Recover Default EFS Security Certificate From Old Drive???

john

Archived from groups: microsoft.public.windowsxp.security_admin

I have a hard drive (w/ XP Pro SP2) that refused to boot into Windows
recently because the 'system' files became corrupted after I loaded the new
Norton 2005 AV. It would not boot to any restore points or any safe modes -
complained 'corrupted config/system file(s).'

Anyway... I bought a new drive and loaded it with XP SP2 as well. I assigned
the old drive as a "slave" to the new one so I could recover some critical
data files (which worked just fine). However, I had (1) folder that was
encrypted on the old drive and I never had assigned a system-wide EFS
Recovery Agent - which means it used a default EFS certificate to encrypt
the folder (I assume). Of course I cannot access that folder currently.

Is there ANY way to get at that certificate from the old drive? I did NOT
reformat the old drive (I just reassigned it as a "slave" to the new drive).
The old 'ownership' references still show up since I have only changed
ownership on a few of the folders that I had to recover immediately. The
encrypted folder in question I have NOT taken ownership on (yet).

Can any of you MVP gurus or XP experts give me a clue or some guidance on
how I might recover that old certificate (assuming it is possible)? Where
would that default EFS certificate be stored on the old drive, and how could
I access it currently? Or is there a default Administrator Recovery Agent
certificate stored somewhere?

thanks for any help

John
 
Guest

If you did not back up your personal encryption certificate and associated
private key, you are not going to be able to recover the encrypted files.
Your only hope is to perform a "repair install" on that existing Windows XP
installation. There is no way to recover your certificates if you cannot
log on to that installation using your correct user name and password.

How to Perform a Windows XP Repair Install
http://www.michaelstevenstech.com/XPrepairinstall.htm

[Courtesy of MS-MVP Michael Stevens]

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.mspx

------------------------------------------------------------------------------

"John" wrote:

| I have a hard drive (w/ XP Pro SP2) that refused to boot into Windows
| recently because the 'system' files became corrupted after I loaded the new
| Norton 2005 AV. It would not boot to any restore points or any safe modes -
| complained 'corrupted config/system file(s).'
|
| Anyway... I bought a new drive and loaded it with XP SP2 as well. I assigned
| the old drive as a "slave" to the new one so I could recover some critical
| data files (which worked just fine). However, I had (1) folder that was
| encrypted on the old drive and I never had assigned a system-wide EFS
| Recovery Agent -
| which means it used a default EFS certificate to encrypt the folder (I
| assume). Of course I can not access that folder currently.
|
| Is there ANY way to get at that certificate from the old drive? I did NOT
| reformat the old drive (I just reassigned it as a "slave" to the new drive).
| The old
| 'ownership' references still shows up since I have only changed ownership on
| a few of the folders that I had to recover immediately. The encrypted folder
| in question I have NOT taken ownership on (yet).
|
| Can any of you MVP gurus or XP experts give me a clue or some guidance on
| how I might recover that old certificate (assuming it is possible)? Where
| would that
| default EFS certificate be stored on the old drive, and how could I access
| it currently? Or is there a default Administrator Recovery Agent certificate
| stored somewhere?
|
| thanks for any help
|
| John
 

john


"Carey Frisch [MVP]" <cnfrisch@nospamgmail.com> wrote in message
news:eTmApExJFHA.1392@TK2MSFTNGP10.phx.gbl...
> If you did not backup your personal encryption certificate and associated
> private key, you are not going to be able to recover the encrypted files.
> Your only hope is to perform a "repair install" on that existing Windows XP
> installation. There is no way to recover your certificates if you cannot
> logon on to that installation using your correct user name and password.

What about Recovery Console - which I *think* allows one to log on as
'Administrator'? Any way to do it there? I note the various 'attrib'
commands available do not seem to include a decrypt option for 'e' (encrypted)
folders/files? Is there some other way in Recovery Console that you know of?

Thanks much Carey

John
>
> How to Perform a Windows XP Repair Install
> http://www.michaelstevenstech.com/XPrepairinstall.htm
>
> [Courtesy of MS-MVP Michael Stevens]
>
> --
> Carey Frisch
> Microsoft MVP
> Windows XP - Shell/User
> Microsoft Newsgroups
>
> Be Smart! Protect Your PC!
> http://www.microsoft.com/athome/security/protect/default.mspx
>
> ------------------------------------------------------------------------------
>
> "John" wrote:
>
> | I have a hard drive (w/ XP Pro SP2) that refused to boot into Windows
> | recently because the 'system' files became corrupted after I loaded the new
> | Norton 2005 AV. It would not boot to any restore points or any safe modes -
> | complained 'corrupted config/system file(s).'
> |
> | Anyway... I bought a new drive and loaded it with XP SP2 as well. I assigned
> | the old drive as a "slave" to the new one so I could recover some critical
> | data files (which worked just fine). However, I had (1) folder that was
> | encrypted on the old drive and I never had assigned a system-wide EFS
> | Recovery Agent -
> | which means it used a default EFS certificate to encrypt the folder (I
> | assume). Of course I can not access that folder currently.
> |
> | Is there ANY way to get at that certificate from the old drive? I did NOT
> | reformat the old drive (I just reassigned it as a "slave" to the new drive).
> | The old
> | 'ownership' references still shows up since I have only changed ownership on
> | a few of the folders that I had to recover immediately. The encrypted folder
> | in question I have NOT taken ownership on (yet).
> |
> | Can any of you MVP gurus or XP experts give me a clue or some guidance on
> | how I might recover that old certificate (assuming it is possible)? Where
> | would that
> | default EFS certificate be stored on the old drive, and how could I access
> | it currently? Or is there a default Administrator Recovery Agent certificate
> | stored somewhere?
> |
> | thanks for any help
> |
> | John
>
 
Guest

If the Repair Option is not Available
http://www.michaelstevenstech.com/repair_install_warning.htm

"Recovery Console SP2 revision"
http://www.michaelstevenstech.com/xpfaq.html#21

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.mspx

------------------------------------------------------------------------------

"John" wrote:

| What about Recovery Console - which I *think* allows one to log on as
| 'Administrator'? Any way to do it there? I note the various 'attrib'
| commands available do not seem to include a decrypt option for 'e' (encrypted)
| folders/files? Is there some other way in Recovery Console that you know of?
|
| Thanks much Carey
 
Guest

John wrote:

> I have a hard drive (w/ XP Pro SP2) that refused to boot into Windows
> recently because the 'system' files became corrupted after I loaded the new
> Norton 2005 AV. It would not boot to any restore points or any safe modes -
> complained 'corrupted config/system file(s).'
>
> Anyway... I bought a new drive and loaded it with XP SP2 as well. I assigned
> the old drive as a "slave" to the new one so I could recover some critical
> data files (which worked just fine). However, I had (1) folder that was
> encrypted on the old drive and I never had assigned a system-wide EFS
> Recovery Agent -
> which means it used a default EFS certificate to encrypt the folder (I
> assume). Of course I can not access that folder currently.
>
> Is there ANY way to get at that certificate from the old drive? I did NOT
> reformat the old drive (I just reassigned it as a "slave" to the new drive).
> The old
> 'ownership' references still shows up since I have only changed ownership on
> a few of the folders that I had to recover immediately. The encrypted folder
> in question I have NOT taken ownership on (yet).
>
> Can any of you MVP gurus or XP experts give me a clue or some guidance on
> how I might recover that old certificate (assuming it is possible)? Where
> would that
> default EFS certificate be stored on the old drive, and how could I access
> it currently? Or is there a default Administrator Recovery Agent certificate
> stored somewhere?

Hi

As you have access to the user profile folders for the user that
encrypted the files and if you remember the password for the user
that encrypted the data, you might be able to save the files.

Take a look at this site for more details:

http://www.beginningtoseethelight.org/efsrecovery/



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
 
Guest

Carey Frisch [MVP] wrote:

> If you did not backup your personal encryption certificate and associated
> private key, you are not going to be able to recover the encrypted files.
> Your only hope is to perform a "repair install" on that existing Windows XP
> installation. There is no way to recover your certificates if you cannot
> logon on to that installation using your correct user name and password.

Hi Carey,

What you state above is not correct; there are some other cases where
you will be able to recover the encryption certificate without needing
to log on to the original installation.

Take a look at this site for more details:

http://www.beginningtoseethelight.org/efsrecovery/


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
 

john


"Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com> wrote in message
news:%23FRGrm%23JFHA.2796@tk2msftngp13.phx.gbl...
> John wrote:
>
>> I have a hard drive (w/ XP Pro SP2) that refused to boot into Windows
>> recently because the 'system' files became corrupted after I loaded the
>> new Norton 2005 AV. It would not boot to any restore points or any safe
>> modes - complained 'corrupted config/system file(s).'
>>
>> Anyway... I bought a new drive and loaded it with XP SP2 as well. I
>> assigned the old drive as a "slave" to the new one so I could recover
>> some critical
>> data files (which worked just fine). However, I had (1) folder that was
>> encrypted on the old drive and I never had assigned a system-wide EFS
>> Recovery Agent -
>> which means it used a default EFS certificate to encrypt the folder (I
>> assume). Of course I can not access that folder currently.
>>
>> Is there ANY way to get at that certificate from the old drive? I did NOT
>> reformat the old drive (I just reassigned it as a "slave" to the new
>> drive). The old
>> 'ownership' references still shows up since I have only changed ownership
>> on a few of the folders that I had to recover immediately. The encrypted
>> folder in question I have NOT taken ownership on (yet).
>>
>> Can any of you MVP gurus or XP experts give me a clue or some guidance on
>> how I might recover that old certificate (assuming it is possible)? Where
>> would that
>> default EFS certificate be stored on the old drive, and how could I
>> access it currently? Or is there a default Administrator Recovery Agent
>> certificate stored somewhere?
> Hi
>
> As you have access to the user profile folders for the user that
> encrypted the files and if you remember the password for the user
> that encrypted the data, you might be able to save the files.
>
> Take a look at this site for more details:
>
> http://www.beginningtoseethelight.org/efsrecovery/

Thanks Torgeir - very good site. I have found the files in question in
Recovery Console, but - so far - have not been able to get the key in
question to work on the new system. The thumbprint on the key I recovered
matches the encrypted folder I had, but I am having trouble getting the file
to export to the new system. I think portions of the user profile may have
been corrupted or lost - which is why the old drive would not boot to
Windows in the first place. I have not tried the hex editor procedure yet -
will report back if that works.

THANKS very much for the great link.

John
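
The backup whose absence caused the problem in this thread, together with the thumbprint comparison John describes, as an added example that is not part of the original posts. It assumes a working profile on Windows 8 / Server 2012 or later (not XP) with the built-in PKI module; the function name, its parameters and the `E:\KeyBackup` directory are hypothetical.

```powershell
# Added example, not from the thread. Function name, parameters and the
# backup directory are assumptions; the directory must already exist.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage OID

function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)] [string] $BackupDirectory,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        # Optional: thumbprint reported for an encrypted file (e.g. by "cipher /c"),
        # used to confirm that the key being backed up is the one that file needs.
        [string] $ExpectedThumbprint
    )

    # EFS certificates live in the user's personal store.
    $efsCerts = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku }

    if (-not $efsCerts) { Write-Warning 'No EFS certificate in this profile.'; return }

    # Thumbprints are often displayed as space-separated groups; normalise first.
    $wanted = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

    foreach ($cert in $efsCerts) {
        $status = [pscustomobject]@{
            Thumbprint      = $cert.Thumbprint
            Expires         = $cert.NotAfter
            HasPrivateKey   = $cert.HasPrivateKey
            MatchesExpected = if ($wanted) { $cert.Thumbprint -eq $wanted } else { $null }
            BackupFile      = $null
        }
        if ($cert.HasPrivateKey) {
            # The PFX carries the private key, which is the part that decrypts files.
            $path = Join-Path $BackupDirectory "efs-$($cert.Thumbprint).pfx"
            Export-PfxCertificate -Cert $cert -FilePath $path -Password $PfxPassword | Out-Null
            $status.BackupFile = $path
        } else {
            Write-Warning "$($cert.Thumbprint): certificate without private key, cannot decrypt."
        }
        $status
    }
}

Backup-EfsCertificate -BackupDirectory 'E:\KeyBackup' `
    -PfxPassword (Read-Host 'PFX password' -AsSecureString)
```

Store the resulting PFX on media separate from the system drive, since a copy on the same disk is lost along with the profile.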