How to Decrypt EFS Files in Win XP Pro when OS is lost.

andivijay

Hi there,

Well my problem is, one of my users has formatted the Win XP m/c
without knowing that he had an encrypted folder with files encrypted in
it. Now my problem is, he has formatted his C: drive and the files are
on the D: drive, and after the reinstallation of the m/c none of his files
are opening. Worst case, this m/c is a standalone m/c and I don't have
a solution where I can decrypt his files for him. Please suggest a course
of action.

Vijay A
 
Mike Brannigan [MSFT]

If the machine was not a domain member, the user did not back up their
profile fully somewhere, they did not back up their own encryption keys,
they did not have a recovery agent and did not back up those keys - then the
files are almost certainly lost for good.


--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
NoNoBadDog!

andivijay said:
Hi there,

Well my problem is, one of my users has formatted the Win XP m/c
without knowing that he had an encrypted folder with files encrypted in
it. Now my problem is, he has formatted his C: drive and the files are
on the D: drive, and after the reinstallation of the m/c none of his files
are opening. Worst case, this m/c is a standalone m/c and I don't have
a solution where I can decrypt his files for him. Please suggest a course
of action.

Vijay A

--
Posted using the http://www.windowsforumz.com interface, at author's
request
Articles individually checked for conformance to usenet standards
Topic URL:
http://www.windowsforumz.com/Security-Admin-Decrypt-EFS-Files-Win-XP-Pro-OS-lost-ftopict424267.html
Visit Topic URL to contact author (reg. req'd). Report abuse:
http://www.windowsforumz.com/eform.php?p=1420122

Unfortunately, you can file this one under "Live and Learn". Unless he
saved his keys, or was a member of a domain with a controller that held
duplicate keys, then the user is truly screwed.

Bobby
 
Guest

Vijay, ignore the naysayers. EFS encryption can be bypassed with this
software:

try http://www.elcomsoft.com/aefsdr.html

Advanced EFS Data Recovery


Advanced EFS Data Recovery (or AEFSDR) is a program to recover (decrypt)
files encrypted on NTFS (EFS) partitions created in Windows 2000, Windows XP
and Windows Server 2003. Files are being decrypted even in a case when the
system is not bootable and so you cannot log on, and/or some encryption keys
have been tampered. Besides, decryption is possible even when Windows is
protected using SYSKEY. AEFSDR effectively (and instantly) decrypts the files
protected under all versions Windows Server 2003 (Standard and Enterprise),
Windows XP (including Service Packs 1 and 2) and Windows 2000 (including
Service Packs 1, 2, 3 and 4).



New in version 3.0:
Wizard has been implemented
seriously improved key decryption speed
improved file decryption speed: in 60 times for AES, in 11 times for DESX
decrypting files that are larger than 4Gb
added support for NTFS disks with MFT size other than 1024 bytes
complete support for UNICODE systems (like Chinese and Japanese)

They even have a free trial download (with obviously some limitations).
Let us know how it works out for you. Thanks.
 
Torgeir Bakken (MVP)

Hi,

Note that without the encryption keys, AEFSDR will not be able to
decrypt the files.

From AEFSDR's "Known problems and limitations" list at
http://www.elcomsoft.com/help/aefsdr/index.html?page=requirements.htm

<quote>
The program can decrypt protected files only if encryption keys
(at least, some of them) are still exist in the system and have
not been tampered.
</quote>

As the user formatted the C: drive that contained the encryption keys,
AEFSDR will not be able to help him.

Regards,
Torgeir
 
Jupiter Jones [MVP]

That as well as other similar programs can work very well...IF the keys are
available.
It seems from the OP's post the keys are gone so that tool will not work.
 
andivijay

Hi all,

Great thinkers around, nice to hear ya all, but as mentioned by our
good friend Torgeir Bakken, the AEFSDR 3.0 didn't work, truly for the
reasons mentioned below, and ohh I'm searching the net like anything
for pulling this thing on...

Thanks for the replies guys, do write up if ya guys can pull on a
solution for this one...

Vijay A
 
Guest

I am feeling your pain currently. Do not depend on Norton Ghost to save your
butt on this one since I am in your shoes after attempting to restore the
image with the original .cer and .pfx files which would have made this
simple.

The resource guide for XP leads the beginner to believe that these keys can
be recovered, but it sounds as though this is definitely not the case and this
makes sense since I have been attempting to generate working certs for
several hours to no avail.
 
Steven L Umbach

The Ghost image should work if the proper certificates are in the image. Pfx
files are the ones that contain the EFS private key which is what is needed
to decrypt EFS files for the appropriate user or as a Recovery Agent. Pfx
files also password protect the EFS private key. You can use efsinfo to
see what users and RA [if any] can decrypt the file and see the thumbprint
information of the certificates which can be helpful to make sure you have
the proper EFS certificate AND private key. The .cer files will not decrypt
any EFS file as they contain only the certificate and the public key. ---
Steve

http://support.microsoft.com/?kbid=243026 --- works the same for XP Pro
also.
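
The check Steve describes above, as an added PowerShell example that is not part of the original thread: it loads a candidate .pfx or .cer file, reports whether it actually carries a private key, and compares its thumbprint with the one efsinfo shows for the encrypted file. The function name, paths and thumbprint value are hypothetical placeholders; the two OIDs are Microsoft's enhanced key usage identifiers for EFS and EFS file recovery.

```powershell
# Added example, not from the thread. Test-EfsKeyCandidate is a hypothetical name.
function Test-EfsKeyCandidate {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Thumbprint efsinfo reports for the encrypted file (user or Recovery Agent)
        [Parameter(Mandatory = $true)] [string] $ExpectedThumbprint,
        # Needed only for a password-protected .pfx
        [System.Security.SecureString] $PfxPassword
    )

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $ctorArgs = @((Resolve-Path -LiteralPath $Path).Path)
    if ($PfxPassword) { $ctorArgs += $PfxPassword }
    $cert = New-Object -TypeName "$x509.X509Certificate2" -ArgumentList $ctorArgs

    # Collect the Enhanced Key Usage OIDs carried by the certificate
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    if ($ekus -contains '1.3.6.1.4.1.311.10.3.4.1') {
        $role = 'Recovery Agent'        # EFS file recovery EKU
    } elseif ($ekus -contains '1.3.6.1.4.1.311.10.3.4') {
        $role = 'EFS user'              # Encrypting File System EKU
    } else {
        $role = 'no EFS key usage'
    }

    # Strip spaces/colons so a thumbprint pasted from tool output compares cleanly
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $thumbprintOk = ($cert.Thumbprint -eq $expected)

    $result = [pscustomobject]@{
        File           = $Path
        Role           = $role
        Thumbprint     = $cert.Thumbprint
        MatchesEfsinfo = $thumbprintOk
        HasPrivateKey  = $cert.HasPrivateKey
        # A .cer can pass the thumbprint test but fails here: public key only
        CanDecrypt     = ($thumbprintOk -and $cert.HasPrivateKey)
    }
    $cert.Reset()   # release the key material loaded from the file
    $result
}

# Usage with constructed placeholder values:
# $pw = Read-Host -Prompt 'PFX password' -AsSecureString
# Test-EfsKeyCandidate -Path 'E:\backup\user.pfx' -PfxPassword $pw -ExpectedThumbprint '<thumbprint from efsinfo>'
# Test-EfsKeyCandidate -Path 'E:\backup\user.cer' -ExpectedThumbprint '<thumbprint from efsinfo>'
```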
 
Guest

Well actually the image is corrupted from movement. Is there a way to peel
these out with some tool? Oddly enough the image was a dual boot of WIN 2K
and XP Pro and the WIN 2K will boot, while the WIN XP hangs at the welcome
screen forever.

Depending on NG I did not use ASR (stupid on my part) and I am fearful of
using console recovery tool since if I replace system files, I figured it may
wipe out my original security settings as well. (I have never had good luck
with recovery console since I do not know how to use it well. I wished that
MS had put the cipher command in it though as it would help right now.)
--
truth


 

Steven L Umbach

Too bad about the image being corrupt. Maybe trying to boot into Safe Mode
would be worth a try for the XP Pro operating system or an "upgrade/repair"
install of it. If you can access the files in the XP Pro by booting to
Windows 2000 you might be able to recover the EFS private key from the XP
Pro install [it would be in the user's profile] but not by normal methods.
Microsoft paid support may be able to help or there is a program from
Elcomsoft that may help. Elcomsoft has a free trial version that is limited in
that it can only recover very small files but it is very useful because it
can let you know if you can recover the EFS private key but you have the
added complication in that Windows 2000 will not be able to decrypt files
encrypted on XP Pro because of the stronger encryption method that XP Pro
uses. --- Steve

http://www.elcomsoft.com/aefsdr.html --- Elcomsoft link

 
Michael Kinder

I had this very thing happen to me and I have downloaded a trial version of
Elcomsoft EFS decryption program mentioned in this thread.

I don't know what the problem was that the person who said that this program
didn't work was getting. It was able to decrypt the first 512 bytes of the
files that were encrypted on my computer (that's all the trial version will
decrypt).

Is this what he was running into and it just was not decrypting the rest of
the files or was he getting a different error?

I was going to buy the program, but I would hate to spend the $99 to find
out all I'm getting is the first 512 bytes.
 
Steven L Umbach

The program will not work if the user or RA EFS private key is not found on
the computer. If it is found and you can enter the correct user password to
unlock it then you should have access to the files that can be decrypted by
that EFS private key. The trial version lets you know that and from your
description I would say you have a very good chance of recovering your
files. Be sure to email them if you have any further questions. --- Steve
 
