Agent_of_Knowledge Posted December 13, 2003 Share Posted December 13, 2003 Yesterday I had windows 2000 installed and was getting weird activity on my computer. I started norton anti-virus and ran a complete system scan. Norton found viruses, and they were all deleted. I have all my files backedup to my other partition(family pics, phone numbers of friends, music files, etc....) and ready to format my partition to install windows xp. After I installed xp, I load all the files I backed up, low and behold, most of the files were green! They some how got encrypted while I was backing them up. And now I have xp and can't access them! :angry: Please guys, I can't lose these files! There has to be a way to open them or to crack them. Anything will do. Please post any ideas ya'll might have. :( Thank you very much. Cheers! Link to comment Share on other sites More sharing options...
John Veteran Posted December 14, 2003 Veteran Share Posted December 14, 2003 not really, unless you backed up the encryption key beforehand :no: sorry... Link to comment Share on other sites More sharing options...
Redestium Posted December 14, 2003 Share Posted December 14, 2003 Ouchies...that's why you always backup to removable media as well.. Link to comment Share on other sites More sharing options...
Agent_of_Knowledge Posted December 14, 2003 Author Share Posted December 14, 2003 OMG! Heck no......There has to be a way dang it! Those are important and priceless family photos and such! "What's made by humans, is crackable by humans." If ANYONE has any idea what I can do, no matter it be legal or illegal pm please. I need to recover those files. Any Help would be appreciated! I don't have any CDRS and I had no choice the virus was spreading fast.....I'm glad I saved what I could. Thanks in advance. Cheers! Link to comment Share on other sites More sharing options...
GAM Posted December 14, 2003 Share Posted December 14, 2003 I have all my files backedup to my other partition A backup to a different partition is not a backup.....sorry you had to learn it the hard way....you may want to add an external harddisk or perhaps a DVD burner to your X-mas wish-list..... If you are really desperate you may want to contact a company that can reconstruct data, the only one I know of is ibas at http://www.ibas.no (see regional links at the bottom of the page). Link to comment Share on other sites More sharing options...
Sux Posted December 14, 2003 Share Posted December 14, 2003 umm u can try contacting microsoft but support would be hell meanwhile i will look around Link to comment Share on other sites More sharing options...
Agent_of_Knowledge Posted December 14, 2003 Author Share Posted December 14, 2003 Thanks you guys so much! I'll be waiting here for any results. Cheers! Link to comment Share on other sites More sharing options...
Sux Posted December 14, 2003 Share Posted December 14, 2003 This thing should work: http://www.lostpassword.com/efs.htm You'll need password or SAM file from "old" installation. Link to comment Share on other sites More sharing options...
Sux Posted December 14, 2003 Share Posted December 14, 2003 if that doesn't work did u save ur Documents and Settings? if so there is a way to get your encyption certificate back, then import it. Look in C:\Documents and Settings\User\Application Data\Microsoft\SystemCertificates\My\Certificates from your old user profile. There should be a file named with a bunch of letters and nubmers. To make it importable however, requires a little hex editing. With a hex editor look for the first instance of 30 82 in hex. Delete everything before it, and save the file as whatever.cer Then right click on the file, and if the hex edit worked correctly, it should bring up a certificate window that has a button to install the certificate. There's no guarantees this will work, but it's worth a shot. Link to comment Share on other sites More sharing options...
Sux Posted December 14, 2003 Share Posted December 14, 2003 Actually ignore the hex edit part. Instead do a Start|Run certmgr.msc Click on Personal, then Certificates. Right click on certificates, and select import. Then browse to the file mentioned before in Documents and Settings\User\Application Data\Microsoft\SystemCertificates\My\Certificates. You'll have to change the drop down list to All Files to see it. Hit next, leave it at the default Certificate store of personal. Hit next and finish. With any luck your old encryption certificate will then be imported and you can open the encrypted file. Link to comment Share on other sites More sharing options...
Agent_of_Knowledge Posted December 14, 2003 Author Share Posted December 14, 2003 No, what I did was format that partition that had windows 2000 on it and I moved my important files to a differnet drive. After I formatted the partition that had this "auto encrypt" virus, I moved started moving the files back from the drive that I backed them up and it told me access is denied. The files are still green. I never any encrpytion when I backed up my data to my other drive. Link to comment Share on other sites More sharing options...
Hawkeye Posted December 14, 2003 Share Posted December 14, 2003 If it is absolutely urgent, you can look into a program from Elcomsoft (the same company that makes the Advanced [fill in popular password-protected file type] Password Recovery) by the name of Advanced EFS Data Recovery. It decrypts files encrypted using EFS (the way yours were). There is a trial version on their website, but I'm not sure if its limitation would stop you from getting the results you desire. It costs $99 to register it, but it only needs to be registered once, and you'll have updates forever. If this is important enough for you, I think this method isn't such a bad idea. It's 100% legal too. While Microsoft might whine about it and say it defeats the purpose of EFS, I'm sure most people wouldn't use this, so EFS would still serve its purpose most of the time. Link to comment Share on other sites More sharing options...
John Veteran Posted December 14, 2003 Veteran Share Posted December 14, 2003 you could always make 2^128 different user accounts... sooner or later, one of them is bound to have the same SID as your other account. then you could just open the files like normal ;) :laugh: i know, i shouldn't joke about this :/ Link to comment Share on other sites More sharing options...
