EFS key lost after reboot??

Guest

I used Encrypted File System on my profile and my documents. Windows was
encrypting my data for about 90 minutes. Everything was OK (files were
encrypted, showing green color in Explorer) until the next reboot. Then I was
unable to log in; there was disk activity for a few hours, then no activity at
all. With other users I can log on. After I managed to log back in with my
account (I deleted the encrypted wallpaper) I found that I can't open encrypted
files. In mmc my certificate is there, it says "you have a private key
matching the certificate", but I can't export the key (one dialog later it
says "private key not found"). After this point, until the next reboot, all
requests to encrypt/decrypt files just hang and the requesting application
must be killed.

I found three files in <profile>\Application
Data\Microsoft\Crypto\RSA\S-1-5-21-2052111302-630328440-682003330-1003, two
of them encrypted. I restored the encrypted ones from backup (encrypted ones
kept elsewhere), but nothing changed.

Does anyone have an idea how a private key can get "half-lost" this way? Any idea
how to recover from this situation?
 
Kelvin Yiu [MS]

EFS does not support encryption of the user profile because the private
decryption key is stored in the user profile. If that decryption key is
encrypted by EFS, how can EFS decrypt it?

The only way to recover your files is via the Data Recovery Agent mechanism.
What version of Windows are you using?
 
Guest

I'm using WinXP. By default there is no recovery agent in XP I'm afraid (and
I didn't create any) :(. There are a few strange things. The decryption key should
be marked as a system file so it can't get encrypted, I guess (if not, it is a
serious design flaw). The other thing is that a utility called Advanced EFS
Data Recovery v2.1 can actually find the private key and use it (to preview the
first 512 bytes of the file). So I think that the key must be somewhere on
the system. Do you have any idea where the key may be? I mean location, file
name etc. Maybe I can still find it on the disk, in some older backup etc. I
can also save settings from AEFSDR, I believe it contains the key in binary
form - if I knew the format of correct private key files, maybe I could extract
it?
 
Torgeir Bakken (MVP)

Pavel said:
I'm using WinXP. By default there is no recovery agent in XP I'm afraid (and
I didn't create any) :(. There are a few strange things. The decryption key should
be marked as a system file so it can't get encrypted, I guess (if not, it is a
serious design flaw). The other thing is that a utility called Advanced EFS
Data Recovery v2.1 can actually find the private key and use it (to preview the
first 512 bytes of the file). So I think that the key must be somewhere on
the system. Do you have any idea where the key may be? I mean location, file
name etc. Maybe I can still find it on the disk, in some older backup etc.

Hi

Take a look at this site for more details:

http://www.beginningtoseethelight.org/efsrecovery/
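
The circular dependency described in the thread (the EFS private key lives in the profile, so encrypting the profile encrypts the key) can be checked for directly. The PowerShell below is an added example, not part of the original thread: it lists files in the per-user key stores that carry the NTFS Encrypted attribute. The `Crypto\RSA` folder is the one named in the question; the `Protect` (DPAPI master keys) and `SystemCertificates\My` folders are the other standard per-user stores under Application Data, and the `$ProfileAppData` parameter name is an assumption of this example.

```powershell
# Added example: find key material in a user profile that EFS has encrypted.
# Run as the affected user, or pass another profile's Application Data path.
param(
    [string]$ProfileAppData = $env:APPDATA   # e.g. <profile>\Application Data
)

# Per-user stores that EFS itself depends on to decrypt anything.
$keyStores = @(
    'Microsoft\Crypto\RSA',            # RSA private key containers, one folder per SID
    'Microsoft\Protect',               # DPAPI master keys protecting those containers
    'Microsoft\SystemCertificates\My'  # the user's certificates, including the EFS one
)

$findings = foreach ($rel in $keyStores) {
    $root = Join-Path $ProfileAppData $rel
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # -Force is required: these files are normally hidden and marked system.
    $items  = @(Get-Item -LiteralPath $root -Force)
    $items += @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)

    # Keep only entries whose attributes include Encrypted (the EFS flag).
    $items |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        Select-Object FullName, Attributes, LastWriteTime
}

if ($findings) {
    Write-Warning 'EFS-encrypted entries found inside the key stores:'
    $findings | Format-List FullName, Attributes, LastWriteTime
    exit 1
}

Write-Output 'No EFS-encrypted entries found in the per-user key stores.'
```

Running it before the first reboot after applying EFS to a folder inside a profile shows whether the key stores were caught in the operation while the keys are still loaded.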
 