Questions About Recovering EFS Security Certificate

John

I have a hard drive (w/ XP Pro SP2) that refused to boot up recently because
the 'system' files became corrupted after I loaded the new Norton 2005 AV.
It would not even boot to any restore points or any safe modes - 'corrupted
config/system file(s).'

Anyway... I bought a new drive and loaded it with XP SP2 as well. I assigned
the old drive as a "slave" to the new one so I could recover some critical
data files (which worked just fine). However, I had (1) folder that was
encrypted on the old drive and I never had assigned an EFS Recovery Agent -
which means it used the default Administrator certificate (I assume). Of
course I can not access that one folder currently.

Is there ANY way to get at that certificate from the old drive? I did NOT
reformat it (I just reassigned it as a "slave" to the new drive). The old
'ownership' still shows up since I have only changed ownership on a few of
the folders that I had to recover. The encrypted folder in question I have
NOT taken ownership on yet.

Can any of you MVP gurus give me a clue or some guidance on how I might
recover that old certificate (assuming it is possible)? Where would that
default EFS certificate be stored on the old drive, and how could I access
it currently?

thanks
John
 
Tom

John said:
I have a hard drive (w/ XP Pro SP2) that refused to boot up recently
because the 'system' files became corrupted after I loaded the new Norton
2005 AV. It would not even boot to any restore points or any safe modes -
'corrupted config/system file(s).'

Anyway... I bought a new drive and loaded it with XP SP2 as well. I
assigned the old drive as a "slave" to the new one so I could recover some
critical data files (which worked just fine). However, I had (1) folder
that was encrypted on the old drive and I never had assigned an EFS
Recovery Agent - which means it used the default Administrator certificate
(I assume). Of course I can not access that one folder currently.

Is there ANY way to get at that certificate from the old drive? I did NOT
reformat it (I just reassigned it as a "slave" to the new drive). The old
'ownership' still shows up since I have only changed ownership on a few of
the folders that I had to recover. The encrypted folder in question I have
NOT taken ownership on yet.

Can any of you MVP gurus give me a clue or some guidance on how I might
recover that old certificate (assuming it is possible)? Where would that
default EFS certificate be stored on the old drive, and how could I access
it currently?

thanks
John

Unless you backed up the key to that encryption, you can kiss that folder
goodbye, as there is no way to retrieve the info from it without it.
 
John

Tom said:
Unless you backed up the key to that encryption, you can kiss that folder
goodbye, as there is no way to retrieve the info from it without it.

Really... not even when you have the original drive?? I would assume - if I
could ever get that drive to boot again - that the info would still be
there, and including the default EFS certificate the system was using under
that user. No??

And if so it would seem there should be some way to recover the embedded EFS
certificate the system was using.

Or perhaps I am using poor logic or misunderstand how the EFS certificate
system works??

John
 
Tom

John said:
Really... not even when you have the original drive?? I would assume - if
I could ever get that drive to boot again - that the info would still be
there, and including the default EFS certificate the system was using
under that user. No??

And if so it would seem there should be some way to recover the embedded
EFS certificate the system was using.

Or perhaps I am using poor logic or misunderstand how the EFS certificate
system works??

John

It's possible that you didn't back up, or make, a key; open Help and Support,
and type EFS in the search box, and read the related links in the left
column.
 
Kerry Brown

Yes... thanks Tom. No, I did not back up the key to floppy as I should have
(unfortunately), and in fact had forgotten that I still even had that one
encrypted folder (has old email in it that I'd love to get back). Where I
REALLY screwed up was failing to set up a system-wide Recovery Agent and
keeping that certificate on floppy. Dumb oversight on my part.

But really my question was related to WHERE that EFS certificate and
associated key would be stored on my old drive. It would seem it has to be
stored somewhere, and associated under the user that originally encrypted
any folders/files (has a specific thumbprint).

Am I all wet here for some reason? I really didn't see anything in the
HELP or knowledge base that gave me much direction in finding where the
system specifically stores those certificates, or if there might be a way
to recover them since I still have the old drive available to me.

John

If you could recover a certificate that way then anyone that had physical
access to the computer could access encrypted files. It can only be done by
exporting the key for a reason. I know of no way to recover your data.

Kerry
 
John

Kerry Brown said:
John

If you could recover a certificate that way then anyone that had physical
access to the computer could access encrypted files. It can only be done
by exporting the key for a reason. I know of no way to recover your data.

Well... actually they would have to know the user's password I assume (which
I have of course). But, apparently there is no way to recover the EFS
certificate short of getting that drive to boot up again (apparently).

thanks

John
 
Kerry Brown

John said:
Well... actually they would have to know the user's password I assume
(which I have of course). But, apparently there is no way to recover the
EFS certificate short of getting that drive to boot up again (apparently).

If they have administrator status and the certificate was available in your
profile they wouldn't need the password. That's why EFS works as it does. If
someone could access the computer and get the certificate it wouldn't be
hard to use a brute force attack on the encrypted file.

I actually did the same thing as you a few years back. I was experimenting
with EFS and for some reason encrypted my PST file. I promptly forgot it was
encrypted. Some time later I bought a new computer and transferred all my
data and wiped the old computer before selling it. Went into Outlook, tried
to import the old data and bingo, I was hooped. Luckily I had a complete
backup of the old computer. It took some time, had to restore the old
system, do a repair install, unencrypt the file, then rebuild the new
computer again. Doing this once is enough to make sure the first thing after
using EFS you always export the cert. :)

Kerry
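Kerry's advice to export the certificate as soon as EFS is in use, as an added PowerShell example that is not from this thread: it lists the EFS-encrypted files under a folder, checks whether the current user's store still holds a certificate with the EFS key usage, and backs that certificate and private key up with the built-in cipher.exe. It assumes Windows PowerShell 3 or later; the $ScanRoot and $BackupPath names are illustrative.

```powershell
# Added example, not code from the thread. Run as the user who encrypted the files.
# Assumption: Windows PowerShell 3+ (for -File); cipher.exe /x exists on XP SP2 and later.
param(
    [string]$ScanRoot   = $env:USERPROFILE,                          # folder to audit (assumed)
    [string]$BackupPath = "$env:USERPROFILE\Desktop\efs-backup"     # output name, no extension (assumed)
)

# 1. Find every file carrying the Encrypted attribute. A forgotten encrypted folder,
#    like the one in this thread, shows up here before it becomes unrecoverable.
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }

if (-not $encrypted) {
    Write-Host "No EFS-encrypted files found under $ScanRoot."
} else {
    Write-Host "EFS-encrypted files ($($encrypted.Count)):"
    $encrypted | ForEach-Object { Write-Host "  $($_.FullName)" }
}

# 2. Show the certificates in the user's store that carry the EFS enhanced key usage
#    (OID 1.3.6.1.4.1.311.10.3.4). On a rebuilt machine this list is empty, which is
#    exactly why the old folder cannot be opened: the key lived in the old profile.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.10.3.4' }
}
foreach ($c in $efsCerts) {
    Write-Host ("EFS certificate {0}, expires {1}, private key present: {2}" -f
        $c.Thumbprint, $c.NotAfter, $c.HasPrivateKey)
}

# 3. Back up certificate and private key to a password-protected PFX.
#    cipher /x prompts for the password and writes <BackupPath>.pfx.
if ($efsCerts) {
    & cipher.exe /x $BackupPath
    Write-Host "Backup written to $BackupPath.pfx; copy it off this disk."
} else {
    Write-Host "No EFS certificate with a private key in this profile; nothing to back up."
}
```

The .pfx is only useful if it is stored somewhere other than the system drive it protects, which is the step both John and Kerry skipped.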
 
Kerry Brown

Kerry Brown said:
If they have administrator status and the certificate was available in
your profile they wouldn't need the password. That's why EFS works as it
does. If someone could access the computer and get the certificate it
wouldn't be hard to use a brute force attack on the encrypted file.


Kerry

John

I may have been in error with this post. See this link for more details:

http://www.beginningtoseethelight.org/efsrecovery/

I haven't tried this but it does look like the procedure may work in your
case. I found the link on one of the other XP newsgroups.

Kerry
 
