Questions About Recovering EFS Security Certificate

Archived from groups: microsoft.public.windowsxp.help_and_support

I have a hard drive (w/ XP Pro SP2) that refused to boot up recently because
the 'system' files became corrupted after I loaded the new Norton 2005 AV.
It would not even boot to any restore points or any safe modes - 'corrupted
config/system file(s).'

Anyway... I bought a new drive and loaded it with XP SP2 as well. I assigned
the old drive as a "slave" to the new one so I could recover some critical
data files (which worked just fine). However, I had (1) folder that was
encrypted on the old drive and I never had assigned an EFS Recovery Agent -
which means it used the default Administrator certificate (I assume). Of
course I cannot access that one folder currently.

Is there ANY way to get at that certificate from the old drive? I did NOT
reformat it (I just reassigned it as a "slave" to the new drive). The old
'ownership' still shows up since I have only changed ownership on a few of
the folders that I had to recover. The encrypted folder in question I have
NOT taken ownership on yet.

Can any of you MVP gurus give me a clue or some guidance on how I might
recover that old certificate (assuming it is possible)? Where would that
default EFS certificate be stored on the old drive, and how could I access
it currently?

thanks
John
  1.

    "John" <john@nospam.com> wrote in message
    news:eWYzGnvJFHA.3184@TK2MSFTNGP09.phx.gbl...
    >I have a hard drive (w/ XP Pro SP2) that refused to boot up recently
    >because the 'system' files became corrupted after I loaded the new Norton
    >2005 AV. It would not even boot to any restore points or any safe modes -
    >'corrupted config/system file(s).'
    >
    > Anyway... I bought a new drive and loaded it with XP SP2 as well. I
    > assigned the old drive as a "slave" to the new one so I could recover some
    > critical data files (which worked just fine). However, I had (1) folder
    > that was encrypted on the old drive and I never had assigned an EFS
    > Recovery Agent - which means it used the default Administrator certificate
    > (I assume). Of course I cannot access that one folder currently.
    >
    > Is there ANY way to get at that certificate from the old drive? I did NOT
    > reformat it (I just reassigned it as a "slave" to the new drive). The old
    > 'ownership' still shows up since I have only changed ownership on a few of
    > the folders that I had to recover. The encrypted folder in question I have
    > NOT taken ownership on yet.
    >
    > Can any of you MVP gurus give me a clue or some guidance on how I might
    > recover that old certificate (assuming it is possible)? Where would that
    > default EFS certificate be stored on the old drive, and how could I access
    > it currently?
    >
    > thanks
    > John
    >

    Unless you backed up the key to that encryption, you can kiss that folder
    goodbye, as there is no way to retrieve the info from it without it.
  2.

    "Tom" <noway@nothere.com> wrote in message
    news:u9TKFlwJFHA.1392@TK2MSFTNGP10.phx.gbl...
    >
    > "John" <john@nospam.com> wrote in message
    > news:eWYzGnvJFHA.3184@TK2MSFTNGP09.phx.gbl...
    >>I have a hard drive (w/ XP Pro SP2) that refused to boot up recently
    >>because the 'system' files became corrupted after I loaded the new Norton
    >>2005 AV. It would not even boot to any restore points or any safe modes -
    >>'corrupted config/system file(s).'
    >>
    >> Anyway... I bought a new drive and loaded it with XP SP2 as well. I
    >> assigned the old drive as a "slave" to the new one so I could recover
    >> some critical data files (which worked just fine). However, I had (1)
    >> folder that was encrypted on the old drive and I never had assigned an
    >> EFS Recovery Agent - which means it used the default Administrator
    >> certificate (I assume). Of course I cannot access that one folder
    >> currently.
    >>
    >> Is there ANY way to get at that certificate from the old drive? I did NOT
    >> reformat it (I just reassigned it as a "slave" to the new drive). The old
    >> 'ownership' still shows up since I have only changed ownership on a few
    >> of the folders that I had to recover. The encrypted folder in question I
    >> have NOT taken ownership on yet.
    >>
    >> Can any of you MVP gurus give me a clue or some guidance on how I might
    >> recover that old certificate (assuming it is possible)? Where would that
    >> default EFS certificate be stored on the old drive, and how could I
    >> access it currently?
    >>
    >> thanks
    >> John
    >>
    >
    > Unless you backed up the key to that encryption, you can kiss that folder
    > goodbye, as there is no way to retrieve the info from it without it.

