WinXP Encryption and System Recovery - Techist - Tech Forum

Post #1, 11-09-2006, 10:34 PM
Newb Techie
Join Date: Nov 2006
Posts: 2
WinXP Encryption and System Recovery

I think I just learned a lesson the hard way. On my WinXP MCE PC I have some encrypted files. I made copies of the (encrypted) files on my second data drive, but I wasn't smart enough to back up any encryption keys.

The system disc died (reported bad boot sector), so I bought a new disc and ran Windows recovery to get the system running. Then I connected the damaged drive as a slave and ran a data recovery tool (R-Studio) to copy as much data as possible from the damaged drive to the data drive before proceeding further.

Assuming my data recovery is able to scrape up the necessary files (registry, user files, etc.) is there any way I can copy the user profile back to the functioning system and decrypt those files on the undamaged drive? Or is my only option to try and repair the damaged drive and try to make it boot again?

I didn't export any certificates or set up any other agents, so I'm guessing if there is a solution it will involve some file hacking.

Thanks for your help.

Posted by emajor

Post #2, 11-10-2006, 12:22 AM
True Techie
Join Date: Jan 2006
Posts: 105

HAHA, sorry, my bad.
Try to get it copied, otherwise you're stuffed.
If you can take it to a computer it, then you might be in luck.
But, yeah, nothing else.

THOUGH you can pay hundreds of dollars to get it repaired and recovered

Posted by schultzy

Post #3, 11-10-2006, 12:48 AM
Master Techie
Join Date: Feb 2004
Posts: 2,172

If the EFS certificate/private key was not exported you can kiss that data goodbye. I hear even third-party software has trouble getting past EFS. If you can recover the profile from the dead drive that encrypted these files you "might" be able to export the key out of it.

Posted by Win2kpatcher

Post #4, 11-21-2006, 04:42 PM
Newb Techie
Join Date: Nov 2006
Posts: 2

Thanks for the information Win2kpatcher and schultzy. As you predicted it hasn't been easy to decrypt those files. So far I have figured out (and correct me if I'm wrong) that decryption would require a few things:

1. Set up a user account having the same user name and password as the original account. This may not be 100% necessary, but it seemed like a logical step.

2. Copy the user profile files from the original user directory under Documents and Settings to the new system. I do have these files, so that part's easy.

3. Duplicate the machine SID from the original Windows installation. This took a little more time, but I successfully changed the machine SID of the new Windows installation to look like the old one. Fortunately the old machine SID was recorded in the user profile directory, and free tools are available to make the task easier (it sure beats tweaking the registry by hand).

4. Change the user SID of the new account to be the same as the original one. This has proven to be a bit more difficult since (according to MS) there's no way to change the user SID of an account, and there's no way to specify a user SID when the account is created. I know the SID number I need, but it's lower than the numbers Windows is generating, so I haven't figured this out yet.

So, step #4 is what I haven't figured out yet. My question is this: if I do succeed in changing the user SID back to the original one will this work? Will I be able to decrypt my files? Is there more to it than just copying the user key files and matching the machine SID, user SID, and user password?

I've also considered just replacing all five registry hive files with the old ones I recovered from the crashed drive. I'd probably have to do this from a recovery console since I doubt Windows will allow me to overwrite active registry files, but it seems to me like it might work since the new OS was installed from the recovery disc of the old one. Once I decrypt the files I could just re-install the entire operating system to make the registry clean again.

Any ideas or opinions -- other than "don't EVER use MS encryption"?
Posted by emajor
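The backup emajor says was never made (post #1) is the one thing that would have made the recovery in post #4 unnecessary. As an added example, not code from anyone in this thread, this PowerShell script locates the current user's EFS certificates and exports each one, with its private key, to a password-protected PFX file; it assumes a PowerShell with the Cert: drive, and the output folder name is an arbitrary choice. On XP SP2 and later the built-in `cipher /x` does the same job interactively.

```powershell
# Added example: back up the current user's EFS certificate(s) and private key(s) as PFX files.
# Assumes PowerShell with the Cert: provider; $OutDir is an arbitrary, constructed location.
param([string]$OutDir = "$env:USERPROFILE\EFS-backup")

$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for "Encrypting File System"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX files'

# Only certificates carrying the EFS EKU are relevant; other personal certs are left alone.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsOid } }

if (-not $efsCerts) {
    Write-Warning 'No EFS certificate in the user store: either nothing was ever encrypted or the profile is the wrong one.'
    return
}

foreach ($cert in $efsCerts) {
    if (-not $cert.HasPrivateKey) {
        # A cert without its private key cannot decrypt anything; exporting it would give a false sense of safety.
        Write-Warning "Certificate $($cert.Thumbprint) has no private key in this profile; skipping."
        continue
    }
    $path = Join-Path $OutDir "efs-$($cert.Thumbprint).pfx"
    try {
        # PKCS#12 export keeps the private key; the password encrypts the container.
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
        [System.IO.File]::WriteAllBytes($path, $bytes)
        Write-Output "Exported '$($cert.Subject)' (valid until $($cert.NotAfter)) to $path"
    } catch {
        # Typical cause: the key was generated as non-exportable, in which case only a recovery agent can help.
        Write-Warning "Export failed for $($cert.Thumbprint): $($_.Exception.Message)"
    }
}
```

Copy the resulting PFX files to media that will not die with the system disk; a PFX left in the same profile is lost together with the profile.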