Re: EFS + unbootable HDD help ...



Mikael;
You MUST have the original keys.
Simply reinstalling Windows even if the same name and password is used is
vastly insufficient.
If that worked, EFS would not be secure.
The site you used (beginningtoseethelight) is the most practical procedure.
For all practical purposes there is no hack or crack for EFS, except of
course time.
I imagine that in a few years or decades, today's EFS may be easily broken
by anyone with normal computer access---but not today.

I believe Microsoft uses a similar procedure as beginningtoseethelight, you
could try them, Step 3 on this page:
http://www3.telus.net/dandemar/encrypt.htm
You will still need access to the ORIGINAL keys.

Also see the links near the bottom of that page for ways to help prevent
this in the future.

You may have discovered why encryption is often called "The Delayed Recycle
Bin".

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar
http://www.dts-l.org


<andersen_mikael@xxxxxxxxxxx> wrote in message
news:1140641871.787387.106900@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Here's the deal:

1) HDD crashes, making it unbootable
2) It contains EFS encrypted files and I didn't backup keys

Yes, I know ... I'm a moron ... but not all hope is out and I'd like
any help ...

My hope is that:
1) I did make weekly backups and thus have the encrypted files
available.
2) Using Stellar's recovery tool I was (and still am) able to recover
virtually *all* files from the NTFS drive (haven't located a defect
file yet!!!) - accessing it from Explorer, makes the HDD make 'funny'
noises - like "I can't read anything", until it gives up and suggests
me to format :)

However recovering EFS encrypted files using Stellar is not possible
(they just contain garbage) and is not access controlled (thus not
marked green) - anyone knows of any tools that can recover EFS
encrypted files from a damaged disk??? (I've tried some different
tools, which all fail in scanning the HDD - only Stellar succeeded
incl. Active Undelete, File Scavenger)

Now on to my recovery attempts ...

I first tried following the description at
http://www.beginningtoseethelight.org/efsrecovery/index.php by changing
the SID (the "blue text" description, but no luck - still access
denied).

Then it came to me ... at least I thought ... I'll simply recreate my
OS. Since I could recover all files:
1) I simply took an old HDD, made it primary drive, installed XP on it
(until first reboot).
2) I then made my (newly bought) replacement disc primary again and
booted on it (leaving the newly formatted disc as sec. disc).
3) Copied all recovered files to the just installed HDD (I first deleted
the newly installed XP - both windows + docs. and settings folder and
then copied). I copied docs and settings + windows folder + selected
"program files" folders - made that HDD primary again and booted ...

And voila ... sign on dialog, logging in ... everything looks like
before - GREAT (was now able to easily export outlook express accounts
too, great!). But decrypt won't work ... still access denied (ownership
of files was claimed).

So I tried to encrypt a random file while watching the
C:\Documents and Settings\<user>\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1957994488-179605362-725345543-1003
folder (and protect) - and immed. after the encrypt, a new file was
generated ... I'm baffled ... it's like it can't see the file(s)
already present - how/why can't it see the files already present?????

Then I noted that the files from the recovery didn't have the same
attributes set (weren't marked as system files and weren't hidden - which
the file created in the protect folder was when created), so perhaps Stellar
didn't recover them "correctly" ??

Can anyone help ? I seem to be stuck ...
1) Since I completely replaced the new XP installation with the
recovered one - and even running on the same physical machine - I can't
see how this could fail ... unless the key-files weren't recovered
correctly by Stellar ... making the XP installation not recognize
them??

That'll put me back to my above question, about a (even better) tool,
which can extract both the latest versions of my encrypted files, along
with the correct EFS key files ?!
2) Did I miss something in "restoring" my OS, which would make this
approach fail?

looking forward to your help ....

Sincerely

Mikael Andersen

