EFS can't decrypt


Mike Wegner

I have a folder that I decrypted about a year ago and suddenly I
can't access any of the files in it. Sure enough I can't decrypt it either.
I never made a recovery key using cipher, however after running efsinfo I
get:

C:\>EFSINFO /R /U /C dir h:\lanosrep
h:\
lanosrep: Encrypted
Users who can decrypt:
MY_DOMAIN\stanss [CN="Smith, Stan"]
Certificate thumbprint: 9CDE D879 78AB B60B 99B9 8B41 FE44 B78B AFBC 6AA0
Recovery Agents:
MY_DOMAIN\Administrator [OU=EFS File Encryption Certificate, L=EFS, CN=Administrator]
Certificate thumbprint: DE87 6F62 7BAA A9DC D597 FAB9 5D9F 259E E488 FE9A

From that info I think I should be able to decrypt since I am "Stan Smith"
and I also have tried from the domain admin account. I have logged onto
both the local machine and the server with both accounts but am not able to
decrypt. Any ideas out there?
 

Carey Frisch [MVP]

Before you encrypt anything important, you should back up your
personal encryption certificate (with its associated private key)
and the recovery agent certificate to a floppy disk and store it in
a secure location. If you ever lose your original certificate
(because of a hard disk failure, for example), you can restore
the backup copy and regain access to your files. If you lose all
copies of your certificate (and no recovery agent certificates exist),
you won't be able to use your encrypted files. No back door exists,
nor is there any practical way to hack these files.
(If there were, it wouldn't be very good encryption.)

HOW TO: Remove File Encryption in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308993

Without a backup of the original Encryption Certificate Key, encrypted files
are unrecoverable as they will stay encrypted forever. There is no recovery
method since the encryption algorithm is now completely different with a
reinstall of Windows XP.

See if the following articles help in any way:

HOW TO: Take Ownership of a File or Folder in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308421

Best Practices for the Encrypting File System
http://support.microsoft.com/default.aspx?scid=kb;en-us;223316

Encrypting File System in Windows XP
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/deploy/CryptFS.asp

EFS Files Appear Corrupted When You Open Them
http://support.microsoft.com/default.aspx?scid=kb;en-us;329741

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

 

Drew Cooper [MSFT]

Try logging on to the 1st DC in the domain* as the domain administrator.
Open the administrator's certificates mmc snapin and look in the Personal
store for an EFS recovery certificate. If you find it, try to export it
with its private key. If this worked, you will be able to decrypt your
data. You can take the .pfx file you just created to the machine that has
your files, import it (just start the .pfx file to start the import wizard),
and decrypt.

If you didn't find that certificate and couldn't export the private key see
if any of these describe what happened to you:
- Did you reinstall the operating system on the machine where you can't
decrypt? If so your data is gone.
- Was your password reset sometime between encrypting the files and now? If
so you can decrypt your data again if you change your password to whatever
it was before being reset. If not the data is lost.
- Were there profile-loading problems on the machine? Do you see more than
one user profile that starts with your username? If so, you may be able to
copy files from your old application data directory to your new one.

If none of that was possible/described your situation, the data is lost. I
hope something worked, though.
Either way, all of the info Carey posted is good to know if you're going to
use EFS.




* I don't know why we can't call them "PDCs" any more. Now it's "the 1st DC
in the domain".
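The checks and steps in Carey's and Drew's replies, as an added PowerShell example that is not code from the thread or from Microsoft. It parses EFSINFO-style "Users who can decrypt" / "Recovery Agents" output, reports whether any listed certificate is present in this user's Personal store together with its private key (the certificate alone is not enough; EFS needs the key), exports a certificate plus key to a PKCS#12 file (the backup Carey recommends, or the DRA export Drew describes), imports such a file, and runs cipher /D. The sample efsinfo text is constructed from the thread; the paths, the password variable and the function names are assumptions.

```powershell
# Added example (not from the thread). Run as the account that should be able to
# decrypt. Hypothetical: paths, $pfxPassword, and the sample text below.

function ConvertFrom-EfsInfoText {
    # Parse efsinfo output into objects: Role (User/DRA), Account, Thumbprint.
    # Thumbprints and DNs may be wrapped across lines (as in the post), so
    # hex-only continuation lines are appended to the preceding thumbprint.
    param([string]$Text)
    $role = $null; $account = $null
    $lines = $Text -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line = $lines[$i].Trim()
        if ($line -match '^Users who can decrypt') { $role = 'User'; continue }
        if ($line -match '^Recovery Agents')       { $role = 'DRA';  continue }
        if ($line -match '^([^\[\s]+\\[^\[\s]+)\s*\[') { $account = $Matches[1]; continue }
        if ($line -match '^Certificate thumbprint:\s*(.+)$') {
            $hex = $Matches[1]
            while ($i + 1 -lt $lines.Count -and $lines[$i + 1].Trim() -match '^[0-9A-Fa-f ]+$') {
                $i++; $hex += ' ' + $lines[$i].Trim()
            }
            New-Object PSObject -Property @{
                Role = $role; Account = $account
                Thumbprint = ($hex -replace '\s', '').ToUpperInvariant()
            }
        }
    }
}

function Find-EfsKeyInStore {
    # For each parsed entry: is the certificate in CurrentUser\My or LocalMachine\My,
    # and does this machine hold its private key? Decryption needs the second.
    param($Entries)
    $certs = @(Get-ChildItem Cert:\CurrentUser\My) + @(Get-ChildItem Cert:\LocalMachine\My)
    foreach ($e in $Entries) {
        $found = @($certs | Where-Object { $_.Thumbprint -eq $e.Thumbprint })
        New-Object PSObject -Property @{
            Role = $e.Role; Account = $e.Account; Thumbprint = $e.Thumbprint
            InStore       = ($found.Count -gt 0)
            HasPrivateKey = (@($found | Where-Object { $_.HasPrivateKey }).Count -gt 0)
        }
    }
}

function Export-EfsCertificate {
    # PKCS#12 export of certificate + private key. Throws if the key is absent or
    # non-exportable: that is Drew's "couldn't export the private key" case.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Path, [string]$Password)
    if (-not $Cert.HasPrivateKey) { throw "No private key for $($Cert.Thumbprint)" }
    $bytes = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
}

function Import-EfsCertificate {
    # Import a PFX into CurrentUser\My, persisting the key so EFS can use it.
    param([string]$Path, [string]$Password)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'PersistKeySet,UserKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
    $cert
}

function Invoke-EfsDecrypt {
    # cipher /D decrypts, /S:dir recurses, /A acts on files as well as directories.
    param([string]$Folder)
    & cipher.exe /D /A "/S:$Folder"
}

# Sample efsinfo output, constructed from the thread (line-wrapped as posted).
$sample = @'
Users who can decrypt:
MY_DOMAIN\stanss [CN="Smith, Stan"]
Certificate thumbprint: 9CDE D879 78AB B60B 99B9 8B41 FE44 B78B AFBC
6AA0
Recovery Agents:
MY_DOMAIN\Administrator [OU=EFS File Encryption Certificate, L=EFS,
CN=Admin
istrator]
Certificate thumbprint: DE87 6F62 7BAA A9DC D597 FAB9 5D9F 259E E488
FE9A
'@

$status = Find-EfsKeyInStore (ConvertFrom-EfsInfoText $sample)
$status | Format-Table Role, Account, Thumbprint, InStore, HasPrivateKey -AutoSize
if (-not ($status | Where-Object { $_.HasPrivateKey })) {
    Write-Warning 'No listed certificate has a private key here; EFS cannot decrypt. Import the DRA PFX exported on the first DC, or a backup of the user key.'
}

# Backup (Carey's advice): the current user's own EFS certificate carries EKU 1.3.6.1.4.1.311.10.3.4.
$efsEku = '1.3.6.1.4.1.311.10.3.4'
$mine = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq $efsEku })
}
# Hypothetical calls (paths and $pfxPassword are placeholders); uncomment to run them:
# $mine | ForEach-Object { Export-EfsCertificate $_ "A:\efs-$($_.Thumbprint).pfx" $pfxPassword }
# Import-EfsCertificate 'A:\dra.pfx' $pfxPassword; Invoke-EfsDecrypt 'h:\lanosrep'
```

The read-only part (parse, look up, report) is what answers the original question: the thumbprints in efsinfo tell you which certificates were used, and only a machine that holds one of those private keys can decrypt. Drew's DRA procedure is the export-on-the-DC / import-here pair above. On Windows XP SP2 and later, `cipher /x` produces the same kind of PFX backup of the user's own certificate and key interactively.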
 

Roger Abell [MVP]

Drew Cooper said:
Try logging on to the 1st DC in the domain* as the domain administrator.
Open the administrator's certificates mmc snapin and look in the Personal

* I don't know why we can't call them "PDCs" any more. Now it's "the 1st DC
in the domain".

Surely you are jesting, right Drew ??
I have seen far too many folks speak of their W2k AD PDC and
BDC, and then on asking where their FSMOs are, discover that
they are even using PDC/BDC without regard to anything except
which one they consider to be the main AD DC !!! Yeh, right.
 

Drew Cooper [MSFT]

Well seize my FSMOs, Roger - no offense intended! :)

I realize that it's not NT4-land any more. But there are still distinctions
between the 1st DC and the others in terms of default settings. I'd be
happy if I had a TLA for the concept. I suppose I could use "1DC" (1st) or
"DDC" (default) or "FDC" (first). Nobody would know what I meant, though.

I've used far too many words now to explain that I wish I could use fewer.
I give up.
 

Roger Abell [MVP]

All in jest Drew. And, yes, I have seen lost DRA certs after
they have "recycled" that first promoted DC.
I sometimes am amazed at how long it takes for an old term
(PDC) to die off, but then I remember that there are many just
now moving to AD
--ra

 