    Really... not even when you have the original drive?? I would assume - if I
    could ever get that drive to boot again - that the info would still be
    there, and including the default EFS certificate the system was using under
    that user. No??

    And if so it would seem there should be some way to recover the embedded EFS
    certificate the system was using.

    Or perhaps I am using poor logic or misunderstand how the EFS certificate
    system works??

    John
  3.

    "John" <john@nospam.com> wrote in message
    news:%23Qx7PswJFHA.3596@TK2MSFTNGP14.phx.gbl...
    >
    > "Tom" <noway@nothere.com> wrote in message
    > news:u9TKFlwJFHA.1392@TK2MSFTNGP10.phx.gbl...
    >>
    >> "John" <john@nospam.com> wrote in message
    >> news:eWYzGnvJFHA.3184@TK2MSFTNGP09.phx.gbl...
    >>>I have a hard drive (w/ XP Pro SP2) that refused to boot up recently
    >>>because the 'system' files became corrupted after I loaded the new Norton
    >>>2005 AV. It would not even boot to any restore points or any safe modes -
    >>>'corrupted config/system file(s).'
    >>>
    >>> Anyway... I bought a new drive and loaded it with XP SP2 as well. I
    >>> assigned the old drive as a "slave" to the new one so I could recover
    >>> some critical data files (which worked just fine). However, I had (1)
    >>> folder that was encrypted on the old drive and I never had assigned an
    >>> EFS Recovery Agent - which means it used the default Administrator
    >>> certificate (I assume). Of course I cannot access that one folder
    >>> currently.
    >>>
    >>> Is there ANY way to get at that certificate from the old drive? I did
    >>> NOT reformat it (I just reassigned it as a "slave" to the new drive).
    >>> The old 'ownership' still shows up since I have only changed ownership
    >>> on a few of the folders that I had to recover. The encrypted folder in
    >>> question I have NOT taken ownership on yet.
    >>>
    >>> Can any of you MVP gurus give me a clue or some guidance on how I might
    >>> recover that old certificate (assuming it is possible)? Where would that
    >>> default EFS certificate be stored on the old drive, and how could I
    >>> access it currently?
    >>>
    >>> thanks
    >>> John
    >>>
    >>
    >> Unless you backed up the key to that encryption, you can kiss that folder
    >> goodbye, as there is no way to retrieve the info from it without it.
    >
    > Really... not even when you have the original drive?? I would assume - if
    > I could ever get that drive to boot again - that the info would still be
    > there, and including the default EFS certificate the system was using
    > under that user. No??
    >
    > And if so it would seem there should be some way to recover the embedded
    > EFS certificate the system was using.
    >
    > Or perhaps I am using poor logic or misunderstand how the EFS certificate
    > system works??
    >
    > John

    It's possible that you didn't back up, or make a key; open Help and Support,
    and type EFS in the search box, and read the related links in the left
    column.
  4.

