Help Needed on Recovering Encrypted files


Guest

Hi,

This is my friend's computer, and she installed the Microsoft Baseline
Security Analyzer program and made some changes based on its recommendations, like
changing the password etc. (honestly, she does not know the others).

After restarting it was in a no-boot situation in any mode.
I mean we could not log on in any mode, including safe mode with command prompt,
even with the default Administrator account.

When we log on we get the error message "The local policy of this system does
not allow you to log on interactively."

We tried to follow the article 307545 in the Recovery Console, but we could not
get through the password prompt; it did not accept any of the administrator
passwords that we typed in.

So we did a parallel installation of XP and then renamed the files
System, Sam, security, software and default in the c:\windows\system32\config
folder, collected the restore points from the c:\system volume
information folder and manually restored the computer to May 17.

Now we can log on to that old XP after restoring to May 17 using the new
installation.
When we logged in it asked for the password (and normally when you do a
system restore it does not change the password; I mean the latest password
must be used even if it was restored to a date after which the password was
changed), and we had to type the old password that she had before installing MS Baseline
Security Analyzer.

Now we cannot access any of the encrypted files nor decrypt them.
When we access any of the picture files we get the message "no preview
available".

Any suggestions are appreciated.

With regards,
Gopi
 

Rhonda Lea Kirk

gopi said:
Hi,

This is my friend's computer, and she installed the Microsoft Baseline
Security Analyzer program and made some changes based on its recommendations,
like changing the password etc. (honestly, she does not know the others).

If I were you, I'd repost this question here:

microsoft.public.security.baseline_analyzer

--
Rhonda Lea Kirk

Insisting on perfect safety is for people
without the balls to live in the real world.
Mary Shafer Iliff
 

Vanguard

Now we cannot access any of the encrypted files nor decrypt them.
When we access any of the picture files we get the message "no preview
available".

Did you ever export the EFS certificate after enabling/using EFS (the
cert gets created on the first use of EFS)? Did you designate an
alternate recovery agent so they had a cert that would work against your
encrypted files? Windows 2000 includes the Administrator account by
default but Windows XP does not so you have to add one.
 

Guest

Thanks for the reply.
When I encrypt a file from a user account I should be able to access those
files from that same user account, right?
That was the reason why I did not designate a recovery agent.
I am not sure if changing the password will have any effect.

I could see the certificate for this folder in Internet
Options -> Content -> Certificates.
I tried to export that to the desktop and then tried to import it from another
user account, and I still cannot access those folders.

I am not at all familiar with encryption concepts, so if you can provide any
links or explain that would be helpful.

What I don't understand is that when we normally encrypt a file from a user
account and then access that same file from that same user account, there should
not be any trouble, I guess, even after doing a system restore or changing the
password.

Thanks,
Gopi
 

Vanguard

gopi said:
Thanks for the reply.
When I encrypt a file from a user account I should be able to access
those files from that same user account, right?

Only if you use the account that was created under the instance of
Windows where you used EFS. If you move those files to some other host,
it doesn't matter that you have an account over there with the same
username and password. That is not what identifies an account. The SID
(security identifier) that is generated when you create an account is
what identifies your account, not the login credentials. The SID for an
account on another host, or even on the same host (if you delete the
account and create another using the same username and password), will
be different. The SID is recorded in the SAM database, so there is a
way to get around EFS if you know the login credentials for that
SID-identified account (I'd have to Google to go find it again), but it
is a convoluted procedure and only works under limited scenarios.

That was the reason why I did not designate a recovery agent.
I am not sure if changing the password will have any effect.

I could see the certificate for this folder in Internet
Options -> Content -> Certificates.
I tried to export that to the desktop and then tried to import it from
another user account, and I still cannot access those folders.

You created a *new* EFS cert. Each one is unique even if you delete it
and recreate it under the same account. While the cert is tied to the
SID for the account, there is still some randomness when it creates its
key strings. That's why you need the EFS cert that was created and USED,
so you can import THAT cert and not some new one that you create.

I haven't analyzed the KB 307545 article that you mentioned to see if it
works in your case. I didn't see it mention copying the old
%userprofile% folder from the old install of Windows to overlay it atop
the %userprofile% for the same-named account with the same password on the
new install of Windows. Some protection info is stored under your profile
path (in the Crypto and Protect subfolders).

Articles like
http://www.beginningtoseethelight.org/efsrecovery/index.php give an idea
of how to perform EFS recovery (but I haven't tried their procedure,
since I haven't lost my EFS key, or didn't care about the files that got
lost because they were backed up in non-EFS format but with a password
on the backups).
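The two points Vanguard makes above (the EFS key is tied to the account's SID, not to the username and password, and only the certificate that was actually used to encrypt can decrypt, so it must be exported while it still exists) boil down to a preventive check that is cheap to run before anything breaks. The following PowerShell script is an added example written for this thread, not code from any of the posters; it assumes a current Windows client with the PKI module (Export-PfxCertificate, Windows 8 / Server 2012 and later, so not the XP machines discussed here, which would use certmgr.msc and cipher.exe instead), and E:\efs-backup.pfx is a placeholder destination on removable media, not a path from the thread.

```powershell
# Added example: record the SID, find the EFS certificate actually in use, export it
# with its private key, and list which files depend on it. Assumes Windows 8+ PKI module.

# 1. The SID, not the username/password, is what the EFS key is bound to. Recording it
#    lets you later confirm a restored or re-created account is really the same one.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host "Account: $($identity.Name)"
Write-Host "SID:     $($identity.User.Value)"

# 2. EFS certificates carry the Encrypting File System EKU (OID 1.3.6.1.4.1.311.10.3.4).
#    Only a cert with its private key present can decrypt files; a freshly generated one
#    (as happened in the thread) will have a different thumbprint and cannot.
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsOid } }

if (-not $efsCerts) {
    Write-Warning 'No EFS certificate in the personal store; this account has not encrypted anything yet.'
    return
}

foreach ($cert in $efsCerts) {
    Write-Host ('EFS cert {0} valid {1:d} to {2:d}, private key present: {3}' -f `
        $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter, $cert.HasPrivateKey)
}

# 3. Export cert + private key to a password-protected PFX kept off the machine.
#    This is the backup Vanguard asks about; with it, the files survive a lost profile,
#    a rebuilt account (new SID) or a damaged SAM.
$pfxPath = 'E:\efs-backup.pfx'   # placeholder destination, not from the thread
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$efsCerts | Where-Object HasPrivateKey |
    Export-PfxCertificate -FilePath $pfxPath -Password $pfxPassword | Out-Null
Write-Host "Exported EFS certificate(s) to $pfxPath"

# 4. Inventory the files that depend on this key. cipher /u /n lists encrypted files on
#    local drives without changing anything; /h includes hidden and system files.
cipher.exe /u /n /h
```

Run it as the user who owns the encrypted files, before any password reset, profile migration or OS reinstall. The PFX password is the only thing protecting the private key once it leaves the profile, so treat the file like a credential and store it somewhere the machine's own failure cannot take with it; the certificate can later be imported into any account with Import-PfxCertificate to regain access to those exact files. Step 4 is also a useful way to notice encryption that was turned on by accident, which is a common way EFS-protected data gets lost.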
 
