Solved

Newly Unaccessable Encrypted files in XP pro.

Posted on 2003-10-28
16
2,191 Views
Last Modified: 2010-04-11
I have some files that were encrypted using the standard (EFS) XP pro encryption.  After installing one of MS's massive security patches (5 actually)  I can not access the files.  I think all of the key files etc are intact, (as is are my profiles) but I can't do anything with the files.  Some other programs have had strange quirks dealing with profiles since that security update.  Is there some way I can manualy tell Windows where to look for the keys which seem to be ok?

Reading over some of the other similar questions, the thing that seems different is that I THINK I have all of the profile information.  I just can't do anything with the files!

Help.
0
Comment
Question by:Reedber
  • 8
  • 8
16 Comments
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Assuming you're the administrator: You might want to try to take ownership on the files, and afterwards, give yourself permissions (at least read) to those files. After you've done this, you should be able to open the files again.

LucF
0
 

Author Comment

by:Reedber
Comment Utility
I have done that, but unfortunately, it does not let me unencrypt the files, because only the profile that encrypted the files has the keys to unencrypt them.  

And although I HAVE the keys, there is something amiss in the operating system that is telling Windows that I don't.  A registry problem perhaps?

However ownership does let me delete the files...
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
> because only the profile that encrypted the files has the keys to unencrypt them.  
Not completely true, the administrator should have the same permissions after taking ownership and getting permissions. So I think you have another problem.
try SFC from command prompt (keep your winXP cd nearby in case you'll need it)

LucF
0
 

Author Comment

by:Reedber
Comment Utility
If all the admin profiles could unencrypt another profile's files, then it wouldn't really be encrypted!  :)  The only way I think another profile can unencrypt another user's encrypted files is if the file is shared with them (which I can't do (error 5)) or if that other user is a Data Recovery Agent which is what I'm about to try next, though it doesn't really solve my problem as to why I suddenly need to be doing all of this when everything should be working just fine... :(

?  SFC might be a good idea though...
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
> If all the admin profiles could unencrypt another profile's files, then it wouldn't really be encrypted!
Only the highest administrator in a domain should be able to do this. This is automatically done to prevent data-loss for a company in case a person leaves the company.

LucF
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
> or if that other user is a Data Recovery Agent
The highest administrator in the domain is by default a Data Recovery Agent
0
 

Author Comment

by:Reedber
Comment Utility
>The highest administrator in the domain is by default a Data Recovery Agent

Not in XP Pro.  They changed that for security reasons.  Now the default is to have no DAR.  Unfortunately for me.
0
 

Author Comment

by:Reedber
Comment Utility
Here is MS's description of the XP Pro versus Win2000 settings for DAR...  It's almost the opposite.

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/reskit/prnb_efs_ayqu.asp
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 

Author Comment

by:Reedber
Comment Utility
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Ok, I'm sorry, I'm a win2k guy, so I didn't know they changed that in winXP (wich I don't use, not at home and not at my work) ThanQ for this information

So you already gave the answer (I think) yourself, create a DRA.

> though it doesn't really solve my problem as to why I suddenly need to be doing all of this when everything should be working just fine...
Something must have gone wrong with the security updates, have you tried looking at the specs on those security updates if they note anything on encrypted files?

LucF
0
 

Author Comment

by:Reedber
Comment Utility
UPDATE:

I just created a DRA, and still can not access those files that were created with the busted key.  I can access other encrypted files created AFTER the update both with the profile AND with the new DRA... AARGGHHH!!!

I can see that I have multiple key files for that profile (which I shouldn't), I just don't know how to USE them!
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Maybe an idea, not sure, have you tried uninstalling those security patches?

> I can see that I have multiple key files for that profile
Never seen that happen, I personnaly never needed a DRA, is there no way you can change the priority of those keys?

I have to say I'm really out of ideas at the moment.

LucF
0
 
LVL 32

Accepted Solution

by:
Luc Franken earned 125 total points
Comment Utility
I may have found something for you (after a long while)

Advanced EFS Data Recovery 1.30

Is a program to recover/decrypt files encrypted on NTFS (EFS) partitions created in Windows 2000 and Windows XP.
Files are being decrypted even in a case when the system is not bootable and so you cannot log on,
and/or some encryption keys have been tampered. AEFSDR effectively decrypts the files protected under
Windows XP (including Service Pack 1) and all versions of Windows 2000 (including Service Packs 1/2/3/4).
http://www.softempire.com/advanced-efs-data-recovery.html

Hope you didn't format the drive yet...

LucF
0
 

Author Comment

by:Reedber
Comment Utility
Thanks for the information.  It kind of makes it pointless to USE the encryption if you can just buy some off-the-shelf software to break it.  

But anyway, I did a system roll back to the day before I installed all the MS Security patches, and VOILA, all my files were readable.  I copied them, rolled forward, and now I never use MS's encryption and I don't recommend anyone else does either.  What a nightmare.  

-R
0
 

Author Comment

by:Reedber
Comment Utility
Yes, the real problem is MS, and I'm afraid that's unfixable.  

But I am giving you the points because that program would have worked!  (And besides, who else am I going to give them too!  :)

Thanks for sticking in there LucF!
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
>>It kind of makes it pointless to USE the encryption if you can just buy some off-the-shelf software to break it.<<
I also never thought I would be able to find something like that...

At least I'm glad you solved your problem (how can a stupid Security Patch cause so much problems???)

>>Thanks for sticking in there
You're welcome, I don't like keeping questions open.

Take care,

LucF
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now