GreenieLeBrun said:
That is correct. Why? Because the SID (Security Identifier) is unique to
each account, and even if you re-create the account, the SID will be different.
Even with the same SID assigned to your newly created account as was
assigned to your old account, EFS won't decrypt because the cert you
generate under the new instance of Windows won't be the same as the one
you created under the other instance of Windows. You need the cert that
you created under a particular instance of Windows. The cert can be
assigned (accessed) by multiple SIDs (accounts). When you decrypt, the
EFS cert assigned to the SID of the account you are currently logged
under gets used. The SID is not encoded into the EFS certificate. You
simply manage your certs so that a SID can use a particular cert. If
the SID were used in the cert, you would never be able to use that cert
to import it into a new install of Windows because the SID for the
same-named account would be different. SIDs are used in certificate
management, not within the cert itself; otherwise, you would never be
able to import an EFS cert into a different instance of Windows.
The username and password are irrelevant (well, there is some use of the
password along with the cryptographic key assigned to an account). If
that was all that was used then there would be no security to EFS as
anyone could create an account with that username and password to get at
your EFS-protected files. EFS is not a simplistic password scheme to
scramble the contents of files. It uses a cryptographic key that was
assigned by Windows to the SID associated with your account. A long
time ago, I found an article via Googling around on EFS recovery that
purported a means of recovering the RSA key used to create your EFS
cert. Under each userprofile is the user's registry hive (ntuser.dat).
By creating a new account (same username and password) and recovering
this user hive from backups, and because the crypto key was in the user
data portion of the registry that was used to create the EFS cert, you
could somehow regenerate the EFS cert to decrypt those files. I don't
remember the specifics since I never had to go through all that, and it
requires restoring the user registry hive from backups which most users
don't do, anyway. If they're complaining about losing access to
EFS-protected files then they probably also haven't saved partition
images for recovery. The idea was to recover the crypto key stored in
the registry for that user's old account. If Jake has saved partition
images to restore from, he wouldn't be here asking about EFS. He never
did explain why he needed to reformat his hard disk.
Jake could buy software to regain access to EFS-protected files, like
from http://www.elcomsoft.com/aefsdr.html. Depends on whether or not
Jake feels his EFS-protected data is worth $150 or $300 to recover it.
There is a free trial version that you can download. It probably only
tells you if the product could successfully decrypt the file(s) but
won't actually do it until you pay them for their rescue.
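The certificate-management steps the post describes (find the EFS certificate that belongs to the account, export it with its private key before the reinstall, import it under the new account with its new SID, and grant a second account's certificate access to a file) can be scripted. The following is an added example, not code from the poster; it assumes a Windows version with the PKI module (Get-ChildItem Cert:\, Export-PfxCertificate, Import-PfxCertificate) and cipher.exe, and every path, file name and function name in it is illustrative.

```powershell
# Added example (not from the original post). Assumes Windows 8 / Server 2012 or
# later with the PKI module and cipher.exe. Paths and file names are illustrative.

# Enhanced Key Usage OID that marks a certificate as usable for Encrypting File System.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'

# 1. Find the EFS certificate(s) in the current user's store that have a private key.
#    The SID is not in the cert; the binding to the account is just which store it sits in.
function Get-EfsCertificate {
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsEku })
        }
}

# 2. Export certificate + private key to a password-protected PFX.
#    Do this BEFORE reformatting; without the private key the files cannot be recovered.
function Export-EfsBackup {
    param(
        [Parameter(Mandatory)] [string]       $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) {
        throw 'No EFS certificate with a private key found in Cert:\CurrentUser\My'
    }
    $certs |
        Export-PfxCertificate -FilePath $Path -Password $Password -ChainOption EndEntityCertOnly |
        Out-Null
    # Return what was backed up so the thumbprints can be compared against cipher /c later.
    $certs | Select-Object Subject, Thumbprint, NotAfter
}

# 3. Import on the new install. The new account has a different SID, but the key comes
#    from the PFX, so the old SID is never needed. -Exportable keeps it backup-able again.
function Import-EfsBackup {
    param(
        [Parameter(Mandatory)] [string]       $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    Import-PfxCertificate -FilePath $Path -CertStoreLocation Cert:\CurrentUser\My `
        -Password $Password -Exportable
}

# 4. Check: cipher /c lists the certificate thumbprints that can decrypt a file.
#    Compare them with the thumbprint(s) returned by Export-EfsBackup.
function Show-EfsFileAccess {
    param([Parameter(Mandatory)] [string] $File)
    & cipher.exe /c $File
    if ($LASTEXITCODE -ne 0) { throw "cipher /c failed with exit code $LASTEXITCODE" }
}

# 5. Grant another account access to a file by adding that account's EFS certificate
#    (its public .cer, exported from that account) to the file's key list. This is the
#    "one cert / file, several SIDs" case the post mentions; the file's key is re-wrapped
#    for the added certificate and the caller must already be able to decrypt the file.
function Grant-EfsFileAccess {
    param(
        [Parameter(Mandatory)] [string] $File,
        [Parameter(Mandatory)] [string] $CerFile
    )
    & cipher.exe /adduser "/certfile:$CerFile" $File
    if ($LASTEXITCODE -ne 0) { throw "cipher /adduser failed with exit code $LASTEXITCODE" }
}

# Illustrative usage:
# $pw = Read-Host -AsSecureString 'PFX password'
# Export-EfsBackup -Path "$env:USERPROFILE\efs-backup.pfx" -Password $pw
#   ... reinstall Windows, log in as the new account (new SID) ...
# Import-EfsBackup -Path 'D:\efs-backup.pfx' -Password $pw
# Show-EfsFileAccess -File 'D:\Docs\secret.txt'
# Grant-EfsFileAccess -File 'D:\Docs\secret.txt' -CerFile 'D:\otheruser-efs.cer'
```

The PFX password is the only thing protecting the exported private key, so treat the .pfx like the files it unlocks; and because the private key in the store is itself wrapped by DPAPI under the account's password, a forced (administrative) password reset on the old account, not just a reinstall, is another way to lose access to it, which is why the export step matters.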