Re: CANNOT EFS DECRYPT AFTER A GHOST RESTORE

Cipix wrote:
I accidentally cracked my windows that was on C:

I had previously encrypted files on D:.

Now I restored C: using symantec ghost but I find out that I cannot
decrypt any files, it says "access denied"

It is true that the backup of C: was made before encrypting files
on D:
but the credentials are the same. How can I decrypt now?

Steven L Umbach wrote:
The problem is that you need your EFS private key to decrypt the
files and that was destroyed when you restored the Ghost image.
Most likely you will never be able to access those files again
unless you had previously created a backup of your EFS private key
to a password protected .pfx file stored somewhere that you can
import or if you have a copy of your user profile from a point in
time after you started using EFS. You EFS private key is stored in
your user profile in the username\application data\Microsoft\crypto
folders. If none of the above is possible you could try using a
file recovery program to see if you can find that folder on your
system drive [probably very unlikely with an image restore] or use
it to check your D drive for deleted clear text copies of your
encrypted files if any exist which could be temporary files so if
you are desperate for the files try recovering anything to see on
the D drive to see if any have data you need. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- EFS
best practices
http://www.snapfiles.com/Shareware/system/swdatarecovery.html ---
shareware data recovery tools
http://www.snapfiles.com/Freeware/system/fwdatarecovery.html ---
freeware data recovery tools

Cipix wrote:
So do I look for a .pfx and need to know my password ?

But... what's the logic of this EFS? Why is the KEY not stored on
the very same drive where the encrypted files are... ?

Im losing hope :(

Shenan Stanley wrote
You destroyed the partition that held the encrypted key
information. You did not follow the best practices of EFS.
You have more than likely lost your data.

In the future - follow best practices and backup your key.

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316/

How to back up the recovery agent Encrypting File System (EFS)
private key
in Windows Server 2003, in Windows 2000, and in Windows XP
http://support.microsoft.com/kb/241201

Using Efsinfo.exe to determine information about encrypted files
http://support.microsoft.com/kb/243026/

Mike Fields wrote:
OK, I am confused now -- if he had a ghost image of
the C drive he restored, why is not all of the information
that was there restored again ?? The only time I have
ever run into an issue where restoring the partition did
not have all the information was when it was one of those
stupid applications that stored a secret "key" of some
sort OUTSIDE of the partition on the disk. A ghost
image restore of the C drive should be indistinguishable
from the original. I could see it if only certain files were
saved but not when the drive was imaged (and the OP
said it was a ghost image).

Yes.
You should read more carefully though.
The entire thread (at least this strand) is now above..
Notice in the original post - the OP made it clear...

--------
"Now I restored C: using symantec ghost but I find out that I cannot
decrypt any files, it says "access denied"

It is true that the backup of C: was made before encrypting files
on D: "
--------

So - they made a ghost image - but like most who think they will use that
method of backup - they did not do it frequently enough. The last image
they obviously had was some time before they started using EFS to encrypt
their files - thus no encryption information (keys/etc) were ever stored on
the ghost image they had and restored with.

Put more simply.. It's like making a backup of your entire system in
January (and never again), using the computer daily - adding and removing
files, receiving and sending email, etc - and then in August your hard drive
dies - but you restore your January backup.. Nothing you did from the time
you took that backup until August is there - nor should you expect it to be.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


.

Relevant Pages

  • Re: Norton Ghost 9.0
    ... Ghost recovery floppy with Ghost on it, a bootable Ghost Image DVD/CD, ... The image I use to restore will usually be the latest one, ... From DVD I just put the first DVD of a Ghost bootable DVD ... I run a separate restore using another data backup program to update ...
    (microsoft.public.windowsxp.general)
  • RE: Computer Freeze prevents Backup
    ... which included Ghost, and my life became a nightmare, starting with an evil ... Recovery Disc unable to install the required Drivers. ... be the same as the Sonic Backup My PC. ... As for System Restore: if you also have Norton Antivirus, ...
    (microsoft.public.windows.mediacenter)
  • Re: Computer problem, need help
    ... Having a backup is often the only solution. ... system restore for software failures ... I found the only one to be 100% reliable was Ghost 2003. ... has problems with SATA drives and perhaps problems with partitioned ...
    (soc.retirement)
  • Re: Backup - Restore and Disk Image Program
    ... require much more than ghost or any backup system I know of. ... You can clone drives, create drive images and even backups. ... If you are running an AD domain, be very careful about trying to restore ...
    (microsoft.public.windows.server.general)
  • Re: CANNOT EFS DECRYPT AFTER A GHOST RESTORE
    ... I had previously encrypted files on D:. ... using symantec ghost but I find out that I cannot ... It is true that the backup of C: ... system drive [probably very unlikely with an image restore] or use ...
    (microsoft.public.windowsxp.security_admin)