Recover encrypted file?

My wife was running Windows XP Pro on her laptop. She had a Microsoft Word
document containing various passwords. I (foolishly, it turns out) suggested
that she encrypt the file, which she did with the normal XP encryption
mechanism. The laptop suffered a catastrophic hardware failure and is no
longer in service. I have a backup tape of the whole system that was done
with the XP backup accessory. I've restored that to another XP system and
find that I cannot decrypt that file, even logged in as administrator (I've
seen comments in help documents that suggest that the administrator is the
default designated recovery agent; well, apparently not in this case). The
help information for this is so confusing it, too, might as well be
encrypted. I am a computer professional -- I wrote my first computer program
as a college student in 1960! -- and have done a good deal of operating
systems programming myself, so I'm not a novice. Can someone cut through all
this crazy complexity and suggest how I might decrypt this file?

Thanks --
/Don Allen
 
If you neglected to make a copy of your Personal Encryption Certificate,
and associated Private Key (and no recovery agent certificates exist)
when your original Windows XP installation was still operational, you
won't be able to open or use your encrypted files.
No back door exists, nor is there any practical way to open those files.
(If there were, it wouldn't be very good encryption.)

HOW TO: Remove File Encryption in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308993

Without a backup of the original Encryption Certificate Key, encrypted files
are unrecoverable as they will stay encrypted forever. There is no recovery
method since the encryption security algorithm is now completely different
with a reinstall of Windows XP.

See if the following articles help in any way:

HOW TO: Take Ownership of a File or Folder in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308421

Best Practices for the Encrypting File System
http://support.microsoft.com/default.aspx?scid=kb;en-us;223316

Encrypting File System in Windows XP
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

EFS Files Appear Corrupted When You Open Them
http://support.microsoft.com/default.aspx?scid=kb;en-us;329741

--
Carey Frisch
Microsoft MVP
Windows - Shell/User
Microsoft Community Newsgroups
news://msnews.microsoft.com/

 
Thank you for your response, though I don't like the answer much!

Your use of the word "neglected" brings up the issue that Windows 2000 and
XP allow you to casually encrypt files without warning you of this trap --
that encryption keys must be backed up separately from a normal backup (which
makes sense if you're a computer pro and you think about it; I didn't think
about it and there's zero chance an ordinary user would). Some sort of
warning ("If you encrypt this file/folder, you must do x,y, and z to back up
the encryption key. If you do not do this and your system fails, you will not
be able to recover the encrypted files.") I think would be in order to help
users avoid falling into the trap I did.

But thanks again for trying to help.

/Don
 
Bad news, I'm afraid.

If your encryption certificates and keys were not backed up
before the reinstallation, and the workstation isn't part of a domain
(whose Administrator might act as the designated recovery agent), those
files are gone, for all practical purposes. Encryption works well and
there is no "back door" or hack to access the files. (Wouldn't be much
point to EFS if it were easily by-passed.)


--

Bruce Chambers

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Aloha Don,

I think I may just have the solution you need. You see, I had EFS trouble
just-a-few-posts-in-this-forum-ago and this fine fellow below named Steven
gave me this reply. I was skeptical at first, but I tried the trial version
out and luckily it partially decrypted a text file which clued me in that it
really did work. When you try the trial version out, it will tell you if you
can decrypt or not. If it can decrypt, it will tell you that it only decrypts
a "snippet" of the file so as to encourage you to buy the full product. I
found that partially decrypted MS Office & PDF files were no good to me as
they were truncated and didn't open as such. Lucky for me I had an actual
old-fashioned text file which decrypted perfectly, albeit only the first
portion of it though. I opted for the personal edition which was the cheaper
of the two versions, but it worked flawlessly. I tip my hat to Steven for
being so sharp on this subject matter and for sharing this life saving tip
with me. Take care and best of luck.

Very Respectfully,
Chris Elmore

Steven L Umbach wrote:

"The article in the KB link is for Windows 2000 but also applies to XP Pro.
Since your computer's and users' SIDs changed your EFS private key will no
longer work and to avoid such a problem you need to backup your EFS private
key before you use sysprep which it sounds like you did not do. What I would
do is to try the free version of software from ElcomSoft to see if it can
find and access your EFS private key after you input the password used for
your user account associated with the private key. If it can then you may
want to buy the full version for $99 to try and recover your files. The
free version will only recover EFS small files but will show if the program
can work or not for you. --- Steve

http://support.microsoft.com/?kbid=288348
http://www.elcomsoft.com/aefsdr.html --- ElcomSoft"
 
If you backed up the system state and the user's profile you should be able
to recover the key to access the encrypted files.

If you have a full backup including the system state then you can perform a
clean install of Windows then restore that backup, logon as the user and you
should have access. Note this will overwrite whatever you currently have on
the drive so make sure that is backed up first. When finished copying the
encrypted files to CD or floppy you would have to perform the same operation
again restoring this new backup.

If the backup does not include the system state but does include the user
profile with the key then there is 3rd party software that may be able to
recover the key and decrypt the files.

http://www.elcomsoft.com/aefsdr.html

Note: I have not personally tried this software. Others have reported
varying degrees of success.

Kerry
 
1) assign the old SID to the new system

get the old SID from the name of the folder that contains the private
key

C:\Documents and Settings\username\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1390067357-507921405-1708537768-1109

to set the new SID (in my system
S-1-5-21-1390067357-507921405-1708537768) use newsid
http://www.sysinternals.com/ntw2k/source/newsid.shtml


2) on the new system you must have a user with the same uid as the
user that encrypted; you can get the uid from the name of the folder that
contains the private key (in my system 1109)


to check the user uid use efsinfo from Microsoft; if you do not have a user
with that uid, create users until you get the user with the right uid (the uid
is progressively generated)

you can also use the administrator (uid 500), that is the default EFS
recovery agent; in that case you must use the administrator's keys

you must assign to the user the same password as the user who
encrypted, and administrator rights


3) you must copy to the new machine the folders:

C:\Documents and Settings\utentechehacriptato\Application Data\Microsoft\Crypto

C:\Documents and Settings\utentechehacriptato\Application Data\Microsoft\Protect

C:\Documents and Settings\utentechehacriptato\Application Data\Microsoft\SystemCertificates


into the profile folder of the user with the same uid, overwriting
existing files


4) to decrypt you must log on as that user


see also http://www.beginningtoseethelight.org/efsrecovery/

if you have any problems, write to me (e-mail address removed)

hi
Enrico
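
A pre-flight check for the procedure in the post above, as an added example that is not part of the original thread: it inspects a restored `Application Data\Microsoft` folder, confirms the three folders from step 3 are present, and splits the SID-named key folder into the machine SID and the trailing number the post calls the uid. The function names and the sample tree are assumptions made for illustration; the `Protect\<SID>` check relies on the standard profile layout, where the master keys sit in a folder named after the same SID.

```python
import re
import tempfile
from pathlib import Path

# Folders that step 3 of the post says to copy from the old profile.
REQUIRED = ("Crypto", "Protect", "SystemCertificates")
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split an account SID into (machine SID, trailing number).

    The post calls the trailing number the uid; Windows calls it the RID.
    """
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an account SID: {sid!r}")
    return m.group(1), int(m.group(2))


def inspect_profile(ms_dir):
    """Report what a restored ...\\Application Data\\Microsoft folder holds."""
    ms_dir = Path(ms_dir)
    report = {"missing": [n for n in REQUIRED if not (ms_dir / n).is_dir()],
              "sid": None, "machine_sid": None, "uid": None,
              "protect_matches": False}
    rsa = ms_dir / "Crypto" / "RSA"
    sids = sorted(p.name for p in rsa.iterdir()
                  if p.is_dir() and SID_RE.match(p.name)) if rsa.is_dir() else []
    if len(sids) == 1:  # zero or several SID folders needs a manual look
        sid = sids[0]
        report["sid"] = sid
        report["machine_sid"], report["uid"] = split_sid(sid)
        # Master keys are expected under Protect\<same SID>; a mismatch
        # means the backup mixes material from different accounts.
        report["protect_matches"] = (ms_dir / "Protect" / sid).is_dir()
    return report


def build_sample(root):
    """Constructed sample tree, using the SID quoted in the post."""
    sid = "S-1-5-21-1390067357-507921405-1708537768-1109"
    ms = Path(root) / "Application Data" / "Microsoft"
    (ms / "Crypto" / "RSA" / sid).mkdir(parents=True)
    (ms / "Protect" / sid).mkdir(parents=True)
    return ms  # SystemCertificates is deliberately left out


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(inspect_profile(build_sample(tmp)))
```

A non-empty `missing` list means the backup did not capture everything step 3 needs, so the restore is worth fixing before changing any SID on the new machine.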
 