|
How to decrypt EFS-protected restored files?
I had a directory configured to use EFS (so anything put under it got
encrypted). I export my EFS certificate to a floppy. My system crashed and a disk image wouldn't work (because of changes in the hardware). However, I could still use the ImageExplorer that comes with DriveImage to peruse the contents of the image files to extract files out of them. So I've tried the following: - Extracted the files from disk image. Cannot view them because of the EFS protection. Imported the EFS certificate used when the files got encrypted. It was imported under the Personal store for certificates. Could not open the files. - Deleted the EFS certificate and re-imported it but this time left the option selected to have Windows XP automatically determine under which certificate store to place the certificate. It imported it to the Trusted People certificate store. Still couldn't access the encrypted files. - Figuring that EFS had not yet been implemented on my new install and that maybe the imported EFS certificate would not get exercised until EFS was used, I right-clicked on a folder and had it encrypted. Then I copied the files to under this directory figuring that the certificate might also have to be imported before moving the files into an EFS-protected directory. Still cannot access the file contents. I've read several KB articles and the included help but it really never describes the steps in restoring EFS-protected files, the order of importing the EFS certificate (before or after the files have been restored to the new instance of Windows), or if importing the EFS certificate after restoring the files (or before) would allow access to them (or if I also need to actually implement EFS to have it utilize the imported certificate). I see mention of how use EFS, export certificates, manage them, import them, and some vague inferences in using them against encrypted files but no real instructions. After a few hours, I've exhausted what I could come up for a procedure to decrypt these files. Any ideas? -- __________________________________________________ __________ *** Post replies to newsgroup. Share with others. *** Email: domain = ".com" and append "=NEWS=" to Subject. __________________________________________________ __________ -- __________________________________________________ __________ *** Post replies to newsgroup. Share with others. *** Email: domain = ".com" and append "=NEWS=" to Subject. __________________________________________________ __________ |
Re: How to decrypt EFS-protected restored files?
"*Vanguard*" <no-email@reply-to-newsgroup.invalid> wrote in message news:efGdnYYzL5GFqgHdRVn-jg@comcast.com... > I had a directory configured to use EFS (so anything put under it got > encrypted). I export my EFS certificate to a floppy. My system crashed and > a disk image wouldn't work (because of changes in the hardware). However, I > could still use the ImageExplorer that comes with DriveImage to peruse the > contents of the image files to extract files out of them. So I've tried the > following: > > - Extracted the files from disk image. Cannot view them because of the EFS > protection. Imported the EFS certificate used when the files got encrypted. > It was imported under the Personal store for certificates. Could not open > the files. > > - Deleted the EFS certificate and re-imported it but this time left the > option selected to have Windows XP automatically determine under which > certificate store to place the certificate. It imported it to the Trusted > People certificate store. Still couldn't access the encrypted files. > > - Figuring that EFS had not yet been implemented on my new install and that > maybe the imported EFS certificate would not get exercised until EFS was > used, I right-clicked on a folder and had it encrypted. Then I copied the > files to under this directory figuring that the certificate might also have > to be imported before moving the files into an EFS-protected directory. > Still cannot access the file contents. > > I've read several KB articles and the included help but it really never > describes the steps in restoring EFS-protected files, the order of importing > the EFS certificate (before or after the files have been restored to the new > instance of Windows), or if importing the EFS certificate after restoring > the files (or before) would allow access to them (or if I also need to > actually implement EFS to have it utilize the imported certificate). I see > mention of how use EFS, export certificates, manage them, import them, and > some vague inferences in using them against encrypted files but no real > instructions. After a few hours, I've exhausted what I could come up for a > procedure to decrypt these files. Any ideas? One thing you can try is to import your certificate to another computer running XP Pro and copy your encrypted files to that computer and you should be able to view them. It doesn't fix your problem but at least you should be able to recover your files. |
Re: How to decrypt EFS-protected restored files?
karen said in news:c0gnc.33036$6L3.16945@fed1read05:
> > One thing you can try is to import your certificate to another > computer running XP Pro and copy your encrypted files to that > computer and you should be able to view them. It doesn't fix your > problem but at least you should be able to recover your files. That's basically what happened. My current instance of Windows became unusable due to a hardware change and some corruption. It was about time for a cleanup so I did a fresh install (so that is the other computer to which you refer). I then imported the EFS certicate that had been previously exported onto a floppy from the original instance of Windows. Then I recovered the files. I can get the data files. That is not a problem. I save disk images using DriveImage 2002 and it has its ImageExplorer to let you yank out individual files. So in a fresh install of Windows XP Pro, I imported the old EFS certificiate from the floppy and recovered the files from the drive image fileset. Yet I cannot get into the files. Any attempt to read one of the EFS-protected files results in "access denied" (and I checked the permissions which are okay). When I recovered the encrypted files using ImageExplorer to yank them from the disk image backup, I simply put them into a directory. Got the access denied error. Figuring that maybe the EFS certificate would not get applied unless the files were actually under an EFS-enabled folder (since I didn't want to individually set EFS on all the files), I configured their holding directory to enable EFS (so the EFS certificates would get applied). Summary. Was running Windows XP Pro SP-1. Was using EFS. Exported the EFS certificates to floppy (for both the user account that was using EFS and Administrator which had been designated a recovery agent). Had disk images for backups. Can use ImageExplorer to extract individual files from the disk images. Did a fresh install of Windows XP. Imported the EFS certificates. Pulled the old data files out of the disk image backup. Cannot access their contents (i.e., cannot read them). -- __________________________________________________ __________ *** Post replies to newsgroup. Share with others. *** Email: domain = ".com" and append "=NEWS=" to Subject. __________________________________________________ __________ |
Re: How to decrypt EFS-protected restored files?
