Discussion:
Cannot open encrypted files (EFS), please help (urgent)
p***@gmail.com
2006-04-06 14:55:24 UTC
Hi there,

I need urgent help with this problem; please let me know if you can
help me:

I've encrypted some files on my Windows XP system with the Windows encryption
feature for NTFS (the EFS file system). I really do not know how, but
after a reboot, I am unable to open any encrypted file for user 'ABC'.
I get an 'Access Denied' message when I try to open them. As I researched
this problem, I guess that my 'ABC' account's Certificate is damaged.

I say again, I really do not know how this happened! By a virus? Is this
possible? However, when I right-click on an encrypted file -> Properties
-> General -> Advanced Attributes and then click Details, I see my
account 'ABC (***@MACHINE)' listed in the list of users who can transparently
access it, but I am not able to open the files with this account!

And as I said, I guess that my 'ABC Certificate' is damaged because I
saw a red box near the Certificate icon in the Certificate Information
window for account ABC.

Note that I read something about the Data Recovery Agent, but I do not
understand how to do it; I need a simple step-by-step guide. Also, I
have to say I do not have any backup of my Certificate.

Please help me to recover these files or recover my damaged
Certificate. I really need these files.

Thanks,
Mehdi
Herman D. Knoble
2006-04-06 15:40:31 UTC
You need to be logged on with the same Profile that was used to encrypt
the file/folder.

If you still can login to that profile, you might look at:
http://www.motherboards.org/forums/viewtopic.php?p=461105&sid=34dfcad459fd6f57a5b2116ab3873a26

Skip

Herman D. Knoble
2006-04-06 15:43:50 UTC
A thought just occurred to me that you may be able to restore
your system using the System Restore utility, to a point where
you know things were working with the encrypted file.

Skip

p***@gmail.com
2006-04-06 16:37:22 UTC
System Restore did not work. Note that I have turned off System
Restore for those volumes, but it was turned on for the Windows volume. It did
not work!

I have the password, it's my account, and I can easily log in.
Where can I download a full version of such a program? And is there any
free solution/way?

*** I just found that the 'ntuser.dat' of my account is 13.5 MB in size!
Is this normal?
Herman D. Knoble
2006-04-06 17:20:12 UTC
Your NTUSER.DAT file is the Hkey_Users portion of the Registry.
If you have lots of software installed it could be big. Mine is
about 1MB but I don't have that much software installed.

When was the last time you did a full system scan with
up-to-date spyware and antivirus software with the latest spyware and
virus definition files?

Are you sure the caps lock key was not down when you typed in the
initial password for this NTFS file object?

Are you certain that the encrypted object was created with your
current username and password? If you changed your XP password
you could change it back in order to open the encrypted file.

I am quite certain that there are no commercial (nor free) programs
to decrypt a Windows XP encrypted file.

In the future, I recommend using Winzip or equivalent with extended
encryption to zip (compress) files that you want reasonable protection for.
This method of encryption is not dependent on anything but the
pass phrase.

Skip

persiancity
2006-04-06 17:44:29 UTC
I have installed Norton AntiVirus 2005 and ZoneAlarm Pro (with anti-
spyware). I continuously scan my system and have not got any virus/spyware
alert.

I have not changed my password and did not log in with CAPS ON. I just
remember that I unchecked the 'Use simple file sharing' option in
Folder Options yesterday to change the permission of a web folder. But
the problem started after I rebooted my system. I usually 'Hibernate' my
system several times, for more than two weeks without any shutdown. So,
I guess that Windows re-assigned a Certificate to my account after
I changed this option and rebooted the system.

At this point, I need a way to decrypt these files (just two folders,
but very important). I need them; they contain the source code of several
programs I wrote that I need to recover.

How do I recover them? I did not change anything in my account and now I
cannot access my files! So bad! Can Microsoft just tell me what happened
in my system, that I cannot access my files after only one reboot!?

Mehdi
Herman D. Knoble
2006-04-06 18:04:13 UTC
Changing the permission of a Web folder (change to Simple File Sharing)
cannot affect Encryption. Likewise, staying logged on for two weeks
(via hibernation) cannot affect Encryption. You can reboot the system
many times, and if you log in with the same username and password that
you had when choosing to encrypt the files, you should be able
to view the files. One thing that could be a problem is a corrupt
file system or a "bad" sector on the fixed disk.

You can address the latter problem by running CHKDSK.
Click Start/Run=CMD
and at the command prompt issue: CHKDSK /?
for brief help.
Then issue: CHKDSK C: /R
When it prompts you: CHKDSK cannot run ...
Reply Yes; then issue the Exit command.
Then Shutdown/Restart the system.

When the system restarts you will see a blue screen
with CHKDSK running. Try to take note if any errors were
fixed.

The sector test could take from several minutes to several
hours (depending on disk size and speed) to
check for a corrupt file system and check every sector.
Repairs are made in such a way as to preserve file
integrity as much as possible.

When done it will reboot again. Login with the username
and password that you had used when encrypting the files.
Then retry accessing them.

I can appreciate that you really want to recover these files.
But unless the above procedure fixed a problem with your
file system or fixed disk, there simply is not any other
way to decrypt these files. If the above helped you recover
your files, wonderful. If not, you learned a hard lesson,
namely the dangers of RSA encryption and the dangers of
not backing up on external media valuable data.

Good luck with it.

Skip

persiancity
2006-04-07 08:45:16 UTC
No errors or bad sectors were found by chkdsk!
Thank you very much for your help, but the problem continues.

I guess that I lost a lot of my work! :(

Thanks again,
Regards,
Mehdi
Herman D. Knoble
2006-04-07 12:07:05 UTC
One last question on this.

When you right-click one of the encrypted files and choose: Properties,
and then click the button: Advanced

Can you UNcheck the box labeled: Encrypt contents to secure data?

Skip

persiancity
2006-04-07 13:04:34 UTC
No, I finally get an Access Denied message with Ignore, Ignore All,
Retry, Cancel buttons.

I am sure which account I used to encrypt them and I have not
changed any account information/password.

Mehdi
persiancity
2006-04-07 13:19:10 UTC
And I found a new, amazing change:
I encrypt files now and they open correctly.
I right-click -> Properties -> Advanced -> Details

In the first list I see:
User Name           Certificate Thumbprint
ABC(***@MACHINE)    xxxx yyyy zzzz

In the old encrypted files that I can't open:
User Name           Certificate Thumbprint
ABC(***@MACHINE)    yyyy zzzz xxxx

The thumbprints are different! I guess that's the problem, but how did it
happen, and how can I change the new Certificate thumbprint to the old one?

Mehdi
Herman D. Knoble
2006-04-07 13:40:10 UTC
0) Invoke Windows Explorer (Right click Start and choose Explore)
1) Right-click an encrypted file.
2) Choose: Properties
3) Click the tab: Security
   (If you don't see the Security Tab then do 3.a thru 3.e:
   a) From Windows Explorer, click Tools and choose: Folder Options
   b) Click the tab: View
   c) Scroll down in the Advanced Settings and
   d) UNcheck: Use Simple File Sharing
   e) Click OK)
4) Click the button: Advanced
5) In the white space titled: Permission Entries
6) The table is organized and should read as follows:

   Type    Name            Permission      Inherited From
   Allow   YourUserName    Full Control    C:\

   Where YourUserName is as follows:
   LogonName(hostname\LogonName)

   Where hostname should be the one displayed if you Run=CMD
   and issue: ipconfig -all

7) Does the above table in Step 6 check out?
   a) If so, retry turning off Encryption:
      i) Right-click one of the encrypted files and choose: Properties,
      ii) Click the button: Advanced
      iii) Can you now UNcheck the box labeled: Encrypt contents to secure data
   b) If not, click the entry for your userid and click the button: Edit
      i) Make sure EVERY Allow button is checked; Click OK.
      ii) Repeat step 7.a

Skip

persiancity
2006-04-07 14:07:41 UTC
Thanks again, Skip, for your help:
I did all the steps as you said. I already had 'Allow, Everyone, Full Control',
but I tried to add 'ABC Full Control' too. It was assigned to the file, but I
got "Access Denied" for decryption again.

As I said before, I saw different Certificate Thumbprints in the encryption
detail window for newly encrypted files and old files. I guess that I
have a chance to correct it, but I am not sure how:

I opened 'certmgr.msc' in MMC. In "Personal\Certificates" and
"Trusted People\Certificates" I have TWO Certificates named 'ABC'. One
of them has the correct thumbprint (I am very happy that it exists!),
and the other has a new thumbprint, and as I see, its 'Valid Date' starts
from the date I got the problem.

So, I exported both Certificates to a safe place. Then I deleted the new
Certificate and logged in to the account again; it created a new one with a
new thumbprint instead of using the old Certificate that I guess (I am
sure) would solve my problem.

I right-clicked on the newly created Certificate icon and selected:
All Tasks -> Renew Certificate with New Key

I am sure it's what I need, but I got this message: "The wizard cannot
be started because it failed to contact the active directory."

The message title was "Certificate Renewal Wizard". I have not seen
it yet, but I guess it'll let me import the old (CORRECT) certificate key
for the new certificate. I am not sure that WinXP has Active Directory
installed, and I cannot find any option in Add/Remove either.

I need a way to renew an auto-created Certificate with an old one or
replace it for my account. The wizard didn't work to do it! :-|

Mehdi
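
Added example (not part of any post in this thread): a PowerShell check of the point the two posts above arrive at, namely whether the certificate whose thumbprint the old files list is in the user's Personal store together with its private key. It assumes a system with PowerShell and its Cert: drive; the parameter name and the helper function are illustrative.

```powershell
# Added example, not from the thread. Run as the user who encrypted the files.
param(
    # Thumbprint exactly as shown in the file's encryption Details dialog
    # (grouped with spaces is fine). Hypothetical parameter name.
    [Parameter(Mandatory = $true)]
    [string]$FileThumbprint
)

# Enhanced Key Usage OID for "Encrypting File System".
$EfsOid = '1.3.6.1.4.1.311.10.3.4'

# The dialog prints grouped hex; the certificate store uses bare upper-case hex.
$wanted = ($FileThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Hypothetical helper: true when the certificate carries the EFS usage.
function Test-EfsCertificate($cert) {
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsOid) { return $true }
            }
        }
    }
    return $false
}

# Every EFS certificate in the Personal store, flagged against the file's thumbprint.
$report = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { Test-EfsCertificate $_ } |
    Select-Object Subject, NotBefore, HasPrivateKey, Thumbprint,
        @{ Name = 'MatchesFile'; Expression = { $_.Thumbprint -eq $wanted } }

$report | Format-Table -AutoSize

$match = $report | Where-Object { $_.MatchesFile }
if (-not $match) {
    'No EFS certificate with that thumbprint in the Personal store.'
}
elseif (-not $match.HasPrivateKey) {
    # The certificate alone holds only the public key; decryption needs the private key.
    'Certificate is present but its private key is not: it cannot decrypt the files.'
}
else {
    'Certificate and private key are both present for this thumbprint.'
}
```

A certificate exported without its private key (a .cer file) restores only the public half; a backup that can decrypt files is a .pfx export that includes the private key.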
Herman D. Knoble
2006-04-07 14:53:26 UTC
Try clicking Start/Help and Support
and key in the Search term: Certificate

Skip

persiancity
2006-04-07 15:09:33 UTC
Thanks for your help.

Regards,
Mehdi
