
How do I recover and employ deleted EFS certificates to decrypt a directory on my local drive D:?

gbulger asked
Medium Priority
Last Modified: 2012-05-06
I am trying to recover erased Vista EFS certificates. The customer lost his keys and no disk writing has occurred after the loss (erased?). Standard data recovery tools should bring back the missing certificates, but I'm not sure what needs to be recovered and where to put the recovered items so that I can decrypt a certain directory that the user has encrypted. I only have a bit copy of his drive set up as drive D: on my system.

Paranormastic (Cryptographic Engineer)

If you happen to have a Data Recovery Agent set up, that would be the easiest way to do that (the default would be local admin). If you don't have a DRA then read this thread, it sounds pretty similar:

Take note of the product recommendation in post 23231153


I'm not sure what to do next. I have tried to set myself up as a recovery agent by:

- log in as administrator

- run "cipher /r:gordon", which placed a .pfx and a .cer in the administrator's directory. These are the recovery agent's public and private certificate keys, I presume.

- I imported the .pfx file by clicking on it to open the import wizard, then ran Start > Run > secpol.msc, selected "Public Key Policy > EFS", selected "Add data recovery agent" and selected the .cer file.

I ran data recovery software on his drive and recovered several .pfx files which may be his missing private keys. His drive is locally hooked up as the second disk on my recovery computer.

How do I use these keys? I have AEFSDR Pro. Is the .pfx key I generated with the .cer key ever used in this process?

Sorry to be so stupid.
Paranormastic (Cryptographic Engineer)

The DRA cert would need to be installed on the user box prior to requiring its use, not after. You could use the DRA in place of their certificate to decrypt the data during the AEFSDR recovery process.

The .pfx files from the user hard drive might be of use if the user happens to remember the password to them. If you can copy them off that disk to your workstation you can have him try some of his typical passwords on that, and if it locks out then you can just pop in another copy. You will need to unlock that in order to move forward recovering the encrypted data.

Alternatively, you can see if AEFSDR Pro will have any luck with the files located in the %userprofile%\Application Data\Microsoft\Crypto\RSA\%sid% directory. This is where the private keys are stored. Note: the file names will just be random characters with no extension; this is fine and normal.

From your previous comment: yes, the .pfx has both the public and private keys included with the cert and is usually password protected. You would put the .cer file (public key only, with the cert) into your policy settings (local policy, GPO, etc.) and use the .pfx for decryption processes.
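The password-guessing and import step described in the answer above, as an added example in PowerShell (this is not code from the original thread, nor from AEFSDR): it tries a user-supplied list of candidate passwords against each recovered .pfx, compares each certificate's thumbprint with the thumbprints that `cipher /c` reports for the encrypted directory, imports the matches into the recovery account's personal store, and then decrypts. The recovered-file folder, the password list, the target directory and the drive letter are assumptions.

```powershell
# Added example, not part of the original thread. Assumed paths and inputs:
$RecoveredDir = 'C:\recovered'                                             # where the data-recovery tool dumped the .pfx files
$Candidates   = Get-Content -Path 'C:\recovered\candidate-passwords.txt'   # the user's usual passwords, one per line
$Target       = 'D:\Users\gordon\Documents\Private'                        # encrypted directory on the mounted image

# cipher /c lists, per encrypted file, the thumbprint of every certificate whose
# private key can unwrap the file's FEK. Collect them so we know which .pfx matters.
$Needed = & cipher.exe /c /s:$Target | ForEach-Object {
    if ($_ -match 'thumbprint:\s*(.+)$') { ($Matches[1] -replace '\s', '').ToUpperInvariant() }
} | Sort-Object -Unique

function Open-RecoveredPfx {
    param([string]$Path, [string[]]$Passwords)
    # UserKeySet + PersistKeySet put the private key into the current user's key
    # container, which is where EFS looks for it; Exportable lets us back it up later.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'Exportable, PersistKeySet, UserKeySet'
    foreach ($pw in $Passwords) {
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $pw, $flags)
            if ($cert.HasPrivateKey) { return [pscustomobject]@{ Cert = $cert; Password = $pw } }
        } catch [System.Security.Cryptography.CryptographicException] {
            # wrong password, or a partially recovered (corrupt) PFX: try the next guess
        }
    }
    return $null
}

function Test-EfsUsage {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 1.3.6.1.4.1.311.10.3.4 is the Encrypting File System EKU;
    # 1.3.6.1.4.1.311.10.3.4.1 (File Recovery) is what DRA certificates carry.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -like '1.3.6.1.4.1.311.10.3.4*') { return $true }
            }
        }
    }
    return $false
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadWrite')
foreach ($pfx in Get-ChildItem -Path $RecoveredDir -Filter '*.pfx') {
    $hit = Open-RecoveredPfx -Path $pfx.FullName -Passwords $Candidates
    if (-not $hit) { Write-Warning "$($pfx.Name): no candidate password opened it"; continue }
    $thumb  = $hit.Cert.Thumbprint.ToUpperInvariant()
    $wanted = $Needed -contains $thumb
    Write-Host ('{0}: opened with "{1}", thumbprint {2}, EFS EKU {3}, needed by target files: {4}' -f $pfx.Name, $hit.Password, $thumb, (Test-EfsUsage $hit.Cert), $wanted)
    if ($wanted) { $store.Add($hit.Cert) }
}
$store.Close()

# With a matching private key in the current user's store, EFS can unwrap the FEKs,
# so a normal decrypt of the mounted image now succeeds. You still need NTFS access:
# take ownership first if the original user's ACLs block the recovery account.
& cipher.exe /d /s:$Target
```

The thumbprint comparison is the check that matters: a recovered .pfx that opens but whose thumbprint does not appear in `cipher /c` output is some other certificate (an old one, or one from another machine) and will not decrypt these files no matter where it is imported.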


How do I install the DRA cert files on the user box if I don't have a booting drive from the user?
As it stands I have his drive only as a local drive G: attached to my recovery computer. What are the steps involved in using the DRA in place of their certificate to then decrypt the data? I am really a beginner here (obviously).

Paranormastic (Cryptographic Engineer)
You install the DRA cert on the user box when everything is working normally. The DRA cert is the ounce of prevention... You can't apply it afterwards without the user logging in to update the existing encrypted files, as they would need to log in to decrypt them in order to re-encrypt them with their cert and the DRA cert. It isn't magic. In other words: if you didn't already have the DRA installed, then forget about that for now and move on. Then, when this fire is out, take your new DRA cert, back up the PFX in at least 3 different physical locations (USB flash drives, CD, etc.), then put it into group policy so all of your clients will use the same DRA cert and you are prepared for next time.

For now, I would see if you can take the information from the 3rd paragraph from my last post and do something with that.  If that doesn't work then you might need to chalk this one up to experience and either let it go or bring it into a data recovery specialist like DriveSavers (which isn't cheap and still isn't guaranteed).

If the private key or any single bit of the encrypted file got overwritten, you're not going to get anywhere with standard tools. Sometimes you get lucky, sometimes you don't, and sometimes you pay a few hundred bucks or more to get the pros with the special equipment that can read lost data better than a utility you can download.
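The "ounce of prevention" point above, as an added example in PowerShell (not code from the original thread): publishing a DRA certificate through policy only covers files that are re-encrypted afterwards, so the check a practitioner wants is "which encrypted files still have no recovery entry?" This parses `cipher /c` output per file and, if any file lacks a recovery certificate, runs `cipher /u`, which touches every encrypted file the current user can open and rewrites its key fields with the current user key and the recovery agents now in policy. It must run as the user who owns the files, since only a holder of the file's EFS key can re-wrap its FEK. The sample output is constructed; the target path and the exact wording of cipher's lines (observed on Windows Vista/7) are assumptions, and the parser keys only on the leading "E" flag and two header strings.

```powershell
# Added example, not part of the original thread.
function Get-EfsRecoveryCoverage {
    param([string[]]$CipherOutput)   # lines as printed by "cipher /c /s:<dir>"
    $files   = @()
    $current = $null
    foreach ($line in $CipherOutput) {
        if ($line -match '^\s*E\s+(.+?)\s*$') {
            # "E <name>" opens a new encrypted-file entry ("U" lines are unencrypted files)
            if ($current) { $files += $current }
            $current = [pscustomobject]@{ Name = $Matches[1]; HasRecovery = $false; Section = '' }
        } elseif ($current -and $line -match '^\s*Users who can decrypt:') {
            $current.Section = 'users'
        } elseif ($current -and $line -match '^\s*Recovery Certificates:') {
            $current.Section = 'recovery'
        } elseif ($current -and $current.Section -eq 'recovery' -and $line -match 'thumbprint:') {
            # a thumbprint under the recovery header means a DRA can open this file
            $current.HasRecovery = $true
        }
    }
    if ($current) { $files += $current }
    return $files
}

# Constructed sample in the shape cipher /c prints, so the parser can be exercised offline.
$Sample = @'
 Listing D:\Users\gordon\Documents\Private\
 New files added to this directory will be encrypted.

E budget.xlsx
  Compatibility Level:
    Windows Vista/Server 2008

  Users who can decrypt:
    GORDON-PC\gordon [gordon(gordon@GORDON-PC)]
    Certificate thumbprint: 1A2B 3C4D 5E6F 7081 92A3 B4C5 D6E7 F809 1A2B 3C4D

  Recovery Certificates:
    Administrator [Administrator(Administrator@GORDON-PC)]
    Certificate thumbprint: FFEE DDCC BBAA 9988 7766 5544 3322 1100 FFEE DDCC

  Key information cannot be retrieved.

E old-notes.txt
  Compatibility Level:
    Windows Vista/Server 2008

  Users who can decrypt:
    GORDON-PC\gordon [gordon(gordon@GORDON-PC)]
    Certificate thumbprint: 1A2B 3C4D 5E6F 7081 92A3 B4C5 D6E7 F809 1A2B 3C4D

  No recovery certificate found.

  Key information cannot be retrieved.
'@ -split "`r?`n"

# Offline run over the constructed sample: budget.xlsx is covered, old-notes.txt is not.
Get-EfsRecoveryCoverage -CipherOutput $Sample | Format-Table Name, HasRecovery

# Live run against a real directory (assumed path), as the owning user, after the
# DRA .cer has been added to policy and the policy has been applied.
$Target = 'D:\Users\gordon\Documents\Private'
$gaps = Get-EfsRecoveryCoverage -CipherOutput (& cipher.exe /c /s:$Target) | Where-Object { -not $_.HasRecovery }
if ($gaps) {
    Write-Host ("{0} encrypted file(s) have no recovery agent; refreshing with cipher /u" -f @($gaps).Count)
    & cipher.exe /u
}
```

Running the coverage check again after `cipher /u` should show every entry with HasRecovery set; any file that still lacks one was not decryptable by the account that ran the refresh, which is exactly the situation the answer above describes as unrecoverable without the user's key.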
