either way, here is an interesting program that might do it -- free for 20 days
http://www.elcomsoft.com/aefsdr.html
Decrypting files without recovery certificate
Started by
tomdrayson
, Feb 14 2006 06:33 AM
#16
Posted 15 February 2006 - 03:25 PM
gerryf
-
- Retired Staff
-
- 11,365 posts
Retired Staff
either way, here is an interesting program that might do it -- free for 20 days
http://www.elcomsoft.com/aefsdr.html
#17
Posted 15 February 2006 - 03:49 PM
tomdrayson
- Topic Starter
-
- Member
-
- 198 posts
Member
The program says "3 private keys were found and they were all decrypted successfully", but then when I scan my drive, all the files I want are "not decryptable", apparently. So I guess that's it.
Although there are files like "SAM registry" and "System Registry" which were found and identified as "EFS-related files", and these are from the present Windows installation, as opposed to the previous one.
Maybe recovering some more files from the previous installation could change the outcome. Also, the program did not mention "certificates" at all, I wonder why?
Although there are files like "SAM registry" and "System Registry" which were found and identified as "EFS-related files", and these are from the present Windows installation, as opposed to the previous one.
Maybe recovering some more files from the previous installation could change the outcome. Also, the program did not mention "certificates" at all, I wonder why?
#19
Posted 15 February 2006 - 05:08 PM
gerryf
-
- Retired Staff
-
- 11,365 posts
Retired Staff
demo--not sure if it will allow you to recover but it might tell you if it can...
#20
Posted 16 February 2006 - 04:43 PM
tomdrayson
- Topic Starter
-
- Member
-
- 198 posts
Member
Yeh, that's the one I was using. I have recovered my Documents and Settings folder as well as the Administrators, and I have tried putting the certificates in the right folder for my current user, but I still can't decrypt the files, and neither can Advanced EFS Data Recovery.
What I would like to know is:
Is it actually possible to decrypt these files using files from the previous installation, or is it completely futile? I'm sure I have to do something with the Microsoft Management Console, like importing a certificate or creating an agent or something. Basically, I haven't got a clue what I'm doing, but I am clinging on in desperation to the fact that I have recovered all the files which could help me and that there must be a way!!
Have a look at this http://www.softwaret...s-on-Windows-XP
Thanks
What I would like to know is:
Is it actually possible to decrypt these files using files from the previous installation, or is it completely futile? I'm sure I have to do something with the Microsoft Management Console, like importing a certificate or creating an agent or something. Basically, I haven't got a clue what I'm doing, but I am clinging on in desperation to the fact that I have recovered all the files which could help me and that there must be a way!!
Have a look at this http://www.softwaret...s-on-Windows-XP
Thanks
Edited by tomdrayson, 16 February 2006 - 04:49 PM.
#21
Posted 16 February 2006 - 05:36 PM
gerryf
-
- Retired Staff
-
- 11,365 posts
Retired Staff
the process they are describing applies to a recovery agent
In a network setting, you designate a recovery agent, but you don't want this person to have the power to willy nilly spy on everything so you export his recovery agent certificate to a floppy/cd and lock it in a safe. This way it takes two people to actually look at encrypted data.
You did not go through the routine of exporting the recovery agent (the local computer administrator) so you cannot follow this process.
I really do not think it would be possible to achieve this by conventional means, though here is another possibility, but it involves recovering the entire profile...I cannot say it will work
http://www.beginning...overy/index.php
In a network setting, you designate a recovery agent, but you don't want this person to have the power to willy nilly spy on everything so you export his recovery agent certificate to a floppy/cd and lock it in a safe. This way it takes two people to actually look at encrypted data.
You did not go through the routine of exporting the recovery agent (the local computer administrator) so you cannot follow this process.
I really do not think it would be possible to achieve this by conventional means, though here is another possibility, but it involves recovering the entire profile...I cannot say it will work
http://www.beginning...overy/index.php
#22
Posted 17 February 2006 - 12:31 PM
tomdrayson
- Topic Starter
-
- Member
-
- 198 posts
Member
Thanks for that gerryf, it looks promising! I quote:
"if you have following folders and their contents from the orginal install of 2k or xp, you can recover you efs data.
c:\documents and settings\user\application data\microsoft\crypto\
- private keys
c:\documents and settings\user\application data\microsoft\protect\
- locks your current password to your private keys
c:\documents and settings\user\application data\microsoft\systemcertificates\
- public keys (not essential to be the orginal as another valid key can be madeup)"
Considering I have recovered all those folders successfully, maybe this is going to work. However, I get stuck almost straightaway:
"you will need a user account of the same user and machine number as the orginal.....
....go to: hklm\sam\sam\domains\account\users\%usernumbers%
check if a user account is already present of the orginal account number."
There is an HKLM/SAM/SAM key, but no more keys in the tree, and no values in that key.... Any ideas?
Thanks!
"if you have following folders and their contents from the orginal install of 2k or xp, you can recover you efs data.
c:\documents and settings\user\application data\microsoft\crypto\
- private keys
c:\documents and settings\user\application data\microsoft\protect\
- locks your current password to your private keys
c:\documents and settings\user\application data\microsoft\systemcertificates\
- public keys (not essential to be the orginal as another valid key can be madeup)"
Considering I have recovered all those folders successfully, maybe this is going to work. However, I get stuck almost straightaway:
"you will need a user account of the same user and machine number as the orginal.....
