Windows 7: EFS Encryption nightmare (new certificate removing old private keys?)

31 Dec 2018   #1
ScrewheadJones

Windows 7 Pro x64
 
 

I'm working on my sister's computer (Windows 7 Pro x64) for her (I'm not a professional IT tech in any sense of the word, she just asked for help because I've been able to fix stuff for her before), she has a very weird problem that I'm very concerned is unfixable and would really, really appreciate any help with.

So, when she bought the computer a few years ago, she was told by someone at the store all about Windows 7 encryption service, and how easy and effective it was. She had some files on the computer she considered really important (she said it's for her art which she does as a part-time job) that she didn't want to lose in case of hacking/whatever so she encrypted them. So far as she can remember, she never backed up the key (and, of course, no backups in general).

A few days ago, she got a notification in the system tray talking about encryption and that she should back up the certificate. She said that she went through it and it ended up exporting a .pfx key file, which I have found on the computer. The problem is, immediately after this happened, all of her encrypted files no longer gave her access. Going into certmgr.msc, I'm seeing that she has not one but three certificates for encryption, one dating from when she first set it up after buying, the others from a few days ago when she had the problem/followed the menu. Unless I'm misunderstanding something, it looks like she set up a new certificate when she went through the system tray notification and that somehow removed the function of the previous "actual" certificate all her files have. My hope was that I could just get a private key for the "actual" certificate and decrypt everything, but when going to export them the private key option is greyed out in the wizard.

I've been working on this for quite a while now and would really like to get some results as my sister is extremely upset. I've tried the command line prompts outlined here (Cleaning up the Mess Left Behind by Multiple EFS Certificates • Helge Klein) and have tried the trial version of Advanced EFS Data Recovery but it just has a Not Responding crash on the decrypting key section (which is extremely frustrating, as I have the user password and was hoping that would be a potential fix). I've also tried system restore to a point before any certificates were made, but I get a (0x80070005) error (there's no antivirus, and I've tried in safe mode).

I'm writing this more than a little sleep deprived, so if anything doesn't make sense but you think you can help please just ask.


01 Jan 2019   #2
ScrewheadJones

Windows 7 Pro x64
 
 

Update: Using Recuva, have a long list of old versions of key/certificate(?) files in AppData/Roaming/Microsoft/Crypto and ProgramData/Microsoft/Crypto. Could these be useful? How can I figure out which files are connected with which certificate for recovery (thumbprint/serial number or something else)? I'm really going crazy looking for stuff at this point. Any help/pointers or even just "nope, not what you're looking for" would be greatly appreciated.

Does anyone know if certutil in command prompt could be useful here? If so, I would really appreciate you letting me know how.
01 Jan 2019   #3
torchwood

W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
 
 

Hi

There is a Vista/W7/W8 tutorial written by @Brink, I'm not sure if the tool he suggests in it is still valid
Passwords, forensic, security and system recovery software. Crack lost passwords. Download password crackers and password recovery utilities.

Roy
02 Jan 2019   #4
ScrewheadJones

Windows 7 Pro x64
 
 

Thank you for the tip! Do you have a link to the tutorial itself? It looks like that software is what I've already been attempting / am still trying to get functioning (Advanced EFS Data Recovery). I've tried to contact the company for help getting it functioning, but as I am using the trial edition I'm worried they won't respond.
02 Jan 2019   #5
iko22

Windows 7 x64, Vista x64, 8.1 smartphone
 
 

Quote:
My hope was that I could just get a private key for the "actual" certificate and decrypt everything, but when going to export them the private key option is greyed out in the wizard.

a) Have you tried moving all Encrypted files to a FAT32 (USB memory stick) formatted disk? EFS Files would automatically decrypt if moved off an NTFS formatted disk.

b) If the option is greyed out, it was marked as not exportable by the certificate publisher.

c) Have the Windows user account details changed in any way? Use EFSInfo to find Info on which users can decrypt, and determine if there is any recovery agent available.

d) If you know the password of the user account that encrypted them, then you can ask Microsoft product support for a utility called reccerts.exe. Reccerts.exe can be used to recover EFS certificates/keys from a user profile if you know the password for that profile.
02 Jan 2019   #6
torchwood

W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
 
 

02 Jan 2019   #7
ScrewheadJones

Windows 7 Pro x64
 
 

torchwood — Thank you for the link, I appreciate it very much!

iko22 —

a) This idea of moving all the files is really promising, thank you so much! Unfortunately (and I'm worried this is part of EFS's security measures), I am unable to move/copy the files (it's telling me that I need my own permission to do so, which perfectly sums up this entire situation). Any ideas on how to get past this?

b) This is so bizarre, as when my sister went through the Windows menu that started all of this, it sounded like exporting the certificate is what it was trying to do in the first place (but instead, it created a new certificate and exported that .pfx).

c) Not that I'm aware of, which is the really strange part. There were no major Windows updates around the time of the update. Actually, looking at the computer, I've noticed that it hasn't received a Windows update for quite a while (a few months)—would doing so help? The only reason I haven't already is that I'm afraid it would delete an older restore point, or experience some sort of error and make everything worse. I can't find any information about EFSInfo—is this something that should already exist on the computer, or offered by Microsoft/third-party?


d) This sounds really promising too! I've contacted Microsoft via support chat but they denied any existence of such a service (I highly suspect from ignorance on the part of the person I was talking to). Do you know any better way to go about contacting them to get this tool? It sounds like exactly what I'm looking for!
02 Jan 2019   #8
iko22

Windows 7 x64, Vista x64, 8.1 smartphone
 
 

EFSInfo.exe was part of the Windows 2000/XP Resource kit which can be found by searching the Web. A direct link to this download can be found at: https://www.microsoft.com/en-us/download/ . I hope it still works on 64-bit systems. You might need to run the exe in Windows compatibility mode.
RECCERTS.exe was a service offered by Microsoft in the Windows 2000/XP era. Maybe they don't offer that service for EFS decryption anymore. This Forum post might be of assistance: experts-exchange.com - Lost-Certificate-and-Private-key-of-EFS-XP-Pro-laptop
03 Jan 2019   #9
ScrewheadJones

Windows 7 Pro x64
 
 

Thank you for providing the link to the resource kit! I've tried in and out of compatibility mode but I'm not getting anything. I suspect that reccerts.exe hasn't been an option for a while, but if absolutely nothing else works I may be forced to bite the bullet and try a paid support call with Microsoft. I just want to make sure I've exhausted all other options before doing so.

On that note—this is more than a little embarrassing (it's been staring me in the face for days now), but I think I found the system file that is the key of the certificate I'm trying to get working. It was created on the exact same date/time as the cert and is in appdata/roaming/microsoft/crypto/rsa. If my understanding is correct and that file is the private key that is missing, I just need to find a way to have the system recognize the connection (certutil?).
My System SpecsSystem Spec
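Posts #2 and #9 ask how to tell which key file under Crypto\RSA belongs to which EFS certificate. The PowerShell sketch below is an added example, not part of any post in this thread: it lists the current user's certificates that carry the EFS enhanced key usage, with each one's thumbprint and the key container file it references. It assumes it is run while logged on as the account that encrypted the files and that the keys are CSP-based RSA keys.

```powershell
# Added example (not from the thread). Lists the current user's EFS-capable
# certificates and the key container file each one points to.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

# User RSA key files live in a per-SID folder under the profile.
$sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$keyDir = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs from the certificate's extensions.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    # Skip certificates that are not marked for EFS (including those with no EKU).
    if ($ekus -notcontains $efsOid) { return }

    # Resolve the container name; opening the key can throw if it is
    # missing or is not a CSP key, so treat any failure as "unknown".
    $container = $null
    try {
        if ($cert.HasPrivateKey) {
            $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        }
    } catch {
        $container = $null
    }

    # Check whether the referenced key file is actually on disk.
    $filePresent = $false
    if ($container) { $filePresent = Test-Path (Join-Path $keyDir $container) }

    New-Object PSObject -Property @{
        Thumbprint     = $cert.Thumbprint
        NotBefore      = $cert.NotBefore
        HasPrivateKey  = $cert.HasPrivateKey
        KeyContainer   = $container
        KeyFilePresent = $filePresent
    }
} | Select-Object Thumbprint, NotBefore, HasPrivateKey, KeyContainer, KeyFilePresent |
    Format-List
```

The thumbprints can be compared with the one that `cipher /c` reports for an encrypted file, which shows which of the certificates the file was actually encrypted to. A certificate whose `KeyContainer` is empty or whose `KeyFilePresent` is `False` is one the system cannot currently pair with a private key.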