Cannot get EFS recovery agent function to work!

Archived from groups: microsoft.public.win2000.security

I'm new to Windows 2000, running Win2k Pro on a stand-alone machine. I
encrypted some files before I knew anything about EFS - now a program
that uses some of the files cannot access them. The files were encrypted
under my "power user" account. The certificate that Win2k used to
encrypt them is enabled for "All Purposes" including Encrypted File
System, and File Recovery. As Administrator, I cannot import this
certificate for the Recovery Agent - says it is not enabled for file
recovery.

My Recovery Agent certificate (issued by Administrator to Administrator)
has a different thumbprint and is for File Recovery only.

Does the EFS recovery agent's certificate thumbprint have to match the
certificate the files were encrypted with in order to recover these files?

Ken
  1. Archived from groups: microsoft.public.win2000.security

    Yes. For more info:
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx


    --
    David B. Cross [MS]
    --
    This posting is provided "AS IS" with no warranties, and confers no rights.


    Top Whitepapers:

    Auto-enrollment whitepaper:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

    Best Practices for implementing Windows Server 2003 PKI:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

    Troubleshooting Certificate Status and Revocation whitepaper:
    http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

    Windows Server 2003 web enrollment and troubleshooting guide:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
  2. Archived from groups: microsoft.public.win2000.security

    Yes, the thumbprints need to match for either the user or Recovery Agent. If
    you have a stand-alone computer and the RA is the built-in administrator
    account [which it would be by default], then log on as that account and try to
    decrypt the files. The utility efsinfo can display information on the
    recovery agent. You can use the Certificates MMC snap-in for the user to view
    certificate information, and the certificate will need to show that it has
    the matching private key for the certificate. If you reinstalled the
    operating system [other than an upgrade install] at some point, the original
    user and RA certificate/private key would have been destroyed. The EFS
    certificate and private key for a user/RA are stored in the user's/RA's
    profile folder. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- EFS best
    practices

  3. Archived from groups: microsoft.public.win2000.security

    I did reinstall Win2k from scratch a while back; then restored the rest
    of my files from a backup. The certificate that the files were
    encrypted with no longer exists on my system.

    However, I was able to decrypt the files using a program called Advanced
    EFS Data Recovery ($99) from elcomsoft.com. All-in-all an expensive
    lesson in what NOT to do.

    Thanks for the help.
    Ken Strong


  4. Archived from groups: microsoft.public.win2000.security

    Glad you got it to work but the EFS private key that was used to encrypt the
    files must have been available - possibly from a restore of the user's
    profile from a backup?? --- Steve


  5. Archived from groups: microsoft.public.win2000.security

    Can someone please confirm that as long as I know the password for the
    user account which encrypted the files, I will be able to decrypt them?

    I have lost the user profile (temp files, application data, local
    settings, etc.) but I have NOT forgotten the password, and I'm able to
    log in. However, I'm now unable to decrypt the EFS data files.

    Any suggestions will be appreciated.


    --
    cuppachino
  6. Archived from groups: microsoft.public.win2000.security

    The user profile is where the EFS private key is stored, and thus your EFS
    private key is gone. If you have backed up the EFS private key to a .pfx file,
    then you could try to import it back into the user profile while logged on
    as that user and try to decrypt the files. For Windows 2000 a Recovery Agent
    is required, which would be the built-in administrator account for a
    non-domain computer and possibly "the" domain administrator account for the
    domain. The Efsinfo utility will show if and who the RA is for an EFS file
    and thumbprint info. --- Steve


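An added example, not from the thread or from Microsoft, that performs the checks Steve describes in answers 2 and 6: it lists the certificates in the user's personal store that carry the EFS or File Recovery usage, shows the thumbprint to compare against the efsinfo output, reports whether the matching private key is still in the profile, and backs the key pair up to a .pfx. It assumes Windows PowerShell 3 or later with the PKI module; on Windows 2000 itself only efsinfo, cipher and the Certificates snap-in are available.

```powershell
# Added example, not from the thread. Lists certificates in the current user's
# personal store that carry the EFS or File Recovery enhanced key usage, with
# the thumbprint and whether the matching private key is present in the profile.
# Assumes Windows PowerShell 3+ on a modern Windows; on Windows 2000 the thread's
# own tools (efsinfo /u /c for the user, efsinfo /r /c for the recovery agent,
# and the Certificates MMC snap-in) give the same information.
$EfsOid      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System EKU
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery EKU

function Get-EfsCertificateReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # A certificate with no EKU extension is what the UI shows as "All Purposes".
        $oids = @()
        if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        $efsCapable      = ($null -eq $ekuExt) -or ($oids -contains $EfsOid)
        # A recovery agent certificate needs the File Recovery EKU explicitly.
        $recoveryCapable = $oids -contains $RecoveryOid
        if (-not $efsCapable -and -not $recoveryCapable) { continue }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint    # compare with the efsinfo /c output
            HasPrivateKey = $cert.HasPrivateKey # $false: this cert cannot decrypt anything
            EfsUser       = $efsCapable
            RecoveryAgent = $recoveryCapable
            NotAfter      = $cert.NotAfter
        }
    }
}

# Report for the logged-on user; run it as the built-in Administrator to inspect
# the recovery agent's certificate on a stand-alone machine.
Get-EfsCertificateReport | Format-Table -AutoSize

# Back up the EFS key pair while it still exists, so a profile loss or rebuild
# (answers 2 and 6) does not take the only copy with it. Export-PfxCertificate needs
# Windows 8 / Server 2012 or later; older systems have cipher /x or the snap-in's export wizard.
$pw = Read-Host -AsSecureString -Prompt 'Password for the PFX backup'
Get-EfsCertificateReport | Where-Object { $_.HasPrivateKey -and $_.EfsUser } | ForEach-Object {
    Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$($_.Thumbprint)" `
        -FilePath "$env:USERPROFILE\efs-backup-$($_.Thumbprint).pfx" -Password $pw
}
```

Store the resulting .pfx somewhere outside the profile; a thumbprint shown with HasPrivateKey false is the situation in answers 3 and 5, where the key is gone and only a recovery agent whose thumbprint matches the file's DRF can help.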