FRIHOSTFORUMSFAQTOSBLOGSDIRECTORY
You are invited to Log in or Register a Frihost Account!

How can i restore data encrypted in winxp?( 50 FRIH$ )

   Frihost Forum Index -> Computers -> Operating Systems
 


shamil
Some time after i have encrypted my personal folder. I decided to delete and recreate my current user for some reason. Now i can't decrypt it even if i log on as administrator.
If this was normal thing to happen then why windows didn't ask me about encrypted folder before i delete the user? This makes me think that there is still a chance to restore it. But some say it is impossible.
OS is winxp

First person to help solve my problem will get 50 FRIH$. Post must not be edited.

Last edited by shamil on Fri Dec 29, 2006 9:15 am; edited 1 time in total
otiscom
I'm afraid the "some people" may be right!
Deleting the user lost all personal settings and creating a new one (whether administrator or not) is still a new user whith different rights.

Have you tried encrypting your personal folder under the new admin?
shamil
otiscom wrote:
I'm afraid the "some people" may be right!
Deleting the user lost all personal settings and creating a new one (whether administrator or not) is still a new user whith different rights.

Have you tried encrypting your personal folder under the new admin?

It is not the new user with different rights. What is diifferent is unique userid which is given by os. And some say the folder encrypted with that id. As i said before if this is the case then why windows didn't warn me instead depriving me of my data.

No i can't edit files in that folder. Even can't copy. I have also linux os in my computer. I also tried to copy from linux. But coludn't. My hatred against windows is groving day by day. Yesterday a virus also hit.
ssthanapati
well it is possible 2 recover the data if u want. I have done it many times for myself and my frnds too. If u wanna kno then send me a pm. BTW wat do i get??????
TheGeek
In administrator account do the following:

Start > My Computer > drive you need to regain access to files on
Right Click folder that you can not get into and go to the security tab
go to advanced and check the "replace permission etries on all child..." box
Click the owner tab, make sure your current account is highlighted and check the "replace owner on subcontainers and objects" box
Click "Apply" and then "OK" and it should work.

During that you may see a box or two come up when you hit "Apply" just accept it whatever it says and move on.

That is how you replace owners of files with other owners. Same thing happened to me and I had to have a friend show me how to do this so I could get all my music back.
shamil
TheGeek wrote:
In administrator account do the following:

Start > My Computer > drive you need to regain access to files on
Right Click folder that you can not get into and go to the security tab
go to advanced and check the "replace permission etries on all child..." box
Click the owner tab, make sure your current account is highlighted and check the "replace owner on subcontainers and objects" box
Click "Apply" and then "OK" and it should work.

During that you may see a box or two come up when you hit "Apply" just accept it whatever it says and move on.

That is how you replace owners of files with other owners. Same thing happened to me and I had to have a friend show me how to do this so I could get all my music back.
There is no security tab available after right click on folder. What i have to do then? Repair winxp or anything else? If i install newer one i think that it is guaranteed that i would lose my data.
ssthanapati
Quote:
the encryption process is based on keys. Therefore, the question that you’ll have to ask yourself before you begin the decryption process is “do the keys still exist”? For example, suppose that a key employee encrypted all of their data and then walked off of the job. In such a situation, there’s a good chance that the user’s keys still exist on the hard disk of their PC. If that’s the case, you can simply reset the user’s password, log on as the user from the user’s PC and then decrypt the files.

However, this technique won’t work if the keys are missing. For example, if the user knew the location of the keys and erased them, then logging on as that user wouldn’t do any good. Likewise, suppose that a legitimate user’s hard disk went bad. If this hard disk contained the user’s keys then there’s no easy way of decrypting the users files, even if the files were stored on a different hard disk or on a network partition.

