
Decrypting files without recovery certificate



#1
tomdrayson

Hi, I recently had to format my hard disk and reinstall Windows from my recovery disk. Unfortunately, I was not aware that for some reason, some of my files had been encrypted using the previous Windows installation. I don't know why I would have done this, and the files were NOT green on the previous installation, which I thought was supposed to be the indicator for encrypted files, so I did not know that they were encrypted when I backed them up.

Anyway, now I cannot access my own files, because I did NOT back up a certificate or key or whatever it is (I don't know much about encryption). I don't remember ever being warned or informed about encryption by Windows, or being asked to create a certificate, so I must never have done so. Ok, it was obviously stupid to encrypt files without reading about it first, but I would expect Windows to warn people about it.

So, I need to decrypt these files without any authentication, basically! Surely there must be a way, as I have read about many other people faced with the same dilemma!

I may be able to recover my deleted "Documents and Settings" folder from the previous installation using a data recovery tool, would this make it any easier?

Thanks
  • 0



#2
gerryf

if you can recover that folder, yes, it may be the only way to get your data

Offhand, the way to recover the data was to use the local administrator account, which by default is the recovery agent. Because you formatted, you wiped out that account too.

See if you can get that folder back, and see if these folders exist

This store is located in the Documents and Settings\<username>\ApplicationData\Microsoft\SystemCertificates\My\Certificates

This store is located in the Documents and Settings\Administrator\ApplicationData\Microsoft\SystemCertificates\My\Certificates
  • 0

#3
tomdrayson

Ok thanks. Although I did not create any kind of record before formatting, so will there still be a certificate? You will be aware that I am not very knowledgeable on the subject!

Edited by tomdrayson, 14 February 2006 - 11:38 AM.

  • 0

#4
gerryf

this one is a new one for me, too

I am hoping there will be one in there, and that it is somehow transferable to your current system...I cannot swear that it will be, since I am not 100 percent certain how the certificate is formed....

If it just uses your username, I think we can make a go of it, but if it uses the SID, we're in trouble

The certificate will look something like this
C5676869FD4E3BFB624BD0D83D895B49196661AC
  • 0

#5
tomdrayson

OK, the next thing is to find a good data recovery program! Do you know of any which can restore these folders after a format?
Thanks
  • 0

#6
gerryf

so, no backup?

No free ones that are guaranteed to work...this product is supposed to be able to achieve it, but recognize that installing a new OS on top of the old drive greatly reduces any chance of success

http://www.r-undelete.com/
  • 0

#7
tomdrayson

Well, I backed up all the files I thought I needed! Yeh, this OS is over the top of the previous one, and therefore so is my "Documents and Settings" folder. Not looking good. Although I have no \Microsoft\SystemCertificates\My\Certificates\ directory on this installation as I have not encrypted any files.
Supposing I cannot recover this folder, or it doesn't work, is there actually another way to decrypt the files? Expensive software?
Thanks
  • 0

#8
tomdrayson

The R-Undelete demo did not find the folder to recover, but a program called Active Undelete did! I now have what looks like my old certificate file! Now.....what do I do with it....
Thanks
  • 0

#9
gerryf

is your current user name and your previous user name the same? I mean EXACTLY the same?

If so, place it in
c:\documents and Settings\<username>\ApplicationData\Microsoft\SystemCertificates\My\Certificates

then, right click the file and see if you can unencrypt it under PROPERTIES > Advanced
  • 0

#10
tomdrayson

The user name is exactly the same, as is the computer name (not sure whether that makes any difference). The certificate is not encrypted.
  • 0



#11
tomdrayson

Can I recover my data using just this certificate? If so, how?
Thanks

Edited by tomdrayson, 15 February 2006 - 02:00 PM.

  • 0

#12
gerryf

I do not know....did you do this?

is your current user name and your previous user name the same? I mean EXACTLY the same?

If so, place it in
c:\documents and Settings\<username>\ApplicationData\Microsoft\SystemCertificates\My\Certificates

then, right click the file and see if you can unencrypt it under PROPERTIES > Advanced

Here is the thing....each user and each computer gets a completely unique security identifier (a SID)...I am not sure if the certificate uses that information or not--I can tell by looking at one in a hex editor that the certificate does use the username account.

If it is this easy, I have serious doubts about Microsoft security.
  • 0

#13
tomdrayson

yeh I put it in that folder, but I still get "Access Denied" if I try to remove encryption.
How about trying to recover the Administrator certificate and doing it that way, I think the Administrator account is a "recovery agent" or something, only thing is, I can't recover this certificate using this data recovery app, only the one for my user name, so I'll have to try a different one.
What is a "private key"? Maybe I need this as well?
Thanks

Edited by tomdrayson, 15 February 2006 - 02:26 PM.

  • 0

#14
gerryf

if that did not work, neither will the recovery agent

Here's how Windows encryption works in a VERY SIMPLIFIED EXPLANATION

User A wants to encrypt a file, and directs Windows to do so
think of this as if you are putting a letter in a safe

User A's key is a special key developed from his Security Identifier, a unique alphanumeric code generated when the user account is created. Even if you delete an account and then recreate the account with the same name, the SID will be different

Windows also has a key, which belongs to the LOCAL ADMINISTRATOR account, and is derived from the LOCAL ADMINISTRATOR ACCOUNT SID. If you wipe out Windows and reinstall, the LOCAL ADMINISTRATOR account will have a different SID...in fact, it will have a different SID on every machine, everywhere, even though the account is named the same on each machine.

If you were on a Domain, the DOMAIN ADMINISTRATOR's would be the recovery agent.


I really had my doubts the above would work, and cannot think of any way to recover this file given the circumstances....these people say they can do it in a similar situation, but I do not know them and cannot recommend or not recommend them

http://www.essdatarecovery.com/
  • 0

#15
tomdrayson

So even if I manage to recover my entire "Documents and Settings" folder AND that of the old Administrator account, I still do not have enough to decrypt my files?
Is there a way to change an SID?
Thanks

Edited by tomdrayson, 15 February 2006 - 02:37 PM.

  • 0





