Midtown Computer Systems Enterprise

Windows 2000 Security microsoft.public.win2000.security

  #1  
Old 03-22-05, 07:12 AM
kgstrong
Cannot get EFS recovery agent function to work!

I'm new to Windows 2000, running Win2k Pro on a stand-alone machine. I
encrypted some files before I knew anything about EFS - now a program
that uses some of the files cannot access them. The files were encrypted
under my "power user" account. The certificate that Win2k used to
encrypt them is enabled for "All Purposes" including Encrypted File
System, and File Recovery. As Administrator, I cannot import this
certificate for the Recovery Agent - says it is not enabled for file
recovery.

My Recovery Agent certificate (issued by Administrator to Administrator)
has a different thumbprint and is for File Recovery only.

Does EFS recovery agent's certificate thumbprint have to match the
certificate the files were encrypted with in order to recover these files?

Ken
  #2  
Old 03-22-05, 07:13 PM
David Cross [MS]
Re: Cannot get EFS recovery agent function to work!
Yes. For more info:
http://www.microsoft.com/technet/pro...y/cryptfs.mspx


--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.


Top Whitepapers:

Auto-enrollment whitepaper:
http://www.microsoft.com/technet/pro.../autoenro.mspx

Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/pro.../ws3pkibp.mspx

Troubleshooting Certificate Status and Revocation whitepaper:
http://www.microsoft.com/technet/sec...o/tshtcrl.mspx

Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/pro...webenroll.mspx
"kgstrong" <kgstrong@hotmail.com> wrote in message
news:OnbX28sLFHA.2988@TK2MSFTNGP14.phx.gbl...
>
> I'm new to Windows 2000, running Win2k Pro on a stand-alone machine. I
> encrypted some files before I knew anything about EFS - now a program that
> uses some of the files cannot access them. The files were encrypted under
> my "power user" account. The certificate that Win2k used to encrypt them
> is enabled for "All Purposes" including Encrypted File System, and File
> Recovery. As Administrator, I cannot import this certificate for the
> Recovery Agent - says it is not enabled for file recovery.
>
> My Recovery Agent certificate (issued by Administrator to Administrator,
> has a different thumbprint and is for File Recovery only.
>
> Does EFS recovery agent's certificate thumbprint have to match the
> certificate the files were encrypted with in order to recover these files?
>
> Ken



  #3  
Old 03-22-05, 07:13 PM
Steven L Umbach
Re: Cannot get EFS recovery agent function to work!
Yes, the thumbprints need to match for either the user or Recovery Agent. If
you have a stand-alone computer and the RA is the built-in administrator
account [which it would be by default] then log on as that account and try to
decrypt the files. The utility efsinfo can display information on the
recovery agent. You can use the Certificates MMC snap-in for the user to view
certificate information, and the certificate will need to show that it has
the matching private key for the certificate. If you reinstalled the
operating system [other than an upgrade install] at some point, the original
user and RA certificate/private key would have been destroyed. The EFS
certificate and private key for a user/RA are stored in the user's/RA's
profile folder. --- Steve

http://support.microsoft.com/default...b;EN-US;223316 --- EFS best
practices

"kgstrong" <kgstrong@hotmail.com> wrote in message
news:OnbX28sLFHA.2988@TK2MSFTNGP14.phx.gbl...
>
> I'm new to Windows 2000, running Win2k Pro on a stand-alone machine. I
> encrypted some files before I knew anything about EFS - now a program that
> uses some of the files cannot access them. The files were encrypted under
> my "power user" account. The certificate that Win2k used to encrypt them
> is enabled for "All Purposes" including Encrypted File System, and File
> Recovery. As Administrator, I cannot import this certificate for the
> Recovery Agent - says it is not enabled for file recovery.
>
> My Recovery Agent certificate (issued by Administrator to Administrator,
> has a different thumbprint and is for File Recovery only.
>
> Does EFS recovery agent's certificate thumbprint have to match the
> certificate the files were encrypted with in order to recover these files?
>
> Ken



  #4  
Old 03-26-05, 07:13 PM
kgstrong
Re: Cannot get EFS recovery agent function to work!
I did reinstall Win2k from scratch a while back; then restored the rest
of my files from a backup. The certificate that the files were
encrypted with no longer exists on my system.

However, I was able to decrypt the files using a program called Advanced
EFS Data Recovery ($99) from elcomsoft.com. All-in-all an expensive
lesson in what NOT to do.

Thanks for the help.
Ken Strong


Steven L Umbach wrote:
> Yes the thumbprints need to match for either the user or Recovery Agent. If
> you have a stand alone computer and the RA is the built in administrator
> account [which it would be by default] then logon as that account and try to
> decrypt the files. The utility efsinfo can display information on the
> recovery agent. You can use the certificates mmc snapin for user to view
> certificate information and the certificate will need to show that it has
> the matching private key for the certificate. If you reinstalled the
> operating system [other than an upgrade install] at some point the original
> user and RA certificate/private key would have been destroyed. The EFS
> certificate and private key for a user/RA are stored in the user's/RA's
> profile folder. --- Steve
>
> http://support.microsoft.com/default...b;EN-US;223316 --- EFS best
> practices
>
> "kgstrong" <kgstrong@hotmail.com> wrote in message
> news:OnbX28sLFHA.2988@TK2MSFTNGP14.phx.gbl...
>
>
>
>

  #5  
Old 03-31-05, 10:12 PM
Steven L Umbach
Re: Cannot get EFS recovery agent function to work!
Glad you got it to work but the EFS private key that was used to encrypt the
files must have been available - possibly from a restore of the user's
profile from a backup?? --- Steve


"kgstrong" <kgstrong@hotmail.com> wrote in message
news:OR2jjGmMFHA.3336@TK2MSFTNGP09.phx.gbl...
>I did reinstall Win2k from scratch a while back; then restored the rest of
>my files from a backup. The certificate that the files were encrypted with
>no longer exists on my system.
>
> However, I was able to decrypt the files using a program called Advanced
> EFS Data Recovery ($99) from elcomsoft.com. All-in-all an expensive
> lesson in what NOT to do.
>
> Thanks for the help.
> Ken Strong
>
>
> Steven L Umbach wrote:

  #6  
Old 04-12-05, 07:08 PM
cuppachino
Re: Re: Cannot get EFS recovery agent function to work!
Can someone please confirm that as long as I know the password for the user account which encrypted the files, I will be able to decrypt them?

I have lost the user profile (temp files, application data, local settings, etc.) but I have NOT forgotten the password, and I'm able to log in. However, I'm now unable to decrypt the EFS data files.

Any suggestions will be appreciated.
  #7  
Old 04-13-05, 02:13 AM
Steven L Umbach
Re: Cannot get EFS recovery agent function to work!
The user profile is where the EFS private key is stored and thus your EFS
private key is gone. If you have backed up the EFS private key to a .pfx file
then you could try to import it back into the user profile while logged on
as that user and try to decrypt the files. For Windows 2000 a Recovery Agent
is required which would be the built in administrator account for a non
domain computer and possibly "the" domain administrator account for the
domain. The Efsinfo utility will show if and who the RA is for an EFS file
and thumbprint info. --- Steve


"cuppachino" <cuppachino.1neeu2@mail.mcse.ms> wrote in message
news:cuppachino.1neeu2@mail.mcse.ms...
>
> Can someone please confirm that as long as I know the password for the
> user account which encrypted the files, I will be able decrypt them?
>
> I have lost the user profile (temp files, application data, local
> settings, etc.) but I have NOT forgotten the password, and I'm able to
> log in. However, I'm now unable to decrypt the EFS data files.
>
> Any suggestions will be appreciated.
>
>
>
> --
> cuppachino
> ------------------------------------------------------------------------
> Posted via http://www.mcse.ms
> ------------------------------------------------------------------------
> View this thread: http://www.mcse.ms/message1504209.html
>
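
The matching rule from the replies above, as an added example (not from the thread and not the output of any Microsoft tool): a thumbprint is the SHA-1 hash of one specific certificate, so a certificate issued again after a reinstall never matches the one recorded on the file, and a match only helps when the private key comes with it. The certificate bytes, labels and function names are constructed for illustration.

```python
import hashlib
import re

def thumbprint(der_cert: bytes) -> str:
    """A certificate thumbprint is the SHA-1 hash of its DER encoding."""
    return hashlib.sha1(der_cert).hexdigest().upper()

def normalize(text: str) -> str:
    """Drop spaces/colons so thumbprints copied from different tools compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()

def match_keys(file_entries, candidates):
    """file_entries: {role: thumbprint text recorded on the encrypted file}.
    candidates: [(label, der_bytes, has_private_key)] from profiles and backups.
    Returns {role: (matching label or None, can_decrypt)}."""
    by_tp = {}
    for label, der, has_key in candidates:
        tp = thumbprint(der)
        if has_key or tp not in by_tp:  # prefer a copy that carries the private key
            by_tp[tp] = (label, has_key)
    return {role: by_tp.get(normalize(text), (None, False))
            for role, text in file_entries.items()}

# Constructed stand-ins for DER certificate bytes (not real certificates).
OLD_USER = b"constructed: user EFS cert issued before the reinstall"
NEW_USER = b"constructed: user EFS cert issued after the reinstall"
OLD_RA = b"constructed: Administrator File Recovery cert before the reinstall"
NEW_RA = b"constructed: Administrator File Recovery cert after the reinstall"

def spaced(tp: str) -> str:
    """One possible display format (constructed): lowercase 4-character groups."""
    return " ".join(tp[i:i + 4] for i in range(0, len(tp), 4)).lower()

# What the encrypted file records: the certs that existed when it was encrypted.
FILE_ENTRIES = {"user": spaced(thumbprint(OLD_USER)),
                "recovery agent": spaced(thumbprint(OLD_RA))}

# Same account names and passwords after a clean install, but new certificates.
AFTER_REINSTALL = [("current user profile", NEW_USER, True),
                   ("current Administrator profile", NEW_RA, True),
                   ("old user .cer export", OLD_USER, False)]
WITH_PFX_BACKUP = AFTER_REINSTALL + [("old user .pfx backup", OLD_USER, True)]

if __name__ == "__main__":
    for name, cands in (("after reinstall", AFTER_REINSTALL),
                        ("with .pfx backup", WITH_PFX_BACKUP)):
        print(name, match_keys(FILE_ENTRIES, cands))
```

A `.cer` export identifies which key is needed but cannot decrypt; only the `.pfx` backup of the original certificate, which includes the private key, turns the match into a usable one.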



  #8  
Old 04-14-05, 12:27 AM
cuppachino
Re: Re: Cannot get EFS recovery agent function to work!
Steven,

Thanks for the response. A couple follow up questions...

So once the private key is gone, it's not possible to log in using known credentials and regenerate the same private key?

The system belongs to a SBS 2003 domain, however the user account in question was a local user account. Does that rule out the recovery agent possibility?

Thanks!
 

