EFS Key Restoration from backup file

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi,

Dont ask, I realy don't know but it look like that I cannot open my
encrypted files.
This is to say that the assicated user key of the account with the problem
are misplaced or lost.

Q1) If the key is not lost but missplaced, who can I locate it and place it
back at the right place?

Q2) If the key is lost, I have a data and system backup of my machine using
the "Backup" program. How can I locate and extract from the backup the
missing key?

I am open to question. The problem arise when I tried to configure two
machines with same name and password for users on a same local network with a
simple router between then.

Thank answering ASAP I am leaving country in 10 days.
16 answers Last reply
More about restoration backup file
  1. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    NewComrMSNETFam wrote:

    > Hi,
    >
    > Dont ask, I realy don't know but it look like that I cannot open my
    > encrypted files.
    > This is to say that the assicated user key of the account with the problem
    > are misplaced or lost.
    >
    > Q1) If the key is not lost but missplaced, who can I locate it and place it
    > back at the right place?
    >
    > Q2) If the key is lost, I have a data and system backup of my machine using
    > the "Backup" program. How can I locate and extract from the backup the
    > missing key?
    Hi

    If you can restore the user profile folders for the user that
    encrypted the files and if you remember the password for the user
    when the backup was taken, you might be able to save the files.

    Take a look at this site for more details:

    http://www.beginningtoseethelight.org/efsrecovery/


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
  2. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    I'm wanting to understand the same issues. Many, many people lose their
    encrypted files, partly because Microsoft's explanation is so poor.

    The web site you referenced is very poorly written and formatted. Doesn't
    Micrososoft have anything better? I notice that that web site is mentioned a lot.

    Thanks, Michael

    ___________________________

    Torgeir Bakken (MVP) wrote:
    > NewComrMSNETFam wrote:
    >
    >> Hi,
    >>
    >> Dont ask, I realy don't know but it look like that I cannot open my
    >> encrypted files.
    >> This is to say that the assicated user key of the account with the
    >> problem are misplaced or lost.
    >>
    >> Q1) If the key is not lost but missplaced, who can I locate it and
    >> place it back at the right place?
    >> Q2) If the key is lost, I have a data and system backup of my machine
    >> using the "Backup" program. How can I locate and extract from the
    >> backup the missing key?
    >
    > Hi
    >
    > If you can restore the user profile folders for the user that
    > encrypted the files and if you remember the password for the user
    > when the backup was taken, you might be able to save the files.
    >
    > Take a look at this site for more details:
    >
    > http://www.beginningtoseethelight.org/efsrecovery/
    >
    >
    >
    >
  3. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    I have compared my admin account with the one that has key problem.

    In the crypto directory I have and extra directory named:DSS with
    sub-directory with keys.

    Q3) Any clue on why this extra directory and If the system would try to
    use the DSS key to decipher?

    It could be and explanation. Now if this is the reason, how I get the
    system to go back using my RSA keys which are there after all, unless those
    have beed also changed, again for some unexplained reasons.

    Please, for people how like this discussion, first try answering my
    questions: Q1..Q3 then will go further.

    Thanks.


    "M. Jennings" wrote:

    > I'm wanting to understand the same issues. Many, many people lose their
    > encrypted files, partly because Microsoft's explanation is so poor.
    >
    > The web site you referenced is very poorly written and formatted. Doesn't
    > Micrososoft have anything better? I notice that that web site is mentioned a lot.
    >
    > Thanks, Michael
    >
    > ___________________________
    >
    > Torgeir Bakken (MVP) wrote:
    > > NewComrMSNETFam wrote:
    > >
    > >> Hi,
    > >>
    > >> Dont ask, I realy don't know but it look like that I cannot open my
    > >> encrypted files.
    > >> This is to say that the assicated user key of the account with the
    > >> problem are misplaced or lost.
    > >>
    > >> Q1) If the key is not lost but missplaced, who can I locate it and
    > >> place it back at the right place?
    > >> Q2) If the key is lost, I have a data and system backup of my machine
    > >> using the "Backup" program. How can I locate and extract from the
    > >> backup the missing key?
    > >
    > > Hi
    > >
    > > If you can restore the user profile folders for the user that
    > > encrypted the files and if you remember the password for the user
    > > when the backup was taken, you might be able to save the files.
    > >
    > > Take a look at this site for more details:
    > >
    > > http://www.beginningtoseethelight.org/efsrecovery/
    > >
    > >
    > >
    > >
    >
  4. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    M. Jennings wrote:

    > I'm wanting to understand the same issues. Many, many people lose their
    > encrypted files, partly because Microsoft's explanation is so poor.
    >
    > The web site you referenced is very poorly written and formatted.
    > Doesn't Micrososoft have anything better?
    Hi

    From http://www.beginningtoseethelight.org/efsrecovery/

    "02. microsoft have a recovery program (reccerts.exe) only
    available via payed support"

    reccerts.exe will do approximately the same job as the manual
    procedure described at that web page.


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
  5. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    I have found the cause, now how do I solve that!

    Here it is: Using the admin account I have change the password of my non
    admin account. Now, knowing my old password can I revert by simply changing
    it back to orignal value? The user-id and machine id ... hasen't changed.

    How about that?


    "Torgeir Bakken (MVP)" wrote:

    > M. Jennings wrote:
    >
    > > I'm wanting to understand the same issues. Many, many people lose their
    > > encrypted files, partly because Microsoft's explanation is so poor.
    > >
    > > The web site you referenced is very poorly written and formatted.
    > > Doesn't Micrososoft have anything better?
    > Hi
    >
    > From http://www.beginningtoseethelight.org/efsrecovery/
    >
    > "02. microsoft have a recovery program (reccerts.exe) only
    > available via payed support"
    >
    > reccerts.exe will do approximately the same job as the manual
    > procedure described at that web page.
    >
    >
    >
    > --
    > torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    > Administration scripting examples and an ONLINE version of
    > the 1328 page Scripting Guide:
    > http://www.microsoft.com/technet/scriptcenter/default.mspx
    >
  6. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    I works, putting back from the admin account with same account type and
    password made the encrypted files available.

    Since special, since that means that no key where actually recomputed
    and-or building those keys doesn't invole a random activity.

    That's a special one!

    Thanks anyway.

    Chears!



