Questions About Recovering EFS Security Certificate

March 12, 2005 8:50:55 AM

Archived from groups: microsoft.public.windowsxp.help_and_support

I have a hard drive (w/ XP Pro SP2) that refused to boot up recently because
the 'system' files became corrupted after I loaded the new Norton 2005 AV.
It would not even boot to any restore points or any safe modes - 'corrupted
config/system file(s).'

Anyway... I bought a new drive and loaded it with XP SP2 as well. I assigned
the old drive as a "slave" to the new one so I could recover some critical
data files (which worked just fine). However, I had (1) folder that was
encrypted on the old drive and I never had assigned an EFS Recovery Agent -
which means it used the default Administrator certificate (I assume). Of
course I can not access that one folder currently.

Is there ANY way to get at that certificate from the old drive? I did NOT
reformat it (I just reassigned it as a "slave" to the new drive). The old
'ownership' still shows up since I have only changed ownership on a few of
the folders that I had to recover. The encrypted folder in question I have
NOT taken ownership on yet.

Can any of you MVP gurus give me a clue or some guidance on how I might
recover that old certificate (assuming it is possible)? Where would that
default EFS certificate be stored on the old drive, and how could I access
it currently?

thanks
John


March 12, 2005 11:42:00 AM

"John" <john@nospam.com> wrote in message
news:eWYzGnvJFHA.3184@TK2MSFTNGP09.phx.gbl...
>I have a hard drive (w/ XP Pro SP2) that refused to boot up recently
>because the 'system' files became corrupted after I loaded the new Norton
>2005 AV. It would not even boot to any restore points or any safe modes -
>'corrupted config/system file(s).'
>
> Anyway... I bought a new drive and loaded it with XP SP2 as well. I
> assigned the old drive as a "slave" to the new one so I could recover some
> critical data files (which worked just fine). However, I had (1) folder
> that was encrypted on the old drive and I never had assigned an EFS
> Recovery Agent - which means it used the default Administrator certificate
> (I assume). Of course I can not access that one folder currently.
>
> Is there ANY way to get at that certificate from the old drive? I did NOT
> reformat it (I just reassigned it as a "slave" to the new drive). The old
> 'ownership' still shows up since I have only changed ownership on a few of
> the folders that I had to recover. The encrypted folder in question I have
> NOT taken ownership on yet.
>
> Can any of you MVP gurus give me a clue or some guidance on how I might
> recover that old certificate (assuming it is possible)? Where would that
> default EFS certificate be stored on the old drive, and how could I access
> it currently?
>
> thanks
> John
>

Unless you backed up the key to that encryption, you can kiss that folder
goodbye, as there is no way to retrieve the info from it without it.
March 12, 2005 11:42:01 AM

"Tom" <noway@nothere.com> wrote in message
news:u9TKFlwJFHA.1392@TK2MSFTNGP10.phx.gbl...
>
> "John" <john@nospam.com> wrote in message
> news:eWYzGnvJFHA.3184@TK2MSFTNGP09.phx.gbl...
>>I have a hard drive (w/ XP Pro SP2) that refused to boot up recently
>>because the 'system' files became corrupted after I loaded the new Norton
>>2005 AV. It would not even boot to any restore points or any safe modes -
>>'corrupted config/system file(s).'
>>
>> Anyway... I bought a new drive and loaded it with XP SP2 as well. I
>> assigned the old drive as a "slave" to the new one so I could recover
>> some critical data files (which worked just fine). However, I had (1)
>> folder that was encrypted on the old drive and I never had assigned an
>> EFS Recovery Agent - which means it used the default Administrator
>> certificate (I assume). Of course I can not access that one folder
>> currently.
>>
>> Is there ANY way to get at that certificate from the old drive? I did NOT
>> reformat it (I just reassigned it as a "slave" to the new drive). The old
>> 'ownership' still shows up since I have only changed ownership on a few
>> of the folders that I had to recover. The encrypted folder in question I
>> have NOT taken ownership on yet.
>>
>> Can any of you MVP gurus give me a clue or some guidance on how I might
>> recover that old certificate (assuming it is possible)? Where would that
>> default EFS certificate be stored on the old drive, and how could I
>> access it currently?
>>
>> thanks
>> John
>>
>
> Unless you backed up the key to that encryption, you can kiss that folder
> goodbye, as there is no way to retrieve the info from it without it.

