Re: decrypting a file question

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/30/05

    Date: Mon, 30 May 2005 14:52:14 -0500

    EFS has a way of biting people when it comes to accessing their own files.
    The EFS "private" key that is used to decrypt files is stored in the user
    profile of the user account that encrypted the file and the Recovery Agent
    profile that was in effect at the time that the files were encrypted.
    Windows 2000 requires a Recovery Agent, which can be the built-in local
    administrator account for the local computer or the built-in administrator
    account for the domain. For a domain, the built-in administrator account EFS
    recovery certificate would probably be on the first domain controller for
    the domain.

    I am not sure exactly what all you reconfigured, but that may help give you
    somewhere to look. You can use the tool efsinfo to find the user and RAs
    that can decrypt a file and the thumbprint info for the certificates, which
    will be helpful in tracking them down if they exist. The mmc snap-in for
    certificates for user can be used to view the certificates on a computer for
    a user in the personal/certificates folder. The EFS or Recovery Agent
    certificate needs to show that "you have the private key that corresponds
    with this certificate" on the general page of the certificate in order to be
    able to decrypt the EFS certificate. If you find a Recovery Agent you can
    either backup/restore the EFS files to the computer where the RA lives or
    export the RA certificate AND private key to a password protected .pfx file
    to import to the computer where the EFS files are.

    Normally users have problems when they reinstall the operating system, as
    profiles can be erased or associated with the wrong computer operating
    system ID. If you have a backup of the user profiles that encrypted the
    files, you probably still have a copy of the EFS private key, though it can
    not be restored via normal means. If that is the case and you know the user
    password, then you may be able to recover the EFS files with the help of
    Microsoft support [around $245] or the use of a program such as the one from
    Elcomsoft that sells for $99. Elcomsoft does have a free trial download that
    you can use, but it will only recover very small files; it should let you
    know if the private keys are found or not. The first link below is to
    Elcomsoft and the other two may provide info to lead you to a solution. ---
    Steve

    http://www.elcomsoft.com/aefsdr.html
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q223316 --- EFS
    best practices.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;259732&sd=tech ---
    info on Recovery Agent

    "douglas martin" <dsmrtn-supt@pacbell.net> wrote in message
    news:Oj7VQLTZFHA.4088@TK2MSFTNGP15.phx.gbl...
    > I'm guessing I'm "sol" here but I just have to ask.
    >
    > A long while back I selected a folder to encrypt using the checkbox on the
    > folder's properties box in the advanced form. It worked just fine. I never
    > did do anything about creating any certificates or agents or anything as
    > backup. I'm just an applications guy who needs a LAN setup to do what I do,
    > so I learned enough AD, DNS, Exchange and so forth to make it all more or
    > less work. I do backups fairly well, and my system seems safe enough.
    >
    > Recently I upgraded my W2K PDC to be a W2K3 SBS PDC. I ran DCPROMO a little
    > prematurely (in hindsight), and I neglected to remove the encryption
    > settings on this folder. This server is now just a member server in my new
    > LAN with a new PDC.
    >
    > My files and such are all still there. And I can get to all of them, just
    > can't access the encrypted ones.
    >
    > Is there an administrative "backdoor" that will gain me access?
    >
    > regards,
    >
    > doug
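    The certificate check Steve describes (find the EFS user and Recovery Agent
    certificates, note their thumbprints, and confirm the private key is actually
    present) can be scripted. This is an added example, not code from the thread;
    it assumes a later Windows with PowerShell and the Cert: drive, and the
    function name Get-EfsCertificateReport is ours. The thumbprints it prints are
    what you compare against the user/RA thumbprints efsinfo reports for the file.

```powershell
# Added example: enumerate EFS user and Recovery Agent certificates in the
# personal stores and report whether the corresponding private key is present.
# Without HasPrivateKey = True the certificate cannot decrypt anything.
$EfsOid         = '1.3.6.1.4.1.311.10.3.4'    # EKU: Encrypting File System
$EfsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # EKU: File Recovery (Recovery Agent)

function Get-EfsCertificateReport {
    param(
        # Stores to inspect; the RA cert may live in a different profile/machine.
        [string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($path in $StorePaths) {
        if (-not (Test-Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            # Collect all Enhanced Key Usage OIDs on the certificate.
            $ekuOids = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    $ekuOids += ($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
                }
            }
            $role = if ($ekuOids -contains $EfsRecoveryOid) { 'RecoveryAgent' }
                    elseif ($ekuOids -contains $EfsOid)     { 'EfsUser' }
                    else                                     { $null }
            if (-not $role) { continue }   # not an EFS-related certificate

            [pscustomobject]@{
                Store         = $path
                Role          = $role
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint     # compare with efsinfo output
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey  # must be True to decrypt
            }
        }
    }
}

# Usage: list what this profile could decrypt with, and flag key-less certs.
Get-EfsCertificateReport |
    Sort-Object Role, HasPrivateKey |
    Format-Table Store, Role, Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize
```

    A certificate that appears here with HasPrivateKey False is exactly the case
    Steve warns about: the profile that held the key was lost or re-created, so
    the .pfx export/import or profile-backup route is the only way forward.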
