Encrypted Folder


Brainfire
November 12th, 2001, 06:36 AM
I recently reinstalled WinXP Pro - unfortunately the 'My Documents' folder was on another NTFS drive with the result that I can no longer access it. (Access Denied) I cannot move/copy/delete this folder - as this is encrypted by default apparently, I've been told that the hash for this folder was stored with the previous installation and recovery/access is now impossible even though I have the same username/password - Someone please tell me this is wrong and there is some way of getting my documents back - I would even be prepared to use a brute force cracker for months to do this.
And before anybody lectures me about backing up - I did backup, but the 'My Docs' folder was on another drive which XP backup apparently takes no notice of - therefore all the user accounts were backed up but the 'Docs' folders were omitted.

Living in hope !!

And while we're on the subject of XP - why can't I import my messages from OE5? - Microsoft shoved it down our throats for long enough.....

tha 4NiK8R
November 12th, 2001, 10:42 AM
You need to give your account "recovery agent" rights and take control of the folder. You can also change the permissions to allow "Everyone" access to it.

ShadowKing
November 12th, 2001, 02:41 PM
It sounds like you are having a permissions issue, NOT an EFS issue, and EFS is not enabled by default.

If you did check the little "Encrypt this folder's contents" checkbox, then you are SCREWED. That uses a 128 bit key that is impossible to crack.

I am assuming that you have XP Pro, not home:

But you would not get an access denied message, you would just get gibberish for the file's contents. If you are getting access denied, then you need to log on as an administrator and give yourself access to the folder.

In Explorer, Click Tools --> Folder Options --> View --> and uncheck the last option: Something like "Use Simple File Sharing"

Now right click on the folder and click properties --> Security. Click the advanced button and then under the owners tab, change it to you. Click OK. Also make sure you are listed in the security list.
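The distinction ShadowKing draws (Access Denied = ACL/ownership problem, unreadable contents = EFS) can be checked before touching anything. This is an added PowerShell example, not from the thread; the folder path is a constructed sample, and it assumes an elevated prompt on a Windows version with takeown.exe, icacls.exe and cipher.exe.

```powershell
# Added example: tell an ACL problem apart from an EFS problem and repair only
# the former. $Path is a constructed sample; run from an elevated prompt.
param([string]$Path = 'D:\My Documents')

$item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop

# An EFS-encrypted folder or file carries the Encrypted attribute. Changing
# the ACL on such an item yields the ciphertext bytes, not the plaintext.
$isEfs = ($item.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
if ($isEfs) {
    Write-Warning "$Path is EFS-encrypted; only the original EFS key or a recovery agent key can decrypt it."
    # cipher /c lists the users and recovery agents whose keys can decrypt the item.
    cipher.exe /c $Path
    return
}

# Not encrypted, so it is a permissions problem: show the owner and the ACL first.
$acl = Get-Acl -LiteralPath $Path
"Owner : $($acl.Owner)"
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Take ownership recursively (the command-line equivalent of the Owner tab),
# then grant the current user Full Control inherited by files and subfolders.
$who = "$env:USERDOMAIN\$env:USERNAME"
takeown.exe /F $Path /R /D Y | Out-Null
icacls.exe $Path /grant "${who}:(OI)(CI)F" /T | Out-Null

# Verify the result.
"New owner: $((Get-Acl -LiteralPath $Path).Owner)"
```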

ShadowKing
November 12th, 2001, 02:49 PM
BTW I thought I would give you all a little overview of EFS.

When your account is created, it gets assigned an EFS key that is partly random. This 128 bit key is what is used to encrypt the documents when you check "Encrypt this file's/folder's contents to secure the data."

You should ALWAYS export your EFS key if you are using it. That way if something happened to your computer, and you needed to reinstall, you can still recover your data.

When you reinstall, a new account with a DIFFERENT efs key is created. That account may have the same username and password, but it WILL have a different EFS key. That is why you will not be able to recover the files, even if you use the same username and password.

In a domain environment, the Administrator and any others that he designates can be a Recovery Agent. This is a user that has an optional domain specific key that can ALSO access those encrypted files. That way if someone left the company, we could still recover their encrypted data.

Ya_know
November 12th, 2001, 03:19 PM
Originally posted by ShadowKing:
> BTW I thought I would give you all a little overview of EFS.
>
> You should ALWAYS export your EFS key if you are using it. That way if something happened to your computer, and you needed to reinstall, you can still recover your data.

Great info, thanks! BTW, how would you export the EFS Key? I don't have XP, so I thought I would ask.

As well, the domain option you had referred to, I know it is a bit more complex than the stand-alone, however could you go into more detail if you have time? By the way you described it, it sounds as though it may not be enabled by default either. I wonder how to ensure it can be used.

Is it only available through a part of Active Directory in Win2K? I am guessing NT4 domains are not capable of doing this.

Thanks.

ShadowKing
November 12th, 2001, 03:48 PM
Originally posted by Ya_know:
> Great info, thanks! BTW, how would you export the EFS Key? I don't have XP, so I thought I would ask.
>
> As well, the domain option you had referred to, I know it is a bit more complex than the stand-alone, however could you go into more detail if you have time? By the way you described it, it sounds as though it may not be enabled by default either. I wonder how to ensure it can be used.
>
> Is it only available through a part of Active Directory in Win2K? I am guessing NT4 domains are not capable of doing this.
>
> Thanks.

For starters, to export your EFS key, go to Start --> Settings --> Control Panel --> Administrative Tools --> Local Security Policy
In the MMC Click the + next to Public Key Policies and click on the "Encrypted Data Recovery Agents" container. You will see Administrator there. Right click on his name and click "All tasks" and then "Export" to export the key.
Also you can right click in a blank area and click "Add" to add an additional recovery agent.

The option to USE EFS is always available, but by default, NO folders are encrypted. You have to manually choose "Encrypt this folder's contents" under the advanced properties menu to encrypt stuff.

As for a Domain, it is very similar to an individual workstation, except it is important to remember that only a recovery agent from the domain can recover EFS stuff encrypted with a domain account. So if you log onto your workstation with a DOMAIN account and encrypt a file, then log on as the local administrator, you will NOT be able to recover that file, because the EFS recovery agent for your domain account is the DOMAIN administrator, not the local one. The opposite also applies.

Sidenote: The ONLY way that I know of to truly protect data on a laptop is to log on with a DOMAIN account and use EFS to encrypt any data you want safe. That way if it is stolen, they cannot compromise the local accounts and recover the data...

Interesting Links to Learn More:
Best Practices for Encrypting File System: http://support.microsoft.com/support/kb/articles/Q223/3/16.ASP
How to Encrypt Data Using EFS in Windows 2000: http://support.microsoft.com/support/kb/articles/Q230/5/20.ASP
How to Back Up Your Encrypting File System Private Key: http://support.microsoft.com/support/kb/articles/q241/2/01.asp
How to Restore an EFS Private Key for Encrypted Data Recovery: http://support.microsoft.com/support/kb/articles/Q242/2/96.ASP
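The "export your EFS key before you reinstall" advice above, done from PowerShell instead of the MMC snap-in. This is an added example, not from the thread or the linked articles; it backs up the logged-on user's own EFS certificate and private key (not the recovery agent's), assumes the PKI module (Windows 8 / Server 2012 and later), and uses a constructed output path.

```powershell
# Added example: back up the current user's EFS certificate and private key to
# a password-protected PFX before a reinstall. Output path is a placeholder.
$pfxPath = Join-Path $env:USERPROFILE 'efs-backup.pfx'
$pfxPass = Read-Host -AsSecureString 'PFX password'

# EFS certificates carry the "Encrypting File System" enhanced key usage,
# OID 1.3.6.1.4.1.311.10.3.4. Only certs with a private key are useful.
$efsOid  = '1.3.6.1.4.1.311.10.3.4'
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid)
})
if ($efsCerts.Count -eq 0) {
    Write-Warning 'No EFS certificate with a private key in this profile; this account has not encrypted anything yet.'
    return
}

# Show what will be exported; a profile can hold more than one if keys were renewed.
foreach ($cert in $efsCerts) {
    'Thumbprint {0}  valid {1:d} to {2:d}' -f $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter
}

# Write the first certificate and its private key; keep the PFX off this machine.
Export-PfxCertificate -Cert $efsCerts[0] -FilePath $pfxPath -Password $pfxPass -ChainOption BuildChain | Out-Null
"Exported to $pfxPath"

# After a reinstall, restoring access to files encrypted under this key is:
#   Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPass
```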

ShadowKing
November 12th, 2001, 03:50 PM
BTW. XP and 2000 do not differ in this area, so all that info also applies to Win2k.

Ya_know
November 13th, 2001, 09:44 AM
Originally posted by ShadowKing:
> BTW. XP and 2000 do not differ in this area, so all that info also applies to Win2k.

Boy, now I feel stupid.

Thanks for all of the info. This will keep me busy for a few hours!