File Encryption

[Marli]

I have a fairly aggrivating problem regarding XP's file
encryption and I was wondering if someone here could help
me out. Basically, I turned on my computer one day and
out of the blue, it just wouldn't boot, it kept
saying "Windows cannot load because the following file is
missing or corrupted: C:\Windows\System32\Config\System".
So, immediately I removed my hard drive and put it in
another PC and copied all my data off (which was all ok),
only I couldn't move or open any of my encrypted files
(obviously). Since I hadn't backed up any of my security
certificates, I was slightly worried about what to do. I
basically ran the XP setup off the CD and chose to
recover my windows instead of a fresh install. When I
finally got it to work though, only some of my settings
survived (for example my Administrator account had the
correct password and welcome screen image, but all my
other user accounts had disappeared. When I added them
again, they too appeared with some correct settings like
welcome screen image, but everything else was basically
gone, all my other local settings had disappeared, along
with my security certificates). I was basically wondering
since I haven't reformatted or removed any data or
anything besides the windows repair, if it was possible
to somehow recover the security settings (or
certificates, etc.) after windows has "repaired" itself
because I really need to access my encrypted files.
Thanks.

 

[martie]

When u encrypted your files were you logged in as
administrator or somebody else ? -- If you have'nt backed
up the key/certificate i think you might be in trouble as
the Encryption/Decryption key is derived from the SID
value which represents the account logged in a the time...

Let me know how you go please.

martie.

 

[martie]

http://www3.telus.net/dandemar/encrypt.htm

This URL might help you..

 

[Marli]

Thanks for the help. I wasn't logged into Administrator
at the time I made the files encrypted, I was in another
account (which is a shame because my Administrator
account appears to be the only account whose security
information survived intact). I am getting somewhere on
the problem though. Being the person I am, I wasn't just
going to sit there and look at all these encrypted files,
I just decided that if I can't get into them the nice
way, I would just damn well have to break the encryption
myself somehow (which was obviously a stupid idea at the
time). Anyway, while I was looking around for a way to
break EFS, I came accross the program Advanced EFS Data
Recovery (of which there was a link to on the site you
gave me). It was interesting because it appears that all
my certificate and security information is intact (the
program allows you to search your hard drives for EFS
related files, encryption keys, etc). The only problem is
that I now have the files that contain the security
information I need, but I'm not sure what to do with
them. It's impossible to import them back into the
certificate repository (the files don't even have a file
extension, I assume they are just raw security files).
AEFSDR however allows you to unlock the files if you know
the username and password of the account that created
them (which of course I know). I can then unencrypt the
files with the now available private keys, only I'm using
the trial version which means only the first 512 bytes
get decrypted (it worked too, for the part that got
unencrypted). So basically, all my files are garunteed
ok, the only way I can get them though is to either pay
$60 US ($120 AUD or something ) for a full version of
AEFSDR to unencrypt the rest of each file or find out
exactly what this program does with these raw security
files and find a work around myself.

Geez, well there you go. I hope this helps someone in the
future somehow, I think I'm just lucky I didn't
completely reformat my computer though.

 

[Drew Cooper [MSFT]]

Elcomsoft reverse-engineered DPAPI, the mechanism used to protect the EFS
private key. There's no Microsoft documentation for what they did. I have
never seen external documentation. If you're a coder you could probably do
the same thing Elcomsoft did (or see what their tool is doing).

Microsoft does offer this architectural overview of DPAPI:
http://msdn.microsoft.com/library/d...-us/dnsecure/html/windataprotection-dpapi.asp