The key to recovering from such a situation is to understand how the encryption process works. Remember that the encryption process is key based. When a user encrypts a file, the file itself is encrypted by using symmetric encryption. As you may know, symmetric key encryption works by using an algorithm to encrypt a file and then providing the user with a separate key that can be used to decrypt the file. However, since anyone who has the key would be able to decrypt the file, the key is also encrypted. Because symmetric encryption requires a key for decryption, Windows 2000 can’t use symmetric key encryption to encrypt the key. Instead, Windows encrypts the key by using the user’s public key, which is derived from the user’s certificate. Since the user’s machine already contains a copy of the public key, the user has no trouble decrypting the symmetric key and then using the symmetric key to decrypt the file.

Although this process makes for good security, the drawback is that unless an administrator is able to decrypt the symmetric key, they won’t be able to decrypt the user’s files. Fortunately, Windows actually makes two different copies of the symmetric key. The first copy, as you know, is encrypted with the user’s public key information. The second copy though is encrypted into a separate file, using the public key of something known as the Recovery Agent.

The Recovery Agent is a mechanism that allows the administrator to recover encrypted files when the user’s keys are lost. If files are encrypted on a stand alone machine, then by default the local Administrator account becomes the designated recovery agent by default. If the machine containing the encrypted files is a part of a domain, then the domain Administrator account becomes the designated recovery agent. You can designate a different user as the recovery agent. There are at least two situations when you might consider making another user the recovery agent. First, if you’re working in an extremely high security environment, then rotating who the recovery agent is will keep hack attempts at bay, since the hacker will have no way of knowing who today’s recovery agent is (unless you follow a pattern).

Another situation in which you’d want to switch recovery agents is if you wanted to encrypt a file while logged in as the Administrator. Remember that if you don’t switch recovery agents and you encrypt a file as the Administrator, then the user keys and the recovery keys can be identical and could seriously compromise your ability to recover the files in a disaster.

So how does the recovery process work? Remember that the recovery process uses the recovery agent’s public key to decrypt the symmetric key, which is in turn used to decrypt the file. Therefore, the trick is to bring the recovery agent’s key and the symmetric key together. Windows 2000 stores each user’s public keys in the user’s personal certificate store. This store is located in the Documents and Settings\<username>\ApplicationData\Microsoft\SystemCertificates\My\Certificates. As you can see by the location within the directory structure, this storage point is a part of each user’s profile. Any time that a user logs on, the certificates that are contained in this location are read into memory and are then copied into the registry for use. If your network uses roaming profiles, then the certificates will follow the user where ever they login.

As you can see, if your network uses a roaming profile, then getting the recovery certificates to the encrypted file is no big trick. To get the ball rolling, the recovery agent can simply log into the machine containing the encrypted files. From that point, they can begin the rest of the recovery process. However, if your network doesn’t use roaming profiles, you’ll have to figure out a way to bring the recovery certificates together with the encrypted files before you can begin the recovery process. There are two ways that you can do this.

The best way to bring the encrypted files together with the recovery certificates is to begin by backing up the encrypted files. Remember that the backup process preserves the files because it doesn’t attempt to decrypt or re-encrypt the file as a part of the process. Once you’ve made a backup of the secure files, send the backup file to the recovery agent via secure E-mail. When the recovery agent receives the E-mail, they can restore the backup file and begin the recovery process. Remember that the designated recovery agent must restore the backup onto an NTFS version 5 partition or the operation won’t work.

Another way to bring the recovery certificates and the encrypted files together is for the recovery agent to physically travel to the computer that contains the encrypted files and then import his or her recovery certificates. However, while this method does work, I don’t recommend using it because of the sensitivity of the recovery keys. You don’t want copies of the recovery keys to exist on end user’s PCs.

Which ever technique you use, the idea is to recover the data, without compromising your recovery keys. Even though the preferred method is to restore the backup of the encrypted files onto your own PC, there will sometimes be situations in which this proves to be impossible because of hardware limitations. If your PC’s hard drive is almost full, or your system simply isn’t up to par, then I recommend buying a PC that you can use solely for the task of recovering encrypted files. You should keep this PC in a secure location such as the server room, so that certificates that it contains won’t be compromised. When files need to be decrypted, you can send the backup of the files to this PC. You may then import your recovery keys to the PC and decrypt the files without fear of compromising your keys.

