Recover encrypted files after performing Windows XP repair

December 20, 2014 at 12:26:38
Specs: Windows XP Pro
I was forced to repair my XP Professional using the original installation disk. Files I had encrypted are listed in green, but I cannot read them.

Is there a way to read the files or decrypt them? Can I recover the original encryption certificates or reconstruct them?

More info:
There were no hardware failures. The machine is exactly the same. After the repair, the original account and password was intact (I did not have to recreate the account or set a new password. When I booted, Windows' login screen had my original account name and accepted the password I always used).

The first thing that happened when trouble started - I was unable to boot at all because one of the hive files had become corrupt or missing according to the error message on the blue screen. I backed up the files in system32/config and replaced SOFTWARE with software.bak and software.sav on various attempts. That made no difference.

Strangely, when I put the original SOFTWARE file back in system32/config, the machine booted to the login screen but told me that it could not verify my Windows license (error80090019).

I think, but can't be sure, that rsaenh.dll had somehow become unregistered. I was unable to run regsvr32 in safe mode or recovery mode.

After trying to boot with the last known good configuration and many attempts at rolling back to a previous restore point (with windows boot disc, safe mode, UBCD4Win...), I did a repair installation.

All my documents appear to be intact. I need to re-install all my programs like Office and Notebook++, but otherwise everything appears to be fine.

(After all this, yes, I've learned I should have backed up my encryption certificates.)

See More: Recover encrypted files after performing Windows XP repair

Report •

December 20, 2014 at 12:38:10
Although this refers to windows-7... it may at least be a possible starting point?

And this one appears to be specific to XP...

A google trawl using the string:

recover encrypted files windows XP

brought those two and there are many more besides. Some are likely utilities to be downloaded (and some/very likely not free)...

And yes.. it is useful to have a backup (stand-alone drive) elsewhere; and unless absolutely essential that back up not encrypted - but at least password protected?

message edited by trvlr

Report •

December 20, 2014 at 17:48:22
For the future consider not using either encryption or compression for backing up unless absolutely essential. It often comes back and bites you.

Always pop back and let us know the outcome - thanks

Report •

December 23, 2014 at 15:34:00
Trvlr''s links require using a backed-up encryption certificate, which I don't have. However, in both cases the author of those articles assumed that someone was trying to recover encrypted files from an old machine or old disk that would no longer boot.

In my case, both the machine and disk are working, It's just that I had to essentially re-install Windows over the old files.

See my post below.

Report •

Related Solutions

December 23, 2014 at 15:39:47
I have learned enough to restate my question. The information that I don't have which would probably help is:
1) I know that Windows creates the encryption certificates using identifying information from the machine's hardware and the user's account/password. Is something like a random number also used in creating the certificate? If so, I am probably out of luck unless...
2) Does anyone know where encryption certificates are stored? I have searched for this but can't find it clearly stated anywhere. If it's in the registry, which I had to overwrite to repair my operating system, I am probably out of luck. If it is in some other part of the file system, I can probably recover it.

Report •

December 23, 2014 at 15:56:41
Did you read these?

Recover encrypted files or folders

Recovering Encryption Keys from Windows XP

To view the certificates in a PKCS #7 file

message edited by Johnw

Report •

December 23, 2014 at 16:36:35
Sorry me earlier suggestion(s) didn't pan out...

It is an area about which I really know zilch, but also inspires one to go hunt...

I found numerous references to an MMC snap-in, which it would seem is how to view assorted certificates... From this I tended to conclude they are are not in the registry itself, but had no idea where, until further research... See link below...

This link is but one of many around MMC snap-in, and may be of some help to start afresh in your search?

My trawl used assorted strings, one of them being:

efs certificates snap-in

Which perhaps you might repeat?

Other hits around your situation do seem pretty definite in that an OS re-install make it highly unlikely you can recover either certificate or the files... And if so the regrettably they are gone?

Advice from those who are into efs is to export a copy of the certificate to external storage, and keep safe... But none of them specified hot to do it... Presumably it's via the MMC snap-in?

