EFS: disaster recovery/decryption? Possible?

OutlookSucks

Normally I find most answers on the WEB ... newsgroups always seem to be in
such CHAOS it is almost impossible to follow threads - but here I am, the
whipped dog ... caving. So here goes ... really need help w/this one.

Here's the situation I'm in ... small home office ... Windows 2000, SP2,
updated to SP4 ... networked to NT server 4.0 (sp6a) domain controller.
Accidentally compressing a folder ... encryption was selected instead
<distracted> . 2 drives "C:" and "D:" email was stored on "D:" so the
encrypted files are intact, not accessible. Before realizing EFS had hold
of the folder, "C:" disk was reformatted with NTFS to reinstall win2K
[OS/PROG difficulties] and apparently lost private/public keys for EFS to
decrypt the files. Doing some reading ... Win2K RK to the rescue.
EFSINFO.EXE recovered thumbprints. True, security is always an issue. In
this instance, it would be nice 2 stuff the thumbprint into the current
certificate as the local or domain administrator to recover data. Our data
isn't of national security - ask my other half and she'd SWEAR it was as her
email & address books are inaccessible.

<sample recovered info>
mailbox.pst: Encrypted
<Local User>
Users who can decrypt:
PAKRATS.NET\deb (CN=deb,L=EFS,OU=EFS File Encryption Certificate)
Certificate thumbprint: 1F2B 647D 4F2A FFCE 7350 6265 27DD BBE4 91BF E225

<Domain Admin> MYSELF
Recovery Agents:
PAKRATS.NET\ed (OU=EFS File Encryption Certificate, L=EFS, CN=ed)
Certificate thumbprint: 76FF 6958 F092 784D B916 41F0 BFDB C72D 8849 1A33

Although listed as the RA, I constantly get "access denied" when attempting
to decrypt via Windows Explorer and DOS window using cipher.exe. Checked
the ownership & access properties, all OK. WWW search for info, tips &
tricks led to some info. Followed some other directions to discover keys,
certs and whatever else to decrypt the files. I seem to recall the SAM
changes during every installation <for obvious reasons> there is a
possibility recovery is not possible. CAVE DWELLING seems to be a
reasonable resort 'cuz the other half is on the warpath!

Testing an EFS after market tool to see if it was in fact legit in its
claims to recover EFS files said it could repair the file - trial version
returns 512 bytes of the file ... of which was garbage as it was compared to
another MAILBOX.PST. We have never had reason to use EFS before, so this is
an entirely new situation. Reading the security stuff posted here revealed
just about all the same info I have found on the WWW with some distressing
info relating to NON RECOVERABLE.

There are a total of 4 files I need to recover, of which the most important is
mailbox.pst. ASAP. MMMMMMM - any thoughts on this?

Best of luck,
Dog House Dwelling,
bread and water only,
Ed aka General Crazy
 
Karl Levinson [x y] mvp

The outlook isn't good... but the best article on the subject is at
www.beginningtoseethelight.org Calling Microsoft using the phone numbers at
www.microsoft.com/support might help [think it's around $290]


Shawn Rabourn (MS)

Microsoft PSS has tools you can try.

--Shawn
This posting is provided "AS IS" with no warranties and confers no rights.



Drew Cooper [MSFT]

Shawn - Does PSS do data recovery from reformatted, reinstalled volumes?
That would need to happen before anything else. And it's really unlikely
that anyone will be able to find the keys at all.

--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


Brian Komar

Sorry to be the sender of bad news, but unless you have a certificate in
your user store that has the same thumbprint and the private key, you
are not able to open the files.

To check, open Certificates console focused on the current user, expand
Personal and expand certificates. One of the certificates in the store
must have either of the two thumbprints. (look on the details tab)

Having formatted and reinstalled, you are probably out of luck.

Brian
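
The check Brian describes, scripted for a current Windows system with PowerShell. This is an added example, not part of the original thread, and Windows 2000 itself has no PowerShell. The function names `Get-EfsThumbprint` and `Test-EfsKeyAvailable` are hypothetical, and the sample text is constructed from the efsinfo output quoted in the first post, including the wrapped thumbprint lines.

```powershell
# Constructed sample: efsinfo-style output as quoted in the thread, with the
# thumbprints wrapped onto a second line the way the newsreader wrapped them.
$efsInfo = @'
mailbox.pst: Encrypted
Users who can decrypt:
PAKRATS.NET\deb (CN=deb,L=EFS,OU=EFS File Encryption Certificate)
Certificate thumbprint: 1F2B 647D 4F2A FFCE 7350 6265 27DD BBE4 91BF
E225
Recovery Agents:
PAKRATS.NET\ed (OU=EFS File Encryption Certificate, L=EFS, CN=ed)
Certificate thumbprint: 76FF 6958 F092 784D B916 41F0 BFDB C72D 8849
1A33
'@

function Get-EfsThumbprint {
    # Hypothetical helper: pulls each 40-hex-digit thumbprint out of the text,
    # tolerating spaces and line breaks between the 4-digit groups.
    param([Parameter(Mandatory)][string]$Text)
    $pattern = 'Certificate thumbprint:\s*((?:[0-9A-Fa-f]{4}\s*){10})'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        # The role is whichever section header appears last before the match.
        $before = $Text.Substring(0, $m.Index)
        $role = 'Unknown'
        if ($before -match '(?s).*(Users who can decrypt|Recovery Agents)') {
            $role = $Matches[1]
        }
        [pscustomobject]@{
            Role       = $role
            Thumbprint = ($m.Groups[1].Value -replace '\s', '').ToUpperInvariant()
        }
    }
}

function Test-EfsKeyAvailable {
    # Hypothetical helper: for each thumbprint, report whether the current
    # user's Personal store holds that certificate and a private key for it.
    param(
        [Parameter(Mandatory)][string[]]$Thumbprint,
        [string]$Store = 'Cert:\CurrentUser\My'
    )
    $certs = Get-ChildItem -Path $Store
    foreach ($tp in $Thumbprint) {
        $hit = $certs | Where-Object { $_.Thumbprint -eq $tp } |
            Select-Object -First 1
        [pscustomobject]@{
            Thumbprint    = $tp
            InStore       = [bool]$hit
            HasPrivateKey = [bool]($hit -and $hit.HasPrivateKey)
        }
    }
}

$found = Get-EfsThumbprint -Text $efsInfo
$found | Format-Table -AutoSize
Test-EfsKeyAvailable -Thumbprint $found.Thumbprint | Format-Table -AutoSize
```

A file is only openable from this profile when at least one row shows both `InStore` and `HasPrivateKey` as True. A certificate with the same subject name but a different thumbprint, such as one issued after a reinstall, does not count.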
 