In need of help for xp pro sp2

Discussion in 'Software' started by dhalix, Jun 21, 2011.

  1. dhalix

    dhalix Private E-2

    Can someone please help me, I'm at my wits' end.
    I have XP Pro with SP2, been away for 2-3 years, now I've come back and forgotten the password. So I used EBCD and got into my system but stupidly forgot that I had used the EFS on my files and folders and now, as you can imagine, I can't get into them.
    What I would like to know is, is there any way of finding out the password that I originally had through the hashes or anywhere in the registry? PLEASE HELP ME!
    I've tried to add the Admin user to the certs but nothing, it's such a pain but I'm hoping that some Microsoft Genius that frequents Katz must know a back door or something, they couldn't be that wicked and not left a way in.

    I really need my files now that I'm back as I can't do any work without them.

    Please anybody????
     
  2. techsent

    techsent Corporal

    Hey dhalix,

    De-crypt Encrypted files on Windows XP

    1. Login as Administrator

    2. Go to Start/Run and type in cmd and click OK.

    At the prompt type cipher /r:Eagent and press enter

    This prompt will then display:

    Please type in the password to protect your .PFX file:

    Type in your Administrator password
    Re-confirm your Administrator password

    The prompt will then display

    Your .CER file was created successfully.
    Your .PFX file was created successfully.

    The Eagent.cer and Eagent.pfx files will be saved in the current directory that is shown at the command prompt. Example: The command prompt displays C:\Documents and Settings\admin> the two files are saved in the admin folder. (For security concerns, you should house the two files in your Administrator folder or on a usb stick).

    3. Go to Start/Run and type in certmgr.msc and click OK. This will launch the Certificates Manager. Navigate to Personal and right click on the folder and select All Tasks/Import. The Certificate Import Wizard will appear. Click Next. Browse to the C:\Documents and Settings\admin folder. In the Open dialog box, change the Files of Type (at the bottom) to Personal Information Exchange (*.pfx,*.P12). Select the file Eagent.pfx and click Open. Click Next. Type in your Administrator password (leave the two checkboxes blank) and click Next. Make sure the Radio button is active for the first option (Automatically select the certificate store based on the type of certificate). Click Next. Click Finish. (You'll receive a message that the import was successful). To confirm the import, close Certificates Manager and re-open it. Expand the Personal folder and you will see a new subfolder labeled Certificates. Expand that folder and you will see the new entry in the right side column. Close Certificate Manager.

    4. Go to Start/Run and type in secpol.msc and click OK. This will launch the Local Security Policy. Expand the Public Key Policies folder and then right click on the Encrypted File System subfolder and select Add Data Recovery Agent... The Wizard will then display. Click Next. Click the Browse Folders... button. Browse to the C:\Documents and Settings\admin folder. Select the Eagent.cer file and click Open. (The wizard will display the status User_Unknown. That's ok). Click Next. Click Finish. You will see a new entry in the right side column. Close the Local Security Policy.

    You, the Administrator are now configured as the default Recovery Agent for All Encrypted files on the Local Machine.

    To Recover Encrypted files:

    Scenario #1

    If you have completed the above steps BEFORE an existing user encrypted his/her files, you can log in to your Administrator account and navigate to the encrypted file(s). Double click on the file(s) to view the contents.

    Scenario #2

    If you have completed the above steps AFTER an existing user has already encrypted his/her files, you must login to the applicable User's User Account and then immediately logout. Next, login to your Administrator account and navigate to the encrypted file(s). Double click on the file(s) to view the contents.


    *Warning

    Do not Delete or Rename a User's account from which you will want to Recover the Encrypted Files. You will not be able to de-crypt the files using the steps outlined above.

    Techsent
     
  3. dhalix

    dhalix Private E-2

    Cheers mate, I'll try that out right now, I was just looking at checking out the console root to see if I could do anything there but your method sounds good to me!
     
  4. dhalix

    dhalix Private E-2

    Ok so I did everything step by step but it didn't work, I had the files encrypted before so I did the whole log in to the account I had which initially put the EFS on the files and folders and when I logged out and back into the admin account it still wouldn't allow me access.

    I didn't change the name of my account just the password and I'm really kicking myself for not remembering it. Is there not a way of deciphering the certificates or any hashes that might be still lurking around somewhere?
     
  5. techsent

    techsent Corporal

    De-crypt Encrypted files on Windows XP/Vista/7

    hmmm, that's strange. That should have worked.

    Maybe someone else has the fix.

    Techsent
     
  6. dhalix

    dhalix Private E-2

    Re: De-crypt Encrypted files on Windows XP/Vista/7

    Hi Techsent,

    I would have PM'd you but it says I need 50 posts or more to do so, so I'll add something here and hope you read it. Would you possibly know any MCSE's or even better MCP's that may be able to help with my problem?
    Thank you in advance mate
     
  7. techsent

    techsent Corporal

    It's not a problem dhalix. There's no need to ever PM me. Unless you have a good stock tip :), I prefer public interaction.

    Yes, the help that I gave was directly from a chapter located within one of the books that I've read in the past. It was either XP under the hood or Mike Myers XP certification passport.

    Techsent
    _______________________
    Don't let others define who you are!
     
  8. dhalix

    dhalix Private E-2

    Alright techsent,

    I have been still searching for the solution to this dilemma and found that the private keys are stored in the C:\Documents and Settings\%USER_NAME%\Application Data\Microsoft\Crypto\ folder and I have some in there from 2006-2008, yep that's how long I've been abroad for, so would having those help me with disabling EFS?
     
  9. techsent

    techsent Corporal

    Hey dhalix,

    I have no idea. For that question, I'm in uncharted waters.
     
  10. tgell

    tgell Major Geek Extraordinaire