    "Tom" <noway@nothere.com> wrote in message
    news:edOEY6wJFHA.3832@TK2MSFTNGP10.phx.gbl...
    >
    > "John" <john@nospam.com> wrote in message
    > news:%23Qx7PswJFHA.3596@TK2MSFTNGP14.phx.gbl...
    >>
    >> "Tom" <noway@nothere.com> wrote in message
    >> news:u9TKFlwJFHA.1392@TK2MSFTNGP10.phx.gbl...
    >>>
    >>> "John" <john@nospam.com> wrote in message
    >>> news:eWYzGnvJFHA.3184@TK2MSFTNGP09.phx.gbl...
    >>>>I have a hard drive (w/ XP Pro SP2) that refused to boot up recently
    >>>>because the 'system' files became corrupted after I loaded the new
    >>>>Norton 2005 AV. It would not even boot to any restore points or any safe
    >>>>modes - 'corrupted config/system file(s).'
    >>>>
    >>>> Anyway... I bought a new drive and loaded it with XP SP2 as well. I
    >>>> assigned the old drive as a "slave" to the new one so I could recover
    >>>> some critical data files (which worked just fine). However, I had (1)
    >>>> folder that was encrypted on the old drive and I never had assigned an
    >>>> EFS Recovery Agent - which means it used the default Administrator
    >>>> certificate (I assume). Of course I cannot access that one folder
    >>>> currently.
    >>>>
    >>>> Is there ANY way to get at that certificate from the old drive? I did
    >>>> NOT reformat it (I just reassigned it as a "slave" to the new drive).
    >>>> The old 'ownership' still shows up since I have only changed ownership
    >>>> on a few of the folders that I had to recover. The encrypted folder in
    >>>> question I have NOT taken ownership on yet.
    >>>>
    >>>> Can any of you MVP gurus give me a clue or some guidance on how I might
    >>>> recover that old certificate (assuming it is possible)? Where would
    >>>> that default EFS certificate be stored on the old drive, and how could
    >>>> I access it currently?
    >>>>
    >>>> thanks
    >>>> John
    >>>>
    >>>
    >>> Unless you backed up the key to that encryption, you can kiss that
    >>> folder goodbye, as there is no way to retrieve the info from it without
    >>> it.
    >>
    >> Really... not even when you have the original drive?? I would assume - if
    >> I could ever get that drive to boot again - that the info would still be
    >> there, and including the default EFS certificate the system was using
    >> under that user. No??
    >>
    >> And if so it would seem there should be some way to recover the embedded
    >> EFS certificate the system was using.
    >>
    >> Or perhaps I am using poor logic or misunderstand how the EFS certificate
    >> system works??
    >>
    >> John
    >
    > It's possible that you didn't back up, or make a key; open Help and
    > Support, and type EFS in the search box, and read the related links in the
    > left column.

    Yes... thanks Tom. No I did not back up the key to floppy as I should have
    (unfortunately), and in fact had forgotten that I still even had that one
    encrypted folder (has old email in it that I'd love to get back). Where I
    REALLY screwed up was failing to set up a system-wide Recovery Agent and
    keeping that certificate on floppy. Dumb oversight on my part.

    But really my question was related to WHERE that EFS certificate and
    associated key would be stored on my old drive. It would seem it has to be
    stored somewhere, and associated under the user that originally encrypted
    any folders/files (has a specific thumbprint).

    Am I all wet here for some reason? I really didn't see anything in the HELP
    or knowledge base that gave me much direction in finding where the system
    specifically stores those certificates, or if there might be a way to
    recover them since I still have the old drive available to me.
  5.

    > Yes... thanks Tom. No I did not back up the key to floppy as I should have
    > (unfortunately), and in fact had forgotten that I still even had that one
    > encrypted folder (has old email in it that I'd love to get back). Where I
    > REALLY screwed up was failing to set up a system-wide Recovery Agent and
    > keeping that certificate on floppy. Dumb oversight on my part.
    >
    > But really my question was related to WHERE that EFS certificate and
    > associated key would be stored on my old drive. It would seem it has to be
    > stored somewhere, and associated under the user that originally encrypted
    > any folders/files (has a specific thumbprint).
    >
    > Am I all wet here for some reason? I really didn't see anything in the
    > HELP or knowledge base that gave me much direction in finding where the
    > system specifically stores those certificates, or if there might be a way
    > to recover them since I still have the old drive available to me.

    John

    If you could recover a certificate that way then anyone that had physical
    access to the computer could access encrypted files. It can only be done by
    exporting the key for a reason. I know of no way to recover your data.

    Kerry
  6.