    "NewComrMSNETFam" wrote:

    > I have found the cause, now how do I solve that!
    >
    > Here it is: Using the admin account I have change the password of my non
    > admin account. Now, knowing my old password can I revert by simply changing
    > it back to orignal value? The user-id and machine id ... hasen't changed.
    >
    > How about that?
    >
    >
    > "Torgeir Bakken (MVP)" wrote:
    >
    > > M. Jennings wrote:
    > >
    > > > I'm wanting to understand the same issues. Many, many people lose their
    > > > encrypted files, partly because Microsoft's explanation is so poor.
    > > >
    > > > The web site you referenced is very poorly written and formatted.
    > > > Doesn't Micrososoft have anything better?
    > > Hi
    > >
    > > From http://www.beginningtoseethelight.org/efsrecovery/
    > >
    > > "02. microsoft have a recovery program (reccerts.exe) only
    > > available via payed support"
    > >
    > > reccerts.exe will do approximately the same job as the manual
    > > procedure described at that web page.
    > >
    > >
    > >
    > > --
    > > torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    > > Administration scripting examples and an ONLINE version of
    > > the 1328 page Scripting Guide:
    > > http://www.microsoft.com/technet/scriptcenter/default.mspx
    > >
  7. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> ha scritto nel
    messaggio news:u1itFx$KFHA.2136@TK2MSFTNGP14.phx.gbl...
    >
    > The web site you referenced is very poorly written and formatted. Doesn't
    > Micrososoft have anything better? I notice that that web site is mentioned
    > a lot.
    >

    >> http://www.beginningtoseethelight.org/efsrecovery/
    >>
    It's not a Microsoft's site...!
    And, more, what matters most? A fairly written website or a full of info
    site?
    Speaking of well formatted text, we *should* start writing on newsgroups in
    *html* then...perhaps using emoticons...god bless us...

    Stefano
  8. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Here's a Microsoft site with information about EFS:

    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

    Thanks.
    Pat

    "M. Jennings" wrote:

    > I'm wanting to understand the same issues. Many, many people lose their
    > encrypted files, partly because Microsoft's explanation is so poor.
    >
    > The web site you referenced is very poorly written and formatted. Doesn't
    > Micrososoft have anything better? I notice that that web site is mentioned a lot.
    >
    > Thanks, Michael
    >
    > ___________________________
    >
    > Torgeir Bakken (MVP) wrote:
    > > NewComrMSNETFam wrote:
    > >
    > >> Hi,
    > >>
    > >> Dont ask, I realy don't know but it look like that I cannot open my
    > >> encrypted files.
    > >> This is to say that the assicated user key of the account with the
    > >> problem are misplaced or lost.
    > >>
    > >> Q1) If the key is not lost but missplaced, who can I locate it and
    > >> place it back at the right place?
    > >> Q2) If the key is lost, I have a data and system backup of my machine
    > >> using the "Backup" program. How can I locate and extract from the
    > >> backup the missing key?
    > >
    > > Hi
    > >
    > > If you can restore the user profile folders for the user that
    > > encrypted the files and if you remember the password for the user
    > > when the backup was taken, you might be able to save the files.
    > >
    > > Take a look at this site for more details:
    > >
    > > http://www.beginningtoseethelight.org/efsrecovery/
    > >
    > >
    > >
    > >
    >
  9. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Now that you can access your files again, it would be a good time to back up
    your EFS certificate/key. If you have WXP with SP2 installed, run "cipher
    /x" at a command line to create a .pfx file. Store that file on a floppy in
    a safe place. If you ever need to recover files, just run or double-click
    that .pfx file. It will automatically import your certificate/key to your
    Personal Certificates store.

    Thanks.
    Pat

    "NewComrMSNETFam" wrote:

    > I works, putting back from the admin account with same account type and
    > password made the encrypted files available.
    >
    > Since special, since that means that no key where actually recomputed
    > and-or building those keys doesn't invole a random activity.
    >
    > That's a special one!
    >
    > Thanks anyway.
    >
    > Chears!
    >
    >
    >
    > "NewComrMSNETFam" wrote:
    >
    > > I have found the cause, now how do I solve that!
    > >
    > > Here it is: Using the admin account I have change the password of my non
    > > admin account. Now, knowing my old password can I revert by simply changing
    > > it back to orignal value? The user-id and machine id ... hasen't changed.
    > >
    > > How about that?
    > >
    > >
    > > "Torgeir Bakken (MVP)" wrote:
    > >
    > > > M. Jennings wrote:
    > > >
    > > > > I'm wanting to understand the same issues. Many, many people lose their
    > > > > encrypted files, partly because Microsoft's explanation is so poor.
    > > > >
    > > > > The web site you referenced is very poorly written and formatted.
    > > > > Doesn't Micrososoft have anything better?
    > > > Hi
    > > >
    > > > From http://www.beginningtoseethelight.org/efsrecovery/
    > > >
    > > > "02. microsoft have a recovery program (reccerts.exe) only
    > > > available via payed support"
    > > >
    > > > reccerts.exe will do approximately the same job as the manual
    > > > procedure described at that web page.
    > > >
    > > >
    > > >
    > > > --
    > > > torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    > > > Administration scripting examples and an ONLINE version of
    > > > the 1328 page Scripting Guide:
    > > > http://www.microsoft.com/technet/scriptcenter/default.mspx
    > > >
  10. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Pat,

    Thanks for your reply.

    If you read all of Microsoft's documentation carefully, you will find that the
    explanation just is not there. There are plenty of "overviews" that cover the
    same information.

    Only if I can move the files between different accounts on different
    stand-alone computers will I know I understand how EFS works. I have been
    unable to do that.

    I deleted my personal certificate, but the files in a test directory are still
    automatically decrypted. This also shows that I don't understand EFS.

    I need to be able to change my logon password without losing my encrypted files.

    I don't understand why they say "Recovery Certificate", when supposedly the
    Recovery Certificate does not include the private key. With no private key, it
    is impossible to decrypt files.

    Pat, do a search on EFS in the newsgroups. People are having a very difficult
    time with encryption. They are losing files. It is easy to encrypt, and
    difficult to know how the encryption works.

    Two people have advised me to use non-Microsoft products. People are directing
    other people to poorly written and formatted non-Microsoft web pages.

    Part of the confusion is obvious from the fact that there are so many web
    Microsoft web pages devoted to the same incomplete explanations. EFS is
    different between Windows 2000 and Windows XP, but often the web pages refer
    to both seemingly indiscriminately. Those who did the writing were confused
    about the differences between EFS when connected to a domain, and EFS on a
    stand-alone computer.

