I reinstalled Windows and now I can't access my encrypted files on my NTFS external drive...
February 25, 2006 11:41 AM   Subscribe

I reinstalled Windows and now I can't access my encrypted files on my NTFS external drive...

I dont know too much about this stuff: I didnt personally export the key to another computer on my network... Can I crack the encryption?
posted by who else to Computers & Internet (12 answers total)
 
What was used to encrypt the files?
posted by atrazine at 11:56 AM on February 25, 2006


If you erased your old Windows installation, and you were using NTFS encryption, you're boned.
posted by Malor at 11:58 AM on February 25, 2006


A friend of mine told me he was able to recover key files from somwhere, I think an old pagefile. Windows encryption dosn't really do much to protect your files, but it does do a lot to annoy the hell out of people.

Do you still have the old folder

[old documents and settings folder]\ [username]\ ApplicationData \ Microsoft \ SystemCertificates \ My \ Certificates?

If so, you might have a shot if not, you're probably boned.
posted by delmoi at 12:08 PM on February 25, 2006


By the way, you don't actualy have to un-install your old windows install to put on a new windows install. A lot of people like to reformat their hard drives, but I honestly have no idea why they do it. You can install windows wherever you want, just type in something other then C:\winnt during setup.
posted by delmoi at 12:09 PM on February 25, 2006


I just used the Windows encryption...
posted by who else at 12:12 PM on February 25, 2006


I got around this once by rebooting into Safe Mode and then logging in with the Windows-created Administrator account. I don't remember the exact process, but I think by right-clicking on the encrypted directory and choosing properties there was an option that's only available in Safe Mode that allows you to reassign file ownership. After I had done that, I was able to turn off the encryption.
posted by stopgap at 12:19 PM on February 25, 2006


Yeah I assume I'm not actually boned. I mean its Windows encryption we are talking about... I'll try some of these suggestions later on and post if something works...
posted by who else at 12:41 PM on February 25, 2006


Delmoi's link has it—Windows Encryption is totally key based, but if you've permanently killed your keys, then it's probably gone, actually.

You might want to back up your keys next time around.
posted by disillusioned at 1:30 PM on February 25, 2006


The keys used for file encryption are developed from user passwords. Non-free utility programs exist which try to guess the actual keys if given likely passwords, or administrative passwords. If you can remember what user passwords you were using when the files were encrypted, you may be able to use these to recover your files.
posted by paulsc at 2:07 PM on February 25, 2006


Malor writes "If you erased your old Windows installation, and you were using NTFS encryption, you're boned."

Windows encryption depends on the user's SID, unless you've backed up your SAM your boned. I don't think there is a brute force attack for this, only for changing the user password not recovering the SID.

After you format your drive TrueCrypt doesn't depend on the wholeness of your windows install, you just need the password and header files.
posted by Mitheral at 4:56 PM on February 25, 2006


Seconding everyone else's vote above, you're probably boned. Windows has the ability to export and backup the decryption keys, but that's something you have to do before the reinstall. Some of the work arounds above might work, but, I wouldn't hold my breath.

I've learned this the hard way in the past. :)
posted by jeversol at 6:29 PM on February 25, 2006


Something you might try, if your external drive has some non-encrypted files on it, is using Sysinternals's NewSID utility to make the machine SID on your new Windows installation match the machine SID you used to have.

IIRC, user SIDs are just machine SIDs with a smallish user ID appended; if you look in registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, you'll see a bunch of them. On my machine, I see subkeys

S-1-5-21-776561741-1202660629-1957994488-1004
S-1-5-21-776561741-1202660629-1957994488-1005
S-1-5-21-776561741-1202660629-1957994488-1006
S-1-5-21-776561741-1202660629-1957994488-1007

among others, so my current machine SID is

S-1-5-21-776561741-1202660629-1957994488

The two built-in users, Administrator and Guest, have fixed user ID's 500 and 501, so on my machine their full user SIDs are

S-1-5-21-776561741-1202660629-1957994488-500
S-1-5-21-776561741-1202660629-1957994488-501

If you go poking around the file system on your external drive looking at the Security tabs on file and folder Property sheets (use Safe mode to get to these if you're saddled with XP Home), you'll likely see some permission entries for users with names that look like those above. Those are the SIDs for users from your previous Windows installation, shown to you in their raw form because Windows can't translate them to "friendly" names.

Write down the machine SID part from one of those, then disconnect the external drive, then use NewSID (preferably while still in Safe mode) to set the machine SID on your new Windows installation to match the one you wrote down.

If you're lucky, that will let the Administrator user in to your old encrypted files (if you give Administrator the same password it had on your old installation, anyway).

If that's not enough, try creating new users. New user ID's start at 1000 and work up, so each new user you create will get a user SID that matches one of the ones from your old installation. Once again, use the same password you originally did (IIRC, both user SID and password get used in NTFS encryption).

I'd be interested to find out if any of this works for you. If not, you're probably SOL.
posted by flabdablet at 6:39 AM on February 27, 2006


« Older I can see your worrrrrds....   |   Academic paper repositories. Newer »
This thread is closed to new comments.