Really... not even when you have the original drive?? I would assume - if I
could ever get that drive to boot again - that the info would still be
there, and including the default EFS certificate the system was using under
that user. No??

And if so it would seem there should be some way to recover the embedded EFS
certificate the system was using.

Or perhaps I am using poor logic or misunderstand how the EFS certificate
system works??

John
March 12, 2005 12:20:10 PM

"John" <john@nospam.com> wrote in message
news:%23Qx7PswJFHA.3596@TK2MSFTNGP14.phx.gbl...
>
> "Tom" <noway@nothere.com> wrote in message
> news:u9TKFlwJFHA.1392@TK2MSFTNGP10.phx.gbl...
>>
>> "John" <john@nospam.com> wrote in message
>> news:eWYzGnvJFHA.3184@TK2MSFTNGP09.phx.gbl...
>>>I have a hard drive (w/ XP Pro SP2) that refused to boot up recently
>>>because the 'system' files became corrupted after I loaded the new Norton
>>>2005 AV. It would not even boot to any restore points or any safe modes -
>>>'corrupted config/system file(s).'
>>>
>>> Anyway... I bought a new drive and loaded it with XP SP2 as well. I
>>> assigned the old drive as a "slave" to the new one so I could recover
>>> some critical data files (which worked just fine). However, I had (1)
>>> folder that was encrypted on the old drive and I never had assigned an
>>> EFS Recovery Agent - which means it used the default Administrator
>>> certificate (I assume). Of course I can not access that one folder
>>> currently.
>>>
>>> Is there ANY way to get at that certificate from the old drive? I did
>>> NOT reformat it (I just reassigned it as a "slave" to the new drive).
>>> The old 'ownership' still shows up since I have only changed ownership
>>> on a few of the folders that I had to recover. The encrypted folder in
>>> question I have NOT taken ownership on yet.
>>>
>>> Can any of you MVP gurus give me a clue or some guidance on how I might
>>> recover that old certificate (assuming it is possible)? Where would that
>>> default EFS certificate be stored on the old drive, and how could I
>>> access it currently?
>>>
>>> thanks
>>> John
>>>
>>
>> Unless you backed up the key to that encryption, you can kiss that folder
>> goodbye, as there is no way to retrieve the info from it without it.
>
> Really... not even when you have the original drive?? I would assume - if
> I could ever get that drive to boot again - that the info would still be
> there, and including the default EFS certificate the system was using
> under that user. No??
>
> And if so it would seem there should be some way to recover the embedded
> EFS certificate the system was using.
>
> Or perhaps I am using poor logic or misunderstand how the EFS certificate
> system works??
>
> John

It's possible that you didn't back up, or make a key; open Help and Support,
and type EFS in the search box, and read the related links in the left
column.
March 12, 2005 12:20:11 PM