    Michael

    _________________________

    Pat Hoffer [MSFT] wrote:
    > Here's a Microsoft site with information about EFS:
    >
    > http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
    >
    > Thanks.
    > Pat
    >
    > "M. Jennings" wrote:
    >
    >
    >>I'm wanting to understand the same issues. Many, many people lose their
    >>encrypted files, partly because Microsoft's explanation is so poor.
    >>
    >>The web site you referenced is very poorly written and formatted. Doesn't
    >>Micrososoft have anything better? I notice that that web site is mentioned a lot.
    >>
    >>Thanks, Michael
    >>
    >>___________________________
    >>
    >>Torgeir Bakken (MVP) wrote:
    >>
    >>>NewComrMSNETFam wrote:
    >>>
    >>>
    >>>>Hi,
    >>>>
    >>>>Dont ask, I realy don't know but it look like that I cannot open my
    >>>>encrypted files.
    >>>>This is to say that the assicated user key of the account with the
    >>>>problem are misplaced or lost.
    >>>>
    >>>>Q1) If the key is not lost but missplaced, who can I locate it and
    >>>>place it back at the right place?
    >>>>Q2) If the key is lost, I have a data and system backup of my machine
    >>>>using the "Backup" program. How can I locate and extract from the
    >>>>backup the missing key?
    >>>
    >>>Hi
    >>>
    >>>If you can restore the user profile folders for the user that
    >>>encrypted the files and if you remember the password for the user
    >>>when the backup was taken, you might be able to save the files.
    >>>
    >>>Take a look at this site for more details:
    >>>
    >>>http://www.beginningtoseethelight.org/efsrecovery/
    >>>
    >>>
    >>>
    >>>
    >>
  11. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Yes, the data is very domain-oriented, theoretical, and lengthy (and needs to
    be addressed). The KB articles tend to be more specific, so I thought those
    might be helpful to look through. EFS was designed with a domain environment
    in mind. Domains have the default EFS recovery policy (a File Recovery
    certificate and key stored on the DC), that can be used to recover users'
    encrypted files when issues arise. That is why there is so much
    documentation in that direction.

    The reality is that many non-domain users are using EFS, also. The best
    "recovery policy" for non-domain users is to back up their EFS
    certificates/keys. This has not been well-addressed in documentation, which
    is why I keep promoting "cipher /x" on this newsgroup. (WS2003 actually
    shipped with a backup UI for this.)

    You said you can still decrypt your files even though you have deleted your
    EFS certificate. EFS keeps your private key in cache until you log off. Try
    logging off and then on again, and you should get access denied to those
    files. As for moving encrypted files between standalone machines, EFS was
    not designed in WinXP to do that. (Win2K was a different story.)

    The "password change" issue was caused by another Windows component that
    encrypts your EFS private key with your password to keep it secure. When you
    log on and then access an encrypted file, this component decrypts your EFS
    key (using your password) and hands it to EFS. In a domain environment, the
    component had to be able to reach the DC to confirm that the new password is
    correct before it can decrypt your key. This caused a problem for domain
    users who were disconnected from their networks when they tried to access
    encrypted files for the first time after a password change. This issue has
    been fixed in the service packs for WinXP and in SP4 for Win2K.

    The bottom line is that if you back up your EFS certificate/key, your bases
    are covered. Do this: encrypt a new file (EFS will create a new certificate
    since you've deleted the original), run "cipher /x" at command line to create
    a .pfx file, delete your new EFS certificate, log off and on, try to open the
    new file (you shouldn't), run or double-click the .pfx file to import the
    certificate (select to make the key exportable), and try to open the new file
    again (you should).

    That's probably more than you ever wanted to know, but I hope it helps.
    Thanks for your comments regarding the documentation. I'll pass that on.

    Thanks.
    Pat

    "M. Jennings" wrote:

    > Pat,
    >
    > Thanks for your reply.
    >
    > If you read all of Microsoft's documentation carefully, you will find that the
    > explanation just is not there. There are plenty of "overviews" that cover the
    > same information.
    >
    > Only if I can move the files between different accounts on different
    > stand-alone computers will I know I understand how EFS works. I have been
    > unable to do that.
    >
    > I deleted my personal certificate, but the files in a test directory are still
    > automatically decrypted. This also shows that I don't understand EFS.
    >
    > I need to be able to change my logon password without losing my encrypted files.
    >
    > I don't understand why they say "Recovery Certificate", when supposedly the
    > Recovery Certificate does not include the private key. With no private key, it
    > is impossible to decrypt files.
    >
    > Pat, do a search on EFS in the newsgroups. People are having a very difficult
    > time with encryption. They are losing files. It is easy to encrypt, and
    > difficult to know how the encryption works.
    >
    > Two people have advised me to use non-Microsoft products. People are directing
    > other people to poorly written and formatted non-Microsoft web pages.
    >
    > Part of the confusion is obvious from the fact that there are so many web
    > Microsoft web pages devoted to the same incomplete explanations. EFS is
    > different between Windows 2000 and Windows XP, but often the web pages refer
    > to both seemingly indiscriminately. Those who did the writing were confused
    > about the differences between EFS when connected to a domain, and EFS on a
    > stand-alone computer.
    >
    > Michael
    >
    > _________________________
    >
    > Pat Hoffer [MSFT] wrote:
    > > Here's a Microsoft site with information about EFS:
    > >
    > > http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
    > >
    > > Thanks.
    > > Pat
    > >
    > > "M. Jennings" wrote:
    > >
    > >
    > >>I'm wanting to understand the same issues. Many, many people lose their
    > >>encrypted files, partly because Microsoft's explanation is so poor.
    > >>
    > >>The web site you referenced is very poorly written and formatted. Doesn't
    > >>Micrososoft have anything better? I notice that that web site is mentioned a lot.
    > >>
    > >>Thanks, Michael
    > >>
    > >>___________________________
    > >>
    > >>Torgeir Bakken (MVP) wrote:
    > >>
    > >>>NewComrMSNETFam wrote:
    > >>>
    > >>>
    > >>>>Hi,
    > >>>>
    > >>>>Dont ask, I realy don't know but it look like that I cannot open my
    > >>>>encrypted files.
    > >>>>This is to say that the assicated user key of the account with the
    > >>>>problem are misplaced or lost.
    > >>>>
    > >>>>Q1) If the key is not lost but missplaced, who can I locate it and
    > >>>>place it back at the right place?
    > >>>>Q2) If the key is lost, I have a data and system backup of my machine
    > >>>>using the "Backup" program. How can I locate and extract from the
    > >>>>backup the missing key?
    > >>>
    > >>>Hi
    > >>>
    > >>>If you can restore the user profile folders for the user that
    > >>>encrypted the files and if you remember the password for the user
    > >>>when the backup was taken, you might be able to save the files.
    > >>>
    > >>>Take a look at this site for more details:
    > >>>
    > >>>http://www.beginningtoseethelight.org/efsrecovery/
    > >>>
    > >>>
    > >>>
    > >>>
    > >>
    >
  12. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    No relation to the author of the page, but it is very well written and
    informative - perhaps you should be contacting a PC technician instead of
    trying to be a do-it-yourselfer, as a moderate amount of technical
    understanding is required to troubleshoot issues such as these.

