Encrypted files got me crazy!!!!!!!

  • Thread starter Thread starter Dan H. Rubinsky
  • Start date Start date
D

Dan H. Rubinsky

This is the second time I ask the same question. PLEASE I
need help on this!!!!!!!!
I have a WinXp Pro software installed in an AMD PC
Athlon2400+ with 525 RAM and 3 Hard disks on it (80 G,
40G, 20G...this last partitioned). Fact is that I encrypt
some folders in one of the Disks and then I moved them to
another. Now I can't read them. Each time I whant to I see
only garbish encrypted types on them. I've done all what
MS tells to decrypt but the files and folders seems to be
NOT encrypted (the squares are unchecked). One thing that
entrigues me is that when I go to Properties of the
folders or files (Security tab) I can see this:
Administrator.....
Creator Owner.....
S-1-5-21-1614895754-920026266-500........ ??????????? This
I don't know what is
System......
Users(....)............
I need all those encoded files but don't know what to do.
What I did is encrypt some important folders including My
Documents, Temp in System and to more I usually use for
securoity documents.
I know you can help in in this. Thanks a lot for that.
I usually don't ask for help in this forum or service,
thatfore I ask you if you can send your response to my
account mail. Thanks again.
Daniel
(e-mail address removed)
..
 
Dan,

Those files appear to have been encrypted by the local Administrator
user--you'll most likely need to use the local Administrator account to read
those files. Otherwise, you might be able to move the files from a hard
drive using NTFS (NT File System) to a drive that uses FAT (File Allocated
Table). If I recall correctly, a hard drive using FAT file system does not
support file encryption--it just might remove the encryption when you save
it to a drive without NTFS--just a throught.

Best of luck,

Todd


This is the second time I ask the same question. PLEASE I
need help on this!!!!!!!!
I have a WinXp Pro software installed in an AMD PC
Athlon2400+ with 525 RAM and 3 Hard disks on it (80 G,
40G, 20G...this last partitioned). Fact is that I encrypt
some folders in one of the Disks and then I moved them to
another. Now I can't read them. Each time I whant to I see
only garbish encrypted types on them. I've done all what
MS tells to decrypt but the files and folders seems to be
NOT encrypted (the squares are unchecked). One thing that
entrigues me is that when I go to Properties of the
folders or files (Security tab) I can see this:
Administrator.....
Creator Owner.....
S-1-5-21-1614895754-920026266-500........ ??????????? This
I don't know what is
System......
Users(....)............
I need all those encoded files but don't know what to do.
What I did is encrypt some important folders including My
Documents, Temp in System and to more I usually use for
securoity documents.
I know you can help in in this. Thanks a lot for that.
I usually don't ask for help in this forum or service,
thatfore I ask you if you can send your response to my
account mail. Thanks again.
Daniel
(e-mail address removed)
..
 
FAT filesystem does not support EFS, but moving
EFS encrypted files to a FAT storage area will not
remove the encrypting unless done by an account
that can decrypt the files.
 
How did you move them ?
What filesystem exists where they now are ?
Have you tried moving them back the say way
you moved them over ?

What you are seeing is due to the files not being
recognized as encrypted, so they are just being
opened, yielding junk. There is a bit in the file
headers that is supposed to indicate the file is
EFS encrypted, and this apparent has been cleared.
I do not know how to zap it back to on.

Perhaps some MS person in here will say.
 
Roger,

Wasn't sure on the NTFS and FAT encryption. Thanks for the clarification.

Best regards,

Todd

FAT filesystem does not support EFS, but moving
EFS encrypted files to a FAT storage area will not
remove the encrypting unless done by an account
that can decrypt the files.
 
BTW, I forgot this..... I'm the owner of the PC, the
administrator and only user of it. ALL my drives are with
NTFS format and the way I move the encrypted files is just
seecting the folder and moving them from one drive to
another.... There was no hidden file (ALL the PC is with
the hidden option disable) visible. After I moved the
folders I certified if the files where there...They
where!! But now I can't read them....
ALso.... each time I am doing a backup of the folders with
some encrypted files Nero denies the copy.... yes, I know
also that I must decrypt first to backup.... BUT I
CANT'T... Hope someone can help on this....perhaps
Microsoft.... Thanks in advance.....

Dan
 
BTW, I forgot this..... I'm the owner of the PC, the
administrator and only user of it. ALL my drives are with
NTFS format and the way I move the encrypted files is just
seecting the folder and moving them from one drive to
another.... There was no hidden file (ALL the PC is with
the hidden option disable) visible. After I moved the
folders I certified if the files where there...They
where!! But now I can't read them....
ALso.... each time I am doing a backup of the folders with
some encrypted files Nero denies the copy.... yes, I know
also that I must decrypt first to backup.... BUT I
CANT'T... Hope someone can help on this....perhaps
Microsoft.... Thanks in advance.....

Dan
 
BTW, I forgot this..... I'm the owner of the PC, the
administrator and only user of it. ALL my drives are with
NTFS format and the way I move the encrypted files is just
seecting the folder and moving them from one drive to
another.... There was no hidden file (ALL the PC is with
the hidden option disable) visible. After I moved the
folders I certified if the files where there...They
where!! But now I can't read them....
ALso.... each time I am doing a backup of the folders with
some encrypted files Nero denies the copy.... yes, I know
also that I must decrypt first to backup.... BUT I
CANT'T... Hope someone can help on this....perhaps
Microsoft.... Thanks in advance.....