"Tom" <noway@nothere.com> wrote in message
news:edOEY6wJFHA.3832@TK2MSFTNGP10.phx.gbl...
>
> "John" <john@nospam.com> wrote in message
> news:%23Qx7PswJFHA.3596@TK2MSFTNGP14.phx.gbl...
>>
>> "Tom" <noway@nothere.com> wrote in message
>> news:u9TKFlwJFHA.1392@TK2MSFTNGP10.phx.gbl...
>>>
>>> "John" <john@nospam.com> wrote in message
>>> news:eWYzGnvJFHA.3184@TK2MSFTNGP09.phx.gbl...
>>>>I have a hard drive (w/ XP Pro SP2) that refused to boot up recently
>>>>because the 'system' files became corrupted after I loaded the new
>>>>Norton 2005 AV. It would not even boot to any restore points or any safe
>>>>modes - 'corrupted config/system file(s).'
>>>>
>>>> Anyway... I bought a new drive and loaded it with XP SP2 as well. I
>>>> assigned the old drive as a "slave" to the new one so I could recover
>>>> some critical data files (which worked just fine). However, I had (1)
>>>> folder that was encrypted on the old drive and I never had assigned an
>>>> EFS Recovery Agent - which means it used the default Administrator
>>>> certificate (I assume). Of course I can not access that one folder
>>>> currently.
>>>>
>>>> Is there ANY way to get at that certificate from the old drive? I did
>>>> NOT reformat it (I just reassigned it as a "slave" to the new drive).
>>>> The old 'ownership' still shows up since I have only changed ownership
>>>> on a few of the folders that I had to recover. The encrypted folder in
>>>> question I have NOT taken ownership on yet.
>>>>
>>>> Can any of you MVP gurus give me a clue or some guidance on how I might
>>>> recover that old certificate (assuming it is possible)? Where would
>>>> that default EFS certificate be stored on the old drive, and how could
>>>> I access it currently?
>>>>
>>>> thanks
>>>> John
>>>>
>>>
>>> Unless you backed up the key to that encryption, you can kiss that
>>> folder goodbye, as there is no way to retrieve the info from it without
>>> it.
>>
>> Really... not even when you have the original drive?? I would assume - if
>> I could ever get that drive to boot again - that the info would still be
>> there, and including the default EFS certificate the system was using
>> under that user. No??
>>
>> And if so it would seem there should be some way to recover the embedded
>> EFS certificate the system was using.
>>
>> Or perhaps I am using poor logic or misunderstand how the EFS certificate
>> system works??
>>
>> John
>
> It's possible that you didn't back up, or make a key; open Help and
> Support, and type EFS in the search box, and read the related links in the
> left column.

Yes... thanks Tom. No I did not back up the key to floppy as I should have
(unfortunately), and in fact had forgotten that I still even had that one
encrypted folder (has old email in it that I'd love to get back). Where I
REALLY screwed up was failing to set up a system-wide Recovery Agent and
keeping that certificate on floppy. Dumb oversight on my part.

But really my question was related to WHERE that EFS certificate and
associated key would be stored on my old drive. It would seem it has to be
stored somewhere, and associated under the user that originally encrypted
any folders/files (has a specific thumbprint).

Am I all wet here for some reason? I really didn't see anything in the HELP
or knowledge base that gave me much direction in finding where the system
specifically stores those certificates, or if there might be a way to
recover them since I still have the old drive available to me.
Anonymous
March 12, 2005 12:20:12 PM

> Yes... thanks Tom. No I did not back up the key to floppy as I should have
> (unfortunately), and in fact had forgotten that I still even had that one
> encrypted folder (has old email in it that I'd love to get back). Where I
> REALLY screwed up was failing to set up a system-wide Recovery Agent and
> keeping that certificate on floppy. Dumb oversight on my part.
>
> But really my question was related to WHERE that EFS certificate and
> associated key would be stored on my old drive. It would seem it has to be
> stored somewhere, and associated under the user that originally encrypted
> any folders/files (has a specific thumbprint).
>
> Am I all wet here for some reason? I really didn't see anything in the
> HELP or knowledge base that gave me much direction in finding where the
> system specifically stores those certificates, or if there might be a way
> to recover them since I still have the old drive available to me.

John

If you could recover a certificate that way then anyone that had physical
access to the computer could access encrypted files. It can only be done by
exporting the key for a reason. I know of no way to recover your data.

