EFS encrypt files: Changed PW now can't access... :-(

jryder.10

Hey all, here's another EFS question, hopefully someone can solve this,
I REALLY need to get these files decrypted:

1st: Friend of mine at work was trying to PW protect some .xls files
and accidentally used XPpro's EFS.
2nd: While away someone logged off one of the admin accounts and
couldn't remember the password, so they created another admin rights
account and changed the password for the account they couldn't figure
out.
3rd: Once they changed the PW for the account, the EFS hash, of course,
doesn't match up with the new PW and now the files cannot be decrypted.
4th: I tried searching for an X.509 certificate but could not find one
at all! I then tried logging in as the default admin account, and
trying to add it as the recovery agent, but it didn't work either.
5th: I tried a program called "Advanced EFS Data Recovery" which is
supposed to be able to find EFS keys and/or use SYS-startup keys,
provided that you have the original password before the PW was changed
on the account.
6th: I have the original PW from the changed account! And when I tried
searching for any X.509 Cert / SYSkey, the program didn't find any
master keys and was unable to attempt to decrypt the files etc.

I've read somewhere on Google that you could move said EFS files to
a non-NTFS OS like Win98 and the file encryption wouldn't be able to be
transferred since the OS doesn't even support EFS etc.... What are your
thoughts on this?

Secondly, again, when I tried searching for any pertinent X.509 certs /
keys, I couldn't find anything on the computer at all!? Is that common?
I know he didn't create a backup, but there should be some kind of cert
file that I could use to decrypt them?

ANY help would be much appreciated!

Thanks,
 
Nepatsfan

Did you try changing the password on your friend's account back
to the old password?

EFS, Credentials, and Private Keys from Certificates Are
Unavailable After a Password Is Reset
http://support.microsoft.com/default.aspx?scid=kb;en-us;290260&sd=tech

Good luck

Nepatsfan
 
Steven L Umbach

Assuming the EFS certificate AND private key are in the user's profile, you
need to change the user account password back to what it was before they
reset it. You can use the MMC snap-in for certificates for the user while
logged on as the user to see if the user EFS certificate and private key exist.
Look in the certificates/personal folder, and if there is a certificate for
EFS it needs to show that the private key is present. You can also check the
properties/advanced for the file to see if a Recovery Agent exists. You can
NOT copy the file to another file system in an attempt to decrypt the files.
The only way to decrypt the files is with a private key for the user or RA
and knowing the correct password for either. --- Steve
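
The certificate check described in the reply above, as an added PowerShell example that is not part of the original post. It assumes PowerShell 3.0 or later is available on the machine and that it is run while logged on as the affected user; the function name `Get-EfsCertificateStatus` is hypothetical.

```powershell
# Added example: list certificates in the logged-on user's Personal store
# whose Enhanced Key Usage marks them for EFS or EFS file recovery, and
# report whether the store associates a private key with each one.
function Get-EfsCertificateStatus {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    # Enhanced Key Usage OIDs for EFS and for the EFS recovery agent role.
    $efsOids = @{
        '1.3.6.1.4.1.311.10.3.4'   = 'Encrypting File System'
        '1.3.6.1.4.1.311.10.3.4.1' = 'File Recovery (recovery agent)'
    }

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Pull the EKU extension, if the certificate has one.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { continue }

        # Keep only the usages that relate to EFS.
        $purposes = foreach ($usage in $eku.EnhancedKeyUsages) {
            if ($efsOids.ContainsKey($usage.Value)) { $efsOids[$usage.Value] }
        }
        if (-not $purposes) { continue }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Purpose       = $purposes -join ', '
            # True means the store links a key to this certificate; it does
            # not prove the key can still be unlocked after a password reset.
            HasPrivateKey = $cert.HasPrivateKey
            NotAfter      = $cert.NotAfter
        }
    }
}

$found = @(Get-EfsCertificateStatus)
if ($found.Count -eq 0) {
    Write-Output "No EFS or file-recovery certificate in this user's Personal store."
} else {
    $found | Format-Table -AutoSize
    $found | Where-Object { -not $_.HasPrivateKey } | ForEach-Object {
        Write-Warning "Certificate $($_.Thumbprint) has no private key in this profile."
    }
}
```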
 
