Decrypting files if certs and keys were not backed up?

 
 
Bill Fuller
 
      24th Nov 2007
I have a laptop with a failed video card. This card was specific to the
laptop and no longer available, so I am unable to log on. However, the hard
drive is fine, including system files, etc.



Unfortunately, I have some encrypted files in my documents folder that I
forgot were encrypted and I am unable to decrypt them without logging on. I
did not back up the certs and keys prior to the video failure.



Is there any way to get the security stuff I need off the drive and decrypt
these files? (I tried, for example, copying the Windows files to one of the
boot partitions in a dual boot VM machine where one of the boot partitions
was loaded with a generic copy of Windows XP, hoping to be able to log on
there. However, startup failed (driver incompatibility, no doubt).)


 
Patrick Keenan
 
      24th Nov 2007
"Bill Fuller" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I have a laptop with a failed video card. This card was specific to the
>laptop and no longer available, so I am unable to log on. However, the hard
>drive is fine, including system files, etc.
>
>
>
> Unfortunately, I have some encrypted files in my documents folder that I
> forgot were encrypted and I am unable to decrypt them without logging on.
> I did not back up the certs and keys prior to the video failure.
>
>
>
> Is there any way to get the security stuff I need off the drive and
> decrypt these files?


The short answer is no, unless you log on.

> (I tried, for example, copying the Windows files to one of the boot
> partitions in a dual boot VM machine where one of the boot partitions was
> loaded with a generic copy of Windows XP, hoping to be able to log on
> there. However, startup failed (driver incompatibility, no doubt).)


You must not attempt to re-install windows or make any changes to the OS.
This will almost certainly prevent you from ever regaining access.

I would suggest that you step back, try to find someone somewhere with the
same system, install your drive there, and decrypt the files. That's
about your only chance for recovery.

HTH
-pk


 
Bill Fuller
 
      24th Nov 2007
"Patrick Keenan" <(E-Mail Removed)> wrote in message
news:e%(E-Mail Removed)...
> "Bill Fuller" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>I have a laptop with a failed video card. This card was specific to the
>>laptop and no longer available, so I am unable to log on. However, the
>>hard drive is fine, including system files, etc.
>>
>>
>>
>> Unfortunately, I have some encrypted files in my documents folder that I
>> forgot were encrypted and I am unable to decrypt them without logging on.
>> I did not back up the certs and keys prior to the video failure.
>>
>>
>>
>> Is there any way to get the security stuff I need off the drive and
>> decrypt these files?

>
> The short answer is no, unless you log on.
>
>> (I tried, for example, copying the Windows files to one of the boot
>> partitions in a dual boot VM machine where one of the boot partitions was
>> loaded with a generic copy of Windows XP, hoping to be able to log on
>> there. However, startup failed (driver incompatibility, no doubt).)

>
> You must not attempt to re-install windows or make any changes to the OS.
> This will almost certainly prevent you from ever regaining access.
>
> I would suggest that you step back, try to find someone somewhere with the
> same system, install your drive there, and decrypt the files. That's
> about your only chance for recovery.


Bummer. It is a five year old Toshiba laptop and I have looked everywhere
for one... or the card. No luck, so far. Sure would be nice if I could copy
security files and use my original password.


 
Pegasus (MVP)
 
      24th Nov 2007

"Bill Fuller" <(E-Mail Removed)> wrote in message
news:uoPe%(E-Mail Removed)...
> "Patrick Keenan" <(E-Mail Removed)> wrote in message
> news:e%(E-Mail Removed)...
>> "Bill Fuller" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>>I have a laptop with a failed video card. This card was specific to the
>>>laptop and no longer available, so I am unable to log on. However, the
>>>hard drive is fine, including system files, etc.
>>>
>>>
>>>
>>> Unfortunately, I have some encrypted files in my documents folder that I
>>> forgot were encrypted and I am unable to decrypt them without logging
>>> on. I did not back up the certs and keys prior to the video failure.
>>>
>>>
>>>
>>> Is there any way to get the security stuff I need off the drive and
>>> decrypt these files?

>>
>> The short answer is no, unless you log on.
>>
>>> (I tried, for example, copying the Windows files to one of the boot
>>> partitions in a dual boot VM machine where one of the boot partitions
>>> was loaded with a generic copy of Windows XP, hoping to be able to log
>>> on there. However, startup failed (driver incompatibility, no doubt).)

>>
>> You must not attempt to re-install windows or make any changes to the OS.
>> This will almost certainly prevent you from ever regaining access.
>>
>> I would suggest that you step back, try to find someone somewhere with
>> the same system, install your drive there, and decrypt the files.
>> That's about your only chance for recovery.

>
> Bummer. It is a five year old Toshiba laptop and I have looked everywhere
> for one... or the card. No luck, so far. Sure would be nice if I could
> copy security files and use my original password.
>


Copying the files is no great problem but unless you have the
certificates, you won't be able to decrypt the files on a different
machine.


 
jorgen
 
      25th Nov 2007
Bill Fuller wrote:
> I have a laptop with a failed video card. This card was specific to the
> laptop and no longer available, so I am unable to log on. However, the hard
> drive is fine, including system files, etc.
>
> Unfortunately, I have some encrypted files in my documents folder that I
> forgot were encrypted and I am unable to decrypt them without logging on. I
> did not back up the certs and keys prior to the video failure.
>
> Is there any way to get the security stuff I need off the drive and decrypt
> these files? (I tried, for example, copying the Windows files to one of the
> boot partitions in a dual boot VM machine where one of the boot partitions
> was loaded with a generic copy of Windows XP, hoping to be able to log on
> there. However, startup failed (driver incompatibility, no doubt).)
>


There are tools available that will do all the hard work of such a
recovery process. Elcomsoft has made some tools for this.
 
VanguardLH
 
      25th Nov 2007
"Bill Fuller" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I have a laptop with a failed video card. This card was specific to
>the laptop and no longer available, so I am unable to log on.
>However, the hard drive is fine, including system files, etc.
>
> Unfortunately, I have some encrypted files in my documents folder
> that I forgot were encrypted and I am unable to decrypt them without
> logging on. I did not back up the certs and keys prior to the video
> failure.
>
> Is there any way to get the security stuff I need off the drive and
> decrypt these files? (I tried, for example, copying the Windows
> files to one of the boot partitions in a dual boot VM machine where
> one of the boot partitions was loaded with a generic copy of Windows
> XP, hoping to be able to log on there. However, startup failed
> (driver incompatibility, no doubt).)



You had a failed laptop. We're supposed to guess what you have now?
If it is the same hardware, just move over the hard drive to your new
system. If the hardware is different, you could still try moving over
the hard drive and do a Repair (inplace) install of Windows to get it
to recognize the new hardware provided either Windows or you have all
the drivers for the new hardware. Then you boot using your old hard
drive, export the EFS certificate, and retrieve the contents of your
EFS-protected files (and encrypt them with something like
Truecrypt that doesn't rely on any external certs).

 
VanguardLH
 
      25th Nov 2007
"VanguardLH" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "Bill Fuller" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>I have a laptop with a failed video card. This card was specific to
>>the laptop and no longer available, so I am unable to log on.
>>However, the hard drive is fine, including system files, etc.
>>
>> Unfortunately, I have some encrypted files in my documents folder
>> that I forgot were encrypted and I am unable to decrypt them
>> without logging on. I did not back up the certs and keys prior to
>> the video failure.
>>
>> Is there any way to get the security stuff I need off the drive and
>> decrypt these files? (I tried, for example, copying the Windows
>> files to one of the boot partitions in a dual boot VM machine where
>> one of the boot partitions was loaded with a generic copy of
>> Windows XP, hoping to be able to log on there. However, startup
>> failed (driver incompatibility, no doubt).)

>
>
> You had a failed laptop. We're supposed to guess what you have now?
> If it is the same hardware, just move over the hard drive to your
> new system. If the hardware is different, you could still try
> moving over the hard drive and do a Repair (inplace) install of
> Windows to get it to recognize the new hardware provided either
> Windows or you have all the drivers for the new hardware. Then you
> boot using your old hard drive, export the EFS certificate, and
> retrieve the contents of your EFS-protected files (and encrypt
> them with something like Truecrypt that doesn't rely on any external
> certs).
>



By the way, before trying to change the old hard drive by doing a
Repair install on it, add it as a slave drive and save an image of the
drive or partitions.

 
Bill Fuller
 
      25th Nov 2007

"Pegasus (MVP)" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
>
> Copying the files is no great problem but unless you have the
> certificates, you won't be able to decrypt the files on a different
> machine.
>


There does seem to be a brute force way of doing this from the intact hard
drive described here:

http://www.beginningtoseethelight.org/efsrecovery/

However, it appears to be out of date. For example, locating the folder
"c:\documents and settings\foo\application data\microsoft\crypto\" for
private keys does not exist on my machine. I did find "c:\documents and
settings\foo\application data\microsoft\credentials\", which appears to be
the same. Also, all references to folders and files under "hklm\sam\sam\"
were nonexistent. This folder is empty.


 
Bill Fuller
 
      25th Nov 2007
"Bill Fuller" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "Pegasus (MVP)" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>>
>> Copying the files is no great problem but unless you have the
>> certificates, you won't be able to decrypt the files on a different
>> machine.
>>

>
> There does seem to be a brute force way of doing this from the intact hard
> drive described here:
>
> http://www.beginningtoseethelight.org/efsrecovery/
>
> However, it appears to be out of date. For example, locating the folder
> "c:\documents and settings\foo\application data\microsoft\crypto\" for
> private keys does not exist on my machine. I did find "c:\documents and
> settings\foo\application data\microsoft\credentials\", which appears to be
> the same. Also, all references to folders and files under "hklm\sam\sam\"
> were nonexistent. This folder is empty.
>

Correction to above, I did find the missing files on the non-bootable drive.

What is salient about the link above is the following quote:

if you have following folders and their contents from the original install of
2k or xp - you can recover your efs data. knowledge of your password is also
required for this amount of data.

c:\documents and settings\foo\application data\microsoft\crypto\
- private keys

c:\documents and settings\foo\application data\microsoft\protect\
- locks your current password to your private keys

c:\documents and settings\foo\application data\microsoft\systemcertificates\
- public keys (not essential to be the original as another valid key can be
made up)

this data may be on an unbootable system, a backup, roaming profile or
currently on the system, either in the file system or in the free space.
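
An added example (not part of the thread or of the linked page): a Python check that a profile copied from the old drive, or held in a backup, still contains the key material the quote lists, before anything is changed on the original disk. The function names and the sample tree are hypothetical; the SID-named subfolders and GUID-named master key files are the standard Windows 2000/XP layout, which goes beyond the three folder names quoted above.

```python
import re
import tempfile
from pathlib import Path

SID_RE = re.compile(r"S-1-5-21(-\d+){4}")  # user account SID
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def find(root, *names):
    """Case-insensitive descent; the copy may sit on a case-sensitive filesystem."""
    for name in names:
        if root is None or not root.is_dir():
            return None
        root = next((p for p in root.iterdir() if p.name.lower() == name.lower()), None)
    return root if root is not None and root.is_dir() else None

def per_sid_counts(folder, name_ok=lambda n: True):
    """Map each SID-named subfolder to the number of matching files inside it."""
    subdirs = folder.iterdir() if folder else []
    return {d.name: sum(1 for f in d.iterdir() if f.is_file() and name_ok(f.name))
            for d in subdirs if d.is_dir() and SID_RE.fullmatch(d.name)}

def efs_material_report(profile):
    """Inventory the Crypto, Protect and SystemCertificates folders of a copied profile."""
    ms = find(Path(profile), "Application Data", "Microsoft")
    master = per_sid_counts(find(ms, "Protect"), lambda n: bool(GUID_RE.fullmatch(n)))
    private = per_sid_counts(find(ms, "Crypto", "RSA"))
    certs_dir = find(ms, "SystemCertificates", "My", "Certificates")
    certs = sum(1 for f in certs_dir.iterdir() if f.is_file()) if certs_dir else 0
    problems = [f"private keys for {sid} but no master key under Protect"
                for sid, n in private.items() if n and not master.get(sid)]
    if not any(private.values()):
        problems.append("no private key files under Crypto\\RSA\\<SID>")
    return dict(master_keys=master, private_keys=private, certificates=certs, problems=problems)

def build_sample(root, with_protect=True):
    """Constructed sample tree; the SID, GUID and file names are placeholders."""
    ms = Path(root) / "documents and settings" / "foo" / "application data" / "microsoft"
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1003"
    key = ms / "crypto" / "rsa" / sid / "constructed_key_container"
    key.parent.mkdir(parents=True)
    key.write_bytes(b"placeholder")
    if with_protect:
        mk = ms / "protect" / sid / "01234567-89ab-cdef-0123-456789abcdef"
        mk.parent.mkdir(parents=True)
        mk.write_bytes(b"placeholder")
    return ms.parent.parent

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(efs_material_report(build_sample(tmp, with_protect=False)))
```

A missing certificate store is not reported as a problem, matching the quote's remark that the public keys are not essential.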


 