EFS & Virus Infection & Unable to login

Adam

Hello,
I'm fixing a computer at my work. The computer has been infected with
lots of viruses and malware. Most of the viruses have been removed by
plugging the hard drive into another computer and removing them that way.

Unfortunately, one of the users has used EFS to encrypt lots of important
documents. I am unable to log in at all; as soon as the welcome screen quits
after a successful username and password have been entered, the system hangs and
does not complete loading.

The installation of Windows is not important to me but the documents are. My
questions are:

Is it somehow possible to export the Recovery Agent without being logged in
as that user (i.e. from the recovery console)?

Can I do a repair install without compromising EFS and becoming locked out
from the files?

Is there any software out there designed to brute force the EFS technology?

Is there a way to restore the registry to a basic state (i.e. to that of
when it was installed) but keep the SID the same for the user account?

I know it's a few questions, but I've run into lots of problems with this
computer and have tried lots of different methods to extract the information.

Thanks,
Adam
 
Patrick Keenan

Adam said:
Hello,
I'm fixing a computer at my work. The computer has been infected with
lots of viruses and malware. Most of the viruses have been removed by
plugging the hard drive into another computer and removing them that way.

Unfortunately, one of the users has used EFS to encrypt lots of important
documents. I am unable to log in at all; as soon as the welcome screen quits
after a successful username and password have been entered, the system hangs
and does not complete loading.

The installation of Windows is not important to me but the documents are.
My questions are:

Is it somehow possible to export the Recovery Agent without being logged
in as that user (i.e. from the recovery console)?

I think you mean export the credentials, and since you log in as the
Administrator from the recovery console, the answer would be no.

Can I do a repair install without compromising EFS and becoming locked out
from the files?

It's unlikely, and risky at best. If you want to try this, try it on a
clone.

Is there any software out there designed to brute force the EFS
technology?

I know of none.

Is there a way to restore the registry to a basic state (i.e. to that of
when it was installed) but keep the SID the same for the user account?

Perhaps, but I wouldn't try it on the original disk. See below.

I know it's a few questions, but I've run into lots of problems with this
computer and have tried lots of different methods to extract the
information.

Thanks,
Adam

You seem to consider the documents to be of value, and understand that
there are many risks with EFS that can easily lead to permanent data loss.

So, the thing to do is to protect the original and work from a clone.
Find a suitable hard disk that you can clone this original disk to - perhaps
make an image file on hard disk as you may be trying this more than once.
If you don't have it, clone using something like the Acronis TrueImage trial
version. This will give you a couple of weeks for effort.

Make an image file from the original and set the disk aside somewhere safe.
Use that image file to create a clone on another disk, and work on the copy.
If you find a process that doesn't work, you can safely start over without
having to fear that you have lost the data. This is a much more relaxing,
or at least less tense, scenario.

The cloning process shouldn't take you very long, and is quick if you also
have a USB2 drive adapter, about $20. The cloning process will also give
you a spot to think.

You may even find that part of the problem is a disk error that the new disk
helps overcome, though such an error may also damage the credentials you
need.

Once cloned, try getting into the account in Safe Mode, and then using
msconfig to turn everything that isn't needed to just boot OFF, including
services. Then try restarting in regular mode.

You can also at this point safely attempt manual registry swaps, as adapted
from this KB article:
http://support.microsoft.com/kb/307545

You can perform the swaps hosting the drive in another system using the USB2
drive adapter; you don't need to boot to the Recovery Console.

And this way, if the attempts don't work, you haven't damaged the data, only
lost a bit of time. You can go back and try again.

HTH, and good luck.
-pk
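As an added example (not code from the thread or from anyone in it), a read-only PowerShell inventory to run against the clone before trying the Safe Mode or registry-swap steps above. It assumes the clone is mounted as E:\ with an XP-era layout (WINDOWS, Documents and Settings); both are assumptions, adjust $Root if the layout differs.

```powershell
# Added example (not from the thread): read-only inventory of an offline clone
# before any repair attempt. Assumptions: the clone is mounted as E:\ and has an
# XP-era layout (WINDOWS, Documents and Settings); adjust $Root otherwise.
param([string]$Root = 'E:\')

$sysRoot    = Join-Path $Root 'WINDOWS'
$configDir  = Join-Path $sysRoot 'System32\Config'
$profileDir = @('Documents and Settings', 'Users') |
    ForEach-Object { Join-Path $Root $_ } | Where-Object { Test-Path $_ }

# 1. EFS-encrypted files grouped by owner: without a recovery agent, only the
#    owner's private key can open them.
$encrypted = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }
"EFS-encrypted files: {0}" -f @($encrypted).Count
$encrypted | Group-Object { (Get-Acl -LiteralPath $_.FullName).Owner } |
    ForEach-Object { "  {0,5}  owned by {1}" -f $_.Count, $_.Name }

# 2. Per-user key material: the EFS private key sits under ...\Crypto\RSA\<SID>,
#    the DPAPI master keys protecting it under ...\Protect\<SID>. The folder
#    name is the user's SID, i.e. the value that must not change.
"`nSID-named key folders:"
if ($profileDir) {
    Get-ChildItem -Path $profileDir -Recurse -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'S-1-5-*' -and $_.Parent.Name -in 'RSA', 'Protect' } |
        ForEach-Object {
            $n = @(Get-ChildItem -LiteralPath $_.FullName -File -Force -ErrorAction SilentlyContinue).Count
            "  {0,-7} {1,3} file(s)  {2}" -f $_.Parent.Name, $n, $_.FullName }
}

# 3. Hives the KB 307545 swap touches, beside the newest System Restore snapshot.
#    'System Volume Information' on the clone usually needs its ACL relaxed first.
$hives = @{ SYSTEM = '_REGISTRY_MACHINE_SYSTEM'; SOFTWARE = '_REGISTRY_MACHINE_SOFTWARE'
            SAM = '_REGISTRY_MACHINE_SAM'; SECURITY = '_REGISTRY_MACHINE_SECURITY'
            DEFAULT = '_REGISTRY_USER_.DEFAULT' }
$snap = Get-Item -Path (Join-Path $Root 'System Volume Information\_restore*\RP*\snapshot') -Force -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
"`nNewest snapshot: {0}" -f $(if ($snap) { $snap.FullName } else { '<none or not readable>' })
foreach ($h in $hives.Keys) {
    $cur = Get-Item -LiteralPath (Join-Path $configDir $h) -Force -ErrorAction SilentlyContinue
    $old = if ($snap) { Get-Item -LiteralPath (Join-Path $snap.FullName $hives[$h]) -Force -ErrorAction SilentlyContinue }
    $curLen = if ($cur) { $cur.Length } else { 'missing' }
    $oldLen = if ($old) { $old.Length } else { 'missing' }
    "  {0,-9} current: {1,10}  snapshot: {2,10}" -f $h, $curLen, $oldLen
}
# Swapping in an older SAM/SECURITY can put an older password back; DPAPI master
# keys sealed under the current password then stop opening, and the EFS key with them.
```

Run it from an elevated prompt with the clone attached; it writes nothing to the clone, so it is safe to repeat between attempts.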
 
Twayne

Hello,
I'm fixing a computer at my work. The computer has been infected
with lots of viruses and malware. Most of the viruses have been
removed by plugging the hard drive into another computer and removing
them that way.

Unfortunately, one of the users has used EFS to encrypt lots of
important documents. I am unable to log in at all; as soon as the
welcome screen quits after a successful username and password have
been entered, the system hangs and does not complete loading.

The installation of Windows is not important to me but the documents
are. My questions are:

And my question is, why didn't you or someone export the keys needed to
recover those files in the very beginning? They may well be gone now so
hope for good backups in your company IT.

Is it somehow possible to export the Recovery Agent without being
logged in as that user (i.e. from the recovery console)?

No. Not now.

Can I do a repair install without compromising EFS and becoming
locked out from the files?

No. Not without the keys disk.

Is there any software out there designed to brute force the EFS
technology?

No. That's why it's such a reliable encryption and why it's so
important to export the keys and assign an agent.

Is there a way to restore the registry to a basic state (i.e. to that
of when it was installed) but keep the SID the same for the user
account?

No, don't think so. I know a lot of people who tried but AFAIK it just
cannot be done. Unless possibly you know the SIDs? But then even the
keys are encrypted too, so not sure it'd do any good even if you could.

Certainly, since this is a work computer, there are backups somewhere,
right? If not I'd find another company to work for or get real smart
real fast if you don't get fired first.