    --
    Star Fleet Admiral Q @ your service!
    "Google is your Friend!"
    www.google.com

    ***********************************************

    "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
    news:u1itFx$KFHA.2136@TK2MSFTNGP14.phx.gbl...
    > I'm wanting to understand the same issues. Many, many people lose their
    > encrypted files, partly because Microsoft's explanation is so poor.
    >
    > The web site you referenced is very poorly written and formatted. Doesn't
    > Micrososoft have anything better? I notice that that web site is mentioned
    a lot.
    >
    > Thanks, Michael
    >
    > ___________________________
    >
    > Torgeir Bakken (MVP) wrote:
    > > NewComrMSNETFam wrote:
    > >
    > >> Hi,
    > >>
    > >> Dont ask, I realy don't know but it look like that I cannot open my
    > >> encrypted files.
    > >> This is to say that the assicated user key of the account with the
    > >> problem are misplaced or lost.
    > >>
    > >> Q1) If the key is not lost but missplaced, who can I locate it and
    > >> place it back at the right place?
    > >> Q2) If the key is lost, I have a data and system backup of my machine
    > >> using the "Backup" program. How can I locate and extract from the
    > >> backup the missing key?
    > >
    > > Hi
    > >
    > > If you can restore the user profile folders for the user that
    > > encrypted the files and if you remember the password for the user
    > > when the backup was taken, you might be able to save the files.
    > >
    > > Take a look at this site for more details:
    > >
    > > http://www.beginningtoseethelight.org/efsrecovery/
    > >
    > >
    > >
    > >
  13. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Pat,

    First, I want to say that your reply is very, very much appreciated.

    You said below: "As for moving encrypted files between standalone machines,
    EFS was not designed in WinXP to do that. (Win2K was a different story.)"

    Wow! There is nothing in the documentation that hints at this!

    Do I understand you correctly? There is no way whatsoever to decrypt an EFS
    encrypted file on a computer other than the one on which it was encrypted,
    unless the computer is attached to a domain?

    This means that the encrypted data is, basically, owned by Windows 2003?

    Do I understand correctly that Microsoft made a change between EFS in Windows
    2000 and EFS in Windows 2003/XP, without adequately notifying users?

    You said, 'The reality is that many non-domain users are using EFS, also. The
    best "recovery policy" for non-domain users is to back up their EFS
    certificates/keys. This has not been well-addressed in documentation, which
    is why I keep promoting "cipher /x" on this newsgroup.'

    You also say below: "The bottom line is that if you back up your EFS
    certificate/key, your bases are covered."

    I don't understand how backing up my .PFX and .CER files helps me, if I cannot
    use them on a different computer. What would happen if a user with a single
    computer lost his or her computer because of theft? Would there be no way to
    recover the information, even if he or she had backups?

    I tried reading my EFS encrypted test data on a second computer with the same
    account name and password, and it would not decrypt.

    What about the computer on which I originally EFS encrypt is unique, so that I
    cannot transport my encrypted data elsewhere? When is a backup of .CER and
    ..PFX files not a real backup for the data?

    If I understand this correctly, it strikes me as cruel. I saw one newsgroup
    posting in which a man said he had lost 11 years of research. EFS works in a
    way that is counter-intuitive and not documented.

    You said, "That's probably more than you ever wanted to know, but I hope it
    helps."

    It's not more than I wanted to know. It does help, a lot.

