Recover Default EFS Security Certificate From Old Drive???


John

I have a hard drive (w/ XP Pro SP2) that refused to boot into Windows
recently because the 'system' files became corrupted after I loaded the new
Norton 2005 AV. It would not boot to any restore points or any safe modes -
complained 'corrupted config/system file(s).'

Anyway... I bought a new drive and loaded it with XP SP2 as well. I assigned
the old drive as a "slave" to the new one so I could recover some critical
data files (which worked just fine). However, I had (1) folder that was
encrypted on the old drive and I never had assigned a system-wide EFS
Recovery Agent - which means it used a default EFS certificate to encrypt
the folder (I assume). Of course I cannot access that folder currently.

Is there ANY way to get at that certificate from the old drive? I did NOT
reformat the old drive (I just reassigned it as a "slave" to the new drive).
The old 'ownership' references still show up since I have only changed
ownership on a few of the folders that I had to recover immediately. The
encrypted folder in question I have NOT taken ownership on (yet).

Can any of you MVP gurus or XP experts give me a clue or some guidance on
how I might recover that old certificate (assuming it is possible)? Where
would that default EFS certificate be stored on the old drive, and how could
I access it currently? Or is there a default Administrator Recovery Agent
certificate stored somewhere?

thanks for any help

John
 
If you did not back up your personal encryption certificate and associated
private key, you are not going to be able to recover the encrypted files.
Your only hope is to perform a "repair install" on that existing Windows XP
installation. There is no way to recover your certificates if you cannot
log on to that installation using your correct user name and password.

How to Perform a Windows XP Repair Install
http://www.michaelstevenstech.com/XPrepairinstall.htm

[Courtesy of MS-MVP Michael Stevens]

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.mspx

 
Carey Frisch said:
If you did not back up your personal encryption certificate and associated
private key, you are not going to be able to recover the encrypted files.
Your only hope is to perform a "repair install" on that existing Windows XP
installation. There is no way to recover your certificates if you cannot
log on to that installation using your correct user name and password.

What about Recovery Console - which I *think* allows one to log on as
'Administrator'? Any way to do it there? I note the various 'attrib'
commands available do not seem to include a decrypt option for 'e' (encrypted)
folders/files? Is there some other way in Recovery Console that you know of?

Thanks much Carey

John
 
If the Repair Option is not Available
http://www.michaelstevenstech.com/repair_install_warning.htm

"Recovery Console SP2 revision"
http://www.michaelstevenstech.com/xpfaq.html#21

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.mspx

 
John said:
I have a hard drive (w/ XP Pro SP2) that refused to boot into Windows
recently because the 'system' files became corrupted after I loaded the new
Norton 2005 AV. It would not boot to any restore points or any safe modes -
complained 'corrupted config/system file(s).'

Anyway... I bought a new drive and loaded it with XP SP2 as well. I assigned
the old drive as a "slave" to the new one so I could recover some critical
data files (which worked just fine). However, I had (1) folder that was
encrypted on the old drive and I never had assigned a system-wide EFS
Recovery Agent - which means it used a default EFS certificate to encrypt
the folder (I assume). Of course I cannot access that folder currently.

Is there ANY way to get at that certificate from the old drive? I did NOT
reformat the old drive (I just reassigned it as a "slave" to the new drive).
The old 'ownership' references still show up since I have only changed
ownership on a few of the folders that I had to recover immediately. The
encrypted folder in question I have NOT taken ownership on (yet).

Can any of you MVP gurus or XP experts give me a clue or some guidance on
how I might recover that old certificate (assuming it is possible)? Where
would that default EFS certificate be stored on the old drive, and how could
I access it currently? Or is there a default Administrator Recovery Agent
certificate stored somewhere?

Hi

As you have access to the user profile folders for the user that
encrypted the files and if you remember the password for the user
that encrypted the data, you might be able to save the files.

Take a look at this site for more details:

http://www.beginningtoseethelight.org/efsrecovery/
 
Carey said:
If you did not back up your personal encryption certificate and associated
private key, you are not going to be able to recover the encrypted files.
Your only hope is to perform a "repair install" on that existing Windows XP
installation. There is no way to recover your certificates if you cannot
log on to that installation using your correct user name and password.

Hi Carey,

What you state above is not correct; there are some other cases where
you will be able to recover the encryption certificate without needing
to log on to the original installation.

Take a look at this site for more details:

http://www.beginningtoseethelight.org/efsrecovery/
 
Torgeir Bakken (MVP) said:
Hi

As you have access to the user profile folders for the user that
encrypted the files and if you remember the password for the user
that encrypted the data, you might be able to save the files.

Take a look at this site for more details:

http://www.beginningtoseethelight.org/efsrecovery/

Thanks Torgeir - very good site. I have found the files in question in
Recovery Console, but - so far - have not been able to get the key in
question to work on the new system. The thumbprint on the key I recovered
matches the encrypted folder I had, but I am having trouble getting the file
to export to the new system. I think portions of the user profile may have
been corrupted or lost - which is why the old drive would not boot to
windows in the first place. I have not tried the hex editor procedure yet -
will report back if that works.

THANKS very much for the great link.

John
 