Re: decrypt files after lost pub/priv keys - possible?

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 12/31/03


Date: Wed, 31 Dec 2003 18:15:05 GMT

Drive C that contained your operating system and user profiles also contained the EFS
private keys needed to decrypt those files. The EFS private keys are stored in the
user's and recovery agent's [local administrator by default] profiles, and unless you
have copies of those profiles in a backup from a time after those files were
encrypted, then those files are lost. --- Steve

"Generally Crazy" <generalcrazy@verizon.net> wrote in message
news:f7mIb.20139$E17.5@nwrddc02.gnilink.net...
>
> Normally I find most answers on the WEB ... newsgroups always seem to be in
> such CHAOS it is almost impossible to follow threads - but here I am, the
> whipped dog ... caving. So here goes ... really need help w/this one.
>
> Here's the situation I'm in ... small home office ... Windows 2000, SP2,
> updated to SP4 ... networked to NT server 4.0 (sp6a) domain controller.
> Accidentally compressing a folder ... encryption was selected instead
> <distracted> . 2 drives "C:" and "D:" email was stored on "D:" so the
> encrypted files are intact, not accessible. Before realizing EFS had hold
> of the folder, "C:" disk was reformatted with NTFS to reinstall win2K
> [OS/PROG difficulties] and apparently lost private/public keys for EFS to
> decrypt the files. Doing some reading ... Win2K RK to the rescue.
> EFSINFO.EXE recovered thumbprints. True, security is always an issue. In
> this instance, it would be nice 2 stuff the thumbprint into the current
> certificate as the local or domain administrator to recover data. Our data
> isn't of national security - ask my other half and she'd SWEAR it was as her
> email & address books are inaccessible.
>
> <sample recovered info>
> mailbox.pst: Encrypted
> <Local User>
> Users who can decrypt:
> PAKRATS.NET\deb (CN=deb,L=EFS,OU=EFS File Encryption Certificate)
> Certificate thumbprint: 1F2B 647D 4F2A FFCE 7350 6265 27DD BBE4 91BF E225
>
> <Domain Admin> MYSELF
> Recovery Agents:
> PAKRATS.NET\ed (OU=EFS File Encryption Certificate, L=EFS, CN=ed)
> Certificate thumbprint: 76FF 6958 F092 784D B916 41F0 BFDB C72D 8849 1A33
>
> Although listed as the RA, I constantly get "access denied" when attempting
> to decrypt via Windows Explorer and DOS window using cipher.exe. Checked
> the ownership & access properties, all OK. WWW search for info, tips &
> tricks led to some info. Followed some other directions to discover keys,
> certs and whatever else to decrypt the files. I seem to recall the SAM
> changes during every installation <for obvious reasons> there is a
> possibility recovery is not possible. CAVE DWELLING seems to be a
> reasonable resort 'cuz the other half is on the warpath!
>
> Testing an EFS after market tool to see if it was in fact legit in its
> claims to recover EFS files said it could repair the file - trial version
> returns 512 bytes of the file ... of which was garbage as it was compared to
> another MAILBOX.PST. We have never had reason to use EFS before, so this is
> an entirely new situation. Reading the security stuff posted here revealed
> just about all the same info I have found on the WWW with some distressing
> info relating to NON RECOVERABLE.
>
> There are a total of 4 files I need to recover of the most important is
> mailbox.pst. ASAP. MMMMMMM - any thoughts on this?
>
> Dog House Dwelling, bread and water only,
>
>
> Ed <aka General Crazy>
>
>
>
>
>
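Added example, not part of the original thread: a small Python check that parses the EFSINFO listing quoted above (including the thumbprints the mail client wrapped) and tests whether any private key held in the current profile matches a certificate the file was encrypted to. The set of locally held thumbprints is an assumed input collected separately, and `NEW_PROFILE_KEYS` is a constructed placeholder; it shows why an account with the same name as the listed recovery agent still cannot decrypt after a reinstall.

```python
import re

# Listing as quoted in the post, including the thumbprints wrapped by the mail client.
SAMPLE = r"""mailbox.pst: Encrypted
Users who can decrypt:
PAKRATS.NET\deb (CN=deb,L=EFS,OU=EFS File Encryption Certificate)
Certificate thumbprint: 1F2B 647D 4F2A FFCE 7350 6265 27DD BBE4 91BF
E225
Recovery Agents:
PAKRATS.NET\ed (OU=EFS File Encryption Certificate, L=EFS, CN=ed)
Certificate thumbprint: 76FF 6958 F092 784D B916 41F0 BFDB C72D 8849
1A33
"""

# Constructed placeholder: thumbprint of a certificate issued after the reinstall.
NEW_PROFILE_KEYS = {"0000 1111 2222 3333 4444 5555 6666 7777 8888 9999"}

HEX_ONLY = re.compile(r"^[0-9A-Fa-f\s]+$")

def normalize(thumbprint):
    """Strip spacing and case so wrapped or re-spaced thumbprints compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", thumbprint).upper()

def parse_efsinfo(text):
    """Return (role, account, thumbprint) for every certificate listed for the file."""
    entries, role, account, open_tp = [], None, None, False
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate newsgroup quote prefixes
        low = line.lower()
        if low.startswith("users who can decrypt"):
            role, open_tp = "user", False
        elif low.startswith("recovery agents"):
            role, open_tp = "recovery_agent", False
        elif low.startswith("certificate thumbprint:"):
            entries.append([role, account, normalize(line.split(":", 1)[1])])
            open_tp = True
        elif open_tp and HEX_ONLY.match(line) and len(entries[-1][2]) < 40:
            entries[-1][2] += normalize(line)  # continuation of a wrapped SHA-1 thumbprint
        elif role and "\\" in line and " (" in line:
            account, open_tp = line.split(" (", 1)[0], False
        else:
            open_tp = False
    return [tuple(e) for e in entries]

def can_decrypt(entries, local_key_thumbprints):
    """True only if a private key held locally matches a certificate listed for the file."""
    held = {normalize(t) for t in local_key_thumbprints}
    return any(tp in held for _, _, tp in entries)
```

The match is on thumbprint, not on account name: `can_decrypt(parse_efsinfo(SAMPLE), NEW_PROFILE_KEYS)` is false even though the new profile belongs to an account named like the listed recovery agent.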


