Access Denied to Encrypted Folders

[WJB]

Hi,

I'm running Norton 360 on Vista Ultimate. N360 complained that my account
had a weak password so I fixed it by changing my password to a strong one.
Now I cannot access any of my encrypted folders. I tried changing my password
back just to decrypt the folders, still no success. When I did encrypt the
folders Vista didn't ask me for an encryption password so I assume it used my
account password for this purpose. Any idea how I can resolve this?

Thanks

 

[Derik]

try and take control of the folder. if u do not know how to do this ask
and i will tell you how.

 

[Rick Rogers]

Hi,

Encryption does not use your password, it uses an encryption certificate
created when you first encrypt a folder. I'm not sure what affect Norton360
may have had on the system when you changed the password, but simply doing
so should not have had any affect on accessing the encrypted folders. Have
you made any other changes to your user account?

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org
My thoughts http://rick-mvp.blogspot.com

 

[WJB]

Thanks, Derik. I'm not sure I know what "take control of the folder means"?
I'm the administrator on this computer; doesn't this mean I have full control
over all its folders?

 

[WJB]

Thanks, Rick. Without actually knowing this, I did notice that after I
encrypted the folders, I was asked to backup an encryption certificate, which
I did. Later, I changed my password to the strong password after being
prompted by N360. When I couldn't open or unencrypt any file in an encrypted
folder, I changed my password back, thinking that that was the issue. I was
prompted again to backup the encryption key, which I backed up to a different
file. However, I have tried re-importing (restoring) back both encyrption
keys with no success.

Another question that comes to mind is: can you have multiple encryption
keys in effect with Windows selecting whichever one was used to enrypt a
particular folder? I'm concerned that I have encrypted some folders BEFORE
changing to the strong password, and some after, with an encryption key
backup in between.

Thanks for explaining this to me. However, I'm still stuck!

 

[Derik]

not necessarily. to take control of a folder means to make yourself the
creator/owner of it. and the creator/owner of a folder can deny the
administrator rights to the folder.

 

[WJB]

Derik & Rick,

I took control of the files. I was the creator/owner on most of them anyway,
but I am now on all of them. However, I read in the on-line help that even
creator/owner rights won't make encrypted folders or files accessible without
the correct encryption key. So I again restored/imported all backed up pfx
files and checked the Cert manager to make sure they're there. However, still
no access. Important: When backing up and restoring the .pfx keys, I accepted
the defaults since I didn't really know any better to change anything.

I'm not sure I understand how this all works. In understand that the
encryption key is not related to the Windows account password, but Windows
did change it on me, I'm guessing that it happened when I changed my password
to a strong one. That is the only security-related action I've taken in the
last month. If Windows picks encryption keys on its own and changes them on
itw own, how can a user guarantee that files encrypted today are accessible
tomorrow?

One other thing. Before I changed the password, I made a full system backup.
Is there a way I can restore specific files only. The backup set is referred
to as a WindowsImageBackup and is made up of a couple of .vhd files and a
number of .xml files. Can I verify somehow that the files I'm looking for are
in that backup without risking a restore that overwrites my computer? If not,
is my only option to get a spare drive and replace it in my system then
restore to it so I can retrieve the files?

Finally, are there any good articles you can recommend for these two topics:
Encryption and Certificates, and Full System Backup and Restore. The online
help doesn't provide much information. For example, if I perform a full
system backup, is there a way I can create a minimal system bootable CD that
I can use to boot the system and restore the complete image backup?

Thank you both very much for your help.

 

[Rick Rogers]

Hi,

Unfortunately, I've no idea what N360 might've done to your system. Just
changing the password should not have required that a new encryption
certificate be backed up. Are you certain N360 didn't have you create a new
account altogether? Vista does not change the key once created, so something
else is causing it to happen.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org
My thoughts http://rick-mvp.blogspot.com

 

[WJB]

Thanks, Brink. Didn't work, however. It displayed two dialog boxes:

1. Windows cannot create the Compressed (zipped) Folder here. Do you want it
to be placed on the desktop instead?

Answer Yes.

2. File not found or no read permission.

Doesn't it need to unencrypt the files before it can compress them?

 

[WJB]

Here's a piece of data that might shed some light on this. Might also mean
bad news for me.

If you change one user's password from another (as in changing my user
password having logged in as the Admin), Vista displays the Change xxx's
password window with the statement:

You are changing the password for xxx. If you do this, xxx will lose all
EFS-encrypted files, personal certificates, and stored passwords for Web
sites and network resources.

To avoid losing data in the future, ask xxx to make a password reset floppy
disk.

In all the confusion, I might have actually done that while trying to create
a strong password, because at one point, I remember now, Vista wouldn't log
me in, so I logged in as a different (administrator) user to reset my
password. It seems strange that you would lose all EFS-encrypted files,
personal certificates, and stored passwords for Web sites and network
resources in situation like this. Worse still, I created and installed a
Recovery Certificate using the cipher command line tool, but that didn't work
either. I'm guessing that at this point, these files are actually kaput;
unless somebody has any other thoughts.

 

[Rick Rogers]

Hi,

Yep, that'd do it all right. That's why the warning is there. The backed up
certificate though, should allow you to still access them.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org
My thoughts http://rick-mvp.blogspot.com

 

[WJB]

You would've thought so. The backed up certificate was not much help either
nor was the EFS key Recovery certificate, which when run via the cipher /u
command line program, reported all these files as "could not decrypt". Quite
disappointing. I'll try Brink's suggestion with this Advanced AEFS Data
Recovery program and see how it does. I'll post a note to report the result,
success or failure.

 

[WJB]

Thanks, Brink. I'll give it a try and report back.

 

[WJB]

The utility worked very nicely. Thank you both very much for your help in
resolving this.

 

[WJB]

One other question if you know the answer. It's a question I had included
before but it got buried in trying to resolve the main issue. And that is
concerning a full system backup and restore.

1. Can specific files be restored from a full system backup performed from
within Vista's backup facility?
2. Having a full system backup, and assuming a hard drive crash and a new
replacement drive installed. How does one invoke a full system restore
without having any software (not even Windows) on the drive? Is there a way
to create a bootable CD with minimal capability to boot the system and
perform the restore?
3. Finally, when I try to perform a backup, I can see any external USB
drives connected to my computer, but I cannot see any network drives, which
is really my preferred backup drive since it is a much larger capacity. How
can I make Vista see these network drives from within the Backup utility
given that Windows Explorer can see and access it with no problem?

Thanks

 

[WJB]

Thanks, Shawn. These are very helpful and there seems to be quite a few more.
I'll add these tutorials to me search list.

Thanks again for all your help.