
Cannot Access EFS filesystem

Discussion in 'Windows Security' started by Marco Bellettini, Sep 7, 2009.

  1. Hi all,
    all of a sudden I cannot access any files that have been encrypted on XP
    NTFS (EFS) and I get the same error ("cannot access file") or similar
    (it depends, obviously, on the application's error message). I did not
    change my password recently or play with certificates and the like,
    so it's a real mystery for me. I tried to log on with the
    administrator account, but nothing happens. I've also played with
    recovery agents, but as far as I've tried, I couldn't access my files.
    Obviously, it is also impossible to copy files to another location and/
    or remove the encryption or add further certificates/users to access
    the directory/files. My certificate shown in certmgr.exe->personal->certificates
    is issued to my name, the expiration date is 2109, the
    intended purpose is encrypting file system and by double clicking on
    it, it shows that I have the private key corresponding to the
    certificate.

    What could be a possible solution? I've read many Microsoft articles
    on creating recovery agents, exporting private keys and the like, but
    I'm missing a point: how do I use these recovery agents and private
    keys if Windows XP does not allow me to add any further user to access
    the filesystem? Moreover, it seems that no certificate/private key
    file is corrupted. The funny thing is that the most important files
    are encrypted, and those are the ones I cannot access anymore...

    Any help is very much appreciated.
     
  2. From: "Marco Bellettini" <suddenlyfrustrated@gmail.com>

    | Hi all,
    | all of a sudden I cannot access any files that have been encrypted on XP
    | NTFS (EFS) and I get the same error ("cannot access file") or similar
    | (it depends, obviously, on the application's error message). I did not
    | change my password recently or play with certificates and the like,
    | so it's a real mystery for me. I tried to log on with the
    | administrator account, but nothing happens. I've also played with
    | recovery agents, but as far as I've tried, I couldn't access my files.
    | Obviously, it is also impossible to copy files to another location and/
    | or remove the encryption or add further certificates/users to access
    | the directory/files. My certificate shown in certmgr.exe->personal->certificates
    | is issued to my name, the expiration date is 2109, the
    | intended purpose is encrypting file system and by double clicking on
    | it, it shows that I have the private key corresponding to the
    | certificate.

    | What could be a possible solution? I've read many Microsoft articles
    | on creating recovery agents, exporting private keys and the like, but
    | I'm missing a point: how do I use these recovery agents and private
    | keys if Windows XP does not allow me to add any further user to access
    | the filesystem? Moreover, it seems that no certificate/private key
    | file is corrupted. The funny thing is that the most important files
    | are encrypted, and those are the ones I cannot access anymore...

    | Any help is very much appreciated.

    You are using the WRONG certificate. It is probable that the Certificate that ends 2109
    is a later certificate and the one that encrypted the files was accidentally deleted from
    the Certificate Store and a new one was subsequently created. Thus the new certificate
    cannot be used to decrypt the data files encrypted using a previous certificate.

    I have seen this happen numerous times and I'll bet this is the same type of situation.


    --
    Dave

    Multi-AV -
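
Added example, not part of the original thread or any poster's code: a PowerShell check for the mismatch described in the reply above, comparing the certificate thumbprints recorded in an encrypted file with the EFS certificates in the user's store that still have a private key. It assumes a Windows release whose cipher.exe supports the /c switch and prints English output; the function names and the sample thumbprint are constructed for illustration.

```powershell
# Hypothetical helper: pull certificate thumbprints out of "cipher /c" output.
function Get-EfsThumbprint {
    param([Parameter(Mandatory)][string[]]$CipherOutput)
    foreach ($line in $CipherOutput) {
        # cipher prints the thumbprint as space-separated hex groups (English output assumed).
        if ($line -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            ($Matches[1] -replace '\s', '').ToUpper()
        }
    }
}

# Hypothetical helper: for each thumbprint stored in the file, report whether
# the current user's store holds that certificate together with its private key.
function Test-EfsKeyPresent {
    param([Parameter(Mandatory)][string]$Path)
    $efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage
    $mine = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid)
    }
    $onFile = Get-EfsThumbprint -CipherOutput (& cipher.exe /c $Path)
    foreach ($tp in $onFile) {
        $match = $mine | Where-Object Thumbprint -eq $tp
        [pscustomobject]@{
            FileThumbprint = $tp
            KeyInStore     = [bool]$match
            NotAfter       = if ($match) { $match.NotAfter } else { $null }
        }
    }
    # Also list what the store does hold, so a newer, unrelated EFS
    # certificate (different thumbprint, later expiry) is easy to spot.
    $mine | Select-Object Thumbprint, NotBefore, NotAfter | Out-Host
}

# Constructed sample of cipher /c output (thumbprint is made up), parsed offline.
$sample = @(
    '  Users who can decrypt:',
    '    PC\marco [marco(marco@PC)]',
    '    Certificate thumbprint: 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'
)
Get-EfsThumbprint -CipherOutput $sample

# Live use against a real encrypted file (path is a placeholder):
# Test-EfsKeyPresent -Path 'C:\path\to\encrypted-file.txt'
```

A row with KeyInStore = False means the key that encrypted the file is not in the profile, so the certificate visible in the store is not the one the file needs.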
     
  3. On Sep 8, 2:12 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > From: "Marco Bellettini" <suddenlyfrustra...@gmail.com>
    >
    > | Hi all,
    > | all of a sudden I cannot access any files that have been encrypted on XP
    > | NTFS (EFS) and I get the same error ("cannot access file") or similar
    > | (it depends, obviously, on the application's error message). I did not
    > | change my password recently or play with certificates and the like,
    > | so it's a real mystery for me. I tried to log on with the
    > | administrator account, but nothing happens. I've also played with
    > | recovery agents, but as far as I've tried, I couldn't access my files.
    > | Obviously, it is also impossible to copy files to another location and/
    > | or remove the encryption or add further certificates/users to access
    > | the directory/files. My certificate shown in certmgr.exe->personal->certificates
    > | is issued to my name, the expiration date is 2109, the
    > | intended purpose is encrypting file system and by double clicking on
    > | it, it shows that I have the private key corresponding to the
    > | certificate.
    >
    > | What could be a possible solution? I've read many Microsoft articles
    > | on creating recovery agents, exporting private keys and the like, but
    > | I'm missing a point: how do I use these recovery agents and private
    > | keys if Windows XP does not allow me to add any further user to access
    > | the filesystem? Moreover, it seems that no certificate/private key
    > | file is corrupted. The funny thing is that the most important files
    > | are encrypted, and those are the ones I cannot access anymore...
    >
    > | Any help is very much appreciated.
    >
    > You are using the WRONG certificate.  It is probable that the Certificate that ends 2109
    > is a later certificate and the one that encrypted the files was accidentally deleted from
    > the Certificate Store and a new one was subsequently created.  Thus the new certificate
    > cannot be used to decrypt the data files encrypted using a previous certificate.
    >
    > I have seen this happen numerous times and I'll bet this is the same type of situation.
    >
    > --
    > Dave http://www.claymania.com/removal-trojan-adware.html
    > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

    Thanks for the reply: now, what would you suggest I do if you are
    right? Is there any solution? Should I search on the filesystem
    for .pfx files (as an example) and import it somewhere (where, how?)?
    Can you suggest a pointer I can look at?
    By the way, by using the trial version of "Advanced EFS Data
    Recovery", I could read the first 512 bytes of every encrypted file
    (especially text files): this means that the files and the certificates
    are ok. My feeling is that there is a sort of lock somewhere and the
    access to the encrypted file-system is locked until it is removed.

    Thanks again for your reply!

    Marco
     
  4. From: "Marco Bellettini" <suddenlyfrustrated@gmail.com>



    | Thanks for the reply: now, what would you suggest I do if you are
    | right? Is there any solution? Should I search on the filesystem
    | for .pfx files (as an example) and import it somewhere (where, how?)?
    | Can you suggest a pointer I can look at?
    | By the way, by using the trial version of "Advanced EFS Data
    | Recovery", I could read the first 512 bytes of every encrypted file
    | (especially text files): this means that the files and the certificates
    | are ok. My feeling is that there is a sort of lock somewhere and the
    | access to the encrypted file-system is locked until it is removed.

    | Thanks again for your reply!

    | Marco

    If the original encrypting certificate was backed up into a .PFX you are in luck. If it
    wasn't, SOL...

    --
    Dave

    Multi-AV -
     
  5. On Sep 8, 12:51 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > From: "Marco Bellettini" <suddenlyfrustra...@gmail.com>
    >
    > | Thanks for the reply: now, what would you suggest I do if you are
    > | right? Is there any solution? Should I search on the filesystem
    > | for .pfx files (as an example) and import it somewhere (where, how?)?
    > | Can you suggest a pointer I can look at?
    > | By the way, by using the trial version of "Advanced EFS Data
    > | Recovery", I could read the first 512 bytes of every encrypted file
    > | (especially text files): this means that the files and the certificates
    > | are ok. My feeling is that there is a sort of lock somewhere and the
    > | access to the encrypted file-system is locked until it is removed.
    >
    > | Thanks again for your reply!
    >
    > | Marco
    >
    > If the original encrypting certificate was backed up into a .PFX you are in luck.  If it
    > wasn't, SOL...
    >
    > --
    > Dave http://www.claymania.com/removal-trojan-adware.html
    > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

    Since the trial version of Advanced EFS Data Recovery is able to read
    the encrypted files, I think that the right certificate is stored
    somewhere. The problem is how can I force XP to use this (or another)
    certificate? How can I import it or use a tool and tell it "use this
    certificate / private key to decrypt the file system". In fact, when I
    go on advanced properties, and I click on ADD to add an additional
    user/certificate to access the file system, the only certificate that
    appears is just one (which should be the correct one) even if I add
    other certificates through certmgr.exe (such as the recovery agent
    certificate).

    Anyway, I don't think it is a problem with the certificate (otherwise
    Advanced EFS Data Recovery would not be able to read the files
    correctly): I think there are some problems with permissions or locks
    that prevent me from accessing the files. Is there any way of accessing
    XP's log files for such disallowed operations?

    Thanks again!
    Marco
     
  6. On 8 Sep, 12:51, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > From: "Marco Bellettini" <suddenlyfrustra...@gmail.com>
    >
    > | Thanks for the reply: now, what would you suggest I do if you are
    > | right? Is there any solution? Should I search on the filesystem
    > | for .pfx files (as an example) and import it somewhere (where, how?)?
    > | Can you suggest a pointer I can look at?
    > | By the way, by using the trial version of "Advanced EFS Data
    > | Recovery", I could read the first 512 bytes of every encrypted file
    > | (especially text files): this means that the files and the certificates
    > | are ok. My feeling is that there is a sort of lock somewhere and the
    > | access to the encrypted file-system is locked until it is removed.
    >
    > | Thanks again for your reply!
    >
    > | Marco
    >
    > If the original encrypting certificate was backed up into a .PFX you are in luck.  If it
    > wasn't, SOL...
    >
    > --
    > Dave http://www.claymania.com/removal-trojan-adware.html
    > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

    Using EFS recovery I see that there are some key files in:
    C:\Documents and Settings\%username\Application Data\Microsoft\Crypto
    \RSA\S-1-5-21-1757981266-.......-1003\
    Filenames are something like:
    5bfa14d0bde9b240b9f9e954cfcb868a_f1225bce-..............
    I've also had a look in this guide:

    but it seems too dangerous to me..
    Do you have any other suggestion on how to use the backup key files to
    restore the encrypted file system in a "safe" and easy way?

    Thanks very much!
    Marco
     
  7. On Sep 9, 1:00 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > From: "Marco Bellettini" <suddenlyfrustra...@gmail.com>
    >
    > | Using EFS recovery I see that there are some key files in:
    > | C:\Documents and Settings\%username\Application Data\Microsoft\Crypto
    > | \RSA\S-1-5-21-1757981266-.......-1003\
    > | Filenames are something like:
    > | 5bfa14d0bde9b240b9f9e954cfcb868a_f1225bce-..............
    > | I've also had a look in this guide:
    > |
    > | but it seems too dangerous to me..
    > | Do you have any other suggestion on how to use the backup key files to
    > | restore the encrypted file system in a "safe" and easy way?
    >
    > | Thanks very much!
    > | Marco
    >
    > Do you have a tape, disc, or other type of backup of the following?
    >
    > C:\Documents and Settings\%username%\Application Data
    >
    > BTW:  What I described happened to one of my users Today.  She could no longer access ANY
    > encrypted data.  I looked in her Certificate Store and noted that the EFS Cert. was to
    > expire on 08/2109.  However I KNOW she's been encrypting much longer than that.  Luckily a
    > PFX had been created for her account and I assisted her in importing that certificate back
    > into her Certificate Store.  That EFS Certificate had an expiration date of 12/2108
    > which shows she's been encrypting since last year.  Once restored, she could immediately
    > access her encrypted data again.
    >
    > One has to take the time out and execute;  CIPHER /R:Backup_Name   if they are to use EFS
    > and save Backup_Name.PFX somewhere easily accessible.
    > In my case it is a large AD and it's done via GP to a network share.
    >
    > --
    > Dave http://www.claymania.com/removal-trojan-adware.html
    > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

    As you said, probably XP renewed my certificate without any reason (in
    fact, its expiration date is 100 years exactly from the day I couldn't
    access the FS anymore). Anyway, since I couldn't restore the PFX files
    from the C:\Documents and Settings\%username\Application Data\Microsoft
    \Crypto\RSA\ (the "good" old private keys were certainly there) I used
    the full version of Advanced EFS Data Recovery and succeeded in
    restoring all the keys and encrypted files. Anyway, I'd like to know
    if there is a way to restore the files by only using XP tools....

    Thanks for the support!
    Marco
     
  8. From: "Marco Bellettini" <suddenlyfrustrated@gmail.com>



    | As you said, probably XP renewed my certificate without any reason (in
    | fact, its expiration date is 100 years exactly from the day I couldn't
    | access the FS anymore). Anyway, since I couldn't restore the PFX files
    | from the C:\Documents and Settings\%username\Application Data\Microsoft
    | \Crypto\RSA\ (the "good" old private keys were certainly there) I used
    | the full version of Advanced EFS Data Recovery and succeeded in
    | restoring all the keys and encrypted files. Anyway, I'd like to know
    | if there is a way to restore the files by only using XP tools....

    | Thanks for the support!
    | Marco

    Do you have a tape, disc, or other type of backup of the following?
    C:\Documents and Settings\%username%\Application Data

    --
    Dave

    Multi-AV -
     