If you do decide to export the encryption keys to transport them to a different PC, the process for doing so is fairly easy. You can import and export certificates through the Certificates snap in for Microsoft Management Console. This snap in also provides you with a way to see which certificates are installed on the machine. Once you’ve loaded the snap in, you must locate the certificate that you want to export. Since a machine can potentially contain hundreds of certificates, the easiest way to locate a specific certificate is to right click on Certificates – Current User within the console and select the Find Certificates command from the resulting context menu. This will allow you to search through the certificates while looking for specific criteria such as a certificate number, or hash number.

When you’ve located the certificate that you need to export, right click on the certificate and select the All Tasks | Export commands from the resulting context menu. Doing so launches a wizard that will help you to export the certificate. The import process is just as easy. Simply select the container within the Certificates snap in that you want to import the certificate into. Right click on the certificate and select the All Tasks | Import command from the resulting context menu. Doing so will launch the certificate import wizard, through which you’ll be able to import the certificate.

Earlier, I discussed the possibility of you needing to change recovery agents. If you need to change the recovery agent before you begin the decryption process, or just want to verify who the recovery agent is, you can do so by opening the Domain Security Policy tool found on the Administrative Tools menu. When you do, you can locate the recovery agent by navigating to Windows Settings | Security Settings | Public Key Policies | Encrypted Data Recovery Agent, as shown in Figure A.




Quote:
You can find the recovery agent through the Domain Security Policy console.

If you need to add another user as the recovery agent, you can do so by selecting the Add command from the Action menu. Doing so will launch the Add Recovery Agent Wizard. Simply follow the wizard’s prompts to designate a new recovery agent. Remember that for this procedure to work, you must have administrative privileges, and the user that you designate must have an EFS Recovery Agent certificate. Published in the Active Directory (assuming that you’re working in a domain environment).

Once you’ve got all of the pieces to the puzzle in place, you can decrypt the encrypted files. There are two ways of doing so. You can use the usual method through Windows Explorer, or you can use the Cipher command. The Cipher command allows you to use a few simple command line switches to verify or change a file or folder’s encryption status.

As you can see, the process of decrypting a file who’s keys have been lost can be a bit complicated, but isn’t impossible.


Tell me if it wrks or i will give u more info
ssthanapati
the encryption process is based on keys. Therefore, the question that you’ll have to ask yourself before you begin the decryption process is “do the keys still exist”? For example, suppose that a key employee encrypted all of their data and then walked off of the job. In such a situation, there’s a good chance that the user’s keys still exist on the hard disk of their PC. If that’s the case, you can simply reset the user’s password, log on as the user from the user’s PC and then decrypt the files.

However, this technique won’t work if the keys are missing. For example, if the user knew the location of the keys and erased them, then logging on as that user wouldn’t do any good. Likewise, suppose that a legitimate user’s hard disk went bad. If this hard disk contained the user’s keys then there’s no easy way of decrypting the users files, even if the files were stored on a different hard disk or on a network partition.

The key to recovering from such a situation is to understand how the encryption process works. Remember that the encryption process is key based. When a user encrypts a file, the file itself is encrypted by using symmetric encryption. As you may know, symmetric key encryption works by using an algorithm to encrypt a file and then providing the user with a separate key that can be used to decrypt the file. However, since anyone who has the key would be able to decrypt the file, the key is also encrypted. Because symmetric encryption requires a key for decryption, Windows 2000 can’t use symmetric key encryption to encrypt the key. Instead, Windows encrypts the key by using the user’s public key, which is derived from the user’s certificate. Since the user’s machine already contains a copy of the public key, the user has no trouble decrypting the symmetric key and then using the symmetric key to decrypt the file.