    Michael


    ___________________

    Pat Hoffer [MSFT] wrote:
    > Yes, the data is very domain-oriented, theoretical, and lengthy (and needs to
    > be addressed). The KB articles tend to be more specific, so I thought those
    > might be helpful to look through. EFS was designed with a domain environment
    > in mind. Domains have the default EFS recovery policy (a File Recovery
    > certificate and key stored on the DC), that can be used to recover users'
    > encrypted files when issues arise. That is why there is so much
    > documentation in that direction.
    >
    > The reality is that many non-domain users are using EFS, also. The best
    > "recovery policy" for non-domain users is to back up their EFS
    > certificates/keys. This has not been well-addressed in documentation, which
    > is why I keep promoting "cipher /x" on this newsgroup. (WS2003 actually
    > shipped with a backup UI for this.)
    >
    > You said you can still decrypt your files even though you have deleted your
    > EFS certificate. EFS keeps your private key in cache until you log off. Try
    > logging off and then on again, and you should get access denied to those
    > files. As for moving encrypted files between standalone machines, EFS was
    > not designed in WinXP to do that. (Win2K was a different story.)
    >
    > The "password change" issue was caused by another Windows component that
    > encrypts your EFS private key with your password to keep it secure. When you
    > log on and then access an encrypted file, this component decrypts your EFS
    > key (using your password) and hands it to EFS. In a domain environment, the
    > component had to be able to reach the DC to confirm that the new password is
    > correct before it can decrypt your key. This caused a problem for domain
    > users who were disconnected from their networks when they tried to access
    > encrypted files for the first time after a password change. This issue has
    > been fixed in the service packs for WinXP and in SP4 for Win2K.
    >
    > The bottom line is that if you back up your EFS certificate/key, your bases
    > are covered. Do this: encrypt a new file (EFS will create a new certificate
    > since you've deleted the original), run "cipher /x" at command line to create
    > a .pfx file, delete your new EFS certificate, log off and on, try to open the
    > new file (you shouldn't), run or double-click the .pfx file to import the
    > certificate (select to make the key exportable), and try to open the new file
    > again (you should).
    >
    > That's probably more than you ever wanted to know, but I hope it helps.
    > Thanks for your comments regarding the documentation. I'll pass that on.
    >
    > Thanks.
    > Pat
    >
    > "M. Jennings" wrote:
    >
    >
    >>Pat,
    >>
    >>Thanks for your reply.
    >>
    >>If you read all of Microsoft's documentation carefully, you will find that the
    >>explanation just is not there. There are plenty of "overviews" that cover the
    >>same information.
    >>
    >>Only if I can move the files between different accounts on different
    >>stand-alone computers will I know I understand how EFS works. I have been
    >>unable to do that.
    >>
    >>I deleted my personal certificate, but the files in a test directory are still
    >>automatically decrypted. This also shows that I don't understand EFS.
    >>
    >>I need to be able to change my logon password without losing my encrypted files.
    >>
    >>I don't understand why they say "Recovery Certificate", when supposedly the
    >>Recovery Certificate does not include the private key. With no private key, it
    >>is impossible to decrypt files.
    >>
    >>Pat, do a search on EFS in the newsgroups. People are having a very difficult
    >>time with encryption. They are losing files. It is easy to encrypt, and
    >>difficult to know how the encryption works.
    >>
    >>Two people have advised me to use non-Microsoft products. People are directing
    >>other people to poorly written and formatted non-Microsoft web pages.
    >>
    >>Part of the confusion is obvious from the fact that there are so many web
    >>Microsoft web pages devoted to the same incomplete explanations. EFS is
    >>different between Windows 2000 and Windows XP, but often the web pages refer
    >>to both seemingly indiscriminately. Those who did the writing were confused
    >>about the differences between EFS when connected to a domain, and EFS on a
    >>stand-alone computer.
    >>
    >>Michael
    >>
    >>_________________________
    >>
    >>Pat Hoffer [MSFT] wrote:
    >>
    >>>Here's a Microsoft site with information about EFS:
    >>>
    >>>http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
    >>>
    >>>Thanks.
    >>>Pat
    >>>
    >>>"M. Jennings" wrote:
    >>>
    >>>
    >>>
    >>>>I'm wanting to understand the same issues. Many, many people lose their
    >>>>encrypted files, partly because Microsoft's explanation is so poor.
    >>>>
    >>>>The web site you referenced is very poorly written and formatted. Doesn't
    >>>>Micrososoft have anything better? I notice that that web site is mentioned a lot.
    >>>>
    >>>>Thanks, Michael
    >>>>
    >>>>___________________________
    >>>>
    >>>>Torgeir Bakken (MVP) wrote:
    >>>>
    >>>>
    >>>>>NewComrMSNETFam wrote:
    >>>>>
    >>>>>
    >>>>>
    >>>>>>Hi,
    >>>>>>
    >>>>>>Dont ask, I realy don't know but it look like that I cannot open my
    >>>>>>encrypted files.
    >>>>>>This is to say that the assicated user key of the account with the
    >>>>>>problem are misplaced or lost.
    >>>>>>
    >>>>>>Q1) If the key is not lost but missplaced, who can I locate it and
    >>>>>>place it back at the right place?
    >>>>>>Q2) If the key is lost, I have a data and system backup of my machine
    >>>>>>using the "Backup" program. How can I locate and extract from the
    >>>>>>backup the missing key?
    >>>>>
    >>>>>Hi
    >>>>>
    >>>>>If you can restore the user profile folders for the user that
    >>>>>encrypted the files and if you remember the password for the user
    >>>>>when the backup was taken, you might be able to save the files.
    >>>>>
    >>>>>Take a look at this site for more details:
    >>>>>
    >>>>>http://www.beginningtoseethelight.org/efsrecovery/
    >>>>>
    >>>>>
    >>>>>
    >>>>>
    >>>>
  14. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Pat,

    First, I want to say that your reply is very, very much appreciated.

    You said below: "As for moving encrypted files between standalone machines,
    EFS was not designed in WinXP to do that. (Win2K was a different story.)"

    Wow! There is nothing in the documentation that hints at this!

    Do I understand you correctly? There is no way whatsoever to decrypt an EFS
    encrypted file on a computer other than the one on which it was encrypted,
    unless the computer is attached to a domain?

    This means that the encrypted data is, basically, owned by Windows 2003?

    Do I understand correctly that Microsoft made a change between EFS in Windows
    2000 and EFS in Windows 2003/XP, without adequately notifying users?

    You said, 'The reality is that many non-domain users are using EFS, also. The
    best "recovery policy" for non-domain users is to back up their EFS
    certificates/keys. This has not been well-addressed in documentation, which
    is why I keep promoting "cipher /x" on this newsgroup.'

    You also say below: "The bottom line is that if you back up your EFS
    certificate/key, your bases are covered."

    I don't understand how backing up my .PFX and .CER files helps me, if I cannot
    use them on a different computer. What would happen if a user with a single
    computer lost his or her computer because of theft? Would there be no way to
    recover the information, even if he or she had backups?

    I tried reading my EFS encrypted test data on a second computer with the same
    account name and password, and it would not decrypt.

    What about the computer on which I originally EFS encrypt is unique, so that I
    cannot transport my encrypted data elsewhere? When is a backup of .CER and
    ..PFX files not a real backup for the data?

    If I understand this correctly, it strikes me as cruel. I saw one newsgroup
    posting in which a man said he had lost 11 years of research. EFS works in a
    way that is counter-intuitive and not documented.

    You said, "That's probably more than you ever wanted to know, but I hope it
    helps."

    It's not more than I wanted to know. It does help, a lot.