Managed to find this item - refers to windows 2000 but may apply for xp too? It "does" show where the certificates for each user are stored. Worth a look-see at least... But very likely as you have overwritten the previous installation, the certificates you seek are gone.

Whether or not a roll back of the installation is possible (thinking of an undo format etc. utility...) i wouldn't know. I have used such software in the past with regard to reversing a format...

This item"may" be of interest/help...

I have used easus successfully on a test basis., but not in any great depth. The critical item is that one should not have overwritten the files in question; that apart from the reinstall there has been little written to the drive thereafter...

message edited by trvlr

Report •

December 23, 2014 at 22:04:46
Johnw & trvlr,
Thanks to your links I have made some progress. In case anyone else needs to know, encryption certificates are stored in:

Documents and Settings\%user%\Application Data\Microsoft\SystemCertificates\My\Certificates\

I was also able to see the 'thumbprint' of the certificate used to encrypt my files by looking in the file properties. That certificate still resides in the folder above on my machine.

So far I have not been able to convince my machine to use the certificate, but I have a couple ideas. I just haven't been able to get them to work yet.

I may be able to use an administrator account to add my account to the list of people who can decrypt the file. If I can't do that, I need to re-read the details of how keys work. There is some stuff in one of the links about using the owner's public and private keys to decode the encryption certificate (The encryption certificate, which contains the encryption key, is itself encoded with the file owner's private key.)

Thanks for the help. I'll let you know how I'm doing when I have some more time to work on this in the next couple days.

Report •

December 23, 2014 at 22:23:47
" I'll let you know how I'm doing when I have some more time to work on this in the next couple days"
Thanks XPvictim.

"There is some stuff in one of the links about using the owner's public and private keys to decode the encryption certificate (The encryption certificate, which contains the encryption key, is itself encoded with the file owner's private key.)"
Yep, saw that, if you have that key, you have a chance.

Report •

December 24, 2014 at 01:58:27
Without going back through the links various above, and looking for other references anew, I seem to recall seeing info that may offer a way to to recover te files. That info does require the key of course, andthat you appear to have.

So it does see you may have a good chance of success...

Report •

December 26, 2014 at 12:37:47
Just so you won't think I gave up... I'm having trouble accessing the account where the file is stored. Windows does not recognize my password. I know I have the right one, and I haven't mistyped it. Makes me think there is a virus or ongoing registry damage. Fortunately, I still have access to the administrator account.

I'm going to run an anti-virus scan. If that doesn't fix things, I'll use the administrator account to reset the password in the main account.

Prior to my password problem, I discovered that after my operating system repair, no accounts on the computer have credentials to access encrypted files (not even the administrator account). This is a separate issue from the encryption key. The key is still stored in the computer, and I was working on how to restore or create credentials for the main account. I think that is the public/private key issue some of the links mentioned.

I'm going away for New Year's so it might be a few days before I get back to this.

message edited by XPvictim

Report •

December 26, 2014 at 14:06:52
After your AV run this freebie on it, it often finds and fixes what AV's miss:
(green button top right of website).

If it finds anything copy/paste its log on here so that we have an idea what's going on.

Always pop back and let us know the outcome - thanks

Report •

January 5, 2015 at 21:26:03
I've been away for a few days, but I kept working on decrypting my files while I was gone. Thanks for the suggestions and anti-virus files.

The virus scans found nothing.

I also learned that the encryption key for the files is itself encrypted using the file owner's encryption key. If I understood what I read, keys associated with user accounts are stored in the registry. Can anyone verify that? If that is true, I think there is no hope of decrypting my files because the registry was damaged by whatever happened to my computer.

The only thing that gives me any hope that I might somehow find the old user encryption keys is that after I "repaired" my operating system, I was able to logon to the old account with the old password - I did not have to recreate the account.

I say "repaired" my operating system because I booted with a Windows repair disk and told it to repair the Windows installation on the C drive. However, it appeared that all the system files were being re-written.

message edited by XPvictim

Report •

Ask Question