Windows crashed, EFS-Files lost???

[Guest]

Hi!

I upgradet my system with new RAM, wanted to start Windows XP SP2 and it
crashed. Now it's unable for me to start my old system, so i installed a
second one, to recover my files.

Now, i cannot access my efs-encrypted files, ok, this is, how it should
work, and i am glad, THAT it works (otherwise efs would be senseless).

But i will access my old data, my complete old system is on my hdd (so the
keys should be too), i know all passwords, is it maybe possible to start a
system from cd, that uses the login data from the hdd, but the system data
from the disc (system on the hdd is defect, so system starts from disc, but
account information is loaded from the hdd -> i can access my efs data).

I don't know, if such a disc exists, or if an other solution for this
problem is possible, but i would be glad, if someone could help me.

best regards

 

[Jan Peter Stotz]

I upgradet my system with new RAM, wanted to start Windows XP SP2 and it
crashed. Now it's unable for me to start my old system, so i installed a
second one, to recover my files.

Now, i cannot access my efs-encrypted files, ok, this is, how it should
work, and i am glad, THAT it works (otherwise efs would be senseless).

Next time, you should export the EFS private key before the crash. That
makes the EFS recovery procedure much easier...

But i will access my old data, my complete old system is on my hdd (so the
keys should be too), i know all passwords,

Ok, that is a good start. There are some commercial EFS-recovery tools
which are capable of extract the private key from your old userprofile.
For example:
"Advanced EFS Data Recovery" http://www.elcomsoft.com/aefsdr.html

Or you can try to do it manually:
http://www.beginningtoseethelight.org/efsrecovery/index.php

Jan

 

[Guest]

Next time, you should export the EFS private key before the crash. That
makes the EFS recovery procedure much easier...

i should...

Ok, that is a good start. There are some commercial EFS-recovery tools
which are capable of extract the private key from your old userprofile.
For example:
"Advanced EFS Data Recovery" http://www.elcomsoft.com/aefsdr.html

The problem is, that aefsdr is just for SP1 and i own a SP2, so the tool
can't find the data. It's funny, when i want to access my data (Documents and
Settings/me) throught the Explorer, it always tells me, that i have not
enough priviledges, but aefsdr shows me all the folders and files in the
"Documents and Settings" Folder (but it's not possible to open or copy the
files).

Or you can try to do it manually:
http://www.beginningtoseethelight.org/efsrecovery/index.php

looks good, but i am not sure, if this works also in SP2, do u know if it
works?

 

[Jan Peter Stotz]

The problem is, that aefsdr is just for SP1 and i own a SP2, so the tool
can't find the data.

On their homepage they explicitly include XP SP2:

| Advanced EFS Data Recovery (or AEFSDR) is a program to recover (decrypt)
| files encrypted on NTFS (EFS) partitions created in Windows 2000,
| Windows XP and Windows Server 2003. [..] AEFSDR [..] decrypts the files
| under [..] Windows XP (including Service Packs 1 and 2) [..]

It's funny, when i want to access my data (Documents and
Settings/me) throught the Explorer, it always tells me, that i have not
enough priviledges, but aefsdr shows me all the folders and files in the
"Documents and Settings" Folder (but it's not possible to open or copy the
files).

Did you corrected the NTFS security - give you current account full control
for the needed folders?

looks good, but i am not sure, if this works also in SP2, do u know if it
works?

AFAIK there is absolutely no difference between EFS in XP SP1 and SP2. The
last change was the possibility tu use AES as cipher which was introduced
with XP SP1.

Jan

 

[Steven L Umbach]

I would focus on trying to get the old operating system to start. You might
try an upgrade/repair install to see if that works as shown in the link
below. Then you should have access to your EFS files. If you do a repair
install and it works you would need to first install the service pack you
were using and then all critical updates at Windows Updates if you decide to
keep using it as those are rolled back by an upgrade/repair install. ---
Steve

http://helpdesk.its.uiowa.edu/windows/instructions/repairinstall.htm

"Windows XP SP2 crashed, EFS-Data lost?" <Windows XP SP2 crashed, EFS-Data
[email protected]> wrote in message
news[email protected]...

 

[enesposito]

sorry for my english, I am from Italy


1) assign to the new system the old sid

get the old sid from the name of the folder that contain the private
key

C:\Documents and Settings\username\Application
Data\Microsoft\Crypto\RSA\S-1-5-21-1390067357-507921405-1708537768-1109

to give the new sid ( in my system
S-1-5-21-1390067357-507921405-1708537768 ) use newsid
http://www.sysinternals.com/ntw2k/source/newsid.shtml


2) on the new system you must have a user with the same uid of the
user that encrypted, you can get the uid the name of the folder that
contain the private key (in my system 1109)


to chek the user uid use efsinfo from Microsoft, if you not have user
with that uid create users until the user with the right uid (the uid
is progressivly generated)

you can also use the administrator (uid 500), that is default efs
recovery agent, in that case you must use the administrator's keys

to the user you must assign the same password of the user who
encrypted and administrators right


3)you must copy on the new machine the folders:

C:\Documents and Settings\utentechehacriptato\Application
Data\Microsoft\Crypto

C:\Documents and Settings\utentechehacriptato\Application
Data\Microsoft\Protect

C:\Documents and Settings\utentechehacriptato\Application
Data\Microsoft\SystemCertificates


in the profile folder of the user with the same uid, overwriting
existing files


4) to decrypt you must logon with that user


see also http://www.beginningtoseethelight.org/efsrecovery/

if you have any problem write me (e-mail address removed)

hi
Enrico