Re: How to decrypt EFS-protected restored files?
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/10/04
- In reply to: *Vanguard*: "How to decrypt EFS-protected restored files?"
Date: Sun, 09 May 2004 23:01:13 GMT
I have never tried exactly what you are doing using Image Explorer or Ghost [which I
use]. It is my understanding that some backup programs do not back up EFS files
properly, but then again you are talking about an image, which I believe probably
should work.
The procedure is to either restore the files to a computer where the recovery agent
is or import the backup certificate and private key from a .pfx file onto the
computer where the files reside making sure to use the same logon name and password
that was used at the time when the files were encrypted. The private key also must be
included in the backup you made to the floppy. The link below roughly explains the
procedure. I also like to use efsinfo to view who can decrypt the files viewing the
thumbprints to match with the certificate/private key you imported. It may also be
worthwhile to try to decrypt with the cipher command to see what happens.
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B242296
You also might try getting the operating system working from the image file. I know
you said that the hardware is different, but you might have some luck anyhow if you
can restore the image and then do an upgrade install of the operating system booting
from the install cdrom which just may get things working. Good luck. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q292175 --- note you select
the repair option after the EULA.
"*Vanguard*" <no-email@reply-to-newsgroup.invalid> wrote in message
news:%23umEPsJNEHA.3988@TK2MSFTNGP09.phx.gbl...
> I had a directory configured to use EFS (so anything put under it got
> encrypted). I exported my EFS certificate to a floppy. My system crashed and
> a disk image wouldn't work (because of changes in the hardware). However, I
> could still use the ImageExplorer that comes with DriveImage to peruse the
> contents of the image files to extract files out of them. So I've tried the
> following:
>
> - Extracted the files from disk image. Cannot view them because of the EFS
> protection. Imported the EFS certificate used when the files got encrypted.
> It was imported under the Personal store for certificates. Could not open
> the files.
>
> - Deleted the EFS certificate and re-imported it but this time left the
> option selected to have Windows XP automatically determine under which
> certificate store to place the certificate. It imported it to the Trusted
> People certificate store. Still couldn't access the encrypted files.
>
> - Figuring that EFS had not yet been implemented on my new install and that
> maybe the imported EFS certificate would not get exercised until EFS was
> used, I right-clicked on a folder and had it encrypted. Then I copied the
> files to under this directory figuring that the certificate might also have
> to be imported before moving the files into an EFS-protected directory.
> Still cannot access the file contents.
>
> I've read several KB articles and the included help but it really never
> describes the steps in restoring EFS-protected files, the order of importing
> the EFS certificate (before or after the files have been restored to the new
> instance of Windows), or if importing the EFS certificate after restoring
> the files (or before) would allow access to them (or if I also need to
> actually implement EFS to have it utilize the imported certificate). I see
> mention of how to use EFS, export certificates, manage them, import them, and
> some vague inferences in using them against encrypted files but no real
> instructions. After a few hours, I've exhausted what I could come up with for a
> procedure to decrypt these files. Any ideas?
>
>
> --
> ____________________________________________________________
> *** Post replies to newsgroup. Share with others.
> *** Email: domain = ".com" and append "=NEWS=" to Subject.
> ____________________________________________________________
>
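The thumbprint comparison suggested in the reply can be scripted. The following is an added example, not part of either post: it assumes a Windows version with PowerShell and `cipher /c` (on older systems the efsinfo tool named in the reply shows the same thumbprints), assumes the thumbprint line format noted in the comments, and uses a hypothetical file path.

```powershell
# Added example, not from the thread. $File is a hypothetical path to one restored file.
param([string]$File = 'C:\Restored\example.doc')

function Get-FileEfsThumbprint {
    param([Parameter(Mandatory)][string]$Path)
    # Assumption: cipher /c lists each user and recovery certificate with a
    # line such as "Certificate thumbprint: 1A2B 3C4D ...".
    foreach ($line in (& cipher.exe /c $Path)) {
        if ($line -match 'thumbprint:\s*((?:[0-9A-Fa-f]{2,4}\s*)+)$') {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

function Find-CertificateByThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Search every current-user store, so a certificate that landed in
    # Trusted People instead of Personal is still reported.
    Get-ChildItem Cert:\CurrentUser -Recurse | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $_.Thumbprint -eq $Thumbprint
    }
}

$wanted = @(Get-FileEfsThumbprint -Path $File | Select-Object -Unique)
if ($wanted.Count -eq 0) {
    Write-Warning "No thumbprints parsed from cipher /c output for $File"
    return
}

foreach ($tp in $wanted) {
    $found = @(Find-CertificateByThumbprint -Thumbprint $tp)
    if ($found.Count -eq 0) {
        [pscustomobject]@{ Thumbprint = $tp; Store = '(not imported)'
                           HasPrivateKey = $false; KeyAvailable = $false }
        continue
    }
    foreach ($cert in $found) {
        $store = ($cert.PSParentPath -split '\\')[-1]
        [pscustomobject]@{
            Thumbprint    = $tp
            Store         = $store
            HasPrivateKey = $cert.HasPrivateKey
            # The matching certificate must sit in Personal ("My") with its private key.
            KeyAvailable  = ($store -eq 'My' -and $cert.HasPrivateKey)
        }
    }
}
```

A row with `HasPrivateKey` false means only the public certificate was imported (for example from a .cer export rather than a .pfx), which cannot decrypt the files regardless of the store it is in.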