    Michael


    ___________________

    Pat Hoffer [MSFT] wrote:
    > Yes, the data is very domain-oriented, theoretical, and lengthy (and needs to
    > be addressed). The KB articles tend to be more specific, so I thought those
    > might be helpful to look through. EFS was designed with a domain environment
    > in mind. Domains have the default EFS recovery policy (a File Recovery
    > certificate and key stored on the DC), that can be used to recover users'
    > encrypted files when issues arise. That is why there is so much
    > documentation in that direction.
    >
    > The reality is that many non-domain users are using EFS, also. The best
    > "recovery policy" for non-domain users is to back up their EFS
    > certificates/keys. This has not been well-addressed in documentation, which
    > is why I keep promoting "cipher /x" on this newsgroup. (WS2003 actually
    > shipped with a backup UI for this.)
    >
    > You said you can still decrypt your files even though you have deleted your
    > EFS certificate. EFS keeps your private key in cache until you log off. Try
    > logging off and then on again, and you should get access denied to those
    > files. As for moving encrypted files between standalone machines, EFS was
    > not designed in WinXP to do that. (Win2K was a different story.)
    >
    > The "password change" issue was caused by another Windows component that
    > encrypts your EFS private key with your password to keep it secure. When you
    > log on and then access an encrypted file, this component decrypts your EFS
    > key (using your password) and hands it to EFS. In a domain environment, the
    > component had to be able to reach the DC to confirm that the new password is
    > correct before it can decrypt your key. This caused a problem for domain
    > users who were disconnected from their networks when they tried to access
    > encrypted files for the first time after a password change. This issue has
    > been fixed in the service packs for WinXP and in SP4 for Win2K.
    >
    > The bottom line is that if you back up your EFS certificate/key, your bases
    > are covered. Do this: encrypt a new file (EFS will create a new certificate
    > since you've deleted the original), run "cipher /x" at command line to create
    > a .pfx file, delete your new EFS certificate, log off and on, try to open the
    > new file (you shouldn't), run or double-click the .pfx file to import the
    > certificate (select to make the key exportable), and try to open the new file
    > again (you should).
    >
    > That's probably more than you ever wanted to know, but I hope it helps.
    > Thanks for your comments regarding the documentation. I'll pass that on.
    >
    > Thanks.
    > Pat
    >
    > "M. Jennings" wrote:
    >
    >
    >>Pat,
    >>
    >>Thanks for your reply.
    >>
    >>If you read all of Microsoft's documentation carefully, you will find that the
    >>explanation just is not there. There are plenty of "overviews" that cover the
    >>same information.
    >>
    >>Only if I can move the files between different accounts on different
    >>stand-alone computers will I know I understand how EFS works. I have been
    >>unable to do that.
    >>
    >>I deleted my personal certificate, but the files in a test directory are still
    >>automatically decrypted. This also shows that I don't understand EFS.
    >>
    >>I need to be able to change my logon password without losing my encrypted files.
    >>
    >>I don't understand why they say "Recovery Certificate", when supposedly the
    >>Recovery Certificate does not include the private key. With no private key, it
    >>is impossible to decrypt files.
    >>
    >>Pat, do a search on EFS in the newsgroups. People are having a very difficult
    >>time with encryption. They are losing files. It is easy to encrypt, and
    >>difficult to know how the encryption works.
    >>
    >>Two people have advised me to use non-Microsoft products. People are directing
    >>other people to poorly written and formatted non-Microsoft web pages.
    >>
    >>Part of the confusion is obvious from the fact that there are so many web
    >>Microsoft web pages devoted to the same incomplete explanations. EFS is
    >>different between Windows 2000 and Windows XP, but often the web pages refer
    >>to both seemingly indiscriminately. Those who did the writing were confused
    >>about the differences between EFS when connected to a domain, and EFS on a
    >>stand-alone computer.
    >>
    >>Michael
    >>
    >>_________________________
    >>
    >>Pat Hoffer [MSFT] wrote:
    >>
    >>>Here's a Microsoft site with information about EFS:
    >>>
    >>>http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
    >>>
    >>>Thanks.
    >>>Pat
    >>>
    >>>"M. Jennings" wrote:
    >>>
    >>>
    >>>
    >>>>I'm wanting to understand the same issues. Many, many people lose their
    >>>>encrypted files, partly because Microsoft's explanation is so poor.
    >>>>
    >>>>The web site you referenced is very poorly written and formatted. Doesn't
    >>>>Micrososoft have anything better? I notice that that web site is mentioned a lot.
    >>>>
    >>>>Thanks, Michael
    >>>>
    >>>>___________________________
    >>>>
    >>>>Torgeir Bakken (MVP) wrote:
    >>>>
    >>>>
    >>>>>NewComrMSNETFam wrote:
    >>>>>
    >>>>>
    >>>>>
    >>>>>>Hi,
    >>>>>>
    >>>>>>Dont ask, I realy don't know but it look like that I cannot open my
    >>>>>>encrypted files.
    >>>>>>This is to say that the assicated user key of the account with the
    >>>>>>problem are misplaced or lost.
    >>>>>>
    >>>>>>Q1) If the key is not lost but missplaced, who can I locate it and
    >>>>>>place it back at the right place?
    >>>>>>Q2) If the key is lost, I have a data and system backup of my machine
    >>>>>>using the "Backup" program. How can I locate and extract from the
    >>>>>>backup the missing key?
    >>>>>
    >>>>>Hi
    >>>>>
    >>>>>If you can restore the user profile folders for the user that
    >>>>>encrypted the files and if you remember the password for the user
    >>>>>when the backup was taken, you might be able to save the files.
    >>>>>
    >>>>>Take a look at this site for more details:
    >>>>>
    >>>>>http://www.beginningtoseethelight.org/efsrecovery/
    >>>>>
    >>>>>
    >>>>>
    >>>>>
    >>>>
  15. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Pat,

    First, I want to say that your reply is very, very much appreciated.

    You said below: "As for moving encrypted files between standalone machines,
    EFS was not designed in WinXP to do that. (Win2K was a different story.)"

    Wow! There is nothing in the documentation that hints at this!

    Do I understand you correctly? There is no way whatsoever to decrypt an EFS
    encrypted file on a computer other than the one on which it was encrypted,
    unless the computer is attached to a domain?

    This means that the encrypted data is, basically, owned by Windows 2003?

    Do I understand correctly that Microsoft made a change between EFS in Windows
    2000 and EFS in Windows 2003/XP, without adequately notifying users?

    You said, 'The reality is that many non-domain users are using EFS, also. The
    best "recovery policy" for non-domain users is to back up their EFS
    certificates/keys. This has not been well-addressed in documentation, which
    is why I keep promoting "cipher /x" on this newsgroup.'

    You also say below: "The bottom line is that if you back up your EFS
    certificate/key, your bases are covered."

    I don't understand how backing up my .PFX and .CER files helps me, if I cannot
    use them on a different computer. What would happen if a user with a single
    computer lost his or her computer because of theft? Would there be no way to
    recover the information, even if he or she had backups?

    I tried reading my EFS encrypted test data on a second computer with the same
    account name and password, and it would not decrypt.

    What about the computer on which I originally EFS encrypt is unique, so that I
    cannot transport my encrypted data elsewhere? When is a backup of .CER and
    ..PFX files not a real backup for the data?

