Please help, restoring keys in xppro

Discussion in 'other security issues & news' started by desperate, Mar 11, 2005.

Thread Status:
Not open for further replies.
  1. desperate

    desperate Guest

    hi, i have a problem, i did a fresh install of win xpprosp2, and now i cant open some files i had encrypted on my backup drive.
    Im using the same username and password, but my old xppro was sp1.
    I scanned my hard drive for any keys and it found a few, but where would i put these keys in my current install, so i can decrypt the files?

    any help would be greatly appreciated.
  2. GlobalForce

    GlobalForce Regular Poster

    Jun 30, 2004
    Garden State, USA
    Hi desperate,

    Pardon if I'm not real sure about what you have or haven't done, including the sequence.
    Were these files encrypted through EFS or third party software?

    As much as I'd like to help, I lack the appropriate experience to supply a definitive answer for you...
    but do have a page that may provide insight and answer some questions until someone more
    knowledgable addresses you're thread.

    Hang in there. :)

  3. desperate

    desperate Guest

    hi globalforce, yeah ive already been to but i just find it abit hard to follow, although i have tried some things mentioned there.

    Ok this is what i have done.

    1. I had 2 hdd, one with xpprosp1(c:) and the other my backup hdd(e:). I have a .txt file encrypted using xp's encryption on my e: drive.

    2. I gave my c:drive to a friend and he formatted it with xpsp2.

    3. I bought a new c: drive and installed xpprosp2, and i have the same e: drive.
    Now i can no longer open the encrypted file.

    4. I scanned my old c:drive(now owned by my friend), using active@undelete and file scavenger etc.. and found many single files that looked alot like keys used by xp. Some even start with S-1-5-21 etc..

    5. I used Newsid to change the machine number(from what i read, using the keys i found on my old hdd) on my new c:drive. Im also using the same username and password that i used on my old hdd, the last time i accessed and save the encrypted file.

    6. i still cant open the encrypted file on my e: drive, so now im not sure if i have to put some of the keys(on my old hdd) i found in any of the folders on my current c:drive.

    im not sure what to do from here.
  4. GlobalForce

    GlobalForce Regular Poster

    Jun 30, 2004
    Garden State, USA
    Hi again desperate,

    Viewing statements one and two, I need to ask if you exported those encryption keys from the *C* drive prior to you're friend formatting it? If not, this could very well be the cause of you're inability to decrypt the file not being able to import
    the saved keys onto you're new install. As for utilizing the keys recovered by @ctive, I couldn't say if changing the files attributes through the recovery console would help here or any other system method for that matter.

    You're mention of this file...S-1-5-21.., is a registry key I'm sure you're aware...
    I just don't know how feasible it would be to merge these to the new install (lack of expertise here :D ).
    *edit* - Oop's, I noticed this relates to Drive\Docs and Sets\USER\App.Data\M$\Crypto.

    From what I've read (and believe me it's frustrating not finding enough support for any one solution)...
    it's difficult to determine if the SAMS registry file holds the answer, Syskey, XP's Security and Administration ,
    or even Other Resourses (down the page).

    I also couldn't say if any of the topics listed here would be of service.

    If no luck with these or other input on this thread, you might consider posting over at the DevShed Forums
    (registration is free). Likewise but not free, there's informative but limited searching over at Experts-Exchange
    (searches there have supplied me many answers in the past). is another site I've found to be useful.

    Whatever happens, I'll keep you in mind.
    If you find a workaround, I would so much like to hear about it.

    Best on you're quest desperate, :)
    *edit* 2 - I'm still on this BTW...having a closer look at that page from "Beginning to see the light."

    Last edited: Mar 14, 2005
  5. desperate

    desperate Guest

    hi GlobalForce,

    at first i used advanced EFS data recovery by elcomsoft, thinking that it would just find the right keys(from the ones i recovered from my old hdd) to decrypt my file, but it would only find one pair of master/private keys(highlighted in green), and then scanned my drive for encrypted files but would only be able to decrypt a test file i had done(with the current install), and not the file i want to decrypt. So the pair it found, must be my current xp keys.

    But when i used Newsid and input one of the keys i had recovered(S-1-5-21...), i then used advanced EFS data recovery again, this time it found two pairs of master/private keys, and it could decrypt a few more files it found on my e:drive, but still not the one i want to decrypt.
    I did this process again, and another pair of master/private keys were found, but my file still could not be decrypted.

    So i feel im on the right track, but im just missing a vital step, that will either allow me to decrypt this damn file or show me that it cant be done, and i might aswell stop trying.

    So thanks for those links, i'll look at them soon, although i might have to put this on hold for abit, as i have to return a faulty piece of hardware in my pc which is causing instability, so i'll continue as soon as it returns(hopefully not long).

    once again thanks for your help, and those links.
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.