Need to recover (encrypted) files from XP install on another hard drive

[Daniel]

I've got a problem where I cant boot into Windows XP Pro. I get an error
trying to load a corrupted file or something (usually whole system locks, or
I see the file its trying to load if I select safe mode). Booting up on my
other XP install on an IDE drive & renaming the bad files doesn't fix
anything. (This happened after having the computer & surge protector shut
off for 10 days while I was away, power on, boot up, crash, cant reboot.
I've had other problems with this board & also now have lost the on board
NIC too.)

If I enable boot logging, where is that log file at & what additional
information should I be looking for?

I DO have a 2nd hard drive in the system with WindowsXP on it (was able to
install on that one just fine, so hardware is likely NOT issue), but I have
a few folders I need to access. First of all I need all of the stuff in
that user account/profile (in the documents & settings area). I also have a
special folder that was created by that user (it is listed in green compared
to other folders in Windows Explorer). I'm pretty sure those files are
encrypted, & when I try to open or copy one I get an error saying I don't
have permission.

Now the problem is that if I reload Windows I lose this stuff. I don't
remember the admin password & since it is a SATA drive then the password
cracking tools (boot disks) wont recognize the hard drive (I guess I could
get a SATA to IDE converter & try after that).

Now I DO know the main windows account password, the one which actually
created those folders & has full privileges in Windows. Also remember I can
access this partition of the drive when I boot up on my other hard drive's
install of Windows.

Also that computer does not have network access as the on board NIC is
appears to be dead.

IF I'm eventually able to (once I get my SATA to IDE adapter so the boot
disks will recognize the drive) get a password cracking utility to recognize
the admin password & use the XP install CD to boot into recovery mode, can I
then copy the files to another partition or drive & have them lose their
encryption that way? Or is there a way to turn off the encryption (as I
could logged into XP itself under that user account)?

What about a way to have Windows (on the IDE drive) be told that there is
another windows on the SATA drive & to copy/recover the user settings &
files from it? I do know the password to this user account (not limited
account, full default admin style privileges) so that is not a problem.
(The only problem is inability to boot into that Windows).

Or just some way (without reinstall since that loses the accounts & files &
BTW a reinstall over itself / repair didn't fix either, tried twice) to
force windows to boot at least into safe mode? To only boot the OS &
nothing else? I select safe mode & it tries to load a huge list of files &
one of them is what stops it. Can't I say to boot windows only & not that
list of files? Or other than renaming the files how do I tell windows not
to load them? (Remember I have access to the drive from within the other XP
install).

If patches are needed that's not a problem as this is a licensed copy of
Windows on the original drive (didn't bother the whole registration thing on
the 2nd install since it is for troubleshooting only & will be wiped to free
up that drive as soon as this is fixed).

Any help is much appreciated.

 

[johns]

This takes talent. You must be in-training to
become a professor. Seems you've backed
yourself into a corner with too much theory
and too little fact. I've been called to this
one about 1000 times now, and it is a challenge.
My advice to begin with is take the bad
disk, and mount it as a SATA 2 in a known
good computer ... not hacked by a professor.
Then open the drive folder and click on TOOLS
.... Folder Options ... View ... and scroll down
to the bottom of the list and uncheck Simple
File Sharing. That will let you see SECURITY
TAB under the drive Properties ( Rclick to see ).
Make sure you list Administrator with full
rights ( you may need to ADD Administrator ).
Then, possibly, you can get control of those
files. As for the encrypted files ???? NEVER
encrypt files. If you need to encrypt files, you
more better need to NOT CREATE them in
the first place. Your only chance there is to
contact the person who wrote the Encryption
Program to download an encryption snooper
from him. I think I know the program you
probably used .. and that guy can help you.
He says so on his web site.
The only other thing I can think of .. which I
have done with minor success is to restore
the boot sector. You can get to that by booting
the install cd, and selecting one of the recovery
methods that lets you "sys" the C-drive. Also,
I've run straight Checkdsk and recovered a few
times, but that way can sack the corrupted
files, along with the entire disk if the files
have become crosslinked.

johns

 

[Guest]