Although this process makes for good security, the drawback is that unless an administrator is able to decrypt the symmetric key, they won’t be able to decrypt the user’s files. Fortunately, Windows actually makes two different copies of the symmetric key. The first copy, as you know, is encrypted with the user’s public key information. The second copy though is encrypted into a separate file, using the public key of something known as the Recovery Agent.

The Recovery Agent is a mechanism that allows the administrator to recover encrypted files when the user’s keys are lost. If files are encrypted on a stand alone machine, then by default the local Administrator account becomes the designated recovery agent by default. If the machine containing the encrypted files is a part of a domain, then the domain Administrator account becomes the designated recovery agent. You can designate a different user as the recovery agent. There are at least two situations when you might consider making another user the recovery agent. First, if you’re working in an extremely high security environment, then rotating who the recovery agent is will keep hack attempts at bay, since the hacker will have no way of knowing who today’s recovery agent is (unless you follow a pattern).

Another situation in which you’d want to switch recovery agents is if you wanted to encrypt a file while logged in as the Administrator. Remember that if you don’t switch recovery agents and you encrypt a file as the Administrator, then the user keys and the recovery keys can be identical and could seriously compromise your ability to recover the files in a disaster.

So how does the recovery process work? Remember that the recovery process uses the recovery agent’s public key to decrypt the symmetric key, which is in turn used to decrypt the file. Therefore, the trick is to bring the recovery agent’s key and the symmetric key together. Windows 2000 stores each user’s public keys in the user’s personal certificate store. This store is located in the Documents and Settings\<username>\ApplicationData\Microsoft\SystemCertificates\My\Certificates. As you can see by the location within the directory structure, this storage point is a part of each user’s profile. Any time that a user logs on, the certificates that are contained in this location are read into memory and are then copied into the registry for use. If your network uses roaming profiles, then the certificates will follow the user where ever they login.

As you can see, if your network uses a roaming profile, then getting the recovery certificates to the encrypted file is no big trick. To get the ball rolling, the recovery agent can simply log into the machine containing the encrypted files. From that point, they can begin the rest of the recovery process. However, if your network doesn’t use roaming profiles, you’ll have to figure out a way to bring the recovery certificates together with the encrypted files before you can begin the recovery process. There are two ways that you can do this.

The best way to bring the encrypted files together with the recovery certificates is to begin by backing up the encrypted files. Remember that the backup process preserves the files because it doesn’t attempt to decrypt or re-encrypt the file as a part of the process. Once you’ve made a backup of the secure files, send the backup file to the recovery agent via secure E-mail. When the recovery agent receives the E-mail, they can restore the backup file and begin the recovery process. Remember that the designated recovery agent must restore the backup onto an NTFS version 5 partition or the operation won’t work.

Another way to bring the recovery certificates and the encrypted files together is for the recovery agent to physically travel to the computer that contains the encrypted files and then import his or her recovery certificates. However, while this method does work, I don’t recommend using it because of the sensitivity of the recovery keys. You don’t want copies of the recovery keys to exist on end user’s PCs.

Which ever technique you use, the idea is to recover the data, without compromising your recovery keys. Even though the preferred method is to restore the backup of the encrypted files onto your own PC, there will sometimes be situations in which this proves to be impossible because of hardware limitations. If your PC’s hard drive is almost full, or your system simply isn’t up to par, then I recommend buying a PC that you can use solely for the task of recovering encrypted files. You should keep this PC in a secure location such as the server room, so that certificates that it contains won’t be compromised. When files need to be decrypted, you can send the backup of the files to this PC. You may then import your recovery keys to the PC and decrypt the files without fear of compromising your keys.

