Re: HELP WITH DE-CRYPTION!!

GreenieLeBrun wrote:

Jake wrote:
so there is no point im using the same pc with the same password and
the same every thing if the key is not exported :-( and the encrypted
file is locked forever :-(

"John John (MVP)" wrote:

The missing step is that you didn't save your encryption key on
removable media and store it in a safe place! You can't recover the
files without expert help, if at all. You will now have to rely on a
data recovery firm or on a software recovery solution.

John

Jake wrote:
THIS IS DAMN URGENT :-(

machine: Win Xp Sp2

i have some important files on an external hard drive, i encrypted
them on the hard drive using my account on my laptop (admin
account).

i for matted my laptop then created an account of the same name and
password, even my laptop regained the same name.

im trying to access the encrypted files on the external hard drive
and i cant :-(

obviously there is a missing step :-(

please any help its really urgent :-(

That is correct. Why? Because the SID (Security Identifier) is unique to
each account and even if you re-create the account the SID will be different

Even with the same SID assigned to your newly created account as was
assigned to your old account, EFS won't decrypt because the cert you
generate under the new instance of Windows won't be the same as the one
you created under the other instance of Windows. You need the cert that
you created under a particular instance of Windows. The cert can be
assigned (accessed) by multiple SIDs (accounts). When you decrypt, the
EFS cert assigned to the SID of the account you are currently logged
under gets used. The SID is not encoded into the EFS certificate. You
simply manage your certs so that a SID can use a particular cert. If
the SID were used in the cert, you would never be able to use that cert
to import it into a new install of Windows because the SID for the
same-named account would be different. SIDs are used in certificate
management, not within the cert itself; otherwise, you would never be
able to import an EFS cert into a different instance of Windows.

The username and password are irrelevant (well, there is some use of the
password along with the cryptographic key assigned to an account). If
that was all that was used then there would be no security to EFS as
anyone could create an account with that username and password to get at
your EFS-protected files. EFS is not a simplistic password scheme to
scramble the contents of files. It uses a cryptographic key that was
assigned by Windows to the SID associated with your account. A long
time ago, I found an article via Googling around on EFS recovery that
purported a means of recovering the RSA key used to create your EFS
cert. Under each userprofile is the user's registry hive (ntuser.dat).
By creating a new account (same username and password) and recovering
this user hive from backups, and because the crypto key was in the user
data portion of the registry that was used to create the EFS cert, you
could somehow regenerate the EFS cert to decrypt those files. I don't
remember the specifics since I never had to go through all that, and it
requires restoring the user registry hive from backups which most users
don't do, anyway. If they're complaining about losing access to
EFS-protected files then they probably also haven't saved partition
images for recovery. The idea was to recover the crypto key stored in
the registry for that user's old account. If Jake has saved partition
images to restore from, he wouldn't be here asking about EFS. He never
did explain why he needed to reformat his hard disk.

Jake could buy software to regain access to EFS-protected files, like
from http://www.elcomsoft.com/aefsdr.html. Depends on whether or not
Jake feels his EFS-protected data is worth $150 or $300 to recover it.
There is a free trial version that you can download. It probably only
tells you if the product could successfully decrypt the file(s) but
won't actually do it until you pay them for their rescue.
.

Relevant Pages

  • Re: EFS recovery problem
    ... this seems to break efs as it does not update the locking ... some files are missing - for each cert in mmc, ... >especially now since my account name is Dave for some reason. ... export the Dave User certificate ...
    (microsoft.public.windowsxp.security_admin)
  • Re: EFS recovery problem
    ... I should have studied EFS ... Dave User cert, I get "Access Denied". ... especially now since my account name is Dave for some reason. ... export the Dave User certificate (in *.p7b ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Help Needed on Recovering Encrypted files
    ... When I encrypt a file from a user account I should be able to access those ... Only if you use the account that was created under the instance of Windows where you used EFS. ... The SID for an account on another host, or even on the same host, will be different. ... The SID is recorded in the SAM database, so there is a way to get around EFS if you know the login credentials for that SID-identified account but it is a convoluted procedure and only works under limited scenarios. ...
    (microsoft.public.windowsxp.general)
  • Re: EFS Decryption Problem
    ... Was it only used to match up to the backed up userprofile, ... I thought the account's SID and password was involved in generating the ... a new account is created). ... instance of Windows would have a different SID even after restoring the ...
    (microsoft.public.windowsxp.security_admin)
  • Re: EFS recovery problem
    ... > groups *should* _not_ effect efs. ... >>A recovery agent will only be of use if it was set up before ... >>and since changing the group memberships of an account should ... Log out of Admin, ...
    (microsoft.public.windowsxp.security_admin)