EFS - Lost Certificate, Access is denied

Thomas Bandt

Hello everybody.

I have a "little" problem here. In 2005 I encrypted some
important files on my notebook, and of course I did a
backup of the certificate.

When switching to a new desktop PC I imported the cert and
copied the files - successfully.

Yesterday, after more than 6 months of happiness, I got
an "Access is denied" error message for every encrypted
file on my machine.

Oops, I thought, and deleted the two existing certs
without thinking a bit (ouch!!!!), and imported the
original cert which I thought was being used for
encryption.

But with no success. In the meantime I know that Windows
was using another cert for encryption (I think the second
which I deleted ...), I don't know why the hell it was
using this, but the fingerprint of the cert I get in
"Encryption Details" dialog is not the fingerprint of my
original cert.

And no: I didn't log in as Administrator before, so there
is also no recovery agent :-(.

Now the final question is: are the files lost? Or is there
any chance to rebuild the right cert (I've seen that, if no
cert is available it always creates a new one with a random
fingerprint) or another way to get the data back?

I did not reinstall the system, and I did not change the
user account ...

Thanks for every answer.

Regards

Thomas
 
Steven L Umbach

About the best you can do in your situation is to try and find the deleted
certificates\private keys with a file recovery program and try to recover
them to the proper folder. The private keys are in the user profile under
documents and settings\username\application data\Microsoft\crypto\RSA
folder. If you have a backup of your user profile for that computer/specific
operating system install from a time when those certificates/private keys
existed you could also try recovering them from that backup and copy to your
user profile.

Steve

http://www.snapfiles.com/Freeware/system/fwdatarecovery.html --- freeware
data recovery tools
http://www.snapfiles.com/Shareware/system/swdatarecovery.html ---
shareware data recovery tools
 
Thomas Bandt

Steven said:
About the best you can do in your situation is to try and find the deleted
certificates\private keys with a file recovery program and try to recover
them to the proper folder. The private keys are in the user profile under
documents and settings\username\application data\Microsoft\crypto\RSA
folder. If you have a backup of your user profile for that computer/specific
operating system install from a time when those certificates/private keys
existed you could also try recovering them from that backup and copy to your
user profile.

Thanks - I took a look in my RSA folder - there are a lot of files
in it.

Then I created a new cert and deleted it, the file which was created
for that file still is in the RSA folder.

So I think the old/original one should also be there, or? How can
I find out which is the right one and how can I restore it?

Regards, Thomas
 
Steven L Umbach

If you were able to recover deleted files from the RSA folder and restore it
to the user profile but could not decrypt files what I would try is to
download the free trial version of EFS recovery from Elcomsoft. If the
needed private keys are there it will find them but you will need to enter
the password for the user that was in effect at the time that private key
was used. If all that works it will decrypt a little bit of the files to
show it can be done but then you would need to purchase the full version to
decrypt the files.

Steve

http://www.elcomsoft.com/aefsdr.html --- Elcomsoft EFS recovery program
 
Thomas Bandt

Steven said:
If you were able to recover deleted files from the RSA folder and restore it
to the user profile but could not decrypt files what I would try is to
download the free trial version of EFS recovery from Elcomsoft. If the
needed private keys are there it will find them but you will need to enter
the password for the user that was in effect at the time that private key
was used. If all that works it will decrypt a little bit of the files to
show it can be done but then you would need to purchase the full version to
decrypt the files.

I just tried it a few days ago, with no success. I think I found the
right file in the meantime, its name is like

6b80d4b283f2cc5a44695e19f25926fd_16604508-3ce1-459a-8475-83b746dcc398

No chance to recover the cert with it? Or am I wrong?

Regards
 
Steven L Umbach

I should have mentioned that the actual folder where the private keys are
located is a subfolder of the RSA folder that shows the user's SID. Anyhow
your best bet is to use the EFS recovery program from Elcomsoft. It will
find the private keys if they are there. You can also email them if you have
a question about recovering EFS files with their program explaining exactly
what happened in your case.

Steve
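
The thread turns on two checks: whether any certificate in the user's store carries the thumbprint shown in "Encryption Details", and which file in the RSA\<SID> folder holds its private key. The PowerShell below is an added example, not part of the original posts, that reports both for every EFS-capable certificate. It assumes Windows PowerShell on a Windows version where the profile path is %APPDATA% and keys held in the legacy CSP store; `$wanted` is a placeholder to fill in.

```powershell
# Added example: map EFS certificates in the current user's store to their
# private-key files under %APPDATA%\Microsoft\Crypto\RSA\<SID>.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$keyDir = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"

# Placeholder: paste the thumbprint from the file's "Encryption Details" dialog.
$wanted = '<thumbprint from Encryption Details>' -replace '\s', ''

$report = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    # Keep only certificates whose enhanced key usage includes EFS.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku -or ($eku.EnhancedKeyUsages.Value -notcontains $efsOid)) { continue }

    # For CSP keys the unique container name is the file name in RSA\<SID>.
    $container = $null
    if ($cert.HasPrivateKey) {
        try {
            $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        } catch {
            # Key is not reachable through the CSP API (e.g. a CNG key); leave empty.
        }
    }

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        HasPrivateKey  = $cert.HasPrivateKey
        KeyFile        = $container
        KeyFileExists  = [bool]($container -and (Test-Path (Join-Path $keyDir $container)))
        MatchesEfsFile = ($cert.Thumbprint -eq $wanted)
    }
}

$report | Format-List

if (-not ($report | Where-Object MatchesEfsFile)) {
    Write-Warning "No EFS certificate in the store matches the thumbprint on the file."
}
```

A row with `HasPrivateKey` false, or the warning at the end, means the store holds no usable key for that file; run the same report before deleting or replacing any certificate to record which thumbprint and key file are actually in use.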
 