If you do decide to export the encryption keys to transport them to a different PC, the process for doing so is fairly easy. You can import and export certificates through the Certificates snap in for Microsoft Management Console. This snap in also provides you with a way to see which certificates are installed on the machine. Once you’ve loaded the snap in, you must locate the certificate that you want to export. Since a machine can potentially contain hundreds of certificates, the easiest way to locate a specific certificate is to right click on Certificates – Current User within the console and select the Find Certificates command from the resulting context menu. This will allow you to search through the certificates while looking for specific criteria such as a certificate number, or hash number.

When you’ve located the certificate that you need to export, right click on the certificate and select the All Tasks | Export commands from the resulting context menu. Doing so launches a wizard that will help you to export the certificate. The import process is just as easy. Simply select the container within the Certificates snap in that you want to import the certificate into. Right click on the certificate and select the All Tasks | Import command from the resulting context menu. Doing so will launch the certificate import wizard, through which you’ll be able to import the certificate.

Earlier, I discussed the possibility of you needing to change recovery agents. If you need to change the recovery agent before you begin the decryption process, or just want to verify who the recovery agent is, you can do so by opening the Domain Security Policy tool found on the Administrative Tools menu. When you do, you can locate the recovery agent by navigating to Windows Settings | Security Settings | Public Key Policies | Encrypted Data Recovery Agent, as shown in Figure A.



You can find the recovery agent through the Domain Security Policy console.

If you need to add another user as the recovery agent, you can do so by selecting the Add command from the Action menu. Doing so will launch the Add Recovery Agent Wizard. Simply follow the wizard’s prompts to designate a new recovery agent. Remember that for this procedure to work, you must have administrative privileges, and the user that you designate must have an EFS Recovery Agent certificate. Published in the Active Directory (assuming that you’re working in a domain environment).

Once you’ve got all of the pieces to the puzzle in place, you can decrypt the encrypted files. There are two ways of doing so. You can use the usual method through Windows Explorer, or you can use the Cipher command. The Cipher command allows you to use a few simple command line switches to verify or change a file or folder’s encryption status.

As you can see, the process of decrypting a file who’s keys have been lost can be a bit complicated, but isn’t impossible.

Tell me if it wrks for u otherwise i will post more for u
shamil
ssthanapati wrote:

Tell me if it wrks or i will give u more info

I am not home right now. Will reply u as soon as possible.
ssthanapati
Or u can use the following software also

Heres the link

http://www.ptdd.com/datarecovery/recover-encrypted-file.htm
shamil
ssthanapati wrote:
Tell me if it wrks for u otherwise i will post more for u

It doesn't tell much and doesn't give enough information to do any action. It tells more about a comp in a domain rather than local.

ssthanapati wrote:
If files are encrypted on a stand alone machine, then by default the local Administrator account becomes the designated recovery agent by default.

Local Administrator is not default recovery agent in my comp. Take a look at a quote from http://searchwincomputing.techtarget.com/tip/0,289483,sid68_gci1224652,00.html
Quote:
In Windows 2000, if a user encrypted files while logged in locally to a machine (using a computer account, not a domain account), then the computer administrator was automatically designated as a recovery agent. I have seen Microsoft documentation indicating that machines running XP do not automatically designate a local recovery agent unless those machines were upgraded from Win2k. However, I have not been able to verify this.

Now what do u suggest Question
But Thank you for ur help.
shamil
This problem remains unsolved and will remain so forever.
I have lost my encrypted data. I recommend u to have a default recovery agent on ur computer before u encrypt ur files.
Thank you,
Vrythramax
all of the info given here is true and accurate to the best of my own knowledge......but what if they can't login to even see the "start" button let alone admin privilidges?

Your better off showing the how to delete the password file from a DOS window.

Sheesh.
amineelasry
here is a good software to can do this .. Advanced EFS data recovery .. try it Smile http://www.elcomsoft.com/aefsdr.html
[FuN]goku
im not sure what you mean, like... you had an administrator account, created a limited user, and then deleted the admin account by mistake, and now you cant get admin access? or something like that... if we're both on the right page here, then its really easy to do.

