Lost Data because of EFS in WinXP

[WizZaRd]

Hello,
I need help. Damn. Reinstalled Windows XP Professionnal because of a damn logon screens which wasn't the good ntoskrnl.exe version for my SP1 ... So I lost the user who encrypted the data, along with the keys used.

At this point, I have realised that I could extract theses keys and a Data Recovery Agent certificate, I've loaded both in my current user (so I should be the DRA and have the good keys to decrypt) ... I try to decrypt and it still says ACCESS DENIED.

What's wrong?

For more info, simply ask, or email me.

Thanx! That's for my documents =)

 

[Rootz]

You can't, sorry.
The recovery agent master key will never be accepted from your reinstalled WindowsXP, the key is stricly connected to the system installation ID hash (which has changed).

The DRA is valid within a single system installation, you can't export its keys to another system or expect some other DRA to recover your files from another system.

Also... the user encryption key refers to a non-existing user account.

There's nothing you can do about it apart a brute force attack on your encrypted files...
but I never knew of such a hacking (and working) tool.

PS
For the future.
When a critical error prevents your computer from booting and you have encrypted files on that system, decrypt files with recovery console before reinstalling. The command line utility is *cipher* (see windows online help for switches).
...and always backup on CD/DVD/tape EFS data.

 

[PseudoKiller]

Damn Rootz, I am impressed. Cheers m8.

 

[Rootz]

Doin' my best..!

 

[WizZaRd]

Yeah yeah... brute forcing. I've only got a small file, only a text file, that would REALLY be important. If anyone hears about such a tool, please reply!