Re: EFS decryption problem solved!! FYI stuff inside.

From: Matt Scarborough (vexversa@verizon.net)
Date: 02/28/03


From: Matt Scarborough <vexversa@verizon.net>
Date: Fri, 28 Feb 2003 05:14:25 +0000


On Mon, 24 Feb 2003 10:49:43 -0500, Daniel Billingsley wrote
<epbeaxB3CHA.1624@TK2MSFTNGP12.phx.gbl>

> The solution in the end was to use efsinfo to view the encryption
> certificate "thumbprint" for the file in question, then find the profile
> from the backups which had the corresponding certificate intact. There is a
> file matching the thumbprint in the application settings under the path
> Microsoft\SystemCertificates\My\Certificates.

Thanks for the info. For others who need a program that does this automatically
(searches a drive for the necessary key bits), see Elcomsoft's Advanced EFS Data
Recovery
http://www.elcomsoft.com/aefsdr.html
Functionality is limited on Windows XP, but the Windows 2000 recovery is a real eye
opener.

FWIW, there are no new vulnerabilities here. It is hardly an "attack" when the
"attacker" has physical access (especially to backup media) and/or is asked to enter
the syskey mode 2 password or insert the mode 3 floppy.

To mitigate against programs or methods like AEFSDR, this still applies
http://www.microsoft.com/technet/security/news/efs.asp
as does taking advantage of the EFS/DPAPI improvements in Windows XP.

Matt Scarborough 2003-02-28
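
The thumbprint-matching step described in the quoted message, as an added example that is not part of the original posts: it normalizes the thumbprint from efsinfo output and walks a restored backup for a non-empty file of that name under Microsoft\SystemCertificates\My\Certificates. The efsinfo line format, the sample output, the thumbprint value and the profile names are constructed assumptions.

```python
import os
import re
import tempfile

# Constructed sample; the "Certificate thumbprint:" line format is an assumption.
SAMPLE_EFSINFO = """\
report.doc: Encrypted
  Users who can decrypt:
    EXAMPLE\\alice (CN=alice,L=EFS,OU=EFS File Encryption Certificate)
    Certificate thumbprint: 0A1B 2C3D 4E5F 6071 8293 A4B5 C6D7 E8F9 0A1B 2C3D
"""
THUMB_RE = re.compile(r"thumbprint:\s*((?:[0-9A-Fa-f]{4}[ \t]*){10})", re.I)
STORE = ["microsoft", "systemcertificates", "my", "certificates"]

def thumbprints(efsinfo_text):
    """Normalize every thumbprint in the output to 40 uppercase hex digits."""
    return {re.sub(r"\s", "", m.group(1)).upper()
            for m in THUMB_RE.finditer(efsinfo_text)}

def find_certificates(backup_root, wanted):
    """Return sorted (thumbprint, settings_dir) pairs for non-empty matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(backup_root):
        tail = os.path.normpath(dirpath).lower().split(os.sep)[-4:]
        if tail != STORE:
            continue
        # Four levels up from ...\My\Certificates is the settings folder.
        settings_dir = os.path.normpath(os.path.join(dirpath, *[os.pardir] * 4))
        for name in files:
            full = os.path.join(dirpath, name)
            # An empty file means the backup did not keep the certificate intact.
            if name.upper() in wanted and os.path.getsize(full) > 0:
                hits.append((name.upper(), settings_dir))
    return sorted(hits)

def build_constructed_backup(root, thumb):
    """Lay out two fake profiles: 'old' holds the certificate, 'new' does not."""
    for profile, name, data in (("old", thumb, b"\x01"), ("new", thumb, b""),
                                ("new", "F" * 40, b"\x01")):
        store = os.path.join(root, profile, "Application Data", "Microsoft",
                             "SystemCertificates", "My", "Certificates")
        os.makedirs(store, exist_ok=True)
        with open(os.path.join(store, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        (thumb,) = thumbprints(SAMPLE_EFSINFO)
        build_constructed_backup(root, thumb)
        for found, folder in find_certificates(root, {thumb}):
            print(found, "->", folder)
```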


