A different kind of EFS problem

From: Matt Kizerian (matt_kizerian_at_hotmail.com)
Date: 10/29/03


Date: 28 Oct 2003 15:19:53 -0800

I'm having problems getting access to my EFS encrypted files. This,
however, is different than most of the threads I've seen. Here's the
scoop:

Apple iTunes toasted my Win2000 box. I tried repairing, etc. with the
CD to no avail. I then read something suggesting to do a repair
install so as to keep my file system intact.

So, I got my system back, BUT none of my files (encrypted in My
Documents) will decrypt. All of my user profiles are just as I left
them; I didn't have to set up any new users or anything, so I assume
my Admin SID didn't change during the reinstall.

To make things even more weird, I used CIPHER in the My Docs directory
and several (but not all) of the directories decrypted. When I tried
it with files, only "older" files would decrypt. It seems that I can
decrypt files and directories that were saved up to 2-3 months after I
got my system. After that, nada.

This is the first time I've had any problems with Win2k. I've never
had to reinstall/restore/repair and I've used the Admin account for
most of my stuff (that's not very smart, I know...)

I did notice that there are two Admin certificates for File Recovery
in the Current User Personal Store, and one for Encrypt File System.
They all have different dates, but are within a week of one another
and date back to when I originally got my system. One of these File
Recovery certs is also found in the Encrypted Data Recovery
Certificates under Public Key Policies in Local Security Settings.

Does anyone have any clues? This is mainly my wife's computer and,
needless to say with 2.5 years' worth of data "toasted" I'm in the dog
house BIG time on this one.