This takes talent. You must be in-training to
become a professor. Seems you've backed
yourself into a corner with too much theory
and too little fact. I've been called to this
one about 1000 times now, and it is a challenge.
My advice to begin with is take the bad
disk, and mount it as a SATA 2 in a known
good computer ... not hacked by a professor.
Then open the drive folder and click on TOOLS
... Folder Options ... View ... and scroll down
to the bottom of the list and uncheck Simple
File Sharing. That will let you see SECURITY
TAB under the drive Properties ( Rclick to see ).
Make sure you list Administrator with full
rights ( you may need to ADD Administrator ).
Then, possibly, you can get control of those
files. As for the encrypted files ???? NEVER
encrypt files. If you need to encrypt files, you
more better need to NOT CREATE them in
the first place. Your only chance there is to
contact the person who wrote the Encryption
Program to download an encryption snooper
from him. I think I know the program you
probably used .. and that guy can help you.
He says so on his web site.
The only other thing I can think of .. which I
have done with minor success is to restore
the boot sector. You can get to that by booting
the install cd, and selecting one of the recovery
methods that lets you "sys" the C-drive. Also,
I've run straight Checkdsk and recovered a few
times, but that way can sack the corrupted
files, along with the entire disk if the files
have become crosslinked.

johns

Or you could use a linux boot CD (Knoppix is good) and access the files
regardless of security permissions. Download knoppix (or similar) burn CD
and make sure you PC is set to boot from the CD-ROM. Linux boot CDs
typically access the drive on read-only mode for added safety.
If the files really are encrypted (which you would definitely know because
you would have enabled encryption for some reason and knew exactly what you
were doing when you did it) a boot CD will not help. As I have never felt
the need to encrypt my files, I cannot help you with this one!

Glenn

 

[Daniel]

Or you could use a linux boot CD (Knoppix is good) and access the files
regardless of security permissions. Download knoppix (or similar) burn CD
and make sure you PC is set to boot from the CD-ROM. Linux boot CDs
typically access the drive on read-only mode for added safety.

Yes, I have noticed that when reading about other Linux based boot disks
(for cracking the WinXP Admin password I forgot...been 1.5+yrs since install
on that system & since I have admin ability anyway I never used it & forgot
password).

I will try that disk when I have the chance.

If the files really are encrypted (which you would definitely know because
you would have enabled encryption for some reason and knew exactly what you
were doing when you did it) a boot CD will not help. As I have never felt
the need to encrypt my files, I cannot help you with this one!

I just used the standard WinXP security form of encryption (where you make a
folder that only your login can access & choose to encrypt it's files also).
I did this because this isn't the only computer on the LAN at the time.
Other people had access to it through my sister's computer & I didn't want
them getting to THAT folder since it contained financial data & other
important stuff. Probably in the future I'll go with the next best option
of physical security (removable drive, if they can't physically get to the
drive over the network then they cant get to it when I'm not there because
it would be disconnected & I'll just also not share that drive that way if I
need it in another room I can just take it with me).

So I may or may not be able to access the drive, but my guess is probably
not since I need admin privileges I'd bet. Does that boot disk you
mentioned give XP Admin account password cracking (at least read & reveal
the password) privileges? So then I can go into recovery mode (why wont XP
allow me to get into recovery mode with access to another admin style
account & only not mess with another user's stuff that I'd not normally be
able to get?).

Any other ideas of how to get Windows to boot? BTW this is my ONLY SATA
capable system & that XP install isn't booting (so I can hook up the drive
to a system or that one for that matter that already has XP on it working).

Thanks for the reply.

 

[`AMD tower]

I saved a couple of old 5 1/2 inch drives, and the floppies that go with
them,
and use them for "secure" backups.
Probably dumb, but I can sleep at night.

 

[Guest]

Yes, I have noticed that when reading about other Linux based boot disks
(for cracking the WinXP Admin password I forgot...been 1.5+yrs since
install
on that system & since I have admin ability anyway I never used it &
forgot
password).

I will try that disk when I have the chance.

I just used the standard WinXP security form of encryption (where you make
a
folder that only your login can access & choose to encrypt it's files
also).
I did this because this isn't the only computer on the LAN at the time.
Other people had access to it through my sister's computer & I didn't want
them getting to THAT folder since it contained financial data & other
important stuff. Probably in the future I'll go with the next best option
of physical security (removable drive, if they can't physically get to the
drive over the network then they cant get to it when I'm not there because
it would be disconnected & I'll just also not share that drive that way if
I
need it in another room I can just take it with me).

So I may or may not be able to access the drive, but my guess is probably
not since I need admin privileges I'd bet. Does that boot disk you
mentioned give XP Admin account password cracking (at least read & reveal
the password) privileges? So then I can go into recovery mode (why wont
XP
allow me to get into recovery mode with access to another admin style
account & only not mess with another user's stuff that I'd not normally be
able to get?).

