7, Windows 8 and Windows Server 2012.
DocRecrypt is an invaluable tool for gaining access to protected documents when the Microsoft Office password is unknown. Because of its certificate requirements, you will need to implement the necessary public-key infrastructure and Group Policy settings first. DocRecrypt is only useful if the escrow certificate was linked to the document before the password was forgotten. Therefore, you must be proactive if you intend to use this tool.
This was first published in April 2013