decrypting a file question

G

Guest

Guest
Archived from groups: microsoft.public.win2000.security

I'm guessing I'm "sol" here but I just have to ask.

A long while back I selected a folder to encrypt using the checkbox on the
folders properties box in the advanced form. It worked just fine. I never
did do anything about creating any certificates or agents or anything as
backup. I'm just an applications guy who needs a LAN setup to do what I do,
so I learned enough AD, DNS, Exchange and so forth to make it all more or
less work. I do backups fairly well, and my system seems safe enough.

Recently I upgraded my W2K PDC to be a W2K3 SBS PDC. I ran DCPROMO a little
prematurely (in hindsight), and I neglected to remove the encryption
settings on this folder. This server is now just a member server in my new
LAN with a new PDC.

My files and such are all still there. And I can get to all of them, just
can't access the encrypted ones.

Is there an administrative "backdoor" that will gain me access?

regards,

doug
 
Guest

EFS has a way of biting people when it comes to accessing their own files.
The EFS "private" key that is used to decrypt files is stored in the user
profile of the user account that encrypted the file and the Recovery Agent
profile that was in effect at the time that the files were encrypted.
Windows 2000 requires a Recovery Agent, which can be the built-in local
administrator account for the local computer or the built-in administrator
account for the domain. For a domain, the built-in administrator account's EFS
recovery certificate would probably be on the first domain controller for
the domain.

I am not sure exactly all of what you reconfigured, but that may help give you
somewhere to look. You can use the tool efsinfo to find the user and RAs
that can decrypt a file and the thumbprint info for the certificates, which
will be helpful in tracking them down if they exist. The MMC snap-in for
certificates (current user) can be used to view the certificates on a computer for
a user in the Personal/Certificates folder. The EFS or Recovery Agent
certificate needs to show that "you have a private key that corresponds
to this certificate" on the General page of the certificate in order to be
able to decrypt the EFS file. If you find a Recovery Agent, you can
either backup/restore the EFS files to the computer where the RA lives or
export the RA certificate AND private key to a password-protected .pfx file
to import to the computer where the EFS files are.

Normally users have problems when they reinstall the operating system, as
profiles can be erased or associated with the wrong computer operating
system ID. If you have a backup of the profiles of the users that encrypted the
files, you probably still have a copy of the EFS private key, though it can
not be restored via normal means. If that is the case and you know the user
password, then you may be able to recover the EFS files with the help of
Microsoft support [around $245] or the use of a program such as the one from
Elcomsoft that sells for $99. Elcomsoft does have a free trial download that
you can use, but it will only recover very small files; it should, however, let you
know if the private keys are found or not. The first link below is to
Elcomsoft and the other two may provide info to lead you to a solution. ---
Steve

http://www.elcomsoft.com/aefsdr.html
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q223316 --- EFS
best practices.
http://support.microsoft.com/default.aspx?scid=kb;en-us;259732&sd=tech ---
info on Recovery Agent

"douglas martin" <dsmrtn-supt@pacbell.net> wrote in message
news:Oj7VQLTZFHA.4088@TK2MSFTNGP15.phx.gbl...
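The check Steve describes (an EFS or Recovery Agent certificate that actually has its private key, identified by thumbprint) and the backup step the original poster never did (export to a password-protected .pfx) can be scripted. This is an added example, not code from the thread; it assumes a modern Windows host with the PKI module (Export-PfxCertificate), that you run it while logged on as the user whose profile holds the key (the CurrentUser store), and an elevated shell for the LocalMachine store. The backup path is a constructed placeholder.

```powershell
# Added example: inventory EFS / File Recovery certificates that carry a usable
# private key, then back each one up to a password-protected .pfx.
# Assumes Windows with the PKI module; $BackupDir is a constructed path.

$EfsOid      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System EKU
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (recovery agent) EKU
$BackupDir   = 'C:\EfsKeyBackup'           # placeholder; use removable/backup media

function Get-EfsCertificates {
    param([string[]]$Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            $cert = $_
            # Pull the Enhanced Key Usage OIDs (extension 2.5.29.37) off the certificate
            $eku = $cert.Extensions |
                Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
                ForEach-Object { ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$_).EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
            $role = if ($eku -contains $RecoveryOid) { 'RecoveryAgent' }
                    elseif ($eku -contains $EfsOid) { 'User' }
            if ($role) {
                [pscustomobject]@{
                    Store         = $store
                    Role          = $role
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    HasPrivateKey = $cert.HasPrivateKey   # the "you have a private key" line on the General tab
                    NotAfter      = $cert.NotAfter
                }
            }
        }
    }
}

$certs = Get-EfsCertificates
$certs | Format-Table Store, Role, Thumbprint, HasPrivateKey, NotAfter -AutoSize

# Only certificates with the private key present can decrypt anything, so only
# those are exported; the rest are listed so you know what is missing.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
foreach ($c in $certs | Where-Object { $_.HasPrivateKey }) {
    $certObj = Get-Item -Path "$($c.Store)\$($c.Thumbprint)"
    $out = Join-Path $BackupDir "$($c.Role)-$($c.Thumbprint).pfx"
    Export-PfxCertificate -Cert $certObj -FilePath $out -Password $pfxPassword | Out-Null
    Write-Host "Exported $($c.Role) key $($c.Thumbprint) -> $out"
}
```

Compare the thumbprints printed here with the user and recovery-agent thumbprints efsinfo reports for the file; a match with HasPrivateKey set to True is the certificate that can decrypt it.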
 
Guest

I seem to have all profiles. I didn't reinstall anything. I just demoted
my PDC to a member server and then joined my new domain.

I'll look into your suggestions and links. I only have 1 small file
needing decryption.

regards,

doug

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:#snqOEVZFHA.3364@TK2MSFTNGP09.phx.gbl...