Solved

EFS on Windows XP user can not open EFS protected files after changing user name and password

Posted on 2012-03-18
Last Modified: 2012-03-24
I have a Windows XP Prof. user who cannot open some EFS files after turning on EFS for some files and folders and then later changing his user name and password.

The user said he was changing passwords and even user names after he had set up EFS for some files and folders and now cannot open the EFS protected files.  He does not have an EFS password recovery file etc.

He is not sure what the password originally was and he said he even changed the user name etc.  He is not sure about the orig. user name or password.

Is there a way to be able to open these files?  Some of the files are important TurboTax files and some are pictures that are important to the user.

I have read if you change the password back to the one used when EFS was turned on for that file or folder that would work.  But he can not remember the password and he even changed the user name.

I also read that if you copy to FAT32 (not NTFS, like the disk drive XP is using), EFS is not kept...

Not sure if it is as easy as removing the hard drive, connecting it to a USB-to-IDE or SATA harness and copying the files to another NTFS or FAT hard drive etc...  Also, in XP I am not sure the administrator account could help if enabled etc.

Thanks
Question by:rdwolf
3 Comments
 
LVL 62

Accepted Solution

by:
☠ MASQ ☠ earned 250 total points
ID: 37734837
EFS won't work on a FAT32 format but changing from NTFS to FAT32 won't undo it.

EFS links the hash of username/password as the key to decrypt, so unless the original account name and password are restored the files will remain inaccessible.

Forced change of password using boot CD tools has the same effect.

http://technet.microsoft.com/en-us/library/cc700811.aspx

If you have a DRA installed you might just be able to help
http://technet.microsoft.com/library/cc722672.aspx
 
LVL 6

Assisted Solution

by:huacat
huacat earned 250 total points
ID: 37737316
I remember EFS could be recovered with the user cert.
Also we can use saminside (http://www.insidepro.com/eng/saminside.shtml) to recover the password.
Boot the system using a USB stick or bootable CD, and run Saminside to import the system registry information, then try to crack the password.

If the user name & password were changed, the EFS folder should be recoverable, but if the user deleted the user and created the user again, I'm afraid we can't ever recover it.
See http://support.microsoft.com/kb/290260 for more information
 

Author Closing Comment

by:rdwolf
ID: 37761139
Thanks for the help.  The info. is useful.  I will try, if possible, next week but it seems the user has changed the user name and can not remember the old user name now.