Agent_of_Knowledge Posted December 14, 2003 Author Share Posted December 14, 2003 So far, no results. Any other suggestions guys? Let's try not pick on me for chosing the wrong back up option. I didn't have a choice then. I can't lose these files. And yes this is very urgent. If I have to shell out money for a program that will work, I'll do it. Thanks in Advance. Cheers! Link to comment Share on other sites More sharing options...
John Veteran Posted December 14, 2003 Veteran Share Posted December 14, 2003 any kind of EFS recovery tool will need at least the SID (security ID) of the user account the files were encrypted with, and since you formatted the drive, there's virtually NO way to find the SID of your old user account. creating an account with the same name won't work; the SID is randomly generated each time an account is made. see if you have any files backed up anywhere (that aren't encrypted) from before you formatted. if you can get some registry files (the actual registry, not .reg files), you might be able to get a list of SIDs from them and try them on the encrypted files. other than this, i see no way of you getting access to your files... Link to comment Share on other sites More sharing options...
Agent_of_Knowledge Posted December 14, 2003 Author Share Posted December 14, 2003 any kind of EFS recovery tool will need at least the SID (security ID) of the user account the files were encrypted with, and since you formatted the drive, there's virtually NO way to find the SID of your old user account. creating an account with the same name won't work; the SID is randomly generated each time an account is made.see if you have any files backed up anywhere (that aren't encrypted) from before you formatted. if you can get some registry files (the actual registry, not .reg files), you might be able to get a list of SIDs from them and try them on the encrypted files. other than this, i see no way of you getting access to your files... That might work! I have some files that aren't encrypted. Some html, picture, audio and video files too! They might have the SID. But how do I go through and find out? Thanks. Cheers! Link to comment Share on other sites More sharing options...
John Veteran Posted December 14, 2003 Veteran Share Posted December 14, 2003 the only thing i can think of that MIGHT work is if you can somehow get the SID of the owner of those files... but again, i don't know how you'd do this... Link to comment Share on other sites More sharing options...
Agent_of_Knowledge Posted December 14, 2003 Author Share Posted December 14, 2003 I appreciate everyones input. I value all suggestions. I may have some results. I took a screen shot of what Advanced EFSnData Recovery found: What's circled in blue is the key that I need decrpyted. I don't know what it won't decrypt the key. But if I can just get that decryted, I can gt all my files decrypted. Please guys, I'd appreciate A little more help and suggestions. I'm so close to cracking this....... I'll be keeping up with the posts. Thanks in advance! Cheers! Link to comment Share on other sites More sharing options...
Agent_of_Knowledge Posted December 16, 2003 Author Share Posted December 16, 2003 **BUMP** Please guys, **tears up** I can't lose thos family photos, college applications, phone numbers of friends and family members, etc.. Please, some one must have a solution for this...even if there a way but not totally "legal". Please if anyone can PM me, I'd more than apperciate your help. Thank you all. Cheers! Link to comment Share on other sites More sharing options...
cnboi Posted December 16, 2003 Share Posted December 16, 2003 im so sorry 2hear that. :no: Link to comment Share on other sites More sharing options...
eXplosive Posted December 17, 2003 Share Posted December 17, 2003 Convert the drive from NTFS to FAT (to remove the protection). This has saved my butt a few times. Link to comment Share on other sites More sharing options...
+BudMan MVC Posted December 17, 2003 MVC Share Posted December 17, 2003 Convert the drive from NTFS to FAT (to remove the protection). This has saved my butt a few times. Huh?? :blink: Um converting too FAT will not remove EFS!! And if you were converting to FAT to get access to files due to file permissions - next time you might want to just take OWNERSHIP of the directory or file, and then give whatever account you want permissions. Much FASTER and easier than converting a whole system because you do not understand NTFS file permissons, or are too lazy to click F1 and type "file persmissons" and then doing a couple of minutes of reading. Link to comment Share on other sites More sharing options...
eXplosive Posted December 17, 2003 Share Posted December 17, 2003 Why are you spelling out my whole scenario when you don't even know what happen? I'm trying to help; if I am wrong then I'm wrong. Link to comment Share on other sites More sharing options...
John Veteran Posted December 17, 2003 Veteran Share Posted December 17, 2003 get one of the file's properties. on the security tab, click advanced. on the owner tab, what does it say for the owner? a bit of a warning here: if you want any chance of getting your info back, don't change ANYTHING - this means click cancel whenever possible to close a window :yes: Link to comment Share on other sites More sharing options...
xRKx Posted December 17, 2003 Share Posted December 17, 2003 (edited) I don't have anything to offer you (yet,) but if you're going to use EFS on your new install, make sure to BACK UP YOUR KEYS - just in case something like this happens again. I've lost EFS protected stuff before too - it sucks. http://www.microsoft.com/technet/treeview/...nb_efs_uizt.asp EDIT: I've been looking to see if there /is/ any form of crack (which is doubtful, given the level of encryption used,) but... in a quote from Microsoft: NOTE: If you do not have access to a Recovery Agent's account with a valid recovery key, you cannot recover the data. There is no workaround in EFS. Edited December 17, 2003 by xRKx Link to comment Share on other sites More sharing options...
Recommended Posts