Attn Microsoft: Vista Encryption Bug

Brandon

I have found a bug in Vista . . . a rather costly bug for me. Hopefully MS
will fix or others will avoid.

Scenario:

1. I had EFS encrypted files on an XP Pro machine. I upgraded that machine
to Vista using the method where Vista moves all XP files into the
windows.old directory.

2. After upgrading, I moved my encrypted files from the windows.old
directory to the users\user\documents directory.

3. I then restored my XP encryption key which I had backed up so I could
open these files.

4. These encrypted files now opened fine using the restored cert & key from
XP.

5. I then deleted the Vista certificate and key (not the restored cert &
key) because the cert & key Vista had created during install was not needed
since I was using the cert & key from my XP install.

6. For a few days, the files opened just fine.

7. Here's the bug . . . Having worked with these files one night just fine,
I shut down my computer. The next morning when I booted up, none of the
files would open. After extensive research using efsinfo.exe, I determined
that Vista had AUTOMATICALLY changed the thumbprint associated with the
files. The EFS thumbprint was no longer associated with the restored XP
cert & key, but it was now associated with the Vista cert & key that I had
deleted several days before.

So now, I have no way of opening these files because Vista automatically
changed their EFS key association to a nonexistent cert.

Brandon
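
A check that would surface the mismatch described in step 7 before a certificate is deleted, as an added example that is not part of the original post. It uses `cipher.exe /c` rather than the efsinfo.exe mentioned above, and assumes PowerShell is installed, that `cipher /c` prints English "Certificate thumbprint:" lines, and that `$Root` (a hypothetical default) points at the encrypted files.

```powershell
# Added example: report EFS-encrypted files that reference no certificate
# whose private key is present in the current user's store.
param(
    # Hypothetical default; point this at the folder holding the encrypted files.
    [string]$Root = "$env:USERPROFILE\Documents"
)

# Thumbprints of personal certificates that still have a private key.
$usable = @{}
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { $usable[$_.Thumbprint.ToUpper()] = $_.Subject }

$report = foreach ($file in Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue) {
    if ($file.PSIsContainer) { continue }
    if (-not ($file.Attributes -band [IO.FileAttributes]::Encrypted)) { continue }

    # cipher /c lists every certificate (user and recovery agent) that can
    # decrypt the file. Assumption: output contains lines of the form
    # "Certificate thumbprint: XXXX XXXX ...".
    $out = & cipher.exe /c $file.FullName
    $prints = @($out |
        Select-String -Pattern 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)' |
        ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpper() })

    # The file is readable only if at least one listed thumbprint maps to a
    # certificate in the store that has its private key.
    $match = @($prints | Where-Object { $usable.ContainsKey($_) })

    New-Object PSObject -Property @{
        File        = $file.FullName
        Thumbprints = ($prints -join ', ')
        KeyPresent  = ($match.Count -gt 0)
    }
}

# Files listed here would become unreadable with the keys currently installed.
$report | Where-Object { -not $_.KeyPresent } |
    Select-Object File, Thumbprints | Format-List

# Summary by thumbprint shows which certificate the files are actually bound to.
$report | Group-Object Thumbprints | Select-Object Count, Name | Format-Table -AutoSize
```

Running this before removing any certificate from the Personal store shows which thumbprint each file is bound to, so a certificate still referenced by files is not deleted without an exported copy of its private key.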
 
OKuma

Try doing a System Restore to the point just before you deleted the Vista
Certs.

I believe Vista Creates a system restore point every time you boot your
machine.

Hope this helps,

OKuma
 
Guest

Are you in a domain with a Recovery Agent? If you are, the RA can add you
back to the files as a valid user.
 
Richard Urban

Vista bugs and Vista inconsistencies definitely exist, and we all say so. It
is just that they are not the ones caused by user error or lack of
familiarity with the O/S.


--


Regards,

Richard Urban MVP
Microsoft Windows Shell/User
 
Brandon

This bug was not a user error. The steps I followed should not have caused
a problem and did not cause a problem for several days . . . then, without
warning (or user changes), Slam!

Brandon
 
Brandon

I wonder if that would fix it? Unfortunately, I don't have a restore point
for that time. Thanks.

Brandon
 
Richard Urban

I am not saying that your problem is not real.

I certainly would have gone about what you tried to accomplish in a totally
different way. No matter what anyone may say, I would never, ever try to
carry over encryption from one operating system to another. After all, it's
"MY" data, and no one is going to look after it like I will.

I would have removed the encryption from the data before trying to upgrade
the computer. Then I would have encrypted the data a second time.

But that's just me!

--


Regards,

Richard Urban MVP
Microsoft Windows Shell/User
 
Brandon

I agree with your strategy . . . looking back, this is what I would do in
the future. But there is no reason why the steps I followed shouldn't have
worked. The certificate is not OS dependent, so it shouldn't care if it's
on XP or Vista. And Vista shouldn't have changed the thumbprint on my files
automatically. Again, I could have followed a different route, but the
route I did follow should have worked.

Brandon
 
D. Spencer Hines

Richard Urban said:
I would have removed the encryption from the data before trying to upgrade
the computer. Then I would have encrypted the data a second time.

That sounds EXACTLY RIGHT to me.

DSH
 
Richard Urban

The problem may well have to do with the subtle differences in the NTFS file
system. I have found programs that worked at the structure level in Windows
XP (Partitioning programs, imaging programs etc.) do not function well in
Vista and can cause data corruption. The updated versions of these programs
work as planned. Encrypting files is definitely at the structure level.

--


Regards,

Richard Urban MVP
Microsoft Windows Shell/User
 
Brandon

No, because there was no reason to (theoretically) because I was never
intentionally using the deleted cert . . . Vista just switched to using it
without notice. I had backed up the cert that should have mattered.

Brandon

Michal Kawecki said:
Did you create a recovery certificate?
http://windowshelp.microsoft.com/Windows/en-US/Help/90cdd1fe-9cbb-4adc-bccf-7d613425e15e1033.mspx
--
Michal Kawecki [Windows - Shell/User MVP]
Warsaw, PL


Brandon said:
I agree with your strategy . . . looking back, this is what I would do in
the future. But there is no reason why the steps I followed shouldn't
have worked. The certificate is not OS dependent, so it shouldn't care if
it's on XP or Vista. And Vista shouldn't have changed the thumbprint on
my files automatically. Again, I could have followed a different route,
but the route I did follow should have worked.

Brandon
 
Michal Kawecki

It's always good creating an additional layer of protection.

So, check those tools:
http://www.elcomsoft.com/aefsdr.html
http://www.lostpassword.com/efs.htm
--
Michal Kawecki [Windows - Shell/User MVP]
Warsaw, PL


message
I have found a bug in Vista . . .

Please do not mention Vista bugs here you will upset the MVPs!
 
cquirke (MVP Windows shell/user)

Please do not mention Vista bugs here you will upset the MVPs!

No, please do - with "BUG" in the subject line!
This stuff needs to come to light!


--------------- ---- --- -- - - - -
Saws are too hard to use.
Be easier to use!
 
cquirke (MVP Windows shell/user)

Michal Kawecki said:
It's always good creating an additional layer of protection.

True - but if Vista claims something is possible or will work, then it
must work. If it's known not to work, then the process should pick
this up and alert on it.

This looks like a really nasty and significant problem...


--------------- ---- --- -- - - - -
Saws are too hard to use.
Be easier to use!
 
