Windows EFS - Recovery

By Awesome80s ·
Here's the scenario -

Windows Server 2003 hard disk has become corrupt and unbootable. Also attached was a secondary hard drive for data.

I have slaved the secondary hard drive over to a Windows 2000 workstation utilizing NTFS, as well. I can copy almost all of the files locally, except for my encrypted files...makes sense, because I don't have my EFS certificate.

Any chance I can slave over the primary 2003 drive to my 2000 machine and recover a certificate? I don't believe a cert was ever 'exported', but I would hope there is a way to access this privy information to create one. If so, where do I locate and how do I restore?


This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

If the Encryption Key wasn't Backed up

by OH Smeg Moderator In reply to Windows EFS - Recovery

You are stuffed good and properly.

But to move the Files you'll need to Take Ownership of them. That will then allow you to move them off the Data Drive elsewhere

If you had XP I would point you here to Mount the Recovery Agent

From memory the steps for XP and 2003 are the same.

But if the Recovery Agent was never backed up you are Well and Truly Stuffed you should not expect to ever see the contents of those Files ever again. But if they are important Files your only real option is to Pack up the Drive that they are on and send it to a Specialist Data Recovery Company who is willing to have a go at removing the encryption. It's not going to be cheap though.


Collapse -


by Awesome80s In reply to If the Encryption Key was ...

Here's the part that may have not come across correctly. The original drive/OS that created the EFS key and Recovery Agent is still may not boot correctly, but I can gain access to all of the files. The encrypted key must still be on this drive, right? I have the user name/password to logon, as well, if I recreate the install elsewhere.

Can I backup the key if I gain entry to:
%User Profile%\Application Data\Microsoft\Crypto\RSA\User SID?

Collapse -

Some Light Reading for you here from M$ Knowledge Base

by OH Smeg Moderator In reply to But...

How to Backup the Recovery Agent

How to add an EFS Recovery Agent in XP

The Help Files in the OS that created the EFS System also will be able to tell you what should have been done when EFS was first Implemented. If these Recommendations where not followed you can not expect the Data to be recoverable.

As for having access to the Loaded Drive that created the Encryption Key this is only of any use if the OS will boot. Doing most things to repair the Installed OS will cripple the EFS System and render the Key Unusable or recoverable.

Sorry but this is all covered in the warning that the client is given when they first enable the EFS System. If they chose to ignore this advice they do so at their own peril and they will most certainly loose their Data.

The only thing that may be of use here is the Backup's of the Data if this was done without the Data Being Encrypted you've got it but if it was encrypted forget it all as you will not get anywhere and it will be extremely Painful attempting to.

Or you could use the advice that one M$ Technical Rep gave to someone who ignored all of the warnings and then complained that they had lost their Data. Well just the ability to read it as they messed up the Encryption System without any Backups and they demanded that M$ give them a solution to breaking the Encryption.

They where told to find a Friendly Cracker and hand over all of their Data to them. The reality though is that they had about as much chance of seeing their Data in a readable form again by doing that as they did from attempting to recover it. When the person that they gave it to would have sold it on after they Cracked the Encryption to their competition.

If you have the Original Drive that isn't booting pas this onto the Data Recovery House it should make the Recovery Cheaper maybe. If you attempt to repair the OS you will most likely trash the EFS System and render the Data Unreadable forever.


Collapse -

Message has been deleted.

by artiomjar In reply to Some Light Reading for yo ...
Collapse -

Zombie alert!!!

by TobiF In reply to Message has been deleted.

Zombie alert!!!

Collapse -

Oh, but the zombie brought tasty spam!

by seanferd In reply to Zombie alert!!!

Mmm. DELicious.

Collapse -

Ancient Post, but am I allowed . . .

by Who Am I Really In reply to Oh, but the zombie brough ...

to answer it anyway
just in case someone searches for this?

because I do have a possible solution for that problem
that worked for me when I stupidly enabled EFS

Collapse -

Yes I know

by OH Smeg Moderator In reply to Oh, but the zombie brough ...

Coffee works a treat.

But not to many people are allowed to get coffee.


Related Discussions

Related Forums