    If I understand this correctly, it strikes me as cruel. I saw one newsgroup
    posting in which a man said he had lost 11 years of research. EFS works in a
    way that is counter-intuitive and not documented.

    You said, "That's probably more than you ever wanted to know, but I hope it
    helps."

    It's not more than I wanted to know. It does help, a lot.

    Michael


    ___________________

    Pat Hoffer [MSFT] wrote:
    > Yes, the data is very domain-oriented, theoretical, and lengthy (and needs to
    > be addressed). The KB articles tend to be more specific, so I thought those
    > might be helpful to look through. EFS was designed with a domain environment
    > in mind. Domains have the default EFS recovery policy (a File Recovery
    > certificate and key stored on the DC), that can be used to recover users'
    > encrypted files when issues arise. That is why there is so much
    > documentation in that direction.
    >
    > The reality is that many non-domain users are using EFS, also. The best
    > "recovery policy" for non-domain users is to back up their EFS
    > certificates/keys. This has not been well-addressed in documentation, which
    > is why I keep promoting "cipher /x" on this newsgroup. (WS2003 actually
    > shipped with a backup UI for this.)
    >
    > You said you can still decrypt your files even though you have deleted your
    > EFS certificate. EFS keeps your private key in cache until you log off. Try
    > logging off and then on again, and you should get access denied to those
    > files. As for moving encrypted files between standalone machines, EFS was
    > not designed in WinXP to do that. (Win2K was a different story.)
    >
    > The "password change" issue was caused by another Windows component that
    > encrypts your EFS private key with your password to keep it secure. When you
    > log on and then access an encrypted file, this component decrypts your EFS
    > key (using your password) and hands it to EFS. In a domain environment, the
    > component had to be able to reach the DC to confirm that the new password is
    > correct before it can decrypt your key. This caused a problem for domain
    > users who were disconnected from their networks when they tried to access
    > encrypted files for the first time after a password change. This issue has
    > been fixed in the service packs for WinXP and in SP4 for Win2K.
    >
    > The bottom line is that if you back up your EFS certificate/key, your bases
    > are covered. Do this: encrypt a new file (EFS will create a new certificate
    > since you've deleted the original), run "cipher /x" at command line to create
    > a .pfx file, delete your new EFS certificate, log off and on, try to open the
    > new file (you shouldn't), run or double-click the .pfx file to import the
    > certificate (select to make the key exportable), and try to open the new file
    > again (you should).
    >
    > That's probably more than you ever wanted to know, but I hope it helps.
    > Thanks for your comments regarding the documentation. I'll pass that on.
    >
    > Thanks.
    > Pat
    >
    > "M. Jennings" wrote:
    >
    >
    >>Pat,
    >>
    >>Thanks for your reply.
    >>
    >>If you read all of Microsoft's documentation carefully, you will find that the
    >>explanation just is not there. There are plenty of "overviews" that cover the
    >>same information.
    >>
    >>Only if I can move the files between different accounts on different
    >>stand-alone computers will I know I understand how EFS works. I have been
    >>unable to do that.
    >>
    >>I deleted my personal certificate, but the files in a test directory are still
    >>automatically decrypted. This also shows that I don't understand EFS.
    >>
    >>I need to be able to change my logon password without losing my encrypted files.
    >>
    >>I don't understand why they say "Recovery Certificate", when supposedly the
    >>Recovery Certificate does not include the private key. With no private key, it
    >>is impossible to decrypt files.
    >>
    >>Pat, do a search on EFS in the newsgroups. People are having a very difficult
    >>time with encryption. They are losing files. It is easy to encrypt, and
    >>difficult to know how the encryption works.
    >>
    >>Two people have advised me to use non-Microsoft products. People are directing
    >>other people to poorly written and formatted non-Microsoft web pages.
    >>
    >>Part of the confusion is obvious from the fact that there are so many web
    >>Microsoft web pages devoted to the same incomplete explanations. EFS is
    >>different between Windows 2000 and Windows XP, but often the web pages refer
    >>to both seemingly indiscriminately. Those who did the writing were confused
    >>about the differences between EFS when connected to a domain, and EFS on a
    >>stand-alone computer.
    >>
    >>Michael
    >>
    >>_________________________
    >>
    >>Pat Hoffer [MSFT] wrote:
    >>
    >>>Here's a Microsoft site with information about EFS:
    >>>
    >>>http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
    >>>
    >>>Thanks.
    >>>Pat
    >>>
    >>>"M. Jennings" wrote:
    >>>
    >>>
    >>>
    >>>>I'm wanting to understand the same issues. Many, many people lose their
    >>>>encrypted files, partly because Microsoft's explanation is so poor.
    >>>>
    >>>>The web site you referenced is very poorly written and formatted. Doesn't
    >>>>Micrososoft have anything better? I notice that that web site is mentioned a lot.
    >>>>
    >>>>Thanks, Michael
    >>>>
    >>>>___________________________
    >>>>
    >>>>Torgeir Bakken (MVP) wrote:
    >>>>
    >>>>
    >>>>>NewComrMSNETFam wrote:
    >>>>>
    >>>>>
    >>>>>
    >>>>>>Hi,
    >>>>>>
    >>>>>>Dont ask, I realy don't know but it look like that I cannot open my
    >>>>>>encrypted files.
    >>>>>>This is to say that the assicated user key of the account with the
    >>>>>>problem are misplaced or lost.
    >>>>>>
    >>>>>>Q1) If the key is not lost but missplaced, who can I locate it and
    >>>>>>place it back at the right place?
    >>>>>>Q2) If the key is lost, I have a data and system backup of my machine
    >>>>>>using the "Backup" program. How can I locate and extract from the
    >>>>>>backup the missing key?
    >>>>>
    >>>>>Hi
    >>>>>
    >>>>>If you can restore the user profile folders for the user that
    >>>>>encrypted the files and if you remember the password for the user
    >>>>>when the backup was taken, you might be able to save the files.
    >>>>>
    >>>>>Take a look at this site for more details:
    >>>>>
    >>>>>http://www.beginningtoseethelight.org/efsrecovery/
    >>>>>
    >>>>>
    >>>>>
    >>>>>
    >>>>
  16. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Pat,

    My newsreader software failed, and posted three copies of my previous message.

    The EFS question: In numerous places, readers are told that they can recover
    encrypted files if they have the .PFX file. Sometimes they are told that only
    a .CER file (apparently with no private key) is sufficient for recovery. Yet
    you seem to indicate below that is not true, and my tests show it is not true.
    My tests show that I cannot read files from an account with the same user name
    and the same user name password on another computer. Encrypted data seems to
    be tied to Windows and a particular Windows installation. Users seem to be
    losing control of their data in a way they would never accept if they understood.