    "Kerry Brown" <kerry@kdbNOSPAMsystems.c*o*m> wrote in message
    news:uhf%23XixJFHA.3596@TK2MSFTNGP14.phx.gbl...
    >> Yes... thanks Tom. No I did not back up the key to floppy as I should have
    >> (unfortunately), and in fact had forgotten that I still even had that one
    >> encrypted folder (has old email in it that I'd love to get back). Where I
    >> REALLY screwed up was failing to set up a system-wide Recovery Agent and
    >> keeping that certificate on floppy. Dumb oversight on my part.
    >>
    >> But really my question was related to WHERE that EFS certificate and
    >> associated key would be stored on my old drive. It would seem it has to
    >> be stored somewhere, and associated under the user that originally
    >> encrypted any folders/files (has a specific thumbprint).
    >>
    >> Am I all wet here for some reason? I really didn't see anything in the
    >> HELP or knowledge base that gave me much direction in finding where the
    >> system specifically stores those certificates, or if there might be a way
    >> to recover them since I still have the old drive available to me.
    >
    > John
    >
    > If you could recover a certificate that way then anyone that had physical
    > access to the computer could access encrypted files. It can only be done
    > by exporting the key for a reason. I know of no way to recover your data.

    Well... actually they would have to know the user's password I assume (which
    I have of course). But, apparently there is no way to recover the EFS
    certificate short of getting that drive to boot up again (apparently).

    thanks

    John
  7.

    "John" <john@nospam.com> wrote in message
    news:%23ShDmzxJFHA.4092@tk2msftngp13.phx.gbl...
    >
    > "Kerry Brown" <kerry@kdbNOSPAMsystems.c*o*m> wrote in message
    > news:uhf%23XixJFHA.3596@TK2MSFTNGP14.phx.gbl...
    >>> Yes... thanks Tom. No I did not back up the key to floppy as I should
    >>> have (unfortunately), and in fact had forgotten that I still even had
    >>> that one encrypted folder (has old email in it that I'd love to get
    >>> back). Where I REALLY screwed up was failing to set up a system-wide
    >>> Recovery Agent and keeping that certificate on floppy. Dumb oversight on
    >>> my part.
    >>>
    >>> But really my question was related to WHERE that EFS certificate and
    >>> associated key would be stored on my old drive. It would seem it has to
    >>> be stored somewhere, and associated under the user that originally
    >>> encrypted any folders/files (has a specific thumbprint).
    >>>
    >>> Am I all wet here for some reason? I really didn't see anything in the
    >>> HELP or knowledge base that gave me much direction in finding where the
    >>> system specifically stores those certificates, or if there might be a
    >>> way to recover them since I still have the old drive available to me.
    >>
    >> John
    >>
    >> If you could recover a certificate that way then anyone that had physical
    >> access to the computer could access encrypted files. It can only be done
    >> by exporting the key for a reason. I know of no way to recover your data.
    >
    > Well... actually they would have to know the user's password I assume
    > (which I have of course). But, apparently there is no way to recover the
    > EFS certificate short of getting that drive to boot up again (apparently).
    >

    If they have administrator status and the certificate was available in your
    profile they wouldn't need the password. That's why EFS works as it does. If
    someone could access the computer and get the certificate it wouldn't be
    hard to use a brute force attack on the encrypted file.

    I actually did the same thing as you a few years back. I was experimenting
    with EFS and for some reason encrypted my PST file. I promptly forgot it was
    encrypted. Some time later I bought a new computer and transferred all my
    data and wiped the old computer before selling it. Went into Outlook, tried
    to import the old data and bingo, I was hooped. Luckily I had a complete
    backup of the old computer. It took some time, had to restore the old
    system, do a repair install, unencrypt the file, then rebuild the new
    computer again. Doing this once is enough to make sure the first thing after
    using EFS you always export the cert. :-)

    Kerry
  8.

    >> "Kerry Brown" <kerry@kdbNOSPAMsystems.c*o*m> wrote in message
    >> news:uhf%23XixJFHA.3596@TK2MSFTNGP14.phx.gbl...
    >
    > If they have administrator status and the certificate was available in
    > your profile they wouldn't need the password. That's why EFS works as it
    > does. If someone could access the computer and get the certificate it
    > wouldn't be hard to use a brute force attack on the encrypted file.
    >
    >
    > Kerry
    >

    John

    I may have been in error with this post. See this link for more details:

    http://www.beginningtoseethelight.org/efsrecovery/

    I haven't tried this but it does look like the procedure may work in your
    case. I found the link on one of the other XP newsgroups.

    Kerry