Getting the EFS Private Key out of system image
Posted
by
thaimin
on Super User
See other posts from Super User
or by thaimin
Published on 2013-11-01T00:04:11Z
Indexed on
2013/11/01
10:01 UTC
Read the original article
Hit count: 210
windows-7
|encryption
I had to recently re-install Windows 7 and I lost my exported private key for EFS. I however have the entirety of my user directory and my figuring that the key must be in there SOMEWHERE. The only question is how to get it out.
I did find the PUBLIC keys in AppData\Roaming\Microsoft\SystemCertificates\My\Certificates If I import them using certmg.msc it says I do have the private key in the information, but if I try export them it says I do not have the private key. Also, decryption of files doesn't work.
There is also a "keys" folder at AppData\Roaming\Microsoft\SystemCertificates\My\Keys. After importing the certificates I copy those over into my new installation but it has no effect.
I am starting to believe they are either in AppData\Roaming\Microsoft\Protect\S-1-5-21-...\ or AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-...\ but I am unsure how to use the files in those folders. Also, since my SID has changed, will I be able to use them? The other parts of the account have remained the same (name and password). I also have complete access to the user registry hive and most of the old system files (including the old system registry hives).
I do keep seeing references to "Key Recovery Agent" but have not found anything about using, just that it can be used.
Thanks!
© Super User or respective owner