Q: Data recovery from NTFS using EFS ( No Answer,   2 Comments )
Question  
Subject: Data recovery from NTFS using EFS
Category: Computers > Operating Systems
Asked by: thefire-ga
List Price: $25.00
Posted: 15 Jul 2004 11:11 PDT
Expires: 14 Aug 2004 11:11 PDT
Question ID: 374565
I have an untouched (but unbootable) installation of Windows XP with
syskey installed which has efs data that I need to retrieve. I know
the password for the user whose data that I need to retrieve, but have
forgotten the main administrative password (but do not need to
retrieve data from that account).

I recently purchased a new motherboard (the old one failed and the new
one utilizes a different chipset than the old one) and new hard drive.
I installed windows on the new hard drive, and then stuck my old hard
drive in the computer, hoping to be able to access my data. I was not
able to access the encrypted data, but had hoped to be able to enter
the password to access it. This (after some research) is not the way to go. 

I attempted to use Elcomsoft's Advanced EFS Data Recovery tool without
success (it refused to show any decryptable files, even though it
would allow browsing of the encrypted files from the file tree tab - the "Add
file(s) into list" button was never selectable and none of the things
it found in the "EFS related files" tab ever turned green).

After trying this, I thought that I might just be able to boot the
windows installation itself, and copy the data that way, or at least
disable the EFS. When I try, however, I get the windows XP bluescreen
"stop 7b" message (from both safe mode and regular boot). I believe
this is a difficulty with the miniport drivers for the new motherboard
chipset. I attempted to fix this problem by running a windows
installation on the drive in recovery mode, but after an error-free
installation, the drive still will not boot (same 7b message in both
regular and safe mode). I also tried using the software here:
http://home.eunet.no/~pnordahl/ntpasswd/
but was unable to find a solution to my problem that I was sure would
not destroy the keys to my data. I am unable to use the recovery
console because I do not remember the administrative password. Would
using the aforementioned tool to blank the administrative password so
that I could use the recovery console be a possibility which would not
make the user data unrecoverable?

Is there some way (besides the in-windows wizard that all the
tutorials talk about using) to export the efs keys, particularly from
a non-booted installation, so I could import them into my current
installation and use them to access the data?

An answer will either allow me to retrieve my data or will provide
unambiguous proof that the data is irretrievable.

We could approach this in several ways:
-retrieve the data directly with some tool
-figure out how to boot my old hard drive (even safe mode will do the trick)
-some other novel approach I haven't considered yet

Thanks for your help!
Paul

Request for Question Clarification by webadept-ga on 15 Jul 2004 15:41 PDT
Hi, 

This is one of those touchy-feely diagnostic problems that ..  well..
get icky, :-) but I feel for you so I'm going to drop you a suggestion
and fade away.

First a new hard drive, and then a download of Knoppix
http://www.knoppix.org/

I don't remember and refuse to even consider guessing how many times
Knoppix has saved my ... job. just leave it at that.

Knoppix is a full version of Linux, on a Bootable CD. It boots and
runs all from the CD ROM. No file copy or install.

So what you say? Yeah its cool, but .. big deal I'm missing data
here.. .. just hold on a moment.

To get to root you just use 'su', no password. You need to be su to
mount the hard drives in read and write mode.

Open the Konsole, su, and then 
mount /dev/hda1 /mnt/hda1
cd /mnt/hda1
mount /dev/hdb1 /mnt/hdb1  ((um, you did get that other drive and
installed it right?) good)

Now there are several ways to make this copy. If you think it was a
drive problem that is keeping you from booting and backing up, then you
are going to format and low-level copy over there, log out of Knoppix
and reboot (take the CD out, yes?) and be back up.

If you think it was a system crash failure with corrupted system
files, then format the new drive and copy over the efs files. Then try
using that util and see if you can access them from there, away from
surrounding filesystems. Chances are, with what you said before, it
will.

"The use of EFS file sharing in Windows XP provides another opportunity
for data recovery by adding additional users to an encrypted file. "
-- How funny is that, just got it off the Microsoft website... is that
really a good thing?

This is the last-ditch effort. Unfortunately making a backup to the
new drive is probably useless with EFS, but you were saying you didn't
have the Admin password and that may be why this tool of yours isn't
working. Well... if all is already lost, then you could try this with
the Knoppix there too.

http://www.petri.co.il/forgot_administrator_password.htm

Now, only .. as a last resort would I try that. When you and your
customer are pretty sure it's gone. Gone and lost forever. Then, that
on EFS. Very plainly you will be able to get Administrator access to
the file system, but you pay for that by losing every file owned by
Administrator. Understand that, and think really hard what those
things are going to be. 'Cause they are gone, with no recovery. He says
it's possible if you remember the Admin password later. I doubt it.

When you do recover, back up the keys and make key disks. CD's preferably. 

Good luck mate. Hopefully there are better ways. 

webadept-ga

Clarification of Question by thefire-ga on 15 Jul 2004 18:19 PDT
Thanks for the advice. Knoppix is indeed a useful tool, but it doesn't
solve my problem because I am pretty darn sure it isn't a hardware
problem (so the same data shouldn't boot any better on another disk).
The disk passes checkdisk as well as the manufacturer's diagnostic
suite.

I think the problem lies in the fact that I can't boot the system
because of the different motherboard chipset. The thing that perplexes
me is that the "repair" mode of windows installation should have fixed
that problem.

Still, I'll give your idea a try, and it will give me another copy of
the data to mess with, and try things that I wouldn't be willing to
try on the original.

As another clarification: I don't care at all about the encrypted
files from the administrator account. Only the user's encrypted files
matter. I believe I should be able to access the user's files
regardless of the status of the administrative account.

Any ways to extract the key files while windows is not actually
running? That would solve my problem, I think...
Answer  
There is no answer at this time.

Comments  
Subject: Re: Data recovery from NTFS using EFS
From: magrello-ga on 21 Jul 2004 14:56 PDT
 
Hi,

The old drive (with encrypted files) is OK?!? Can you boot with it
??). If the only change that occurred is the motherboard
or the chipset, try to do this ::

http://support.microsoft.com/default.aspx?scid=kb;en-us;314082

Some differences between the procedures. Forget the files, just create
the Mergeide.reg with that information ::

********** Start copy here **********
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\primary_ide_channel]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="atapi"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\secondary_ide_channel]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="atapi"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\*pnp0600]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="atapi"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\*azt0502]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="atapi"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\gendisk]
"ClassGUID"="{4D36E967-E325-11CE-BFC1-08002BE10318}"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#cc_0101]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_0e11&dev_ae33]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1039&dev_0601]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1039&dev_5513]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1042&dev_1000]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_105a&dev_4d33]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1095&dev_0640]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1095&dev_0646]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1095&dev_0646&REV_05]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1095&dev_0646&REV_07]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1095&dev_0648]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1095&dev_0649]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1097&dev_0038]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_10ad&dev_0001]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_10ad&dev_0150]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_10b9&dev_5215]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_10b9&dev_5219]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_10b9&dev_5229]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1106&dev_0571]
"Service"="pciide"
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_1222]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_1230]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_2411]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_2421]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_7010]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_7111]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_7199]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"

;Add driver for Atapi (requires Atapi.sys in Drivers directory)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
"ErrorControl"=dword:00000001
"Group"="SCSI miniport"
"Start"=dword:00000000
"Tag"=dword:00000019
"Type"=dword:00000001
"DisplayName"="Standard IDE/ESDI Hard Disk Controller"
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,61,00,74,00,61,00,70,00,69,00,2e,\
  00,73,00,79,00,73,00,00,00

;Add driver for intelide (requires intelide.sys in drivers directory)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelIde]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Tag"=dword:00000004
"Type"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,6e,00,74,00,65,00,6c,00,69,\
  00,64,00,65,00,2e,00,73,00,79,00,73,00,00,00


;Add driver for Pciide (requires Pciide.sys and Pciidex.sys in Drivers directory)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCIIde]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Tag"=dword:00000003
"Type"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,70,00,63,00,69,00,69,00,64,00,65,\
  00,2e,00,73,00,79,00,73,00,00,00

********** End copy here **********


As you need to import some reg keys to another installation you will
do that by using that command :

start /w regedit.exe /s a:\Mergeide.reg

After you put that information in the problematic installation, the old HD
will be able to boot with your new motherboard (or any other
mainboard) and you will be able to decrypt the files and recover the
information.

Due to performance issues, you need to reinstall the OS.

If you have some trouble, tell me.

Good Luck,
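The posted Mergeide.reg names drivers by service and stores each ImagePath as hex(2), a REG_EXPAND_SZ written as comma-separated UTF-16LE bytes with backslash line continuations. The following is an added example, not code from the comment above or from Microsoft's KB article: it parses a .reg file in that format, decodes the paths, and reports which of the referenced drivers the merge itself supplies and which must already exist in the installation. SAMPLE_REG is a constructed three-key excerpt of the file above.

```python
# Constructed three-key excerpt in the format of the Mergeide.reg posted above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_7111]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\gendisk]
"ClassGUID"="{4D36E967-E325-11CE-BFC1-08002BE10318}"
"Service"="disk"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelIde]
"Start"=dword:00000000
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,6e,00,74,00,65,00,6c,00,69,\
  00,64,00,65,00,2e,00,73,00,79,00,73,00,00,00
'''

def decode_hex2(csv_hex):
    """hex(2) is REG_EXPAND_SZ: comma-separated UTF-16LE bytes, NUL-terminated."""
    return bytes.fromhex(csv_hex.replace(',', '')).decode('utf-16-le').rstrip('\x00')

def parse_reg(text):
    """Return {key_path: {value_name: value}}; joins backslash-continued hex lines."""
    keys, current, buf = {}, None, []      # buf = [name, partial hex] while continuing
    for raw in text.splitlines():
        line = raw.strip()                  # tolerates stray blanks after the trailing '\'
        if buf:
            buf[1] += line.rstrip('\\')
            if not line.endswith('\\'):
                keys[current][buf[0]] = decode_hex2(buf[1]); buf = []
            continue
        if not line or line.startswith((';', 'Windows Registry')):
            continue
        if line.startswith('['):
            current = line[1:-1]; keys[current] = {}
            continue
        name, _, value = line.partition('=')
        name = name.strip('"')
        if value.startswith('hex(2):'):
            buf = [name, value[7:].rstrip('\\')]
            if not value.endswith('\\'):
                keys[current][name] = decode_hex2(buf[1]); buf = []
        elif value.startswith('dword:'):
            keys[current][name] = int(value[6:], 16)
        else:
            keys[current][name] = value.strip('"')
    return keys

def required_drivers(keys):
    """Service -> ImagePath the merge defines, or None if it must already be installed."""
    services = {p.rsplit('\\', 1)[1].lower(): v for p, v in keys.items() if '\\Services\\' in p}
    return {v['Service'].lower(): services.get(v['Service'].lower(), {}).get('ImagePath')
            for p, v in keys.items() if '\\CriticalDeviceDatabase\\' in p}
```

Run against the full Mergeide.reg, the report shows atapi, intelide and pciide resolving to System32\DRIVERS\*.sys (which is why the comments in the file insist those .sys files be present) while disk resolves to None because the merge relies on the existing disk.sys.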
Subject: Re: Data recovery from NTFS using EFS
From: thefire-ga on 22 Jul 2004 14:05 PDT
 
magrello:

Yes, I believe the drive is OK, but cannot boot to it. The first
suggestion of that link is not possible (I don't have the hardware
necessary). The second is promising, but I don't see how your
recommended command will allow me to import the key into an
installation that is not booted. It was also my understanding that
re-installing the OS should do at least that, and possibly much
more... since re-installing the OS didn't help, I would be surprised
if that worked. I will give it a try, though, if you can show me how
to import it into the unbooted windows installation.
