EFS woes


Ron Tyles

Any help would be appreciated !! My laptop is part of a
domain. I have a .pfx copy of my certificate ( exported
earlier ). What happened is that I changed my password on
the domain, without re-importing my certificate. I
encrypted some files. I imported my certificate and now I
can't decrypt my files. Encrypting party is myself with a
different thumbprint than my certificate. Without a Data
Recovery Agent, is there any way to get the data back ?
With reccerts.exe from Microsoft ?? Other applications
like Passware Kit and Advanced EFS from Elcomsoft could
not de-crypt any keys. The profile and the laptop are
intact. Will follow any suggestions !! Please e-mail !
Thanks !!!
 

Roger Abell

not quite following the sequence of events here
see within . . .

Ron Tyles said:

> Any help would be appreciated !! My laptop is part of a
> domain. I have a .pfx copy of my certificate ( exported
> earlier ).

OK, let us call that EFS 1

> What happened is that I changed my password on
> the domain,

OK, so this broke your access to use EFS 1

> without re-importing my certificate. I
> encrypted some files.

Same domain account, right ?
This usually would be expected to cause generation
of new EFS cert/key pair, call it EFS 2

> I imported my certificate

When you went to do this, did you see both EFS 1 and 2
in your personal certificates store before the import ?

> and now I
> can't decrypt my files.

Any of your files, or only the ones encrypted with EFS 2 ?

> Encrypting party is myself with a
> different thumbprint than my certificate.

So when you use the Certificates mmc tool you only see
one EFS type cert listed ?

> Without a Data
> Recovery Agent, is there any way to get the data back ?

Depends on which files are encrypted with which EFS cert,
and more particularly on whether you have only one of them
or both still stored in your profile's cert store

> With reccerts.exe from Microsoft ??

same answer - what is in the profile's cert store ?

> Other applications
> like Passware Kit and Advanced EFS from Elcomsoft could
> not de-crypt any keys. The profile and the laptop are
> intact. Will follow any suggestions !! Please e-mail !

Have you been looking at the thumbprints with the EFSinfo.exe
tool ??
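
The store-versus-file comparison asked about in the reply above, as an added PowerShell example that is not part of the original thread. It assumes a Windows version whose cipher.exe supports `/c`; `$Path` is a placeholder for one of the affected files, and the helper name `Test-EfsCert` is made up for this example.

```powershell
# Added example: compare the thumbprints stored in an encrypted file with the
# EFS certificates (and private keys) present in the current user's profile.
param([string]$Path = 'C:\Data\example-encrypted.txt')   # placeholder path

$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

# True when the certificate carries the EFS enhanced key usage.
function Test-EfsCert($Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            return ($ext.EnhancedKeyUsages.Value -contains $EfsOid)
        }
    }
    return $false
}

# EFS certificates in the Personal store. HasPrivateKey matters: a certificate
# without its private key cannot decrypt anything.
$storeCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { Test-EfsCert $_ } |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey

# cipher /c prints a thumbprint for each user and recovery certificate on the
# file as ten groups of four hex digits; match that pattern instead of the
# (localized) label text.
$fileThumbs = cipher /c $Path |
    Select-String -Pattern '(?:[0-9A-Fa-f]{4} ){9}[0-9A-Fa-f]{4}' -AllMatches |
    ForEach-Object { $_.Matches.Value -replace ' ', '' } |
    Sort-Object -Unique

"EFS certificates in Cert:\CurrentUser\My:"
$storeCerts | Format-Table -AutoSize

"Thumbprints recorded in ${Path}:"
foreach ($t in $fileThumbs) {
    $hit = $storeCerts | Where-Object { $_.Thumbprint -eq $t }
    [pscustomobject]@{
        FileThumbprint = $t
        InStore        = [bool]$hit
        HasPrivateKey  = [bool]($hit | Where-Object { $_.HasPrivateKey })
    }
}
```

A row with `InStore` false means the key pair that encrypted the file is not in this profile's Personal store; a row with `InStore` true but `HasPrivateKey` false means only the public certificate is present.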
 

Ron Tyles

Sorry, I couldn't reply to that e-mail address for some
reason.

Here is what I meant to add :

Hello ! Thanks for replying !!

I will try to clarify each point.

I changed my domain password which broke EFS 1. When I
look at these files' encryption details, I see my name
complete with domain with a 'strange' thumbprint. It is
not the same thumbprint as on my exported certificate.

The domain remained the same. In my EFS reading, being
part of a domain changes/complicates things but nothing
is explained on what differs...

At this point, I usually remember to import my
certificate. This keeps my access to my previous
encrypted files somehow. This time, I did not remember.
When I was offline ( but logged in with cached
credentials ), I put some files into an encrypted folder,
inheriting the encryption status.

I found that the next day , I couldn't access the
encrypted files ! This struck me as odd but I then
remembered to import my certificate. This did not help me
to read the file. I also could not read older encrypted
files.

I checked my two encrypted folders and found the files to
have separate thumbprints next to my name as encryptor !
I don't recognize either !! I suspect that because the
thumbprint is not the same that I can't open the file (
some sort of certificate mis-matching, even though it's
my name and domain listed ?? ).

I haven't used the cipher.exe or efsinfo.exe commands
yet. I have been using Explorer file properties and the
certificate snap-in for MMC for all my info...

Under MMC, I see several stores and my certificate is
there in several of them ( Personal, Trusted Root,
Enterprise Trust, and Trusted People ) but only the one
I'm used to with a special thumbprint that doesn't match
the encrypted files I'm trying to recover. I don't see
any other certificates in my name... I'm not sure how to
check other profiles either, like you mentioned below...?

Needless to say, I've made myself a file recovery
certificate. On new encrypted files, I also see that
present as a Data Recovery agent... Small consolation !

I have heard about MS reccerts.exe but not sure how to
get it and what it does ? I have also looked at my
certificates and it seems that the thumbprint is an
editable item. I am now looking into that aspect.

On an interesting note, I CAN delete the encrypted
files !! I'm not sure how that happened, if it's the file
recovery certificate or not. Maybe I can fool it by
deleting a less critical file, removing encryption from
its folder, and restoring the file from the recycle
bin ?!? Long shot, eh ?

Perhaps something really nasty hit my registry that day
while I was web-surfing. I have lost all my system
restore points from before that date. I had thought of
going back to the day I encrypted the files originally
but found I couldn't...

Anyways, thanks for sticking with me !


Ron Tyles
 
