De-crypting a File -- User ID changed!!


Jim Y.

Hi there,

Running Win XP SP2.

I am trying to un-encrypt a file I created. Here's what I believe the
problem is:

(Assume user's name is John Smith)

User ID was the first name of user; I created the file as user ID 'John'
and then encrypted it.
I then renamed my user account to initials of the user, 'js'.

Now I cannot un-encrypt the file as user 'js', as per KB article
http://support.microsoft.com/default.aspx?scid=kb;en-us;250494 -- In
fact I can't do anything with it; copy, move, open, etc.

From KB article: "To resolve this behavior, the file must be decrypted
by the user who encrypted the file, or by the designated Recovery
agent."

Who is a designated Recovery agent, the XP Administrator account?

User ID 'js' (formerly 'John') is in the Administrator's group, but
still no luck.

Ok, should I temporarily rename the User ID back to 'John' and then
un-encrypt? Will renaming the user account back to the original ID
satisfy the decryption check?

I ask, because I don't want to exacerbate the situation by a
trial-and-error situation.

Help, please. Thanks.

Jim
 

Rick "Nutcase" Rogers

Hi Jim,

An encrypted file can only be recovered by the user account that created it.
As the SID is the same, renaming the account should not affect your ability.
Creating a new account and copying it would. A Recovery Agent is something
created by the user account, and is not the administrator. I would try
renaming the account back, though that shouldn't be an issue. You should
search Help & Support on encryption before you mess with it anymore, as it
is pretty strong stuff, and you can permanently lose data if you do not take
proper precautions.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org
 

Guest

I just tried this on a WXPsp2 PRO (workgroup) and I saw no problem:
1. Log on as "John" and encrypt two files.
2. Change name of account to "js."
3. Log on as "js" and decrypt both files.
(Note: the username in the profile path is still listed as "John.")

What did you do that's different from above?
(BTW: a non-domain WXP does not have a recovery agent by default.)

Thanks.
Pat
 

Rock

Jim said:
Hi there,

Running Win XP SP2.

I am trying to un-encrypt a file I created. Here's what I believe the
problem is:

(Assume user's name is John Smith)

User ID was the first name of user; I created the file as user ID 'John'
and then encrypted it.
I then renamed my user account to initials of the user, 'js'.

Now I cannot un-encrypt the file as user 'js', as per KB article
http://support.microsoft.com/default.aspx?scid=kb;en-us;250494 -- In
fact I can't do anything with it; copy, move, open, etc.

From KB article: "To resolve this behavior, the file must be decrypted
by the user who encrypted the file, or by the designated Recovery agent."

Who is a designated Recovery agent, the XP Administrator account?

User ID 'js' (formerly 'John') is in the Administrator's group, but
still no luck.

Ok, should I temporarily rename the User ID back to 'John' and then
un-encrypt? Will renaming the user account back to the original ID
satisfy the decryption check?

I ask, because I don't want to exacerbate the situation by a
trial-and-error situation.

Help, please. Thanks.

Jim

The designated Recovery Agent is the Recovery Agent you created, if you
did so, which you should do when using the EFS to make sure you don't
run into this kind of problem. There is no default recovery agent.
Another option was to export the encryption key and store it in a safe
place. If you have not done either of these then it's possible you
won't be able to recover that file. It won't hurt to change the account
name back, you won't do any more damage than has been done already, but
it might not help either.

Do you have an image of the system before you made the change to the
account name? If so restoring that might work.
 

Jim Y.

I got a new computer.

On the old computer, the files were owned by 'js'. I backed up
everything on an external HD, then connected the HD to the new computer,
and restored.

However, the new computer account was 'John', so I restored as 'John'
(on first boot of a new computer, XP setup prompts you for the primary
user and not thinking I entered the name and not the user ID I desired).
Wanting the new computer to have the same setup as the old one, I
realized the user IDs were different, and I changed them, not thinking
about the handful of encrypted files.

I partitioned the new computer drive, so the data (My Documents, etc)
would reside on drive D. As I was moving the structure (using TweakUI)
from C:\Documents and Settings.... I got errors on the encrypted files.

Good news though (just realized this)! I still have the old computer and
just un-encrypted the original set of files, so I can copy them over in
un-encrypted form. I will reconnect the external drive (USB) to the old
computer and try to un-encrypt them there too, as I cannot open them
from the new computer, and they were created from the old computer.

However the original problem, in principle, still exists. On the new
computer, I will try renaming the user back to 'John', un-encrypt, and
then rename the user back to 'js'. I will post my results.

I'll not mess with encryption again ;-)

Thanks for the help and I'll let you know what happens.

Jim
 

Jim Y.

My files are back. I ended up un-encrypting them from the old computer
and on the external drive too. I copied them back to the new computer
un-encrypted, which is how they will stay.

As far as renaming the user ID back, decrypting, then renaming back, I
may try that at a later time on some test files, just so I understand
how it works.

Thanks again for your help.

Jim
 

Rick "Nutcase" Rogers

Hi,

It's not working because the SID is different on the other machine. Simply
using an account with the same name is not sufficient. Every account on any
machine is assigned a different security descriptor (SID), they are not
interchangeable, nor does using a backup tool allow you to migrate them from
one machine to another.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org
 

Rock

Jim said:
My files are back. I ended up un-encrypting them from the old computer
and on the external drive too. I copied them back to the new computer
un-encrypted, which is how they will stay.

As far as renaming the user ID back, decrypting, then renaming back, I
may try that at a later time on some test files, just so I understand
how it works.

Thanks again for your help.

Jim


My guess is, given what you did, renaming John won't work. The new
installation with the new account of John has a different SID from that
of js, and when you copied js to John it may have kept the new SID but
the files were encrypted under the SID from js. That's different from
renaming js to John which should keep the SID. You were lucky you still
had the original computer.
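
The two points raised in this thread (the SID rather than the account name identifies the account, and the encryption key should be exported before a migration), as an added example that is not part of any poster's message: a PowerShell pre-migration check that prints the current SID, lists the EFS certificates in the profile and backs them up. It assumes a Windows version with PowerShell and a cipher.exe that supports /x and /r, which a stock XP SP2 install may not have; the E:\efs-backup paths are placeholders.

```powershell
# Added example: run as the user who encrypted the files, BEFORE moving them.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage
$EkuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

# 1. Show the account's SID. Renaming an account keeps this value; an account
#    of the same name created on another machine gets a different one.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Account: {0}   SID: {1}" -f $identity.Name, $identity.User.Value

# 2. Find EFS certificates in the user's personal store. Decryption needs the
#    matching private key, which lives in this profile and nowhere else
#    unless it has been exported.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Extensions |
        Where-Object { $_ -is $EkuType } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $EfsOid }
}

if (-not $efsCerts) {
    Write-Warning 'No EFS certificate in this profile; files encrypted elsewhere cannot be opened here.'
}
foreach ($cert in $efsCerts) {
    "{0}  expires {1:yyyy-MM-dd}  private key present: {2}" -f `
        $cert.Thumbprint, $cert.NotAfter, $cert.HasPrivateKey
}

# 3. Back up the current user's EFS certificate and private key to a
#    password-protected .PFX (placeholder path). Importing this file on the
#    new machine is what makes restored encrypted files readable there.
cipher /x 'E:\efs-backup\user-efs'

# 4. Optional: generate a recovery agent key pair (.PFX and .CER). The .CER
#    must still be added to the EFS recovery policy, and it only covers files
#    encrypted or updated after that.
cipher /r:'E:\efs-backup\recovery-agent'
```

Keep the resulting .PFX files and their passwords off the machine being protected.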
 