....go to: hklm\sam\sam\domains\account\users\%usernumbers%
check if a user account is already present of the orginal account number."
There is an HKLM/SAM/SAM key, but no more keys in the tree, and no values in that key.... Any ideas?
Thanks!
Edited by tomdrayson, 17 February 2006 - 02:08 PM.
#23
Posted 18 February 2006 - 07:34 AM
tomdrayson
- Topic Starter
-
- Member
-
- 198 posts
Member
OK I've sorted that part. I understand how to do this now!
You have to change both the computer SID and the user SID to match the old account, then copy over the certificates/keys etc. and then everything should work.
So I managed to change the computer SID. Then you have to edit a registry string with a "user counter" in it, which determines the user SID of the NEXT user that is created. So I converted the user SID of the old account to hex, and changed the counter to that. BUT when I try to add a new user, I get this:
"The user is already a member of this group"
The user SID I need is "500". If I change the counter so that the next user is "499", I can add the user, I only get the error with "500".
Any ideas?
This is driving me insane, I'm so close!
You have to change both the computer SID and the user SID to match the old account, then copy over the certificates/keys etc. and then everything should work.
So I managed to change the computer SID. Then you have to edit a registry string with a "user counter" in it, which determines the user SID of the NEXT user that is created. So I converted the user SID of the old account to hex, and changed the counter to that. BUT when I try to add a new user, I get this:
"The user is already a member of this group"
The user SID I need is "500". If I change the counter so that the next user is "499", I can add the user, I only get the error with "500".
Any ideas?
This is driving me insane, I'm so close!
Edited by tomdrayson, 18 February 2006 - 07:35 AM.
#24
Posted 18 February 2006 - 09:02 AM
gerryf
-
- Retired Staff
-
- 11,365 posts
Retired Staff
wish I was there so I could see this...
Right click MY COMPUTER, choose MANAGE > LOCAL USERS AND GROUPS >
look through users and groups--is the user account already there? Can you delete it?
Right click MY COMPUTER, choose MANAGE > LOCAL USERS AND GROUPS >
look through users and groups--is the user account already there? Can you delete it?
#25
Posted 18 February 2006 - 11:59 AM
tomdrayson
- Topic Starter
-
- Member
-
- 198 posts
Member
It's OK, I have given up on this!! After trying to follow these somewhat complicated instructions, I managed to lock myself out of the system - my password was not accepted at logon!
So I have reinstalled again and I think I'm going to leave it. The procedure seems like it should work, for anyone out there, because it puts all the right pieces back in place to reconstruct a profile of the original user....but I don't know whether this error happens to everyone, or just for me.
Anyway, looks like my files are going to remain encrypted for some time....
Thanks for all your help gerryf
So I have reinstalled again and I think I'm going to leave it. The procedure seems like it should work, for anyone out there, because it puts all the right pieces back in place to reconstruct a profile of the original user....but I don't know whether this error happens to everyone, or just for me.
Anyway, looks like my files are going to remain encrypted for some time....
Thanks for all your help gerryf
#26
Posted 18 February 2006 - 12:06 PM
gerryf
-
- Retired Staff
-
- 11,365 posts
Retired Staff
sorry it didn't work out for you...
I think, the issue may be that when you set up the new system, you used the same username
You might have had more luck with creating a totally different name and then trying
I think, the issue may be that when you set up the new system, you used the same username
You might have had more luck with creating a totally different name and then trying
#27
Posted 19 February 2006 - 08:43 AM
tomdrayson
- Topic Starter
-
- Member
-
- 198 posts
Member
I'm not sure what you mean there....
Anyway, I have just created a new partition and installed a second XP Pro on it, so I'm going to keep that there for testing purposes, may come in handy for other experiments as well. I'll get back to you!
Also, do you think the computer name and user name matter, or is it just the SIDs which are important?
Thanks
Anyway, I have just created a new partition and installed a second XP Pro on it, so I'm going to keep that there for testing purposes, may come in handy for other experiments as well. I'll get back to you!
Also, do you think the computer name and user name matter, or is it just the SIDs which are important?
Thanks
#28
Posted 19 February 2006 - 10:41 AM
tomdrayson
- Topic Starter
-
- Member
-
- 198 posts
Member
Well that didn't work either.
I checked the user SIDs straight after install and the Administrator had an SID of 500, which was what I needed. So I then changed the computer SID to the correct one, copied the recovered Crypto, Protect, and SystemCertificates over to the profile, but I still can't decrypt. The computer name is the same.
AAAAAAAAAAHHHH
I checked the user SIDs straight after install and the Administrator had an SID of 500, which was what I needed. So I then changed the computer SID to the correct one, copied the recovered Crypto, Protect, and SystemCertificates over to the profile, but I still can't decrypt. The computer name is the same.
AAAAAAAAAAHHHH
#29
Posted 10 January 2016 - 08:27 AM
Jhonbul5
-
- Member
-
- 1 posts
New Member
Hey there
can you guide me thru this i mean, i started this and canceled it in middle & now i'm stuck
i cannot understand this things.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
