Restoring EFS and Passwords

  • Thread starter: jwgoerlich@gmail.com
I am working with a single Windows Server 2003 computer. It is not
part of an Active Directory domain. EFS is enabled and a couple users
are encrypting their files. Full backups with system state are
performed regularly using the default Windows Backup utility.

About a week ago, a user forgot their password. The administrator
reset it and, thus, locked them out of their EFS encrypted files. All
attempts by the user and the administrator to open the files result
in the "Access is denied" dialog box.

My job is to find a way for the user to open them. I did restore
system state and the encrypted files from a backup made a couple weeks
before. The user, whose memory has returned, logged in with their last
password. They still cannot decrypt the files, however.

What do I need to restore in order for this user to decrypt their
files?

J Wolfgang Goerlich
 
My two cents...

People who encrypt files should learn how to export their personal
encryption key and keep it in a safe place, off the system - just for the
reasons you've outlined alone below. IIRC - if he had his personal EFS key
he could put the key back into trusted certificates, take ownership of the
files, and be able to decrypt them.

 
Hi Wolfgang,

That they could not gain access after the restore (did you
restore their profile and system state and the encrypted files
or just system state and the encrypted files?) at first seemed
surprising to me.
When you restored system state it reverted their account
to their old password, but DPAPI would still be set to
use the new password as their profile had been touched
after the password was forgotten and reset. So perhaps
restoring their profile is needed so that they can get at
the stored key via the (system state) restored account pwd.
At least that is my thinking. Including restore of the
EFS encrypted files was a good idea as they may have
been altered in the attempts but probably not.

Roger

 
PS
At least in XP, after remembering the password all one needs
to do is reset (not set with new+old) the password back.
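
The password dependence discussed in the two replies above (reset versus change, and resetting back to the old password), shown as a simplified model. This is an added example, not part of any poster's message and not the real DPAPI blob format or algorithms; the `Account` class, the PBKDF2 derivation and the toy wrap routine are assumptions made for illustration.

```python
import hashlib, hmac, os

def derive_kek(password: str, salt: bytes) -> bytes:
    # Key-encryption key from the logon password (PBKDF2 chosen for the model).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _stream(kek: bytes) -> bytes:
    return hmac.new(kek, b"stream", hashlib.sha256).digest()

def _tag(kek: bytes, ct: bytes) -> bytes:
    return hmac.new(kek, b"tag" + ct, hashlib.sha256).digest()

def wrap(kek: bytes, secret: bytes) -> bytes:
    # Toy encrypt-then-MAC for a 32-byte secret; stands in for the real blob.
    ct = bytes(a ^ b for a, b in zip(secret, _stream(kek)))
    return ct + _tag(kek, ct)

def unwrap(kek: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(kek, ct)):
        raise PermissionError("Access is denied")  # wrong password-derived key
    return bytes(a ^ b for a, b in zip(ct, _stream(kek)))

class Account:
    """Hypothetical local account: password in the account database,
    wrapped key blob in the user profile."""
    def __init__(self, password: str, secret: bytes):
        self.password, self.salt = password, os.urandom(16)
        self.blob = wrap(derive_kek(password, self.salt), secret)

    def efs_key(self) -> bytes:
        # Logged-on user: unwrap with whatever the current password is.
        return unwrap(derive_kek(self.password, self.salt), self.blob)

    def user_change(self, old: str, new: str) -> None:
        # Old password supplied, so the blob can be re-wrapped under the new one.
        key = unwrap(derive_kek(old, self.salt), self.blob)
        self.blob = wrap(derive_kek(new, self.salt), key)
        self.password = new

    def admin_reset(self, new: str) -> None:
        # Old password unknown: only the account changes, the blob does not.
        self.password = new

def can_decrypt(acct: Account) -> bool:
    try:
        acct.efs_key()
        return True
    except PermissionError:
        return False
```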

 
If the machine is NOT a domain-member, then the local Administrator account
should have a copy of the key. Try logging-on as Administrator and see if you
can access the files.

If anyone is thinking of using EFS, then I would first of all ask them to
consider if they have an actual need for it. Basically, if you're not with
the CIA, KGB -Or NID, then...
 
"Ian" <Ian@discussions.microsoft.com> wrote in message
news:5BF37EB8-4D3D-4DFE-BE0C-50D4BEA59197@microsoft.com...
> If the machine is NOT a domain-member, then the local Administrator account
> should have a copy of the key. Try logging-on as Administrator and see if you
> can access the files.
>
> If anyone is thinking of using EFS, then I would first of all ask them to
> consider if they have an actual need for it. Basically, if you're not with
> the CIA, KGB -Or NID, then...
>


Hi Ian,

In a standalone the built-in Administrator, however renamed, does not
have copies of the users' EFS keys. In Windows 2000 this account was
by default configured to be the default recovery agent (DRA), and as
such its EFS credentials were used when the file was encrypted in
addition to use of the saving user's. Starting with Windows XP there
is no automatically configured DRA, so one would exist on a standalone
machine only if it had been manually configured.

Roger
 
You could try the following software.

http://www.elcomsoft.com/aefsdr.html

Download the trial. It will only decrypt the first part of a file but it is
enough to know if it will work. If it does, pay for the full version and
decrypt the files. As the rest of the replies suggest, you should read up on
EFS before continuing its use.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca


 
That's the ticket! I restored the user's profile and system state,
then had the user change their password. The EFS-encrypted files were
then accessible. I owe you one, Roger.

Thank you very much,

J Wolfgang Goerlich

On Jul 13, 6:16 pm, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
> Hi Wolfgang,
>
> That they could not gain access after the restore (did you
> restore their profile and system state and the encrypted files
> or just system state and the encrypted files?) at first seemed
> surprising to me.
> When you restored system state it reverted their account
> to their old password, but DPAPI would still be set to
> use the new password as their profile had been touched
> after the password was forgotten and reset. So perhaps
> restoring their profile is needed so that they can get at
> the stored key via the (system state) restored account pwd.
> At least that is my thinking. Including restore of the
> EFS encrypted files was a good idea as they may have
> been altered in the attempts but probably not.
>
> Roger
 
<jwgoerlich@gmail.com> wrote in message
news:1184787551.871572.4210@g12g2000prg.googlegroups.com...
> That's the ticket! I restored the user's profile and system state,
> then had the user change their password. The EFS-encrypted files were
> then accessible. I owe you one, Roger.
>
> Thank you very much,
>


I am glad it worked. I am also not too sure as to why
the profile no longer had the old cert/key available in
an accessible way once the password was reset to the
prior value however.

Roger
