Re: EFS encrypt files: Changed PW now can't access... :-(



Assuming the EFS certificate AND private key are in the user's profile you
need to change the user account password back to what it was before they
reset it. You can use the mmc snapin for certificates for user while logged
on as the user to see if the user EFS certificate and private key exist.
Look in the certificates/personal folder and if there is a certificate for
EFS is needs to show that the private key is present. You can also check the
properties/advanced for the file to see if a Recovery Agent exists. You can
NOT copy the file to another file system in an attempt to decrypt the files.
The only way to decrypt the files are with a private key for the user or RA
and knowing the correct password for either. --- Steve


<jryder.10@xxxxxxxxx> wrote in message
news:1152122922.678581.144620@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hey all, here's another EFS question, hopefully someone can solve this,
I REALLY need to get these files decrypted:

1st: Friend of mine at work was trying to PW protect some .xls files
and accidentally used XPpro's EFS.
2nd: While away someone logged off one of the admin accounts and
couldn't remember the password, so they created another admin rights
account and changed the password for the account they couldn't figure
out.
3rd: Once they changed the PW for the account, the EFS hash of course,
doesn't match up with the new PW and now the files cannot be decrypted.
4th: I tried searching for an X.509 certificate but could not find one
at all! I then tried logging in as the default admin account, and
trying to add it as the recovery agent, but it didn't work either.
5th: I tried a program called "Advanced EFS Data Recovery" which is
supposed to be able to find EFS keys and or use SYS-startup keys,
provided that you have the original password before the PW was changed
on the account.
6th: I have the original PW from the changed account! And when I tried
searching for any X.509 Cert / SYSkey, the program didn't find any
master keys and was unable to attempt to decrypt the files etc.

I've read somewhere on google that you could move said EFS files to
a Non NFTS OS like Win98 and the file encryption wouldn't be able to be
transferred since the OS doesn't even support EFS etc.... What are your
thoughts on this?

Secondly, again, when I tried searching for any pertinent X.509 certs /
keys, I couldn't find anything on the computer at all!? Is that common?
I know he didn't create a backup, but there should be some kind of cert
file that I could use to decrypt them?

ANY help would be much appreciated!

Thanks,



.



Relevant Pages

  • Re: EFS Disabling
    ... >> I had to reinstall XP on a computer and so I copied my EFS ... They have the same account names ... > You must have exported your EFS security certificate (onto a floppy ... > claiming that if you included your profile in your backups that there ...
    (microsoft.public.security)
  • Re: Protecting Directories
    ... If you do, then only your account, and an optionally ... If you select to use EFS, then you should be certain that you ... For this your machine needs a smart card ... an issueing authority for the certificate on the card. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Certificates, Keys, Mobile Users, Intended Usage
    ... Option that you think about uses self signed EFS certificates. ... Better then exporting user's private key as backup is to setup DRA (Data ... there is no EFS certificate and it will generate a new one. ... Mobile computer users benefit from encrypting sensitive ...
    (microsoft.public.win2000.security)
  • Re: Can a Windows service find a certificate ?
    ... If you wish to use a certificate and its corresponding private key you will ... the service account). ... Or beter: Which user can install ...
    (microsoft.public.platformsdk.security)
  • Re: XP Encryption Fudge-up. Trying to help my father-in-law
    ... He needs the original certificate and private key ... He should have exported his EFS certificate and ...
    (microsoft.public.security)