Cannot access files using backed-up EFS key...


I was using Windows XP Professional (with SP2) and my system crashed. I
rebooted my system but it keeps going in an infinite loop of crashing and
rebooting. I tried repairing the installation using my Windows CD but the
same issue remains. I have given up on a repair (there have been several
issues with third-party software anyways) and just want to copy my files off
the hard drive and start fresh.

My hard drive is an external enclosure hooked up to a different computer,
also running XP Pro. SP2. (Note: The account I'm using is an administrator.)
I had backed up my EFS key last month and saved it on a flash drive, so I
copied it to the local computer's hard drive and followed the instructions I
found in the Microsoft KB.
(http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx)
Everything is fine until I get to #3 under "Data Recovery Using EFS" (At
Figure #8). When I perform that step I receive the error message "To add
users to this file, you must have access to the file and Write or Modify
permission for it."

I have no idea what to do. Some of the data is backed up externally, but not
the last month's worth, so I really need to access my files!

Any ideas??
Lutz
 
As Doug said you need to have proper permissions to access encrypted files
and it would be best just to make sure you have full control permissions.
Also you are going about the wrong way to access your EFS files. See the
section under "importing keys" and images 15 and 16. Hopefully you have a
password protected .pfx file backed up as that is what is needed to restore
your EFS private key and if so you will be prompted for the password when
you attempt to import it. --- Steve
 
Doug,

I should have noted it previously, but I have already taken ownership of the
files. Unfortunately access is still denied. Any other ideas?

Lutz
 
Steven L Umbach said:
As Doug said you need to have proper permissions to access encrypted files
and it would be best just to make sure you have full control permissions.
Also you are going about the wrong way to access your EFS files. See the
section under "importing keys" and images 15 and 16. Hopefully you have a
password protected .pfx file backed up as that is what is needed to restore
your EFS private key and if so you will be prompted for the password when
you attempt to import it. --- Steve
 
Steve,

I'm sorry, I don't know what happened there...I submitted the post but my
text was left off.

I followed the instructions further down the page as you said, but am still
unable to proceed. I am still told "access denied" when trying to access the
files, and when trying to decrypt them (by unchecking the option for
encryption) I am told that "an error has occurred applying attributes to the
file: [...] The operation completed successfully." The files remain encrypted
and unaccessible. As I just wrote above, I have already taken ownership of
the files but forgot to mention it previously.

Is there something I'm missing?

Any other ideas??
Lutz
 
Just to check...
When you run EFSINFO /r /u /c, do you have:
a) A certificate with the thumbprint returned for either the user or the
recovery agent for the file you are trying to access
b) If you open the Certificates console, focused on the current user,
does the certificate indicate that you have the private key associated
with the certificate?

Brian
 
Right click the file(s) in question, select Properties and go to the Security tab. Ensure that your username is listed and has Full Control privileges.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

 
Did you import your EFS private key from a .pfx file and did that work??
Note that taking ownership of files only gives you the ability to change
permissions to them and does not grant you any so you need to make sure you
have full control to the folder/files if you have not done that yet. The
other thing to check is that the thumbprint on the certificate/private key
you imported matches the thumbprint shown needed to access the EFS file. You
can go to the properties/advanced - details to view the thumbprint info for
the EFS file. Use the mmc snapin for certificates for user [that you used to
import the .pfx file] to view the thumbprint of the EFS certificate in your
personal certificate store. --- Steve


 
They don't match! I only had a single Windows username, which is the one I
used to create, access, and encrypt the files. The pfx file I have is the
backup of the key for that username. However, they are totally different
"thumbprints." Does that mean the data's gone for good?

As to the other questions:
* I am told that EFSINFO could not be found/does not exist.
* Yes, the account I'm using has been given full control privileges.
* Yes, the key was imported successfully, though that now seems irrelevant
since the prints don't match?

Is there any hope of recovery at this point? Is there anything I can do?
Lutz
 
I don't have the .pfx file as the drive was formatted, and I have forgotten
the password also, so is there any means by which I can access that
encrypted folder?
 
That is bad news. What may have happened is at one time you exported the
private key and then selected the option to delete the private key if export
is successful. Newly encrypted files after that point would then use a newly
generated EFS certificate/private key. I suppose corruption of the EFS
certificate/private key could also cause the same. You need the EFS private
key that matches that thumbprint or the files can not be decrypted as they
are protected by AES 256 algorithm.

If you formatted the system drive of the old operating system that was
giving you a problem then the needed EFS private key was most likely
destroyed. It would be in the user profile folder under documents and
settings in the application data\Microsoft\crypto\rsa folder. Though
unlikely it may be possible to recover that folder with a file recovery
program even if the system drive has been formatted. If it is found you may
be able to gain access to your EFS files with the paid help of Microsoft
Support or with a program for EFS recovery from Elcomsoft [see links below]
that will search the computer for EFS private keys and if found prompt you
for the associated username and password to see if you can access it. They
have a free version that can do that but it will only recover very small
files and the full version is around $100. You can email them if you have
any specific questions. The last two links are to downloads for data
recovery programs. --- Steve

http://www.elcomsoft.com/company.html
http://www.elcomsoft.com/aefsdr.html

http://www.snapfiles.com/Freeware/system/fwdatarecovery.html
http://www.snapfiles.com/Shareware/system/swdatarecovery.html
 
Steve,

Thanks for all your help so far! It is most appreciated!

I have not formatted the drive so I don't have to worry about file recovery
software. The only issue is that the system cannot be booted...crashes and
reboots and a repair install didn't help.

I browsed to "application data\Microsoft\crypto\rsa folder" on the drive in
the external enclosure using the other computer and found 11 system files
that look like they begin with "thumbprint" IDs, but none of them match the
thumbprint supposedly on my files. Am I correct in my assumption that one
should match the beginning of the file name?

I downloaded the free trial version of AEFSDR 3.0 and it found 531 keys, 4
of which could be decrypted. (Is it normal to have that many?) A scan showed
that all but 1 of over 5,000 files could be decrypted, and showed me the
first 512K of each to prove it. Thus, I know that method will work.

However, I'm wondering if there's a cheaper way. When you said paid help of
Microsoft, do you mean Windows XP Support or something else? What I'm
thinking of is when you purchase a retail copy of Windows you get 2 free
support requests...does that count in this case? Could they help recover my
files (low/no cost)?

Again, thank you for your help so far and eagerly awaiting your reply.
Lutz
 
Lutz said:
Steve,

Thanks for all your help so far! It is most appreciated!

I have not formatted the drive so I don't have to worry about file
recovery software. The only issue is that the system cannot be
booted...crashes and reboots and a repair install didn't help.

I browsed to "application data\Microsoft\crypto\rsa folder" on the drive
in the external enclosure using the other computer and found 11 system
files that look like they begin with "thumbprint" IDs, but none of them
match the thumbprint supposedly on my files. Am I correct in my assumption
that one should match the beginning of the file name?

I downloaded the free trial version of AEFSDR 3.0 and it found 531 keys, 4
of which could be decrypted. (Is it normal to have that many?) A scan
showed that all but 1 of over 5,000 files could be decrypted, and showed
me the first 512K of each to prove it. Thus, I know that method will work.

However, I'm wondering if there's a cheaper way. When you said paid help
of Microsoft, do you mean Windows XP Support or something else? What I'm
thinking of is when you purchase a retail copy of Windows you get 2 free
support requests...does that count in this case? Could they help recover
my files (low/no cost)?

No, there is no cheaper way. If your data is important then $100 is a good
deal. I don't think bottom-tier MS tech support handles this. Bottom-tier
tech support is - IIRC - $35/hr. Specialized tech support is $245/hr., or
at least it was the last time I bought some a few years ago.

Data recovery by specialists such as Drive Savers starts at around $500 and
goes up from there.

So if you want your data, bite the bullet and pay to get it back. Then spend
some time learning about encryption before you try to encrypt anything else
again.

Malke
 
Wow 531 keys. I can't say that I have ever seen that many unless it means
FEK. The important thing is that it indicates that almost all your files can
be recovered. I don't believe that the numbers you see in the folder are the
thumbprints. I don't know if Microsoft would do a free support call for your
situation but you could call and ask. If not the Elcomsoft product would be
a more economical way to go.

The other option is to try and get your system to start. However I would be
sure to backup the RSA folder right away to make sure you have those private
keys no matter what. If you have not tried it yet try booting into Safe Mode
or boot with last known good configuration that you see in the alternate
start menu when you try to boot into Safe Mode. If you feel comfortable
using it you could also try using Recovery Console to try and repair the
system which may involve disabling non critical services or drivers that are
causing the problem. However the problem could be hardware related. I have
sometimes had success putting a hard drive into another computer as the
primary and then starting it up and plug and play reconfigured enough to
allow it to start up in the other computer. You could also try loading the
system registry hive for HKLM for the problem operating system from the
operating system that you currently are using and making sure that the
registry value below is set to the value shown. Start regedit and highlight
HKLM, then select file - load hive. Navigate to windows\system32\config for
the problem operating system and find system and then hit open. Give a name
to that hive. Expand HKLM, find the name, open it and go to the key below
and make sure that value is as shown. When done highlight the hive you named
and go to file and select unload hive. Then try again to get the operating
system to boot. Another thing I occasionally try in a problem system is to
make a backup of the windows\system32\config folder [so you can always get
back to where you were] and then copy the contents of the \windows\repair
folder to the windows\system32\config folder. --- Steve

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet1\Control\CrashControl\AutoReboot:
0x00000000

http://support.microsoft.com/kb/314058/ --- XP Recovery Console
 
I tried all of your suggestions but still couldn't get Windows to boot
properly. I contacted Microsoft and they suggested the same thing as you
did...use Elcomsoft's program to recover the files, then reformat the drive.
I decided it was worth it and used their software to recover all but one of
my files. I just wish I knew why the backed-up key didn't work. (I know the
"thumbprints" didn't match, but I wonder why that is.) Looks like I'll be
using a third-party encryption program as opposed to EFS from now on.

Thanks for all of your help Steve!
Lutz
 
Glad to help even though it cost you a bit of money but apparently it was
well worth it to you and at least you had the option to recover your files
as many many have not after reinstalling their operating system or due to
key corruption. Offhand it is hard to say why the backup was the incorrect
one. Like I said earlier a common reason is that a user exports his private
key and selects the option to delete it when done if successful. Then he
forgets to import it again when he wants to encrypt new files and the
operating system requests/generates a new one that is used for any new EFS
files. Just beware that any encryption program has risks. I recommend that
those that encrypt data where possible keep clear text backups such as to
DVD/cdrom/USB flash drive and then secure those in a safe place. In the
future if you continue to use EFS and I probably don't have to tell you this
but be sure to backup every EFS certificate you find in your personal
certificate store and never delete any you see there unless you are 100
percent sure they are not needed anymore. Expired EFS certificate/private
keys also still can be possibly used to decrypt files that they encrypted
before the date they expired. Another thing to consider is to designate a
Recovery Agent for your computer in Local Security Policy local
policies\public key policies\encrypted file system and then export and
delete that EFS private key to a password protected .pfx file to a couple
safe places. Once you designate a RA it will be used for all newly encrypted
and opened EFS files for every user on the computer and you can use cipher
/U to force it to be added to all current EFS files. Of course verify that
the RA is actually showing for the EFS files after you implement it via
Local Security Policy and try using it to recover a few test files. ---
Steve
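
The thumbprint comparison discussed earlier in the thread, and the advice above to keep every EFS certificate together with its private key, can be checked in one pass. The following PowerShell is an added example, not part of the original thread: it assumes Windows PowerShell 3.0 or later and English-language `cipher /c` output, and the function names are hypothetical.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Assumes Windows PowerShell 3.0+ and English-language `cipher /c` output.

# EKU OIDs: Encrypting File System, and File Recovery (recovery agent).
$EfsEkuOids = '1.3.6.1.4.1.311.10.3.4', '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsStoreCertificate {
    # Certificates in the current user's personal store that carry an EFS
    # or File Recovery EKU, with a flag for whether the private key is present.
    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
        $ekus = foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        if (@($ekus | Where-Object { $EfsEkuOids -contains $_ }).Count -gt 0) {
            $cert | Select-Object Thumbprint, HasPrivateKey, NotAfter, Subject
        }
    }
}

function Get-EfsFileThumbprint {
    param([Parameter(Mandatory)][string]$Path)
    # cipher /c lists the user and recovery certificates able to decrypt the
    # file; each one appears as "Certificate thumbprint: XXXX XXXX ...".
    foreach ($line in (& cipher.exe /c $Path 2>&1)) {
        if ("$line" -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

function Test-EfsFileRecoverable {
    param([Parameter(Mandatory)][string]$Path)
    # One row per thumbprint the file requires: is a matching certificate in
    # the store, and does that certificate still have its private key?
    $store = @(Get-EfsStoreCertificate)
    foreach ($print in @(Get-EfsFileThumbprint -Path $Path | Select-Object -Unique)) {
        $match = @($store | Where-Object { $_.Thumbprint -eq $print })
        [pscustomobject]@{
            File          = $Path
            Thumbprint    = $print
            InStore       = $match.Count -gt 0
            HasPrivateKey = @($match | Where-Object { $_.HasPrivateKey }).Count -gt 0
        }
    }
}
```

Running `Test-EfsFileRecoverable -Path <file>` after importing a .pfx backup shows whether that backup actually covers the file: a file is only recoverable from the current store if at least one row has both `InStore` and `HasPrivateKey` set to true.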
 
Steven L Umbach said:
That is bad news. What may have happened is at one time you exported the
private key and then selected the option to delete the private key if export
is successful.

If this was true on his first log out the cache would have been cleared of
his private key and he would have not been able to access his files long
before his problem.

Newly encrypted files after that point would then use a newly
generated EFS certificate/private key.

Indeed leaving his old files in state of "Access Denied"

I suppose corruption of the EFS
certificate/private key could also cause the same. You need the EFS private
key that matches that thumbprint or the files can not be decrypted as they
are protected by AES 256 algorithm.

I have the same issue only I do have an EFS certificate that matches yet it
still doesn't work, I know all the articles say you can use this to decrypt
files but it doesn't work.

 