Re: EFS woes

From: Ron Tyles
Date: 02/06/04

Date: Thu, 5 Feb 2004 19:23:45 -0800

Sorry, I couldn't reply to that e-mail address for some

Here is what I meant to add :

Hello ! Thanks for replying !!

I will try to clarify each point.

I changed my domain password which broke EFS 1. When I
look at these files' encryption details, I see my name
complete with domain with a 'strange' thumbprint. It is
not the same thumbprint as on my exported certificate.

The domain remained the same. In my EFS reading, being
part of a domain changes/complicates things but nothing
is explained on what differs...

At this point, I usually remember to import my
certificate. This keeps my access to my previous
encrypted files somehow. This time, I did not remember.
When I was offline ( but logged in with cached
credentials ), I put some files into an encrypted folder,
inheriting the encryption status.

I found that the next day, I couldn't access the
encrypted files ! This struck me as odd but I then
remembered to import my certificate. This did not help me
to read the file. I also could not read older encrypted

I checked my two encrypted folders and found the files to
have separate thumbprints next to my name as encryptor !
I don't recognize either !! I suspect that because the
thumbprint is not the same that I can't open the file (
some sort of certificate mis-matching, even though it's
my name and domain listed ?? ).

I haven't used the cipher.exe or efsinfo.exe commands
yet. I have been using Explorer file properties and the
certificate snap-in for MMC for all my info...

Under MMC, I see several stores and my certificate is
there in several of them ( Personal, Trusted Root,
Enterprise Trust, and Trusted People ) but only the one
I'm used to with a special thumbprint that doesn't match
the encrypted files I'm trying to recover. I don't see
any other certificates in my name... I'm not sure how to
check other profiles either, like you mentioned below...?

Needless to say, I've made myself a file recovery
certificate. On new encrypted files, I also see that
present as a Data Recovery agent... Small consolation !

I have heard about MS reccerts.exe but not sure how to
get it and what it does ? I have also looked at my
certificates and it seems that the thumbprint is an
editable item. I am now looking into that aspect.

On an interesting note, I CAN delete the encrypted
files !! I'm not sure how that happened, if it's the file
recovery certificate or not. Maybe I can fool it by
deleting a less critical file, removing encryption from
its folder, and restoring the file from the recycle
bin ?!? Long shot, eh ?

Perhaps something really nasty hit my registry that day
while I was web-surfing. I have lost all my system
restore points from before that date. I had thought of
going back to the day I encrypted the files originally
but found I couldn't...

Anyways, thanks for sticking with me !

                                Ron Tyles

>-----Original Message-----
>not quite following the sequence of events here
>see within . . .
>"Ron Tyles" <> wrote in message
>> Any help would be appreciated !! My laptop is part of a
>> domain. I have a .pfx copy of my certificate ( exported
>> earlier ).
>OK, let us call that EFS 1
>> What happened is that I changed my password on
>> the domain,
>OK, so this broke your access to use EFS 1
>> without re-importing my certificate. I
>> encrypted some files.
>Same domain account, right ?
>This usually would be expected to cause generation
>of new EFS cert/key pair, call it EFS 2
>> I imported my certificate
>When you went to do this, did you see both EFS 1 and 2
>in your personal certificates store before the import ?
>> and now I
>> can't decrypt my files.
>Any of your files, or only the ones encrypted with EFS 2
>> Encrypting party is myself with a
>> different thumbprint than my certificate.
>So when you use the Certificates mmc tool you only see
>one EFS type cert listed ?
>> Without a Data
>> Recovery Agent, is there any way to get the data back ?
>Depends on which files are encrypted with which EFS cert,
>and more particularly on whether you have only one of
>or both still stored in your profile's cert store
>> With reccerts.exe from Microsoft ??
>same answer - what is in the profile's cert store ?
>> Other applications
>> like Passware Kit and Advanced EFS from Elcomsoft could
>> not de-crypt any keys. The profile and the laptop are
>> intact. Will follow any suggestions !! Please e-mail !
>Have you been looking at the thumbprints with the
>tool ??
>> Thanks !!!
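
The question the reply keeps returning to (which EFS certificates, with their private keys, are still in the profile's store) can be checked directly, as in this added example, which is not part of the original thread. The function names and the two sample thumbprints are hypothetical placeholders; substitute the thumbprints shown in each file's encryption details.

```powershell
# Added example: compare the thumbprints recorded on encrypted files with the
# certificates (and private keys) present in the current user's Personal store.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

function ConvertTo-NormalizedThumbprint {
    param([string]$Thumbprint)
    # Thumbprints copied from a dialog carry spaces and sometimes invisible
    # characters; keep only the hex digits so string comparison is reliable.
    ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-EfsThumbprint {
    param([string[]]$Thumbprint)
    $store = @(Get-ChildItem Cert:\CurrentUser\My)
    foreach ($raw in $Thumbprint) {
        $tp   = ConvertTo-NormalizedThumbprint $raw
        $cert = $store | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
        [pscustomobject]@{
            Thumbprint      = $tp
            InPersonalStore = [bool]$cert
            # Without the private key the certificate alone cannot decrypt anything.
            HasPrivateKey   = if ($cert) { $cert.HasPrivateKey } else { $false }
            HasEfsEku       = if ($cert) {
                                  $cert.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid
                              } else { $false }
            Subject         = if ($cert) { $cert.Subject } else { $null }
        }
    }
}

# Constructed placeholder values, one per distinct thumbprint seen on the files.
$FileThumbprints = @(
    '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33',
    'FFEEDDCCBBAA99887766554433221100FFEEDDCC'
)

Test-EfsThumbprint -Thumbprint $FileThumbprints | Format-Table -AutoSize
```

A file can be opened from this profile only when the row for its thumbprint shows both `InPersonalStore` and `HasPrivateKey` as true; a matching name and domain on a certificate with a different thumbprint does not help.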
