Re: EFS woes

From: Ron Tyles (
Date: 02/06/04

Date: Thu, 5 Feb 2004 19:23:45 -0800

Sorry, I couldn't reply to that e-mail address for some

Here is what I meant to add :

Hello ! Thanks for replying !!

I will try to clarify each point.

I changed my domain password which broke EFS 1. When I
look at these files' encryption details, I see my name
complete with domain with a 'strange' thumbprint. It is
not the same thumbprint as on my exported certificate.

The domain remained the same. In my EFS reading, being
part of a domain changes/complicates things but nothing
is explained on what differs...

At this point, I usually remember to import my
certificate. This keeps my access to my previous
encrypted files somehow. This time, I did not remember.
When I was offline ( but logged in with cached
credentials ), I put some files into an encrypted folder,
inheriting the encryption status.

I found that the next day , I couldn't access the
encrypted files ! This struck me as odd but I then
remembered to import my certificate. This did not help me
to read the file. I also could not read older encrypted

I checked my two encrypted folders and found the files to
have separate thumbprints next to my name as encryptor !
I don't recognize either !! I suspect that because the
thumbprint is not the same that I can't open the file (
some sort of certificate mis-matching, even though it's
my name and domain listed ?? ).

I haven't used the cipher.exe or esfinfo.exe commands
yet. I have been using Explorer file properties and the
certificate snap-in for MMC for all my info...

Under MMC, I see several stores and my certificate is
there in several of them ( Personal, Trusted Root,
Enterprise Trust, and Trusted People ) but only the one
I'm used to with a special thumbprint that doesn't match
the encrypted files I'm trying to recover. I don't see
any other certificates in my name... I'm not sure how to
check other profiles either, like you mentioned below...?

Needless to say, I've made myself a file recovery
certificate. On new encrypted files, I also see that
present as a Data Recovery agent... Small consolation !

I have heard about MS reccerts.exe but not sure how to
get it and what it does ? I have also looked at my
certificates and it seems that the thumbprint is an
editable item. I am now looking into that aspect.

On an interesting note, I CAN delete the encrypted
files !! I'm not sure how that happened, if it's the file
recovery certificate or not. Maybe I can fool it by
deleting a less critical file, removing encryption from
it's folder, and restoring the file from the recycle
bin ?!? Long shot, eh ?

Perhaps something really nasty hit my registry that day
while I was web-surfing. I have lost all my system
restore points from before that date. I had thought of
going back to the day I encrypted the files originally
but found I couldn't...

Anyways, thanks for sticking with me !

                                Ron Tyles

>-----Original Message-----
>not quite following the sequence of events here
>see within . . .
>"Ron Tyles" <> wrote in message
>> Any help would be appreciated !! My laptop is part of a
>> domain. I have a .pfx copy of my certificate ( exported
>> earlier ).
>OK, let us call that EFS 1
>> What happened is that I changed my password on
>> the domain,
>OK, so this broke your access to use EFS 1
>> without re-importing my certifictae. I
>> encrypted some files.
>Same domain account, right ?
>This usually would be expected to cause generation
>of new EFS cert/key pair, call it EFS 2
>> I imported my certificate
>When you went to do this, did you see both EFS 1 and 2
>in your personal certificates store before the import ?
>> and now I
>> can't decrypt my files.
>Any of your files, or only the ones encrypted with EFS 2
>> Encrypting party is myself with a
>> different thumbprint than my certificate.
>So when you use the Certificates mmc tool you only see
>one EFS type cert listed ?
>> Without a Data
>> Recovery Agent, is there any way to get the data back ?
>Depends on which files are encrypted with which EFS cert,
>and more particularly on whether you have only one of
>or both still stored in your profile's cert store
>> With reccerts.exe from Microsoft ??
>same answer - what is in the profile's cert store ?
>> Other applications
>> like Passware Kit and Advanced EFS from Elcomsoft could
>> not de-crypt any keys. The profile and the laptop is
>> intact. Will follow any suggestions !! Please e-mail !
>Have you been looking at the thumbprints with the
>tool ??
>> Thanks !!!