Recovering EFS files after computer was securely wiped


  • Recovering EFS files after computer was securely wiped

    OK, I have an administrative user who securely wiped their PC (after backing up the critical files etc...). Then they realized that they hadn't copied the registry keys for decrypting their EFS files. (I assume that it was EFS since they were using a fully patched XP Pro and hit the right-click>Encrypt).

    Anyway, to make a long story short, they have backed up files without any keys. It would appear that I could potentially extract the DFA key (which I would assume by default is the Administrator from the old box) and use that to decrypt the file. Maybe if the file is dropped on a box with the same username/password?

    I'm a little out of my league on this one. Could I get some assistance?

  • #2
    Re: Recovering EFS files after computer was securely wiped

    The files are gone, dude. Unless he backed up the entire workstation? If he did he can restore onto a spare disk and boot that disk to export the keys. Or, if the computer was part of a Domain, the Domain administrators will have access to a Domain Key Recovery account which may be able to decrypt the files.

    If not they're gone.

    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you


    • #3
      Re: Recovering EFS files after computer was securely wiped

      There's a tool (not a free one though) listed on this forum that *might* be able to recover the files, or so they claim. I'd love to know if it actually works or not... Just do a search for EFS on this forum.

      Daniel Petri
      Microsoft Most Valuable Professional - Active Directory Directory Services


      • #4
        Re: Recovering EFS files after computer was securely wiped

        I experimented a bit w/ EFS Certs here:

        These EFS Certs are touchy. You should probably publish a tech note to your users on how to export the cert should they wish to encrypt.

        So your admin user encrypted while logged on as a local or domain account?

        No old Ghost (or equiv) backup of the old machine? Don't know how much of the machine identity vs. user identity is tied to the cert but it may be worth a try.


        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.
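The tech note post #4 recommends (and the only thing that would have saved the files in post #2's scenario) boils down to exporting the user's EFS certificate together with its private key before anything is wiped. The script below is an added example, not code from this thread or from any of its posters. It assumes a Windows 8 / Server 2012 or later box with the built-in PKI module (XP, the OS in the question, would use `cipher /x` instead); the output folder name and the PFX password prompt are placeholders.

```powershell
# Added example (not from the thread). Assumes Windows 8 / Server 2012 or later with
# the built-in PKI module (Export-PfxCertificate); XP would use "cipher /x" instead.
# The output folder below is an assumed location; move the PFX off the machine afterwards.

$EfsEku  = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for "Encrypting File System"
$OutDir  = Join-Path $env:USERPROFILE 'EFS-KeyBackup'   # placeholder path
$PfxPass = Read-Host -AsSecureString 'Password to protect the exported key'

function Get-EfsCertificate {
    # Certificates in the user's personal store that carry the EFS EKU and a private key.
    # Without the private key the file's FEK cannot be unwrapped, which is the thread's problem.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) }
}

function Export-EfsKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Dir, [securestring]$Password)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $path = Join-Path $Dir ("efs-{0}.pfx" -f $Cert.Thumbprint)
    # The private key only travels with the cert in PFX form; a plain .cer export is useless here.
    Export-PfxCertificate -Cert $Cert -FilePath $path -Password $Password | Out-Null
    # Re-open the archive and confirm the private key is really inside before trusting the backup.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $path, $Password, 'Exportable')
    if (-not $check.HasPrivateKey) { throw "Export of $($Cert.Thumbprint) lacks a private key" }
    return $path
}

$certs = @(Get-EfsCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No EFS certificate with a private key in CurrentUser\My: nothing to back up.'
} else {
    foreach ($c in $certs) {
        $file = Export-EfsKey -Cert $c -Dir $OutDir -Password $PfxPass
        Write-Output ("Backed up {0} (expires {1}) to {2}" -f $c.Subject, $c.NotAfter, $file)
    }
}
```

Run it as the user who did the encrypting (the EFS cert lives in that user's store, not the Administrator's), and treat the resulting PFX like a password: it decrypts every file that user ever encrypted.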