EFS Encryption nightmare (new certificate removing old private keys?)


  1. Posts : 5
    Windows 7 Pro x64
       #1



    I'm working on my sister's computer (Windows 7 Pro x64) for her (I'm not a professional IT tech in any sense of the word, she just asked for help because I've been able to fix stuff for her before), she has a very weird problem that I'm very concerned is unfixable and would really, really appreciate any help with.

    So, when she bought the computer a few years ago, she was told by someone at the store all about Windows 7 encryption service, and how easy and effective it was. She had some files on the computer she considered really important (she said it's for her art which she does as a part-time job) that she didn't want to lose in case of hacking/whatever so she encrypted them. So far as she can remember, she never backed up the key (and, of course, no backups in general).

    A few days ago, she got a notification in the system tray talking about encryption and that she should back up the certificate. She said that she went through it and it ended up exporting a .pfx key file, which I have found on the computer. The problem is, immediately after this happened, all of her encrypted files no longer gave her access. Going into certmgr.msc, I'm seeing that she has not one but three certificates for encryption, one dating from when she first set it up after buying, the others from a few days ago when she had the problem/followed the menu. Unless I'm misunderstanding something, it looks like she set up a new certificate when she went through the system tray notification and that somehow removed the function of the previous "actual" certificate all her files have. My hope was that I could just get a private key for the "actual" certificate and decrypt everything, but when going to export them the private key option is greyed out in the wizard.

    I've been working on this for quite a while now and would really like to get some results as my sister is extremely upset. I've tried the command line prompts outlined here (Cleaning up the Mess Left Behind by Multiple EFS Certificates • Helge Klein) and have tried the trial version of Advanced EFS Data Recovery but it just has a Not Responding crash on the decrypting key section (which is extremely frustrating, as I have the user password and was hoping that would be a potential fix). I've also tried system restore to a point before any certificates were made, but I get a (0x80070005) error (there's no antivirus, and I've tried in safe mode).

    I'm writing this more than a little sleep deprived, so if anything doesn't make sense but you think you can help please just ask.


  2. Posts : 5
    Windows 7 Pro x64
    Thread Starter
       #2

    Update: Using Recuva, have a long list of old versions of key/certificate(?) files in AppData/Roaming/Microsoft/Crypto and ProgramData/Microsoft/Crypto. Could these be useful? How can I figure out which files are connected with which certificate for recovery (thumbprint/serial number or something else)? I'm really going crazy looking for stuff at this point. Any help/pointers or even just "nope, not what you're looking for" would be greatly appreciated.

    Does anyone know if certutil in command prompt could be useful here? If so, I would really appreciate letting me know how.


  3. Posts : 7,107
    W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
       #3

    Hi

    There is a Vista/W7/W8 tutorial written by @Brink. I'm not sure if the tool he suggests in it is still valid:
    Passwords, forensic, security and system recovery software. Crack lost passwords. Download password crackers and password recovery utilities.

    Roy


  4. Posts : 5
    Windows 7 Pro x64
    Thread Starter
       #4

    Thank you for the tip! Do you have a link to the tutorial itself? It looks like that software is what I've already been attempting / am still trying to get functioning (Advanced EFS Data Recovery). I've tried to contact the company for help getting it functioning, but as I am using the trial edition I'm worried they won't respond.


  5. Posts : 2,798
    Windows 7 x64, Vista x64, 8.1 smartphone
       #5

    My hope was that I could just get a private key for the "actual" certificate and decrypt everything, but when going to export them the private key option is greyed out in the wizard.
    a) Have you tried moving all encrypted files to a FAT32 (USB memory stick) formatted disk? EFS files would automatically decrypt if moved off an NTFS formatted disk.

    b) If the option is greyed out, it was marked as not exportable by the certificate publisher.

    c) Have the Windows user account details changed in any way? Use EFSInfo to find info on which users can decrypt, and determine if there is any recovery agent available.

    d) If you know the password of the user account that encrypted them, then you can ask Microsoft product support for a utility called reccerts.exe. Reccerts.exe can be used to recover EFS certificates/keys from a user profile if you know the password for that profile.


  6. Posts : 7,107
    W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
       #6


  7. Posts : 5
    Windows 7 Pro x64
    Thread Starter
       #7

    torchwood — Thank you for the link, I appreciate it very much!

    iko22 —

    a) This idea of moving all the files is really promising, thank you so much! Unfortunately (and I'm worried this is part of EFS's security measures), I am unable to move/copy the files (it's telling me that I need my own permission to do so, which perfectly sums up this entire situation). Any ideas on how to get past this?

    b) This is so bizarre, as when my sister went through the Windows menu that started all of this, it sounded like exporting the certificate is what it was trying to do in the first place (but instead, it created a new certificate and exported that .pfx).

    c) Not that I'm aware of, which is the really strange part. There were no major Windows updates around the time of the update. Actually, looking at the computer, I've noticed that it hasn't received a Windows update for quite a while (a few months)—would doing so help? The only reason I haven't already is that I'm afraid it would delete an older restore point, or experience some sort of error and make everything worse. I can't find any information about EFSInfo—is this something that should already exist on the computer, or offered by Microsoft/third-party?


    d) This sounds really promising too! I've contacted Microsoft via support chat but they denied any existence of such a service (I highly suspect from ignorance on the part of the person I was talking to). Do you know any better way to go about contacting them to get this tool? It sounds like exactly what I'm looking for!


  8. Posts : 2,798
    Windows 7 x64, Vista x64, 8.1 smartphone
       #8

    EFSInfo.exe was part of the Windows 2000/XP Resource kit which can be found by searching the Web. A direct link to this download can be found at: https://www.microsoft.com/en-us/download/ . I hope it still works on 64-bit systems. You might need to run the exe in Windows compatibility mode.
    RECCERTS.exe was a service offered by Microsoft in the Windows 2000/XP era. Maybe they don't offer that service for EFS decryption anymore. This forum post might be of assistance: experts-exchange.com - Lost-Certificate-and-Private-key-of-EFS-XP-Pro-laptop


  9. Posts : 5
    Windows 7 Pro x64
    Thread Starter
       #9

    Thank you for providing the link to the resource kit! I've tried in and out of compatibility mode but I'm not getting anything. I suspect that reccerts.exe hasn't been an option for a while, but if absolutely nothing else works I may be forced to bite the bullet and try a paid support call with Microsoft. I just want to make sure I've exhausted all other options before doing so.

    On that note—this is more than a little embarrassing (it's been staring me in the face for days now), but I think I found the system file that is the key of the certificate I'm trying to get working. It was created on the exact same date/time as the cert and is in appdata/roaming/microsoft/crypto/rsa. If my understanding is correct and that file is the private key that is missing, I just need to find a way to have the system recognize the connection (certutil?).
      My Computer
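
The thread asks how to tell which certificate the encrypted files are tied to and whether certutil can reconnect a certificate to its key file. The following is an added example, not part of any post above: it reads the thumbprints that `cipher /c` reports for a file and checks whether the matching certificate in the user's store still has a private key. The function names and the sample output are constructed for illustration, and the thumbprint layout (ten groups of four hex digits) is an assumption about how `cipher /c` prints it.

```powershell
# Added example. Run as the Windows user who originally encrypted the files.
function Get-EfsThumbprint {
    param([string[]]$CipherOutput)
    # Assumption: thumbprints appear as ten space-separated groups of four hex digits.
    $pattern = '(?:[0-9A-Fa-f]{4}\s){9}[0-9A-Fa-f]{4}'
    $CipherOutput |
        Select-String -Pattern $pattern -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { ($_.Value -replace '\s', '').ToUpper() } |
        Sort-Object -Unique
}

function Test-EfsKeyForFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    # cipher /c lists who can decrypt the file, including any recovery certificates.
    $thumbs = Get-EfsThumbprint -CipherOutput (& cipher.exe /c $Path)
    foreach ($t in $thumbs) {
        $cert = Get-ChildItem Cert:\CurrentUser\My |
            Where-Object { $_.Thumbprint -eq $t } |
            Select-Object -First 1
        New-Object PSObject -Property @{
            Thumbprint    = $t
            InUserStore   = [bool]$cert
            # False here means the certificate is present but its key is not linked.
            HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
            NotBefore     = $(if ($cert) { $cert.NotBefore } else { $null })
        }
    }
}

# Constructed sample of "cipher /c" output, to show the parsing offline.
$sample = @(
    '  Users who can decrypt:',
    '    PC\user [user(user@PC)]',
    '    Certificate thumbprint: 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'
)
Get-EfsThumbprint -CipherOutput $sample   # constructed value, spaces removed

# On the affected machine (placeholder path):
# Test-EfsKeyForFile -Path 'C:\path\to\encrypted-file'

# Related built-in commands, run from the same user's prompt:
# cipher /y                                     # thumbprint EFS currently uses for new files
# certutil -user -store My                      # per-certificate key container details
# certutil -user -repairstore My "<thumbprint>" # re-associate a certificate with an existing key
```

Copy `%APPDATA%\Microsoft\Crypto` and `%APPDATA%\Microsoft\Protect` to another disk before running `-repairstore`, so the key material is preserved whatever the outcome.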


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