Kerry
March 12, 2005 1:02:23 PM

"Kerry Brown" <kerry@kdbNOSPAMsystems.c*o*m> wrote in message
news:uhf%23XixJFHA.3596@TK2MSFTNGP14.phx.gbl...
>> Yes... thanks Tom. No I did not back up the key to floppy as I should have
>> (unfortunately), and in fact had forgotten that I still even had that one
>> encrypted folder (has old email in it that I'd love to get back). Where I
>> REALLY screwed up was failing to set up a system-wide Recovery Agent and
>> keeping that certificate on floppy. Dumb oversight on my part.
>>
>> But really my question was related to WHERE that EFS certificate and
>> associated key would be stored on my old drive. It would seem it has to
>> be stored somewhere, and associated under the user that originally
>> encrypted any folders/files (has a specific thumbprint).
>>
>> Am I all wet here for some reason? I really didn't see anything in the
>> HELP or knowledge base that gave me much direction in finding where the
>> system specifically stores those certificates, or if there might be a way
>> to recover them since I still have the old drive available to me.
>
> John
>
> If you could recover a certificate that way then anyone that had physical
> access to the computer could access encrypted files. It can only be done
> by exporting the key for a reason. I know of no way to recover your data.

Well... actually they would have to know the user's password I assume (which
I have of course). But, apparently there is no way to recover the EFS
certificate short of getting that drive to boot up again (apparently).

thanks

John
Anonymous
March 12, 2005 1:14:40 PM

"John" <john@nospam.com> wrote in message
news:%23ShDmzxJFHA.4092@tk2msftngp13.phx.gbl...
>
> "Kerry Brown" <kerry@kdbNOSPAMsystems.c*o*m> wrote in message
> news:uhf%23XixJFHA.3596@TK2MSFTNGP14.phx.gbl...
>>> Yes... thanks Tom. No I did not back up the key to floppy as I should
>>> have (unfortunately), and in fact had forgotten that I still even had
>>> that one encrypted folder (has old email in it that I'd love to get
>>> back). Where I REALLY screwed up was failing to set up a system-wide
>>> Recovery Agent and keeping that certificate on floppy. Dumb oversight on
>>> my part.
>>>
>>> But really my question was related to WHERE that EFS certificate and
>>> associated key would be stored on my old drive. It would seem it has to
>>> be stored somewhere, and associated under the user that originally
>>> encrypted any folders/files (has a specific thumbprint).
>>>
>>> Am I all wet here for some reason? I really didn't see anything in the
>>> HELP or knowledge base that gave me much direction in finding where the
>>> system specifically stores those certificates, or if there might be a
>>> way to recover them since I still have the old drive available to me.
>>
>> John
>>
>> If you could recover a certificate that way then anyone that had physical
>> access to the computer could access encrypted files. It can only be done
>> by exporting the key for a reason. I know of no way to recover your data.
>
> Well... actually they would have to know the user's password I assume
> (which I have of course). But, apparently there is no way to recover the
> EFS certificate short of getting that drive to boot up again (apparently).
>

If they have administrator status and the certificate was available in your
profile they wouldn't need the password. That's why EFS works as it does. If
someone could access the computer and get the certificate it wouldn't be
hard to use a brute force attack on the encrypted file.

I actually did the same thing as you a few years back. I was experimenting
with EFS and for some reason encrypted my PST file. I promptly forgot it was
encrypted. Some time later I bought a new computer and transferred all my
data and wiped the old computer before selling it. Went into Outlook, tried
to import the old data and bingo, I was hooped. Luckily I had a complete
backup of the old computer. It took some time, had to restore the old
system, do a repair install, unencrypt the file, then rebuild the new
computer again. Doing this once is enough to make sure the first thing after
using EFS you always export the cert. :-)

Kerry
Anonymous
March 13, 2005 12:16:25 PM

>> "Kerry Brown" <kerry@kdbNOSPAMsystems.c*o*m> wrote in message
>> news:uhf%23XixJFHA.3596@TK2MSFTNGP14.phx.gbl...
>
> If they have administrator status and the certificate was available in
> your profile they wouldn't need the password. That's why EFS works as it
> does. If someone could access the computer and get the certificate it
> wouldn't be hard to use a brute force attack on the encrypted file.
>
>
> Kerry
>

John

I may have been in error with this post. See this link for more details:

http://www.beginningtoseethelight.org/efsrecovery/

I haven't tried this but it does look like the procedure may work in your
case. I found the link on one of the other XP newsgroups.

Kerry