Cannot get EFS recovery agent function to work!

Guest
Archived from groups: microsoft.public.win2000.security

I'm new to Windows 2000, running Win2k Pro on a stand-alone machine. I
encrypted some files before I knew anything about EFS - now a program
that uses some of the files cannot access them. The files were encrypted
under my "power user" account. The certificate that Win2k used to
encrypt them is enabled for "All Purposes" including Encrypted File
System, and File Recovery. As Administrator, I cannot import this
certificate for the Recovery Agent - says it is not enabled for file
recovery.

My Recovery Agent certificate (issued by Administrator to Administrator)
has a different thumbprint and is for File Recovery only.

Does EFS recovery agent's certificate thumbprint have to match the
certificate the files were encrypted with in order to recover these files?

Ken
 
Guest

Yes. For more info:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx


--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.


Top Whitepapers:

Auto-enrollment whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

Troubleshooting Certificate Status and Revocation whitepaper:
http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
"kgstrong" <kgstrong@hotmail.com> wrote in message
news:OnbX28sLFHA.2988@TK2MSFTNGP14.phx.gbl...
>
> I'm new to Windows 2000, running Win2k Pro on a stand-alone machine. I
> encrypted some files before I knew anything about EFS - now a program that
> uses some of the files cannot access them. The files were encrypted under
> my "power user" account. The certificate that Win2k used to encrypt them
> is enabled for "All Purposes" including Encrypted File System, and File
> Recovery. As Administrator, I cannot import this certificate for the
> Recovery Agent - says it is not enabled for file recovery.
>
> My Recovery Agent certificate (issued by Administrator to Administrator)
> has a different thumbprint and is for File Recovery only.
>
> Does EFS recovery agent's certificate thumbprint have to match the
> certificate the files were encrypted with in order to recover these files?
>
> Ken
 
Guest

Yes, the thumbprints need to match for either the user or Recovery Agent. If
you have a stand-alone computer and the RA is the built-in administrator
account [which it would be by default] then log on as that account and try to
decrypt the files. The utility efsinfo can display information on the
recovery agent. You can use the certificates mmc snap-in for the user to view
certificate information and the certificate will need to show that it has
the matching private key for the certificate. If you reinstalled the
operating system [other than an upgrade install] at some point, the original
user and RA certificate/private key would have been destroyed. The EFS
certificate and private key for a user/RA are stored in the user's/RA's
profile folder. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- EFS best
practices

"kgstrong" <kgstrong@hotmail.com> wrote in message
news:OnbX28sLFHA.2988@TK2MSFTNGP14.phx.gbl...
>
> I'm new to Windows 2000, running Win2k Pro on a stand-alone machine. I
> encrypted some files before I knew anything about EFS - now a program that
> uses some of the files cannot access them. The files were encrypted under
> my "power user" account. The certificate that Win2k used to encrypt them
> is enabled for "All Purposes" including Encrypted File System, and File
> Recovery. As Administrator, I cannot import this certificate for the
> Recovery Agent - says it is not enabled for file recovery.
>
> My Recovery Agent certificate (issued by Administrator to Administrator)
> has a different thumbprint and is for File Recovery only.
>
> Does EFS recovery agent's certificate thumbprint have to match the
> certificate the files were encrypted with in order to recover these files?
>
> Ken
 
Guest

I did reinstall Win2k from scratch a while back; then restored the rest
of my files from a backup. The certificate that the files were
encrypted with no longer exists on my system.

However, I was able to decrypt the files using a program called Advanced
EFS Data Recovery ($99) from elcomsoft.com. All-in-all an expensive
lesson in what NOT to do.

Thanks for the help.
Ken Strong


Steven L Umbach wrote:
> Yes, the thumbprints need to match for either the user or Recovery Agent. If
> you have a stand-alone computer and the RA is the built-in administrator
> account [which it would be by default] then log on as that account and try to
> decrypt the files. The utility efsinfo can display information on the
> recovery agent. You can use the certificates mmc snap-in for the user to view
> certificate information and the certificate will need to show that it has
> the matching private key for the certificate. If you reinstalled the
> operating system [other than an upgrade install] at some point, the original
> user and RA certificate/private key would have been destroyed. The EFS
> certificate and private key for a user/RA are stored in the user's/RA's
> profile folder. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- EFS best
> practices
>
> "kgstrong" <kgstrong@hotmail.com> wrote in message
> news:OnbX28sLFHA.2988@TK2MSFTNGP14.phx.gbl...
>
>>I'm new to Windows 2000, running Win2k Pro on a stand-alone machine. I
>>encrypted some files before I knew anything about EFS - now a program that
>>uses some of the files cannot access them. The files were encrypted under
>>my "power user" account. The certificate that Win2k used to encrypt them
>>is enabled for "All Purposes" including Encrypted File System, and File
>>Recovery. As Administrator, I cannot import this certificate for the
>>Recovery Agent - says it is not enabled for file recovery.
>>
>>My Recovery Agent certificate (issued by Administrator to Administrator)
>>has a different thumbprint and is for File Recovery only.
>>
>>Does EFS recovery agent's certificate thumbprint have to match the
>>certificate the files were encrypted with in order to recover these files?
>>
>>Ken
>
>
>
 
Guest

Glad you got it to work but the EFS private key that was used to encrypt the
files must have been available - possibly from a restore of the user's
profile from a backup?? --- Steve


"kgstrong" <kgstrong@hotmail.com> wrote in message
news:OR2jjGmMFHA.3336@TK2MSFTNGP09.phx.gbl...
>I did reinstall Win2k from scratch a while back; then restored the rest of
>my files from a backup. The certificate that the files were encrypted with
>no longer exists on my system.
>
> However, I was able to decrypt the files using a program called Advanced
> EFS Data Recovery ($99) from elcomsoft.com. All-in-all an expensive
> lesson in what NOT to do.
>
> Thanks for the help.
> Ken Strong
>
>
> Steven L Umbach wrote:
>> Yes, the thumbprints need to match for either the user or Recovery Agent.
>> If you have a stand-alone computer and the RA is the built-in
>> administrator account [which it would be by default] then log on as that
>> account and try to decrypt the files. The utility efsinfo can display
>> information on the recovery agent. You can use the certificates mmc
>> snap-in for the user to view certificate information and the certificate will
>> need to show that it has the matching private key for the certificate. If
>> you reinstalled the operating system [other than an upgrade install] at
>> some point, the original user and RA certificate/private key would have
>> been destroyed. The EFS certificate and private key for a user/RA are
>> stored in the user's/RA's profile folder. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- EFS
>> best practices
>>
>> "kgstrong" <kgstrong@hotmail.com> wrote in message
>> news:OnbX28sLFHA.2988@TK2MSFTNGP14.phx.gbl...
>>
>>>I'm new to Windows 2000, running Win2k Pro on a stand-alone machine. I
>>>encrypted some files before I knew anything about EFS - now a program
>>>that uses some of the files cannot access them. The files were encrypted
>>>under my "power user" account. The certificate that Win2k used to
>>>encrypt them is enabled for "All Purposes" including Encrypted File
>>>System, and File Recovery. As Administrator, I cannot import this
>>>certificate for the Recovery Agent - says it is not enabled for file
>>>recovery.
>>>
>>>My Recovery Agent certificate (issued by Administrator to Administrator)
>>>has a different thumbprint and is for File Recovery only.
>>>
>>>Does EFS recovery agent's certificate thumbprint have to match the
>>>certificate the files were encrypted with in order to recover these
>>>files?
>>>
>>>Ken
>>
>>
 
Guest

Can someone please confirm that as long as I know the password for the
user account which encrypted the files, I will be able to decrypt them?

I have lost the user profile (temp files, application data, local
settings, etc.) but I have NOT forgotten the password, and I'm able to
log in. However, I'm now unable to decrypt the EFS data files.

Any suggestions will be appreciated.



--
cuppachino
 
Guest

The user profile is where the EFS private key is stored and thus your EFS
private key is gone. If you have backed up the EFS private key to a .pfx file
then you could try to import it back into the user profile while logged on
as that user and try to decrypt the files. For Windows 2000 a Recovery Agent
is required, which would be the built-in administrator account for a non-domain
computer and possibly "the" domain administrator account for the
domain. The Efsinfo utility will show if and who the RA is for an EFS file
and thumbprint info. --- Steve


"cuppachino" <cuppachino.1neeu2@mail.mcse.ms> wrote in message
news:cuppachino.1neeu2@mail.mcse.ms...
>
> Can someone please confirm that as long as I know the password for the
> user account which encrypted the files, I will be able to decrypt them?
>
> I have lost the user profile (temp files, application data, local
> settings, etc.) but I have NOT forgotten the password, and I'm able to
> log in. However, I'm now unable to decrypt the EFS data files.
>
> Any suggestions will be appreciated.
>
>
>
> --
> cuppachino
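Steve's answers above come down to one check: every thumbprint an EFS file carries (user or recovery agent) must match a certificate whose private key is still present in the account's profile, and a .pfx backup is the only way to bring a lost key back. The PowerShell below is an added example, not code from this thread or from Microsoft: it reads the thumbprints off a file and reports, for each, whether the current user's store holds the certificate and its private key. It assumes a current Windows build where `cipher /c` prints the file's certificate thumbprints (on Windows 2000 the resource kit tool efsinfo filled that role); the two EKU OIDs are Microsoft's standard values for Encrypting File System and File Recovery.

```powershell
# Added example (not from the thread): does this account hold the keys an EFS file needs?
# Assumes 'cipher /c' is available (Vista and later) and PowerShell 5 or newer.
param([Parameter(Mandatory)][string]$Path)

$EfsEku      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System
$RecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (recovery agent)
$EkuType     = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

# 1. Thumbprints stored in the file's EFS metadata (users and recovery agents).
$report = cipher.exe /c $Path 2>&1 | Out-String
$onFile = [regex]::Matches($report, 'Certificate thumbprint:\s*([0-9A-F ]+)', 'IgnoreCase') |
    ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() } |
    Sort-Object -Unique
if (-not $onFile) { "No EFS thumbprints reported for $Path (not encrypted, or cipher /c failed)"; return }

# 2. EFS-capable certificates in the current user's personal store.
$mine = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $ekus = ($_.Extensions | Where-Object { $_ -is $EkuType }).EnhancedKeyUsages.Value
    ($ekus -contains $EfsEku) -or ($ekus -contains $RecoveryEku)
}

# 3. Compare: a certificate without its private key is as useless as a missing one.
foreach ($tp in $onFile) {
    $match = $mine | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $match) {
        "$tp : not in CurrentUser\My - this account cannot decrypt the file with this entry"
    } elseif (-not $match.HasPrivateKey) {
        "$tp : certificate present but private key missing (profile lost or OS reinstalled?)"
    } else {
        "$tp : OK - certificate and private key available"
        # Back it up now, as Steve advises; the .pfx can be re-imported into a fresh profile:
        # Export-PfxCertificate -Cert $match -FilePath efs-key.pfx -Password (Read-Host -AsSecureString)
    }
}
```

Run it as the account that encrypted the files; an RA thumbprint showing OK only when run as the recovery agent account is the expected result on a stand-alone machine.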