Any other ideas of how to get Windows to boot? BTW this is my ONLY SATA
capable system & that XP install isn't booting (so I can hook up the drive
to a system or that one for that matter that already has XP on it
working).

Thanks for the reply.

Here is a link to the 'Offline NT Password & Registry Editor' which can be
used to easily reset the Adminstrator Password on NT/2000/XP systems: -

http://home.eunet.no/~pnordahl/ntpasswd/

Download the CD version, burn to a disc and boot your PC from the new disk.
As you work yuur way through, all default options are set towards resetting
the admin password to 'blank' which you might want to try.

I found a good read here: -

http://support.microsoft.com/kb/223316/EN-US/ 'Best practices for the
Encrypting File System'

and here: -

http://support.microsoft.com/kb/308993/EN-US/ 'How To Remove File
Encryption in Windows XP'

As I said, I have never really looked into Windows file encryption, so I
can't go into any detail.

Glenn

 

[David Maynard]

I've got a problem where I cant boot into Windows XP Pro. I get an error
trying to load a corrupted file or something (usually whole system locks, or
I see the file its trying to load if I select safe mode). Booting up on my
other XP install on an IDE drive & renaming the bad files doesn't fix
anything. (This happened after having the computer & surge protector shut
off for 10 days while I was away, power on, boot up, crash, cant reboot.
I've had other problems with this board & also now have lost the on board
NIC too.)

If I enable boot logging, where is that log file at & what additional
information should I be looking for?

I DO have a 2nd hard drive in the system with WindowsXP on it (was able to
install on that one just fine, so hardware is likely NOT issue), but I have
a few folders I need to access. First of all I need all of the stuff in
that user account/profile (in the documents & settings area). I also have a
special folder that was created by that user (it is listed in green compared
to other folders in Windows Explorer). I'm pretty sure those files are
encrypted, & when I try to open or copy one I get an error saying I don't
have permission.

Now the problem is that if I reload Windows I lose this stuff.

Perhaps I'm missing some subtlety in there but what's wrong with doing a
repair install?

<snip>

 

[kony]

Perhaps I'm missing some subtlety in there but what's wrong with doing a
repair install?

<snip>

Agreed, that would seem a good attempt to get it working
again. Remaining two issues are then why the problem,
possibly a virus/etc that a repair won't remove, or a drive
malfunction making it prudent to first copy off everything
no matter what happens next.

 

[Daniel]

Agreed, that would seem a good attempt to get it working
again. Remaining two issues are then why the problem,
possibly a virus/etc that a repair won't remove, or a drive
malfunction making it prudent to first copy off everything
no matter what happens next.

Sorry for not making that clear in the original post. The reason a repair
install isn't looked at is because just a repair (twice) didn't fix it (same
error), & I tried a complete reinstall (non-format) but canceled before it
started anything because Windows warned me that a new install would kill any
user accounts & files encrypted or protected by those user accounts.

There is only a single folder outside of the documents & settings area which
is blocked that I need to copy the contents of. Then reloading Windows is
no problem.

 

[paulmd]

Sorry for not making that clear in the original post. The reason a repair
install isn't looked at is because just a repair (twice) didn't fix it (same
error), & I tried a complete reinstall (non-format) but canceled before it
started anything because Windows warned me that a new install would kill any
user accounts & files encrypted or protected by those user accounts.

There is only a single folder outside of the documents & settings area which
is blocked that I need to copy the contents of. Then reloading Windows is
no problem.

You are basicly screwed. If the Encrypted fileSystem was EASY to break,
there'd be no point.

THis program claims to work. But it may be snakeoil. It's free to try,
though. I've not used it myself.

http://www.openwall.com/passwords/microsoft-windows-ntfs-efs

 

[Tweek]

Sorry for not making that clear in the original post. The reason a repair
install isn't looked at is because just a repair (twice) didn't fix it
(same
error), & I tried a complete reinstall (non-format) but canceled before it
started anything because Windows warned me that a new install would kill
any
user accounts & files encrypted or protected by those user accounts.

There is only a single folder outside of the documents & settings area
which
is blocked that I need to copy the contents of. Then reloading Windows is
no problem.

This might have been covered, but have you booted to the recovery console
and run a chkdsk /r yet? If not try it, then if it still doesn't boot try a
repair install again.

