Recovering encrypted file from dead drive


Richard

Have a problem recovering an encrypted file from a WinXP Pro hard drive
that will no longer boot. Have been using your "encrypted file system
recovery" method for guidance, and have been able to recover the file using
Backup, as well as recover the 3 suggested directories, Crypto, Protect, and
SystemCertificates. Exported the profilelist entry and changed its key to
the target machine SID as well as replacing the machine SID in its value
portion with the target value after converting it to the byte form. Imported
that entry ok. Replaced the 3 directories and rebooted. However, the machine
SID does not change to the new value, which is evident after attempting to
decrypt, since the old machine SID shows up in RSA directory, although
empty. It is interesting to note that the 3rd group of 4 bytes in the
machine SID happens to be the correct value. The first 2 are not and do not
change.

I assume that it does not decrypt because the target machine SID that is
being used by XP is not correct. If this is true, how can I force it to use
the correct machine SID? If not, can you point out what I might be doing
wrong or point me in a better direction?

Thanks for all this great information. I am surprised that I have gotten
this far.
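
Added example, not part of the original post: the string-to-byte SID conversion described above, written against the standard Windows binary SID layout so a hand-converted value can be checked. The function names and the SIDs used with them are constructed for illustration.

```python
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Encode an 'S-1-5-21-...' string into the binary SID layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority count or value out of range")
    # Layout: revision (1 byte), sub-authority count (1 byte),
    # identifier authority (6 bytes, big-endian), then each
    # sub-authority as 4 bytes little-endian.
    head = struct.pack("BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)

def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID back to its string form, checking its length."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def machine_part(sid: str) -> tuple:
    """Return the three machine groups of an S-1-5-21-A-B-C[-RID] SID."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) < 7:
        raise ValueError(f"not a machine or account SID: {sid!r}")
    return tuple(int(p) for p in parts[4:7])

def compare_machine_parts(current: str, target: str) -> list:
    """Per-group match of the machine portion (True means the group agrees)."""
    return [a == b for a, b in zip(machine_part(current), machine_part(target))]

if __name__ == "__main__":
    # Constructed SIDs, not values from the thread.
    target = "S-1-5-21-11-21-30-1003"
    current = "S-1-5-21-10-20-30-1003"
    print(sid_to_bytes(target).hex(" "))
    print(compare_machine_parts(current, target))
```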
 
Richard said:
Have a problem recovering an encrypted file from a WinXP Pro hard drive
that will no longer boot. Have been using your "encrypted file system
recovery" method for guidance, and have been able to recover the file using
Backup, as well as recover the 3 suggested directories, Crypto, Protect, and
SystemCertificates. Exported the profilelist entry and changed its key to
the target machine SID as well as replacing the machine SID in its value
portion with the target value after converting it to the byte form. Imported
that entry ok. Replaced the 3 directories and rebooted. However, the machine
SID does not change to the new value, which is evident after attempting to
decrypt, since the old machine SID shows up in RSA directory, although
empty. It is interesting to note that the 3rd group of 4 bytes in the
machine SID happens to be the correct value. The first 2 are not and do not
change.

I assume that it does not decrypt because the target machine SID that is
being used by XP is not correct. If this is true, how can I force it to use
the correct machine SID? If not, can you point out what I might be doing
wrong or point me in a better direction?

Thanks for all this great information. I am surprised that I have gotten
this far.

Hi

If you have access to the user profile folders for the user that encrypted the
files and you remember the password for that user, you might be able to save
the files. Take a look at this site:

http://www.beginningtoseethelight.org/efsrecovery/
 