Recover Default EFS Security Certificate From Old Drive???

Archived from groups: microsoft.public.windowsxp.security_admin

I have a hard drive (w/ XP Pro SP2) that refused to boot into Windows
recently because the 'system' files became corrupted after I loaded the new
Norton 2005 AV. It would not boot to any restore points or any safe modes -
complained 'corrupted config/system file(s).'

Anyway... I bought a new drive and loaded it with XP SP2 as well. I assigned
the old drive as a "slave" to the new one so I could recover some critical
data files (which worked just fine). However, I had (1) folder that was
encrypted on the old drive and I never had assigned a system-wide EFS
Recovery Agent - which means it used a default EFS certificate to encrypt
the folder (I assume). Of course I can not access that folder currently.

Is there ANY way to get at that certificate from the old drive? I did NOT
reformat the old drive (I just reassigned it as a "slave" to the new drive).
The old 'ownership' references still show up since I have only changed
ownership on a few of the folders that I had to recover immediately. The
encrypted folder in question I have NOT taken ownership on (yet).

Can any of you MVP gurus or XP experts give me a clue or some guidance on
how I might recover that old certificate (assuming it is possible)? Where
would that default EFS certificate be stored on the old drive, and how could
I access it currently? Or is there a default Administrator Recovery Agent
certificate stored somewhere?

thanks for any help

John
  1. Archived from groups: microsoft.public.windowsxp.security_admin

    If you did not backup your personal encryption certificate and associated
    private key, you are not going to be able to recover the encrypted files.
    Your only hope is to perform a "repair install" on that existing Windows XP
    installation. There is no way to recover your certificates if you cannot
    log on to that installation using your correct user name and password.

    How to Perform a Windows XP Repair Install
    http://www.michaelstevenstech.com/XPrepairinstall.htm

    [Courtesy of MS-MVP Michael Stevens]

    --
    Carey Frisch
    Microsoft MVP
    Windows XP - Shell/User
    Microsoft Newsgroups

    Be Smart! Protect Your PC!
    http://www.microsoft.com/athome/security/protect/default.mspx

  2. Archived from groups: microsoft.public.windowsxp.security_admin

    "Carey Frisch [MVP]" <cnfrisch@nospamgmail.com> wrote in message
    news:eTmApExJFHA.1392@TK2MSFTNGP10.phx.gbl...
    > If you did not backup your personal encryption certificate and associated
    > private key, you are not going to be able to recover the encrypted files.
    > Your only hope is to perform a "repair install" on that existing Windows XP
    > installation. There is no way to recover your certificates if you cannot
    > log on to that installation using your correct user name and password.

    What about Recovery Console - which I *think* allows one to log on as
    'Administrator'? Any way to do it there? I note the various 'attrib'
    commands available do not seem to include a decrypt option for 'e' (encrypted)
    folders/files? Is there some other way in Recovery Console that you know of?

    Thanks much Carey

    John
  3. Archived from groups: microsoft.public.windowsxp.security_admin

    If the Repair Option is not Available
    http://www.michaelstevenstech.com/repair_install_warning.htm

    "Recovery Console SP2 revision"
    http://www.michaelstevenstech.com/xpfaq.html#21

    --
    Carey Frisch
    Microsoft MVP
    Windows XP - Shell/User
    Microsoft Newsgroups

    Be Smart! Protect Your PC!
    http://www.microsoft.com/athome/security/protect/default.mspx

    ------------------------------------------------------------------------------

    "John" wrote:

    | What about Recovery Console - which I *think* allows one to log on as
    | 'Administrator'? Any way to do it there? I note the various 'attrib'
    | commands available do not seem to include a decrypt option for 'e' (encrypted)
    | folders/files? Is there some other way in Recovery Console that you know of?
    |
    | Thanks much Carey
  4. Archived from groups: microsoft.public.windowsxp.security_admin

    Hi

    As you have access to the user profile folders for the user that
    encrypted the files and if you remember the password for the user
    that encrypted the data, you might be able to save the files.

    Take a look at this site for more details:

    http://www.beginningtoseethelight.org/efsrecovery/


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
  5. Archived from groups: microsoft.public.windowsxp.security_admin

    Carey Frisch [MVP] wrote:

    > If you did not backup your personal encryption certificate and associated
    > private key, you are not going to be able to recover the encrypted files.
    > Your only hope is to perform a "repair install" on that existing Windows XP
    > installation. There is no way to recover your certificates if you cannot
    > log on to that installation using your correct user name and password.
    Hi Carey,

    What you state above is not correct, there are some other cases where
    you will be able to recover the encryption certificate without needing
    to logon to the original installation.

    Take a look at this site for more details:

    http://www.beginningtoseethelight.org/efsrecovery/


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
  6. Archived from groups: microsoft.public.windowsxp.security_admin

    "Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com> wrote in message
    news:%23FRGrm%23JFHA.2796@tk2msftngp13.phx.gbl...
    > Hi
    >
    > As you have access to the user profile folders for the user that
    > encrypted the files and if you remember the password for the user
    > that encrypted the data, you might be able to save the files.
    >
    > Take a look at this site for more details:
    >
    > http://www.beginningtoseethelight.org/efsrecovery/

    Thanks Torgeir - very good site. I have found the files in question in
    Recovery Console, but - so far - have not been able to get the key in
    question to work on the new system. The thumbprint on the key I recovered
    matches the encrypted folder I had, but I am having trouble getting the file
    to export to the new system. I think portions of the user profile may have
    been corrupted or lost - which is why the old drive would not boot to
    Windows in the first place. I have not tried the hex editor procedure yet -
    will report back if that works.

    THANKS very much for the great link.

    John