File Decryption

Guest

Hi all,

I've recently reinstalled Windows following a terminal crash.
Unfortunately, I now can't access various documents (including My Briefcase)
as I had them encrypted on my process installation of XP.

I have searched the forums which tell me I need my encryption keys to
decrypt them. I have the 'System Files' backed up from my previous
installation. Does anyone know if the keys are in these backups and how I
would use them?

If not, is there any other way of decrypting the files.

Thanks for any help,

Matt.
 
Guest

I don't know whether the system files would include the keys, but I'd
certainly take a look. When you reinstall Windows, or install Windows on a
blank hard drive (which is the safer thing to do, so that you make sure that
your data isn't overwritten when Windows reinstalls), you can tell Windows to
reinstall using Automated System Recovery. I think that if you do this, and
if keys are present, Windows will reinstall the keys. You can then export the
keys to a floppy, and then reinstall the keys to the original hard drive.
 
Vanguard (NPI)

The Stoat said:
Hi all,

I've recently reinstalled Windows following a terminal crash.
Unfortunately, I now can't access various documents (including My
Briefcase)
as I had them encrypted on my process installation of XP.

I have searched the forums which tell me I need my encryption keys to
decrypt them. I have the 'System Files' backed up from my previous
installation. Does anyone know if the keys are in these backups and how I
would use them?

If not, is there any other way of decrypting the files.


Did you export the EFS certificate? If not, say bye-bye to those files. If
you had several thousand, maybe millions, of computers you might be able to
decrypt those files in a few years.

Start -> Help and Support , search on "EFS export".

How good are your backups (from where you got the old encrypted data files)?
Do you have a full backup sometime after you created the EFS certificate?
What I'm thinking is that you create a new account under the new instance of
Windows which has the same username and password as before. Its SID
(security identifier) recorded in the SAM database and registry won't be the
same but maybe that is not required. Then use your backups to recover that
old user profile to put those files under your new same-named profile path.
Then login as that old username using the same old password.

Because the SID for the *new* account with the same username will be
different than before, the NTFS permissions will list a SID that is not
defined under that new instance of Windows as the owner of those files. You
will need to remove that old SID from the security for your profile (and all
files under it) using an admin account so you can take ownership of it or
give it to the new same-named account. Even when I had the EFS certificate
to import, I could not access my encrypted files (after importing the EFS
certificate) until I added my new account (by the same old username) to the
security access list for those files. Ownership and permissions in NTFS are
tracked by the SID for the accounts or groups. When you create a new
account, even by the same username, the SID will be unique. However, that
old SID under the old instance of Windows is undefined under the new
instance of Windows. For file permissions under the Security tab, you'll
see some "S-<bunchnumbers>" account listed with full permissions and as the
owner. That's your old SID under the old instance of Windows. Remove it
and add yourself as the new owner of the file, or add a group to have
permissions to which your new account belongs.

I'm not sure that creating a new account using the same old username *AND*
the same old password (so you'll need to know the password) along with doing
a restore from backups for all files under your profile path for that new
account (%userprofile%) will work, even after fixing the NTFS permissions to
allow your new account to be owner or have full permissions. The SID for
your new same-named account will be different than before. From what I read
at:

http://support.microsoft.com/?id=322346

The SID is not involved in generating the private or public keys for the EFS
certificate (that you probably never exported). However, if you didn't do
backups then you have no old profile to restore. If you don't remember the
old password to use in the new same-named account, you have no way to
duplicate the hash that got used in generating your encryption keys. And I
don't know if the above will work or if you are capable of performing it and
maybe digging out from any pitfalls during the process, so not having an
exported copy of the EFS certificate means you lost those files.
 
Guest

Postscript to what I wrote previously: I think that the Automated System
Recovery option will automatically format a hard drive before restoring, so
be sure to use a blank hard drive if you try Automated System Restore.
Otherwise, you might accidentally delete your data.
 
Torgeir Bakken (MVP)

The Stoat said:
Hi all,

I've recently reinstalled Windows following a terminal crash.
Unfortunately, I now can't access various documents (including My Briefcase)
as I had them encrypted on my process installation of XP.

I have searched the forums which tell me I need my encryption keys to
decrypt them. I have the 'System Files' backed up from my previous
installation. Does anyone know if the keys are in these backups and how I
would use them?

If not, is there any other way of decrypting the files.

Hi,

That depends on what your 'System Files' backup contains.

The data can be recovered in some cases even if you didn't export the
encryption certificate:

Here is an extract from
http://www.beginningtoseethelight.org/efsrecovery/

<quote>
if you have the following folders and their contents from the original install of
2k or xp - you can recover your efs data. knowledge of your password is also
required for this amount of data.

c:\documents and settings\foo\application data\microsoft\crypto\
- private keys

c:\documents and settings\foo\application data\microsoft\protect\
- locks your current password to your private keys

c:\documents and settings\foo\application data\microsoft\systemcertificates\
- public keys (not essential to be the original as another valid key can be
made up)

this data may be on an unbootable system, a backup, roaming profile or
currently on the system, either in the file system or in the free space.
</quote>
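
Added example (not part of the thread or of the quoted site): a Python check that a profile folder restored from backup, or read off the old drive, actually holds the three folders named in the extract above. The function names and the sample SID are made up for this example; the only layout detail it relies on beyond the extract is that Windows keeps the key files in SID-named sub-folders.

```python
import os
import re

# Folder names come from the quoted extract; the flag records whether the
# extract treats that folder as essential for recovery.
REQUIRED = {"Crypto": True, "Protect": True, "SystemCertificates": False}
SID_RE = re.compile(r"^S-1-5-21(-\d+)+$", re.I)

def find_ci(parent, name):
    """Case-insensitive child lookup (old volume may be mounted case-sensitively)."""
    try:
        for entry in os.listdir(parent):
            if entry.lower() == name.lower():
                return os.path.join(parent, entry)
    except OSError:  # folder missing, or access denied before taking ownership
        pass
    return None

def check_profile(profile_dir):
    """Per folder: is it present, how many files, which SID sub-folders."""
    base = profile_dir
    for part in ("Application Data", "Microsoft"):
        base = find_ci(base, part) if base else None
    report = {}
    for name, essential in REQUIRED.items():
        path = find_ci(base, name) if base else None
        files, sids = 0, set()
        if path:
            for root, dirs, fnames in os.walk(path):
                files += len(fnames)
                sids.update(d for d in dirs if SID_RE.match(d))
        report[name] = {"present": path is not None, "files": files,
                        "sids": sorted(sids), "essential": essential}
    return report

def recoverable(report):
    """True only if every essential folder is present and non-empty."""
    return all(r["files"] > 0 for r in report.values() if r["essential"])

def build_sample(root, with_protect=True):
    """Constructed sample tree (lower-case names, as in the extract)."""
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1003"  # constructed
    ms = os.path.join(root, "application data", "microsoft")
    dirs = [("crypto", "rsa", sid)] + ([("protect", sid)] if with_protect else [])
    for parts in dirs:
        os.makedirs(os.path.join(ms, *parts))
        open(os.path.join(ms, *parts, "sample.key"), "w").close()
    return root
```

Call `check_profile()` on the old user's profile folder; a SID listed under `Crypto` but not under `Protect` means the private keys are there without the data that ties them to the password.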
 
Guest

Thanks all for the replies. I do have the original, non-bootable hard drive
which is still accessible. In the 'Documents and Settings' folder there are
three user folders: Matt (me), All Users and Default User. The Matt folder
is inaccessible. The All Users folder has the crypto folder but can't find
the 'protect' or 'systemcertificates' folder.

Is this enough or do I need more files? And what do I do with them once I
have them?

Sorry for so many questions - I'm a bit uneducated with file encryption!

Thanks for your help.

Matt.
 
Torgeir Bakken (MVP)

The Stoat said:
Thanks all for the replies. I do have the original, non-bootable hard drive
which is still accessible. In the 'Documents and Settings' folder there are
three user folders: Matt (me), All Users and Default User. The Matt folder
is inaccessible. The All Users folder has the crypto folder but can't find
the 'protect' or 'systemcertificates' folder.

Is this enough or do I need more files?

You will need to get into the "Matt" folder, it is there where the
necessary data is.


Taking ownership should help:

"Access is Denied" Error Message When You Try to Open a Folder
http://support.microsoft.com/default.aspx?scid=kb;en-us;810881

HOW TO: Take Ownership of a File or Folder in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308421


Note this one from KB308421:

<quote>
If you are running Microsoft Windows XP Home Edition, you must
start the computer in safe mode, and then log on with an account
that has Administrative rights to have access to the Security tab.
</quote>

And what do I do with them once I have them?

That is described here:
http://www.beginningtoseethelight.org/efsrecovery/
 
Guest

Hi there,

I have the same problem as you with my files and nobody could find a solution.
I reinstalled the fresh Win XP Pro and now I have no access to all of my files
which were encrypted before reinstalling new windows. I think we have to
forget those files.

Sami,
 