Dan
 
It sounds like an old non-EFS compliant utility was used to transfer the
files from drive X to drive Y. If this was the case, the files are
garbage - the encryption bit was either lost or mixed in with the data to
give you the problem you are experiencing.
How did the files get copied from drive X to drive Y? Software and version.
I have also seen this happen when an non-authorized (being not the
designated recovery agent or the account that encrypted the files) copied
the files to a FAT12/16/32 formatted disk - again the encryption bit is lost
and/or mixed in creating garbage.
Either way the files are toast and forever lost, even with copying back, and
the files are corrupted - unless you have a backup of the files before they
were copied from the original location you are out of luck. NTFS file
encryption does exactly what it is suppose to do - if it was as easy as
copying them from NTFS to FAT to break the encryption, then it would be
worth the development time MS spent on it.
 
BTW, I forgot this..... I'm the owner of the PC, the
administrator and only user of it. ALL my drives are with
NTFS format and the way I move the encrypted files is just
seecting the folder and moving them from one drive to
another.... There was no hidden file (ALL the PC is with
the hidden option disable) visible. After I moved the
folders I certified if the files where there...They
where!! But now I can't read them....
ALso.... each time I am doing a backup of the folders with
some encrypted files Nero denies the copy.... yes, I know
also that I must decrypt first to backup.... BUT I
CANT'T... Hope someone can help on this....perhaps
Microsoft.... Thanks in advance.....
 
I suggested he try a couple tools - cipher and efsinfo, but he did not report back.
Cipher would tell him right away if they were still encrypted or not. Maybe he could
talk to NASA about leasing some of there computers for a couple decades? --- Steve
 
Steven L Umbach said:
I suggested he try a couple tools - cipher and efsinfo, but he did not report back.
Cipher would tell him right away if they were still encrypted or not. Maybe he could
talk to NASA about leasing some of there computers for a couple ecades? --- Steve
Click to expand...

Not bad ideas, but when he said he is seeing garbage
that sort of tells me anything he tries within Windows
is not going to believe these to be EFS files.

PS - he would probably only need a fairly short computer
time contract with the NSA
 
They've already decrypted his files, but they won't admit it. The RIAA
also probably already has them off his Kazaa server.
 
Hello Dan,

I have a few questions in regards to your problem -

1. You said you moved them and then certified the files were there. Just
to make sure, did you move them and then check right away or is it possible
you waited a couple of days? I want to make sure no other changes were
made to the system in between moving them and checking them. The following
KB could be your problem if you had uninstalled SP1 on Windows XP -

329741 EFS Files Appear Corrupted When You Open Them
http://support.microsoft.com/?id=329741

2. You state you see the following in the Security tab -

S-1-5-21-1614895754-920026266-500........ ??????????? This I don't know
what is

This is the Local Administrator account. Have you logged in as the local
admin and tried to view these files?

3. Can you encrypt other files at this point and view them correctly? It
is possible that the DLL's that handle the cryptography have been
corrupted. Try registering the following files and/or restoring them from
SP1, the Winxp CD or the listed updates, depending on what you have
currently installed -

Crypt32.dll
Cryptdlg.dll
Cryptnet.dll
Cryptsvc.dll

The following hotfix is the most recent for Crypt32.dll and Cryptnet.dll
after SP1 -

329433 A Revoked Certificate Is Selected If a Certification Authority in the
http://support.microsoft.com/?id=329433

And the following items are post SP1 also but are older than the above KB
and only updates Crypt32.dll -

821248 Contents of the CRL Distribution Points Field of a Digital
Certificate
http://support.microsoft.com/?id=821248

329115 MS02-050: Certificate Validation Flaw Might Permit Identity Spoofing
http://support.microsoft.com/?id=329115

4. Since the Encryption tag is not checked, the file system does not
consider these encrypted files. It looks like the issue is with the header
information on the data and we may not be able to recover it. Do you have
a backup or a previous restore point that you could go back to?

Best regards,
--
Shain Wray
Microsoft PSS Security Team

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!
 
Hi Shain,

You mentioned in your item 4
4. Since the Encryption tag is not checked, the file system does not
consider these encrypted files. It looks like the issue is with the header
information on the data and we may not be able to recover it. Do you have
a backup or a previous restore point that you could go back to?
Click to expand...

So, is it safe to believe that when the bit has become cleared that there
is no normal-user accessible way to get it set back on (short of some hex
poking) ?
 
Hello Roger,

As far as I know a hex editor probably will not do this. What needs to be
done is to talk with a data recovery specialist, make sure you have the
private key from the system and see if they can help out. Microsoft does
not have any tools to do this.

Best regards,
--
Shain Wray
Microsoft PSS Security Team

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!
 
Shain,

Thanks for the reply. I was hoping there may be a tool,
as we seem to see this situation too frequently, though
most ofter from such as Partition Magic resizing.

Thanks,
Roger
 
Hello Roger,

True, I will let our development group know about this request. I am sure
they have heard it before and one more will not hurt.

Best regards,
--
Shain Wray
Microsoft PSS Security Team

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!
 
Cheers, and yes, I am sure some of the team that
stops through here has seen such posts.
 
Back
Top