WinXP Encryption and System Recovery


emajor (Beta member, 2 messages)
I think I just learned a lesson the hard way. On my WinXP MCE PC I have some encrypted files. I made copies of the (encrypted) files on my second data drive, but I wasn't smart enough to back up any encryption keys.

The system disc died (reported bad boot sector), so I bought a new disc and ran Windows recovery to get the system running. Then I connected the damaged drive as a slave and ran a data recovery tool (R-Studio) to copy as much data as possible from the damaged drive to the data drive before proceeding further.

Assuming my data recovery is able to scrape up the necessary files (registry, user files, etc.) is there any way I can copy the user profile back to the functioning system and decrypt those files on the undamaged drive? Or is my only option to try and repair the damaged drive and try to make it boot again?

I didn't export any certificates or set up any other agents, so I'm guessing if there is a solution it will involve some file hacking.

Thanks for your help.
 
HAHA, sorry, my bad
try to get it copied, otherwise you're stuffed
if you can take it to a computer, then you might be in luck
but, yeah, nothing else


THOUGH you can pay hundreds of dollars to get it repaired and recovered
 
If the EFS certificate/private key was not exported you can kiss that data goodbye. I hear even 3rd party software has trouble getting past EFS. If you can recover the profile from the dead drive that encrypted these files you "might" be able to export the key out of it.
 
Thanks for the information Win2kpatcher and schultzy. As you predicted it hasn't been easy to decrypt those files. So far I have figured out (and correct me if I'm wrong) that decryption would require a few things:

1. Set up a user account having the same user name and password as the original account. This may not be 100% necessary, but it seemed like a logical step.

2. Copy the user profile files from the original user directory under Documents and Settings to the new system. I do have these files, so that part's easy.

3. Duplicate the machine SID from the original Windows installation. This took a little more time, but I successfully changed the machine SID of the new Windows installation to look like the old one. Fortunately the old machine SID was recorded in the user profile directory, and free tools are available to make the task easier (it sure beats tweaking the registry by hand).

4. Change the user SID of the new account to be the same as the original one. This has proven to be a bit more difficult since (according to MS) there's no way to change the user SID of an account, and there's no way to specify a user SID when the account is created. I know the SID number I need, but it's lower than the numbers Windows is generating, so I haven't figured this out yet.

So, step #4 is what I haven't figured out yet. My question is this: if I do succeed in changing the user SID back to the original one will this work? Will I be able to decrypt my files? Is there more to it than just copying the user key files and matching the machine SID, user SID, and user password?

I've also considered just replacing all five registry hive files with the old ones I recovered from the crashed drive. I'd probably have to do this from a recovery console since I doubt Windows will allow me to overwrite active registry files, but it seems to me like it might work since the new OS was installed from the recovery disc of the old one. Once I decrypt the files I could just re-install the entire operating system to make the registry clean again.

Any ideas or opinions -- other than "don't EVER use MS encryption"?
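The lesson the whole thread turns on is that EFS data is unreadable without the user's certificate and private key, and rebuilding SIDs after the fact is a long shot. As an added example (not from any post above), here is a batch script that backs those keys up while the original system still boots; it assumes Windows XP SP2 or later (cipher /x arrived in SP2), a writable folder C:\EFS-Backup on a drive other than the system disk, and that certutil is present (the findstr check on the EFS EKU OID is my assumption about its verbose output):

```batch
@echo off
REM Added example: back up the current user's EFS certificate and private key.
REM Assumes XP SP2+ and that C:\EFS-Backup is NOT on the system disk.
setlocal
set BACKUPDIR=C:\EFS-Backup
set BACKUPFILE=%BACKUPDIR%\efs-keys-%COMPUTERNAME%-%USERNAME%

if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"

REM 1. List every encrypted file on local drives so you know what is at risk.
REM    /u touches all encrypted files; /n stops it from updating keys (list only).
cipher /u /n

REM 2. Confirm the user store holds an EFS certificate at all.
REM    1.3.6.1.4.1.311.10.3.4 is the EFS enhanced-key-usage OID (assumption:
REM    certutil -v prints it in the extension dump).
certutil -v -user -store My | findstr /c:"1.3.6.1.4.1.311.10.3.4" >nul
if errorlevel 1 (
  echo No EFS certificate found in the current user's store.
  exit /b 1
)

REM 3. Export certificate + private key to a password-protected .pfx.
REM    cipher prompts for the .pfx password interactively.
cipher /x:"%BACKUPFILE%"

REM 4. Verify the file was actually written before trusting the backup.
if exist "%BACKUPFILE%.pfx" (
  echo Backup written to %BACKUPFILE%.pfx
  echo Copy it to removable media or another machine now; a copy on this
  echo computer dies with the disk, exactly as happened in this thread.
) else (
  echo %BACKUPFILE%.pfx was not created; the keys are still unbacked-up.
  exit /b 1
)
endlocal
```

Restoring on a rebuilt system is then a matter of importing the .pfx into the new user's personal certificate store, which needs only the .pfx password, not the old SIDs.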
 