Cannot get EFS recovery agent function to work!

kgstrong

I'm new to Windows 2000, running Win2k Pro on a stand-alone machine. I
encrypted some files before I knew anything about EFS - now a program
that uses some of the files cannot access them. The files were encrypted
under my "power user" account. The certificate that Win2k used to
encrypt them is enabled for "All Purposes" including Encrypted File
System, and File Recovery. As Administrator, I cannot import this
certificate for the Recovery Agent - says it is not enabled for file
recovery.

My Recovery Agent certificate (issued by Administrator to Administrator)
has a different thumbprint and is for File Recovery only.

Does EFS recovery agent's certificate thumbprint have to match the
certificate the files were encrypted with in order to recover these files?

Ken
 
David Cross [MS]

Yes. For more info:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx


--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.


Top Whitepapers:

Auto-enrollment whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

Troubleshooting Certificate Status and Revocation whitepaper:
http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
 
Steven L Umbach

Yes, the thumbprints need to match for either the user or Recovery Agent. If
you have a stand alone computer and the RA is the built in administrator
account [which it would be by default] then logon as that account and try to
decrypt the files. The utility efsinfo can display information on the
recovery agent. You can use the certificates mmc snapin for user to view
certificate information and the certificate will need to show that it has
the matching private key for the certificate. If you reinstalled the
operating system [other than an upgrade install] at some point the original
user and RA certificate/private key would have been destroyed. The EFS
certificate and private key for a user/RA are stored in the user's/RA's
profile folder. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- EFS best
practices
 
kgstrong

I did reinstall Win2k from scratch a while back; then restored the rest
of my files from a backup. The certificate that the files were
encrypted with no longer exists on my system.

However, I was able to decrypt the files using a program called Advanced
EFS Data Recovery ($99) from elcomsoft.com. All-in-all an expensive
lesson in what NOT to do.

Thanks for the help.
Ken Strong

 
Steven L Umbach

Glad you got it to work but the EFS private key that was used to encrypt the
files must have been available - possibly from a restore of the user's
profile from a backup?? --- Steve


 
cuppachino

Can someone please confirm that as long as I know the password for the
user account which encrypted the files, I will be able to decrypt them?

I have lost the user profile (temp files, application data, local
settings, etc.) but I have NOT forgotten the password, and I'm able to
log in. However, I'm now unable to decrypt the EFS data files.

Any suggestions will be appreciated.
 
Steven L Umbach

The user profile is where the EFS private key is stored and thus your EFS
private key is gone. If you have backed the EFS private key to a .pfx file
then you could try to import it back into the user profile while logged on
as that user and try to decrypt the files. For Windows 2000 a Recovery Agent
is required which would be the built in administrator account for a non
domain computer and possibly "the" domain administrator account for the
domain. The Efsinfo utility will show if and who the RA is for an EFS file
and thumbprint info. --- Steve
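An added example (not from the thread) that does the checks Steve describes in both of his replies on a current Windows build: which certificate thumbprints can decrypt a given file, whether a matching certificate with its private key exists in the user's store, and backing that key pair up to a .pfx before a reinstall destroys the profile. It assumes Windows 8 / Server 2012 or later (cipher.exe /c and Export-PfxCertificate are not available on Windows 2000, where efsinfo plays the same role), and $Path / $BackupPath are placeholder parameters.

```powershell
# Added example, not from the thread. Assumes Windows 8/Server 2012+.
param(
    [Parameter(Mandatory)][string]$Path,                              # encrypted file to inspect
    [string]$BackupPath = "$env:USERPROFILE\efs-backup.pfx"           # placeholder backup target
)

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

# 1. cipher /c lists the user and recovery-agent certificates that can decrypt the file.
$info = & cipher.exe /c $Path 2>&1 | Out-String
Write-Host $info

# 2. Pull the thumbprints out of that output so they can be compared with the store.
$fileThumbs = [regex]::Matches($info, '(?i)thumbprint:\s*([0-9A-F][0-9A-F ]+)') |
    ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() }

# 3. EFS-capable certificates in the current user's personal store.
$myEfs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku }

foreach ($cert in $myEfs) {
    $match = $fileThumbs -contains $cert.Thumbprint.ToUpperInvariant()
    '{0}  thumbprint={1}  privateKey={2}  decryptsFile={3}' -f `
        $cert.Subject, $cert.Thumbprint, $cert.HasPrivateKey, $match
}

# 4. Only a certificate whose thumbprint matches AND whose private key is present
#    can decrypt the file. Back it up now: the key lives in the user profile, and a
#    clean reinstall (as in Ken's case) takes it with it.
$usable = $myEfs | Where-Object {
    $_.HasPrivateKey -and ($fileThumbs -contains $_.Thumbprint.ToUpperInvariant())
}
if ($usable) {
    $pw = Read-Host -AsSecureString 'Password for the .pfx backup'
    $usable | Export-PfxCertificate -FilePath $BackupPath -Password $pw | Out-Null
    'Backed up {0} certificate(s) with private key to {1}' -f @($usable).Count, $BackupPath
    # To restore into a new profile later, logged on as the same user:
    #   Import-PfxCertificate -FilePath $BackupPath -CertStoreLocation Cert:\CurrentUser\My -Password $pw
} else {
    'No matching EFS certificate with a private key in this profile; only a recovery ' +
    'agent key or an earlier .pfx backup can decrypt this file.'
}
```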
 
