Lost Data because of EFS in WinXP

Discussion in 'Windows Desktop Systems' started by WizZaRd, Jan 5, 2003.

  1. WizZaRd

    WizZaRd Guest

    I need help. Damn. Reinstalled Windows XP Professional because of a damn logon screen which wasn't the good ntoskrnl.exe version for my SP1 ... So I lost the user who encrypted the data, along with the keys used.

    At this point, I have realised that I could extract these keys and a Data Recovery Agent certificate, I've loaded both in my current user (so I should be the DRA and have the good keys to decrypt) ... I try to decrypt and it still says ACCESS DENIED.

    What's wrong?

    For more info, simply ask, or email me.

    Thanx! That's for my documents =)
  2. Rootz

    Rootz Guest

    You can't, sorry.
    The recovery agent master key will never be accepted from your reinstalled Windows XP, the key is strictly connected to the system installation ID hash (which has changed).

    The DRA is valid within a single system installation, you can't export its keys to another system or expect some other DRA to recover your files from another system.

    Also... the user encryption key refers to a non-existing user account.

    There's nothing you can do about it apart from a brute force attack on your encrypted files...
    but I never knew of such a hacking (and working) tool.

    For the future.
    When a critical error prevents your computer from booting and you have encrypted files on that system, decrypt files with recovery console before reinstalling. The command line utility is *cipher* (see Windows online help for switches).
    ...and always back up EFS data on CD/DVD/tape. :(
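
Added example, not part of the thread or any poster's reply: a PowerShell script that follows the "decrypt before reinstalling" advice in the post above by listing every EFS-encrypted file under a folder, decrypting each one, and confirming none remain. It assumes PowerShell 3.0 or later, is run as the account that encrypted the files while that account and its keys still exist, and uses a hypothetical `$Root` folder; it calls .NET's `File.Decrypt` rather than `cipher` so that failures are reported per file.

```powershell
# Added example: inventory and decrypt EFS files before a reinstall.
# $Root is an assumed folder; change it to wherever the encrypted data lives.
param([string]$Root = "$env:USERPROFILE\Documents")

function Get-EfsFile {
    param([string]$Path)
    # -Attributes Encrypted matches the NTFS "encrypted" flag that EFS sets.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File `
        -Attributes Encrypted -ErrorAction SilentlyContinue
}

$before = @(Get-EfsFile -Path $Root)
Write-Host "Encrypted files found under ${Root}: $($before.Count)"

$failed = @()
foreach ($file in $before) {
    try {
        # Needs the private key of a user or recovery agent listed on the file;
        # without it the call fails with an access-denied error.
        [System.IO.File]::Decrypt($file.FullName)
    }
    catch {
        $failed += [pscustomobject]@{
            Path  = $file.FullName
            Error = $_.Exception.Message
        }
    }
}

# Re-scan instead of trusting the loop: anything still flagged is still encrypted.
$after = @(Get-EfsFile -Path $Root)

if ($after.Count -eq 0) {
    Write-Host "No encrypted files remain under $Root. Back the folder up now."
}
else {
    Write-Warning "$($after.Count) file(s) are still encrypted:"
    $after | ForEach-Object { Write-Warning "  $($_.FullName)" }
    $failed | Format-Table -AutoSize -Wrap
    exit 1
}
```

A non-zero exit means at least one file is still encrypted under `$Root`, so the reinstall should wait until those files are decrypted or their keys are confirmed to be available.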
  3. PseudoKiller

    PseudoKiller Zug Zug

    Ice Crown Citadel
    Damn Rootz, I am impressed. Cheers m8.
  4. Rootz

    Rootz Guest

    Doin' my best..! :D :cool:
  5. WizZaRd

    WizZaRd Guest

    Yeah yeah... brute forcing. I've only got a small file, only a text file, that would REALLY be important. If anyone hears about such a tool, please reply!