 

[Daniel]

This might have been covered, but have you booted to the recovery console
and run a chkdsk /r yet? If not try it, then if it still doesn't boot try a
repair install again.

No, not done that yet because cant get through forgotten admin password.
Well I'll have a SATA to IDE adapter next week & can crack it then, after
that I can do this.

Thanks for suggestion, not tried (or heard of that) yet. What does it do?

 

[Mxsmanic]

I just used the standard WinXP security form of encryption (where you make a
folder that only your login can access & choose to encrypt it's files also).
I did this because this isn't the only computer on the LAN at the time.
Other people had access to it through my sister's computer & I didn't want
them getting to THAT folder since it contained financial data & other
important stuff. Probably in the future I'll go with the next best option
of physical security (removable drive, if they can't physically get to the
drive over the network then they cant get to it when I'm not there because
it would be disconnected & I'll just also not share that drive that way if I
need it in another room I can just take it with me).

Encryption depends on a key. If you do not have the key, you cannot
decrypt, and the data is lost. If you did not provide a key for
encryption, the system generated it from some unique information about
you. While that theoretically enables you to recreate the key, you
have to know how the system created the key, and you may or may not be
able to easily recreate the required conditions. My guess is that the
encryption is at least secure enough to make this almost ridiculously
difficult, but I don't use Windows encryption myself.

So I may or may not be able to access the drive, but my guess is probably
not since I need admin privileges I'd bet. Does that boot disk you
mentioned give XP Admin account password cracking (at least read & reveal
the password) privileges?

There's no such thing as password cracking; there is only password
guessing. If the password is well chosen, no "cracking" program will
work.

 

[kony]

Encryption depends on a key. If you do not have the key, you cannot
decrypt, and the data is lost.

.... unless the key is sufficiently short enough to crack,
which we hope isn't the case.

If you did not provide a key for
encryption, the system generated it from some unique information about
you. While that theoretically enables you to recreate the key,

Doubtful, then anyone else could come along and input this
(usually known) information and generate the key again.

you
have to know how the system created the key, and you may or may not be
able to easily recreate the required conditions. My guess is that the
encryption is at least secure enough to make this almost ridiculously
difficult, but I don't use Windows encryption myself.

There's no "difficult" about it, very secure encryption is
just as easy to crack as very poor encryption, It is "easy"
it just takes _infinitely_long_time_ to do it.

However, this is only considering brute force. There are
quite a few tricks that can help when it's a single static
key. For example, with Windows there are quite a few known
files that are static, as well as those files' contents.
That is a HUGE help to decryption specialists.

There's no such thing as password cracking; there is only password
guessing. If the password is well chosen, no "cracking" program will
work.

Nope, there is password cracking... and not just dictionary
or brute force attempts.

Frankly, instead of cracking, if I were the OP I'd be trying
to track down "reccerts.exe",
or http://www.elcomsoft.com/aefsdr.html
or http://www.beginningtoseethelight.org/efsrecovery/
or http://www.google.com

 

[Ed Medlin]

No, not done that yet because cant get through forgotten admin password.
Well I'll have a SATA to IDE adapter next week & can crack it then, after
that I can do this.

Thanks for suggestion, not tried (or heard of that) yet. What does it do?

There are 3 things there that have saved my behind. chkdsk /r that will run
chkdsk and repair, fixmbr which rebuilds the master boot record, and fixboot
which will get you back to normal after running a dual boot system. The
latter 2 just saved me yesterday after recieving Vista RC1 from MS and it
not completing it's install and basically screwing up my mbr and the boot
sector not allowing me into XP until I booted the XP cd and entered the
recovery console. The recovery console can be a great life saver. Since I
don't use a PW because I am sole user of this system I just have to hit
enter to get in.........I don't know how you can get in if you have
forgotten your PW.

Ed

 

[Mxsmanic]

... unless the key is sufficiently short enough to crack,
which we hope isn't the case.

Well-chosen keys are extremely difficult to crack, even if they aren't
very long. For example, a simple 12-character key, if it is
completely random and alphanumeric, would take millions of years to
crack.

Of course, many keys are far from random, if they are chosen by human
beings.

Doubtful, then anyone else could come along and input this
(usually known) information and generate the key again.

Not if it is generated from internal system data unique to each user
account on the system. However, the mere fact that it can be
generated (rather than being required to come from the user himself)
means that anyone finding out how the key is generated can decrypt the
data.

If the user is not asked for a key, then the only other possibility is
automatic generation of the key, as described above. That is
fundamentally insecure, but it's more convenient for users who don't
understand security to begin with.

