Absolutely Tech

Horrific week. NTFS Encryption (EFS) is the worst nightmare.

EFS or NTFS encryption can turn out to be your life’s worst nightmare in case you don’t fully read about it. I advise everyone not to use it unless you really know what you are doing and back up your certificates.

I myself had this nightmare, and it was not as bad as other people have it. I had many folders of mine encrypted and I forgot about them completely, as encryption is transparent to the user who encrypted the file. It was a usual day. I was working on my computer when I wanted to access some files from ‘My Documents’ (yes, I encrypted the whole My Documents folder. Idiot me.) and was denied access. I thought it might be just that file. I tried accessing other files and other folders, but they gave the same error. It dawned upon me. In an instant, I knew what was going on. I was shocked and confused at the same time. I didn’t know what was happening.

I remember opening a PDF file and I started getting Spybot registry prompts. But PDF files were safe, weren’t they? It had a virus. The PDF had a virus. I don’t know what it did, but this PDF created all the problems.
I was unable to access my files only after the infection. Also, it took away my admin rights. I couldn’t use software like Nero; it gave me messages that I needed admin rights to run it. I found a site to remove encryption using hex modifications of the registry and some files. This is the site:

http://www.beginningtoseethelight.org/efsrecovery/index.php

It’s good, and this guy was the first one to have found a way to recover. But the tutorial isn’t well written and I was just lost. I didn’t know how to do what he told me to do. I downloaded Elcomsoft Advanced EFS Recovery, but it said that it needed admin rights. I tried Passware EFS Key Recovery and it gave “Error decrypting file”.
I couldn’t do anything. I couldn’t even format my computer. That’d have made the problem worse. My encryption certificates, which might have been stored somewhere on the computer, would’ve gone forever, rendering my encrypted files useless.

I tried running chkdsk and it found many errors. I scheduled it to run at startup, as the C drive was locked, but it didn’t start. I was stuck from everywhere. Nothing was working. I ran Event Viewer to check for any errors and wasn’t surprised to see Error 7, which said “Bad block on hard drive”. I assumed that the block on the hard drive which had the SAM file and my certificates went bad, making me out to be another user and not letting me access my drive. Also, the virus made matters worse by removing my rights. I was no longer known to the computer as the same user. I was a different user to my computer.

I didn’t know what to do. Fortunately, I had another computer and I started downloading the Vista Recovery CD, which could run chkdsk. I thought that it might solve the problem. To make the situation worse, my internet stopped working, and no matter what I did, it wouldn’t work.

I was stuck again. So, I told my friend Chandal (Binay) to download it for me. He did, and I got it from him. I burned it to a DVD using another computer. I booted it on my laptop and ran chkdsk. It found and repaired errors. I rebooted into Windows XP and checked, but it didn’t solve any problems. I tried using chkdsk C: /B from the recovery disk again, but it was of no use too.

I had nowhere to go. I couldn’t do anything. Just then, I browsed to C:\Windows\system32\config and saw automated backups stored there. The latest one was from 24th May. I thought of giving it a shot. I booted into the recovery disk again, restored the backup and booted into Windows XP again. The problem wasn’t solved – I still couldn’t access my encrypted files. But an idea struck my mind. I thought that I must have got my admin rights back, as I restored all the SAM files along with the registry. To my amazement, I got the admin rights back. I ran the Elcomsoft EFS recovery, and it ran. I was so happy. At least I got some hope. I had my rights back. I ran the software and recovered a test file, and it succeeded.

I was in bliss. I had recovered the encrypted file. I spent the next 5-6 hours recovering all the files. This nightmare was not as bad as that of some people who forget about the encryption and format their drives, only to discover it later. At least I hadn’t formatted the computer. I had the certificates somewhere on my filesystem, but I didn’t know where.

So, it was really a nightmare.

Moral of the story: Do not encrypt files unless you have read about it completely and know what’s the worst that may come. You should also be ready to sacrifice those files in case something goes wrong.
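A concrete way to follow the advice given at the top of the post and in the moral (back up your certificates, and know which files are encrypted), added here as an example and not part of the original post: the script below inventories every file under the profile that carries the NTFS Encrypted attribute, then exports the current user’s EFS certificate together with its private key as a password-protected PFX. It assumes a Windows version whose cipher.exe supports the /x switch (Vista and later; the XP machine in the story does not have it), PowerShell 3.0 or later, and an interactive session so cipher can prompt for the PFX password. The backup directory and file names are constructed placeholders.

```powershell
# Added example, not from the post: inventory EFS-encrypted files and back up
# the EFS certificate with its private key so the files stay recoverable.
# Assumes Windows Vista or later (cipher.exe /x) and PowerShell 3.0+.
# $backupDir and the file names below are constructed placeholders.

$backupDir = Join-Path $env:USERPROFILE 'efs-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. List every file under the profile that has the Encrypted attribute set.
#    EFS is transparent to the owning user, so this list is the only reminder
#    of what would be lost if the certificate disappeared.
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }

$inventory = Join-Path $backupDir 'encrypted-files.csv'
$encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path $inventory -NoTypeInformation
"{0} encrypted file(s) listed in {1}" -f @($encrypted).Count, $inventory

# 2. Export the current user's EFS certificate and private key.
#    cipher /x writes <name>.pfx and prompts for a password to protect it.
$pfxBase = Join-Path $backupDir 'efs-key'
cipher.exe /x "$pfxBase"

# 3. Verify the backup actually exists before trusting it; then move the PFX
#    off this machine (the inventory CSV can stay, it holds only paths).
if (Test-Path "$pfxBase.pfx") {
    "EFS certificate and key backed up to $pfxBase.pfx"
} else {
    Write-Warning "No PFX was written; the EFS key is NOT backed up"
}
```

Keep the PFX and its password somewhere other than the encrypted drive: a backup that lives only on the disk whose failure you are guarding against is no backup. If the certificate is ever lost, the PFX can be imported again through certmgr.msc (Personal → Certificates → Import) and the files listed in the CSV become readable once more.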


Category: Tips and tricks, Tutorials, Windows