It could be in the sequence you used. Importing your certificate before you
had encrypted any files on your new installation. The individual file names of your encrypted files are still readable? I would try creating a new administrator account, encrpyt a file which of course would create a new certificate then import your backed up certificate. Next copy one encrypted text file to your desktop for example and see if you are still denied access. |
Re: How to decrypt EFS-protected restored files?
karen said in news:zU3oc.36654$6L3.30541@fed1read05:
> It could be in the sequence you used. Importing your certificate > before you had encrypted any files on your new installation. > > The individual file names of your encrypted files are still readable? > I would try creating a new administrator account, encrpyt a file > which of course would create a new certificate then import your > backed up certificate. Next copy one encrypted text file to your > desktop for example and see if you are still denied access. Thanks for the hint. At this point, I cannot remember if I had already created an EFS certificate (a new one) on my new Windows XP install before yanking the encrypted files from the disk image fileset. The individual filenames were always readable. When I realized that I had not yet used EFS in the new install (so there were no EFS certificates yet created), I deleted the imported certificates, I created an EFS-protected folder which gave me the new EFS certificate, I re-imported the old certificates, and then tried to yank the files while putting them under the EFS-protected folder. Didn't work. At this point, I've run out of time to expend on this and need to get back to real work. Nothing was stored in the EFS-protected folder that couldn't be rebuilt or retrieved from other media. I had my user-created files under the folder on backup tape and which had been saved before EFS had been applied to the folder (so the data files on tape were not encrypted). The other-sourced data files were on other CDs (not encrypted). So I think I've got back all my data files but now I'm a bit gun shy on employing EFS on the data folder. Would have been much easier, faster, and reassuring if the cert import and file retrieve had worked right. I'm wondering at this point if maybe yanking individual files out of a disk image won't work for EFS protected files. I recall the same scenario a couple years back under Windows 2000 which did work when I retrieved the encrypted files from a tape backup (which is a logical backup that actually reads the files rather than a physical backup using a disk image that records the data in sectors). For as slow as is ImageExplorer at yanking out 20,000+ files under a directory when rebuilding logical files from the physical sector data, I'll use tape from now on and keep the disk images only for disaster recovery to rebuild the entire partition (if it still works since significant hardware changes seems to render them unusable). Extracting thousands of files using ImageExplorer took hours to run. A tape restore would be faster. I've done the EFS file recovery before (but under Windows 2000 instead of Windows XP) and it worked, so the only significant difference this time was yanking files from a disk image rather than pulling them off tape. -- __________________________________________________ __________ *** Post replies to newsgroup. Share with others. *** Email: domain = ".com" and append "=NEWS=" to Subject. __________________________________________________ __________ |
ACCESS DENIED in NTFS files;
hi,
i have a laptop winxp-pro sp2 with a fat32 partition (system root) and another partition for secured data; essentially some xl files, jpg files, some ppt and proposal files. the secured file system was working well with no problem till a week back when i thought of using IE7( i am not sure ie7 is the culprit); i loaded ie7 restarted the machine; the fat partition is visible and accessible; NTFS partition, files are visibily listed but on opening, "Access Denied" pops up; i am the single user (so obviously with administrator rights) of the laptop (no password used for login). i checked and found the certificate thumbprint of the inaccessible files lists my name (neelakantan@laptop) as the owner with all permissions; but i am denied the access; i tried to login as administrator (through safeboot) and also tried to provide full access to everyuser; still "access denied" pops up. i created a new file and checked its certificate hash; it is different from the one listed for inaccessible files; i ran a file recovery to recover the old certifcates and keys and obtained the old private key and master key; using them with ELCOMsoft's EFS data recovery theoretically redecrypts files (it lists all 245 files are decryptable); but when i open the decrypt file, they have garbage at regular intervals; i checked with a hex editor and found that 16bytes at every 512byte is not decrypted or garbaged; this results in ppt and xl files not opening and the doc files coming with garbage. how to get access to the old files and remove the new keys and restore the old ones? neelakantan |
| All times are GMT. The time now is 09:39 PM. |
Powered by vBulletin®. Copyright ©2000 - 2013, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.