Decrypting files without recovery certificate


#16 gerryf (Retired Staff, 11,365 posts)
Well, yes, there actually is a way to change the SID... if that is the only thing in the certificate in addition to the name, but you would need the previous SID to do it... and again, I am not certain that would be enough...

Either way, here is an interesting program that might do it -- free for 20 days:

http://www.elcomsoft.com/aefsdr.html
#17 tomdrayson (Topic Starter, Member, 198 posts)
The program says "3 private keys were found and they were all decrypted successfully", but then when I scan my drive, all the files I want are "not decryptable", apparently. So I guess that's it.
Although there are files like "SAM registry" and "System Registry" which were found and identified as "EFS-related files", and these are from the present Windows installation, as opposed to the previous one.
Maybe recovering some more files from the previous installation could change the outcome. Also, the program did not mention "certificates" at all, I wonder why?

#18 gerryf (Retired Staff, 11,365 posts)
Try this one:

http://www.active-un...om/download.htm

#19 gerryf (Retired Staff, 11,365 posts)
Demo -- not sure if it will allow you to recover, but it might tell you if it can...

#20 tomdrayson (Topic Starter, Member, 198 posts)
Yeah, that's the one I was using. I have recovered my Documents and Settings folder as well as the Administrator's, and I have tried putting the certificates in the right folder for my current user, but I still can't decrypt the files, and neither can Advanced EFS Data Recovery.
What I would like to know is:
Is it actually possible to decrypt these files using files from the previous installation, or is it completely futile? I'm sure I have to do something with the Microsoft Management Console, like importing a certificate or creating an agent or something. Basically, I haven't got a clue what I'm doing, but I am clinging on in desperation to the fact that I have recovered all the files which could help me and that there must be a way!!
Have a look at this http://www.softwaret...s-on-Windows-XP
Thanks

Edited by tomdrayson, 16 February 2006 - 04:49 PM.


#21 gerryf (Retired Staff, 11,365 posts)
The process they are describing applies to a recovery agent.

In a network setting, you designate a recovery agent, but you don't want this person to have the power to willy-nilly spy on everything, so you export his recovery agent certificate to a floppy/CD and lock it in a safe. This way it takes two people to actually look at encrypted data.

You did not go through the routine of exporting the recovery agent (the local computer administrator), so you cannot follow this process.

I really do not think it would be possible to achieve this by conventional means, though here is another possibility. It involves recovering the entire profile... I cannot say it will work:

http://www.beginning...overy/index.php

#22 tomdrayson (Topic Starter, Member, 198 posts)
Thanks for that gerryf, it looks promising! I quote:

"If you have the following folders and their contents from the original install of 2k or XP, you can recover your EFS data.

c:\documents and settings\user\application data\microsoft\crypto\
- private keys

c:\documents and settings\user\application data\microsoft\protect\
- locks your current password to your private keys

c:\documents and settings\user\application data\microsoft\systemcertificates\
- public keys (not essential to be the original, as another valid key can be made up)"

Considering I have recovered all those folders successfully, maybe this is going to work. However, I get stuck almost straight away:
"You will need a user account of the same user and machine number as the original.....

....go to: hklm\sam\sam\domains\account\users\%usernumbers%

Check if a user account is already present of the original account number."

There is an HKLM/SAM/SAM key, but no more keys in the tree, and no values in that key.... Any ideas?

Thanks!

Edited by tomdrayson, 17 February 2006 - 02:08 PM.


#23 tomdrayson (Topic Starter, Member, 198 posts)
OK I've sorted that part. I understand how to do this now!

You have to change both the computer SID and the user SID to match the old account, then copy over the certificates/keys etc. and then everything should work.

So I managed to change the computer SID. Then you have to edit a registry string with a "user counter" in it, which determines the user SID of the NEXT user that is created. So I converted the user SID of the old account to hex and changed the counter to that. BUT when I try to add a new user, I get this:
"The user is already a member of this group"
The user SID I need is "500". If I change the counter so that the next user is "499", I can add the user; I only get the error with "500".
Any ideas?
This is driving me insane, I'm so close!

Edited by tomdrayson, 18 February 2006 - 07:35 AM.


#24 gerryf (Retired Staff, 11,365 posts)
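As an added illustration of why the SIDs in this thread matter (this is not code from any poster or from the linked guides): inside an XP profile, both the RSA private-key store (`Application Data\Microsoft\Crypto\RSA\`) and the DPAPI master-key store (`Application Data\Microsoft\Protect\`) keep their data in a subfolder named after the owning user's SID, so keys copied in under an account with a different machine SID are simply never consulted. The script below parses textual and binary SIDs, splits off the RID (500 is always the built-in Administrator, which is why a fresh install already has it), prints the RID in the 8-digit hex form used for the user keys under `SAM\SAM\Domains\Account\Users`, and scans a constructed sample profile to report which SID its key folders belong to. The sample SIDs and the temporary profile tree are constructed; nothing here touches the registry or a real profile.

```python
import os
import re
import struct
import tempfile

# Textual SID: S-1-<identifier authority>-<sub-authority>-...-<RID>
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split a textual SID into (identifier authority, list of sub-authorities)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def sid_to_bytes(sid):
    """Binary SID as Windows stores it: revision 1, sub-authority count,
    6-byte big-endian authority, then each sub-authority as little-endian uint32."""
    authority, subs = parse_sid(sid)
    return (struct.pack("<BB", 1, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(blob):
    """Inverse of sid_to_bytes, with the revision/length checks a parser needs."""
    if len(blob) < 8 or blob[0] != 1 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % blob[1], blob[8:])
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def split_sid(sid):
    """Return (machine-or-domain SID, RID). The RID is the last sub-authority;
    500 is the built-in Administrator on every installation."""
    authority, subs = parse_sid(sid)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:-1])), subs[-1]


def rid_as_hex(rid):
    """RID as the 8-digit hex key name used under SAM\\SAM\\Domains\\Account\\Users
    (500 -> '000001F4')."""
    return "%08X" % rid


# Per-user key stores inside an XP profile, relative to the profile root. Both
# keep their data in a subfolder named after the owning user's SID, which is
# why the machine SID and the RID have to be reproduced exactly, not just the name.
KEY_STORES = {
    "RSA private keys (Crypto\\RSA)": ("Application Data", "Microsoft", "Crypto", "RSA"),
    "DPAPI master keys (Protect)": ("Application Data", "Microsoft", "Protect"),
}


def key_store_owners(profile_root):
    """Map each key store to the SIDs its subfolders are named after."""
    owners = {}
    for label, parts in KEY_STORES.items():
        store = os.path.join(profile_root, *parts)
        sids = []
        if os.path.isdir(store):
            for name in sorted(os.listdir(store)):
                if SID_RE.match(name) and os.path.isdir(os.path.join(store, name)):
                    sids.append(name)
        owners[label] = sids
    return owners


def check_profile(profile_root, current_user_sid):
    """Per store: (owner SID, True if it equals the SID of the account that will
    try to use the keys). False means Windows will never look in that folder."""
    return {label: [(sid, sid == current_user_sid) for sid in sids]
            for label, sids in key_store_owners(profile_root).items()}


def build_sample_profile(root, owner_sid):
    """Constructed sample: an otherwise empty recovered profile with the layout above."""
    for parts in KEY_STORES.values():
        os.makedirs(os.path.join(root, *parts, owner_sid))
    return root


def demo():
    """Run the check against a constructed profile: first from an account on a new
    machine SID (the mismatch in the thread), then with the original SID restored."""
    old_sid = "S-1-5-21-1111111111-2222222222-3333333333-500"  # constructed
    new_sid = "S-1-5-21-4000000000-1234567890-987654321-500"   # constructed: same RID 500, new machine SID
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_profile(tmp, old_sid)
        return check_profile(profile, new_sid), check_profile(profile, old_sid)


if __name__ == "__main__":
    machine, rid = split_sid("S-1-5-21-1111111111-2222222222-3333333333-500")
    print("machine SID:", machine, "RID:", rid, "SAM key name:", rid_as_hex(rid))
    before, after = demo()
    print("wrong machine SID:", before)
    print("matching SID:     ", after)
```

Run against a real recovered profile, `check_profile(r"D:\recovered\Documents and Settings\user", current_sid)` tells you up front whether the copied key folders even belong to the SID your current account has, before any SID surgery is attempted; the binary helpers are what you need if you are reading SIDs out of raw SAM or security-descriptor data rather than from folder names.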
Wish I was there so I could see this...

Right-click MY COMPUTER, choose MANAGE > LOCAL USERS AND GROUPS >

Look through users and groups -- is the user account already there? Can you delete it?

#25 tomdrayson (Topic Starter, Member, 198 posts)
It's OK, I have given up on this!! After trying to follow these somewhat complicated instructions, I managed to lock myself out of the system -- my password was not accepted at logon!

So I have reinstalled again and I think I'm going to leave it. The procedure seems like it should work, for anyone out there, because it puts all the right pieces back in place to reconstruct a profile of the original user... but I don't know whether this error happens to everyone, or just for me.

Anyway, looks like my files are going to remain encrypted for some time....

Thanks for all your help, gerryf.

#26 gerryf (Retired Staff, 11,365 posts)
Sorry it didn't work out for you...

I think the issue may be that when you set up the new system, you used the same username.

You might have had more luck with creating a totally different name and then trying.

#27 tomdrayson (Topic Starter, Member, 198 posts)
I'm not sure what you mean there....
Anyway, I have just created a new partition and installed a second XP Pro on it, so I'm going to keep that there for testing purposes; it may come in handy for other experiments as well. I'll get back to you!
Also, do you think the computer name and user name matter, or is it just the SIDs that are important?
Thanks

#28 tomdrayson (Topic Starter, Member, 198 posts)
Well that didn't work either.
I checked the user SIDs straight after install and the Administrator had a SID of 500, which was what I needed. So I then changed the computer SID to the correct one and copied the recovered Crypto, Protect, and SystemCertificates folders over to the profile, but I still can't decrypt. The computer name is the same.
AAAAAAAAAAHHHH

#29 Jhonbul5 (New Member, 1 post)

Hey there,

Can you guide me through this? I mean, I started this and cancelled it in the middle, and now I'm stuck.

I cannot understand these things.
