Re: EFS Disabling

From: *Vanguard* (no-email_at_no-spam.invalid)
Date: 02/22/04

Date: Sun, 22 Feb 2004 00:07:28 -0600

"*Vanguard*" said in news:oqadnZ7x0Ngt3qXdRVn-gw@comcast.com:
> "scott" said in news:13aef01c3f8e0$e6725080$a101280a@phx.gbl:
>> I had to reinstall XP on a computer and so I copied my EFS
>> files onto a disk and then put them back on. Only problem
>> is I can't access them now. I can't turn off the
>> encryption on them, and I can't use the cipher command on
>> them either.
>>
>> I am the admin on the computer (since it's my computer)
>> but I don't know how to use the recovery agent or
>> understand anything about EFS.
>>
>> Anyone know how to remove EFS from files if you are the
>> admin on the computer?
>
> Each time you create a user account, a new SID (security identifier)
> gets assigned to it. It is unlikely that the same SID is defined
> under different instances of Windows NT/2000/XP. Besides the SID, I
> also suspect some crypto key is assigned to that newly created
> account: there is a "%userprofile%\Application
> Data\Microsoft\Crypto\RSA\S-1-5-..." subdirectory in your profile
> directory. You encrypted your files under "JoeDoe" under one
> instance of Windows with whatever SID and crypto key got assigned to
> it under that instance of Windows. Now you're trying to access those
> same files under a *different* but same-named "JoeDoe" account under
> a different instance of Windows. They have the same account names
> but each "JoeDoe" account is different and unique from each other.
>
> You must have exported your EFS security certificate (onto a floppy
> or other removable media) so you could then import it under your new
> account (whether it uses the same name or not). Under Windows 2000,
> the "Administrator" named admin account was designated as a recovery
> agent so you could use that account to remove the EFS and then let
> the user read the files (who could then apply EFS for new encryption
> under that "new" same-named account). I think the SID for
> "Administrator" is the same for all installs of Windows 2000/XP
> (i.e., there is a standard SID for "Administrator"). However, I
> don't know if that means you can move EFS-protected files from one
> instance of Windows 2000/XP and recover them using "Administrator"
> under a different instance of Windows 2000/XP. That would seem a
> huge security breach, and why I suspect there is also some additional
> crypto key assigned uniquely to each account, even to the
> Administrator account, which would not be the same for standard
> accounts, like Administrator, that get assigned a standard SID value.
> Under Windows XP, *no* recovery agent is assigned when you use EFS.
> You have to designate a recovery agent.
>
> Unless you exported the EFS security certificate for your account or
> for a recovery agent account, if one was assigned, you won't be able
> to read those files ever again. I've heard ramblings from some users
> claiming that if you included your profile in your backups that there
> are subdirectories under your profile path that would let you access
> your old EFS-protected files (i.e., you use your old profile against
> your old EFS-protected files). I don't know how that would work.
> Just having the old profile around or using it to overwrite your new
> profile won't update the registry to match the SID and/or crypto keys
> that were used before but, hey, who knows.
>
> Besides the scenario you have discovered (in which you really need to
> have exported the EFS security certificate to later access those
> EFS-protected files under a different instance of Windows 2000/XP),
> they may also become inaccessible if you reset your password.
>
> EFS, Credentials, and Private Keys from Certificates Are Unavailable
> After a Password Is Reset
> http://support.microsoft.com/?kbid=290260
>
> Since this KB article mentions the requirement of having the original
> profile directory, maybe that's what the other posters were talking
> about when discussing how to recover from not being able to access
> EFS-protected files. You would have your old RSA crypto keys under
> your old profile but you would also need to know the account's
> password in use at the time you could last successfully access the
> EFS-protected files.
>
> However, this article probably won't help you since you now have a
> totally new instance of Windows XP. Or do you? Did you do a fresh
> install (i.e., delete and/or format the partition), or did you do a
> repair install (i.e., install atop an existing install of Windows
> XP)? If you did a repair install then maybe the old profile still
> exists. In that case, you might be able to specify the same old
> password (last used when you could access the EFS-protected files)
> and slide the old profile in place of your current and new profile.
> There is another link inside that KB article that discusses how to
> recover EFS-protected files.
>
> I got a feeling that unless you exported your EFS security certificate
> before wiping out your old Windows install that those files are now
> just garbage content.

By the way, under Windows XP (but not for Windows 2000), if no default
recovery agent has yet been defined, the KB article's mention of using
secpol.msc to export the recovery agent's certificate won't work because
there won't be a recovery agent to list. Even if you want to export the
recovery agent's certificate, you should still export your own certificate,
which can be done using:

certmgr.msc (Certificate Manager) -> Personal -> Certificates.

or,

Internet Options -> Content -> Certificates, highlight yours, Export.

When you export the certificate, be sure to select the option to export the
private key. The public key is the one used to encrypt the EFS-protected
files and you must have the matching private key for that public key to
actually access them. Exporting the private key of the certificate requires
you to password-protect the exported .pfx file (so no one but you can use that
exported certificate). However, do NOT select the option to delete the
private key since, I believe according to its description, the private
key under that instance of Windows gets deleted and you won't be able to
access your EFS-protected files (until you import that certificate).

When you export a security certificate, the account name for which it was
assigned gets included in that certificate (called the "Issuer"). If you
export it and then import it later under a same-named account then they
match in their names. If you use a new account name to import the security
certificate created under a differently named account, they won't match. If
you then want them to match, you'll have to import the certificate to
whatever account you want access to those files, remove EFS protection,
reapply EFS protection (so its certificate designates the new account name),
and export that certificate.

-- 
____________________________________________________________
*** Post replies to newsgroup.  E-mail is not accepted. ***
____________________________________________________________
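The export the post describes is done by hand in certmgr.msc. As an added example (not part of the original post, and written for a much later Windows than the XP machine in the thread), the following PowerShell script does the same thing in a checkable way: it locates the user's EFS certificate in the Personal store, refuses to export one that has no private key, writes a password-protected PFX without touching the key in the local store, and then uses cipher.exe /c to show which certificate thumbprints a file is actually encrypted to so the backup can be matched against it before the reinstall. It assumes the PKI module (Windows 8 / Server 2012 or later); the EFS EKU OID is Microsoft's published value, while the backup directory and sample file path are placeholders.

```powershell
# Added example, not from the original post. Requires the PKI module
# (Export-PfxCertificate), i.e. Windows 8 / Server 2012 or later.
# $BackupDir and $SampleFile are placeholders; point $BackupDir at
# removable media, as the post recommends.

$EfsEkuOid  = '1.3.6.1.4.1.311.10.3.4'   # Microsoft EKU OID: Encrypting File System
$BackupDir  = 'E:\efs-backup'             # placeholder: removable media
$SampleFile = 'C:\Users\JoeDoe\Documents\secret.txt'  # placeholder: an EFS-protected file

function Get-EfsCertificate {
    # Every certificate in the user's Personal store whose Enhanced Key
    # Usage extension lists the EFS OID. This is the certificate the
    # certmgr.msc -> Personal -> Certificates path in the post refers to.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $ext = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ext -and ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })
    }
}

$certs = @(Get-EfsCertificate)
if ($certs.Count -eq 0) {
    throw 'No EFS certificate found in Cert:\CurrentUser\My; nothing to back up.'
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($cert in $certs) {
    # Without the private key the export cannot decrypt anything, which is
    # the point the post makes about the "export the private key" option.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Certificate $($cert.Thumbprint) has no private key in this profile; skipping."
        continue
    }

    # One PFX per certificate so several EFS certificates do not overwrite each other.
    $pfxPath = Join-Path $BackupDir "efs-$($cert.Thumbprint).pfx"
    $pfxPassword = Read-Host -Prompt "Password to protect $pfxPath" -AsSecureString

    # Export-PfxCertificate copies the key out; it never removes it from the
    # local store, unlike the "delete the private key" checkbox in the wizard.
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
    Write-Host "Exported '$($cert.Subject)' (thumbprint $($cert.Thumbprint)) to $pfxPath"
}

# cipher.exe /c lists, by thumbprint, the user certificates and recovery
# agents that can decrypt a file. The thumbprint it prints should match one
# of the PFX files written above; if it does not, the backup will not open
# this file on the new install.
if (Test-Path $SampleFile) {
    cipher.exe /c $SampleFile
}
```

Run it in the user's own session before wiping the machine, then import the PFX on the new install with Import-PfxCertificate (or the certmgr.msc wizard) and re-run cipher.exe /c against a copied file to confirm the thumbprints still line up.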