EDIT: after re-reading that i think you mean , you had your documents folder or w/e and it was encrypted and on the other account you cant decrypt it? Tbh... that just reminds me of gpg or w/e its called on linux.

EDIT2: i just realised this is a really old post -.- why do people bother responding to old threads.... god i gotta start checking the first and last date before posting.... im basically giving out useless info lol.
fadirocks
shamil wrote:
TheGeek wrote:
In administrator account do the following:

Start > My Computer > drive you need to regain access to files on
Right Click folder that you can not get into and go to the security tab
go to advanced and check the "replace permission etries on all child..." box
Click the owner tab, make sure your current account is highlighted and check the "replace owner on subcontainers and objects" box
Click "Apply" and then "OK" and it should work.

During that you may see a box or two come up when you hit "Apply" just accept it whatever it says and move on.

That is how you replace owners of files with other owners. Same thing happened to me and I had to have a friend show me how to do this so I could get all my music back.
There is no security tab available after right click on folder. What i have to do then? Repair winxp or anything else? If i install newer one i think that it is guaranteed that i would lose my data.


I think I mentioned this somewhere else but you need to switch back to the good classic PRO features of 2k pro to see that security tab

in any folder, click no Tools --> Folder Options --> View --> (scroll all the way down) uncheck "use simple file sharing" then apply and ok

now when you right click no folder and go to properties, you'll see the security tab!!!

Cheers Very Happy
blueray
Hi,

By default, Windows XP does't have a DRA created if it's standalone
or workgroup.

So, if you haven't created it before using cipher command-line tools
or advanced dialog box to encyped data. You have lost you data.

For Windows 2000 Professional, it is created automatically and is
assigned to administator as DRA. DRA is a cerficate and a pairs of key.
It is private and public key.


You can create a certficate and a pairs of key by using the cipher
command tools with /r:filename

For more information. Open help and support tool on Windows XP
to imports the generated key (private key).

Wish this help.
Aitrusskyy
Yo I'm new here, but I know what this guy is talking about...

Previously mentioned someone told him to go to the security in properties of the folder, then reset the file permissions. This is known as "Taking Ownership of a Folder or File".

The reason you didn't have the security tab is because you must first disable simple file sharing (in xp pro).

Here is how you do it.

Step #1 (you must first do this before taking ownership).

How to turn off simple file sharing
To disable simple file sharing, follow these steps:
1. Click Start, and then click My Computer.
2. On the Tools menu, click Folder Options, and then click the View tab.
3. In the Advanced Settings section, clear the Use simple file sharing (Recommended) check box.
4. Click OK.

Step #2

To take ownership of a folder, follow these steps:

1. Right-click the folder that you want to take ownership of, and then click Properties.
2. Click the Security tab, and then click OK on the Security message (if one appears).
3. Click Advanced, and then click the Owner tab.
4. In the Name list, click your user name, or click Administrator if you are logged in as Administrator, or click the Administrators group. If you want to take ownership of the contents of that folder, select the Replace owner on subcontainers and objects check box.
5. Click OK, and then click Yes when you receive the following message:
You do not have permission to read the contents of directory folder name. Do you want to replace the directory permissions with permissions granting you Full Control?

All permissions will be replaced if you press Yes.
Note folder name is the name of the folder that you want to take ownership of.
6. Click OK, and then reapply the permissions and security settings that you want for the folder and its contents.

************

That should be what you need. I found this when I had formatted my computer on a second partition, installed an os, and it got messed up because I made a small mistake. In any case, when I got everything reinstalled, accessing my old documents from my previous OS and USER wouldnt work due to encryption. This is the way to fix it...

Here is the source.

http://support.microsoft.com/kb/308421
Reply to topic    Frihost Forum Index -> Computers -> Operating Systems

FRIHOST HOME | FAQ | TOS | ABOUT US | CONTACT US | SITE MAP
© 2005-2007 Frihost, forums powered by phpBB.