There's no "difficult" about it, very secure encryption is
just as easy to crack as very poor encryption, It is "easy"
it just takes _infinitely_long_time_ to do it.

When it's an infinitely long time, it's an infinitely low threat.

However, this is only considering brute force. There are
quite a few tricks that can help when it's a single static
key. For example, with Windows there are quite a few known
files that are static, as well as those files' contents.
That is a HUGE help to decryption specialists.

That depends on the type of encryption. However, I suspect that any
built-in Windows encryption isn't that strong, since it still has to
be exportable and practical.

Nope, there is password cracking... and not just dictionary
or brute force attempts.

Not for NT login passwords.

 

[Rod Speed]

kony writes

Well-chosen keys are extremely difficult to crack, even if they aren't
very long. For example, a simple 12-character key, if it is completely
random and alphanumeric, would take millions of years to crack.

Of course, many keys are far from random,
if they are chosen by human beings.

Not if it is generated from internal system data unique to each user
account on the system. However, the mere fact that it can be generated
(rather than being required to come from the user himself) means that
anyone finding out how the key is generated can decrypt the data.

Not necessarily, depends on how well that is done.

If the user is not asked for a key, then the only other possibility
is automatic generation of the key, as described above. That
is fundamentally insecure,

No it isnt. Only the most poorly implemented systems use JUST
internal system data unique to each user account on the system,
its completely trivial to use truely random data instead.

but it's more convenient for users who don't understand security to begin
with.

You clearly dont yourself.

When it's an infinitely long time, it's an infinitely low threat.

That depends on the type of encryption. However, I
suspect that any built-in Windows encryption isn't that
strong, since it still has to be exportable and practical.

Mindlessly silly. Have fun explaining how that
is trivial to do with banking transactions etc.

Not for NT login passwords.

Different matter entirely.

 

[Mxsmanic]

No it isnt. Only the most poorly implemented systems use JUST
internal system data unique to each user account on the system,
its completely trivial to use truely random data instead.

If you use a random key, there's no way to decrypt later, since there
is no way to reconstruct the key. The user can use a random key,
since presumably he'll remember that key, but you cannot use random
keys when they are generated internally.

Either the key comes from internal data, or it comes from the user.

Mindlessly silly. Have fun explaining how that
is trivial to do with banking transactions etc.

Banking transactions are not heavily secured.

Different matter entirely.

An administrator password on XP is an NT login password.

 

[Rod Speed]

Rod Speed writes

If you use a random key, there's no way to decrypt
later, since there is no way to reconstruct the key.

You dont need to reconstruct it, you just record what key was used.

That is why XP encryption allows you to export the key/digital certificate
etc so it can be properly backed up in case the hard drive fails etc.

The user can use a random key, since presumably he'll remember that
key, but you cannot use random keys when they are generated internally.

Wrong, as always, see above.

Either the key comes from internal data, or it comes from the user.

Or it comes from random data and that random data based key is kept.

Banking transactions are not heavily secured.

Clearly you havent got a ****ing clue.

An administrator password on XP is an NT login password.

Pity what was being discussed was the encryption key, not the login password.

 

[David Maynard]

locks, or


on my



Sorry for not making that clear in the original post. The reason a repair
install isn't looked at is because just a repair (twice) didn't fix it (same
error), & I tried a complete reinstall (non-format) but canceled before it
started anything because Windows warned me that a new install would kill any
user accounts & files encrypted or protected by those user accounts.

There is only a single folder outside of the documents & settings area which
is blocked that I need to copy the contents of. Then reloading Windows is
no problem.

As Kony said, copy the needed files off first.

Since you've got a dead system and don't really intend to 'restore' it, per
see, I'd look into some drastic measures to get it back up enough to
decrypt the stuff.

Sure would help to know which file it's complaining about but I suspect
it's something that's in one of the caches so it's being 'restored' after
you delete it. Why it's bad in the cache being another issue.

At any rate, I'd try deleting all the cache sub directories (under windows)
along with your suspect files, wherever they are, and also the service pack
files directory (service pack goes away on a restore anyway). Also
prefetch, software distribution and, for good measure, all the service pack
uninstall directories. Plus clean the temp dir and any other tmp files,
wherever they are.

Then run chkdsk on it and clean up any file system problems, including a
full disk scan (in case of bad sectors).

Run a virus scan on it.

They try another repair reinstall.