    What then is the minimum required to recover encrypted files? I need an
    understanding and step-by-step instructions so I can do it myself. The
    instructions cannot involve a domain, since there are numerous instances in
    which someone traveling may need to recover data without involvement with a
    home office, particularly in less-developed foreign countries.

    Thank you,

    Michael

    __________________________

    Pat Hoffer [MSFT] wrote:
    > Yes, the data is very domain-oriented, theoretical, and lengthy (and needs to
    > be addressed). The KB articles tend to be more specific, so I thought those
    > might be helpful to look through. EFS was designed with a domain environment
    > in mind. Domains have the default EFS recovery policy (a File Recovery
    > certificate and key stored on the DC), that can be used to recover users'
    > encrypted files when issues arise. That is why there is so much
    > documentation in that direction.
    >
    > The reality is that many non-domain users are using EFS, also. The best
    > "recovery policy" for non-domain users is to back up their EFS
    > certificates/keys. This has not been well-addressed in documentation, which
    > is why I keep promoting "cipher /x" on this newsgroup. (WS2003 actually
    > shipped with a backup UI for this.)
    >
    > You said you can still decrypt your files even though you have deleted your
    > EFS certificate. EFS keeps your private key in cache until you log off. Try
    > logging off and then on again, and you should get access denied to those
    > files. As for moving encrypted files between standalone machines, EFS was
    > not designed in WinXP to do that. (Win2K was a different story.)
    >
    > The "password change" issue was caused by another Windows component that
    > encrypts your EFS private key with your password to keep it secure. When you
    > log on and then access an encrypted file, this component decrypts your EFS
    > key (using your password) and hands it to EFS. In a domain environment, the
    > component had to be able to reach the DC to confirm that the new password is
    > correct before it can decrypt your key. This caused a problem for domain
    > users who were disconnected from their networks when they tried to access
    > encrypted files for the first time after a password change. This issue has
    > been fixed in the service packs for WinXP and in SP4 for Win2K.
    >
    > The bottom line is that if you back up your EFS certificate/key, your bases
    > are covered. Do this: encrypt a new file (EFS will create a new certificate
    > since you've deleted the original), run "cipher /x" at command line to create
    > a .pfx file, delete your new EFS certificate, log off and on, try to open the
    > new file (you shouldn't), run or double-click the .pfx file to import the
    > certificate (select to make the key exportable), and try to open the new file
    > again (you should).
    >
    > That's probably more than you ever wanted to know, but I hope it helps.
    > Thanks for your comments regarding the documentation. I'll pass that on.
    >
    > Thanks.
    > Pat
    >
    > "M. Jennings" wrote:
    >
    >
    >>Pat,
    >>
    >>Thanks for your reply.
    >>
    >>If you read all of Microsoft's documentation carefully, you will find that the
    >>explanation just is not there. There are plenty of "overviews" that cover the
    >>same information.
    >>
    >>Only if I can move the files between different accounts on different
    >>stand-alone computers will I know I understand how EFS works. I have been
    >>unable to do that.
    >>
    >>I deleted my personal certificate, but the files in a test directory are still
    >>automatically decrypted. This also shows that I don't understand EFS.
    >>
    >>I need to be able to change my logon password without losing my encrypted files.
    >>
    >>I don't understand why they say "Recovery Certificate", when supposedly the
    >>Recovery Certificate does not include the private key. With no private key, it
    >>is impossible to decrypt files.
    >>
    >>Pat, do a search on EFS in the newsgroups. People are having a very difficult
    >>time with encryption. They are losing files. It is easy to encrypt, and
    >>difficult to know how the encryption works.
    >>
    >>Two people have advised me to use non-Microsoft products. People are directing
    >>other people to poorly written and formatted non-Microsoft web pages.
    >>
    >>Part of the confusion is obvious from the fact that there are so many web
    >>Microsoft web pages devoted to the same incomplete explanations. EFS is
    >>different between Windows 2000 and Windows XP, but often the web pages refer
    >>to both seemingly indiscriminately. Those who did the writing were confused
    >>about the differences between EFS when connected to a domain, and EFS on a
    >>stand-alone computer.
    >>
    >>Michael
    >>
    >>_________________________
    >>
    >>Pat Hoffer [MSFT] wrote:
    >>
    >>>Here's a Microsoft site with information about EFS:
    >>>
    >>>http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
    >>>
    >>>Thanks.
    >>>Pat
    >>>
    >>>"M. Jennings" wrote:
    >>>
    >>>
    >>>
    >>>>I'm wanting to understand the same issues. Many, many people lose their
    >>>>encrypted files, partly because Microsoft's explanation is so poor.
    >>>>
    >>>>The web site you referenced is very poorly written and formatted. Doesn't
    >>>>Micrososoft have anything better? I notice that that web site is mentioned a lot.
    >>>>
    >>>>Thanks, Michael
    >>>>
    >>>>___________________________
    >>>>
    >>>>Torgeir Bakken (MVP) wrote:
    >>>>
    >>>>
    >>>>>NewComrMSNETFam wrote:
    >>>>>
    >>>>>
    >>>>>
    >>>>>>Hi,
    >>>>>>
    >>>>>>Dont ask, I realy don't know but it look like that I cannot open my
    >>>>>>encrypted files.
    >>>>>>This is to say that the assicated user key of the account with the
    >>>>>>problem are misplaced or lost.
    >>>>>>
    >>>>>>Q1) If the key is not lost but missplaced, who can I locate it and
    >>>>>>place it back at the right place?
    >>>>>>Q2) If the key is lost, I have a data and system backup of my machine
    >>>>>>using the "Backup" program. How can I locate and extract from the
    >>>>>>backup the missing key?
    >>>>>
    >>>>>Hi
    >>>>>
    >>>>>If you can restore the user profile folders for the user that
    >>>>>encrypted the files and if you remember the password for the user
    >>>>>when the backup was taken, you might be able to save the files.
    >>>>>
    >>>>>Take a look at this site for more details:
    >>>>>
    >>>>>http://www.beginningtoseethelight.org/efsrecovery/
    >>>>>
    >>>>>
    >>>>>
    >>>>>
    >>>>
Ask a new question

Read More

Security Backup Microsoft Windows XP