help me avoid losing a lifetime of data


It did ask me to back up the key when it was first encrypted, which I did, and I used it successfully without issues for a while, until the computer hardware issues leading to the clean Windows reinstall seem to have caused a silent recovery key deletion and reassignment, or re-creation of a new key. This is a known bug, from what I understand, in one of the Windows releases in the last year. So that's why there's no backup of only this one BitLocker ID.

Yes, I do. Those are the ones, and more, that I grabbed before reinstalling. However, the thing that's missing is a private key and... I have been using my fingerprint and a PIN to log into Windows for quite some time, so when I changed the motherboard, which was unplanned, Windows no longer accepted my fingerprint and asked me for the password, which was a long, deliberately not easy to remember password that existed only in the EFS-encrypted file, so I had to reset my Windows password, which I think is the main obstacle at this point to opening those.

Alright so, with the files in the Certificates and Keys folders... first make a folder somewhere. I'll use C:\EFS-Recovery.

Then copy into that folder:
  • The certificate file (usually a long hex filename, no extension or .crt)
  • The key file (same long hex filename, but stored in the Keys folder)
They must have the same base filename, so like

Code:
C:\EFS-Recovery\3A4F2B1C2D3E4F5A6B7C8D9E0F123456
C:\EFS-Recovery\3A4F2B1C2D3E4F5A6B7C8D9E0F123456.key

Change directories to the folder you're using, e.g., cd C:\EFS-Recovery. Then merge the files to create the PFX. The dot tells certutil to look in the current directory, so adjust if you didn't CD into it. You will be prompted to set a password for the PFX. If the certificate and key match, certutil will generate the efs.pfx file.

Code:
certutil -mergepfx . efs.pfx

Then, you should be able to double‑click the efs.pfx file, choose Current User, enter the password, and finish. Windows should immediately be able to decrypt the EFS files.

You said copy the certificate file and the key file, but in the certificate and key folders I have multiple files, and none in each folder matches any file in the other folder.
 

Then unfortunately the certificate for the EFS identity exists without its matching key, or vice-versa, or the EFS identity was never backed up. Obviously I wouldn't know which is the case.
 

The way you would know which certificate you need is cipher /c "X:\path\to\your\encryptedfile". The certificate thumbprint will be printed out, with spaces in it. Just take the spaces out, and that's the thumbprint of the certificate you need to find.

Some other places to look for certs:

  • C:\Users\<OldUser>\AppData\Roaming\Microsoft\Crypto\RSA\
  • C:\Users\<OldUser>\AppData\Roaming\Microsoft\Crypto\Keys\
  • C:\Users\<OldUser>\AppData\Roaming\Microsoft\Protect\<SID>\
  • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\

Also, look in any other user account folders. They could have been backed up under a different account, maybe.

Edit: When you find a certificate file to check, use certutil -dump <filename> to see what the thumbprint is. Hopefully you find a match for the thumbprint for your EFS-encrypted file.
 

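The thumbprint check described in the post above, as an added example that is not part of the original thread: it strips the spaces from the thumbprint as cipher /c prints it and searches a folder of salvaged files for a certificate with that thumbprint. The function name Find-EfsCertificate, the sample thumbprint and the search path are assumptions made for illustration.

```powershell
# Added example (not from the thread): find the certificate that `cipher /c` names.
# Find-EfsCertificate is a hypothetical helper name used only for this illustration.
function Find-EfsCertificate {
    param(
        [Parameter(Mandatory)] [string] $CipherThumbprint,  # as printed by cipher /c
        [Parameter(Mandatory)] [string] $SearchRoot         # folder of salvaged files
    )

    # cipher /c prints the SHA-1 thumbprint in space-separated groups; keep hex only.
    $wanted = ($CipherThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($wanted.Length -ne 40) {
        throw "Expected 40 hex digits in the thumbprint, got $($wanted.Length)."
    }

    Get-ChildItem -LiteralPath $SearchRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_          # keep the pipeline item; $_ is the error inside catch
            $parsed = $null
            try {
                # Loads files .NET recognises as certificates (for example DER or Base64 .cer).
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
                $parsed = $cert.Thumbprint
            } catch {
                # Key containers, DPAPI master keys and other data are not certificates.
            }

            # The per-user certificate store folder names each entry after its thumbprint,
            # so a file whose name equals the thumbprint is reported even if it did not parse.
            $nameMatches = $file.BaseName.ToUpperInvariant() -eq $wanted
            if ($parsed -eq $wanted -or $nameMatches) {
                [pscustomobject]@{
                    Path             = $file.FullName
                    ParsedThumbprint = $parsed
                    NameMatches      = $nameMatches
                }
            }
        }
}

# Constructed sample thumbprint in the spaced form cipher /c prints; the path is a placeholder.
Find-EfsCertificate -CipherThumbprint '0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567' -SearchRoot 'C:\EFS-Recovery'
```

A row with NameMatches set but no ParsedThumbprint is a file named after the thumbprint that did not load as a certificate.
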
Here's what it told me about the encrypted file:
Certificate thumbprint: 9579 D737 63A4 B164 1A2B C764 9376 9493 0F6C 2261

No recovery certificate found.

Key information cannot be retrieved.

The specified file could not be decrypted.

How do files end up in the my/key folder? Why are there no keys that match any of the certificates in the my/certificates folder?

The folders are the ones from the machine when the file was opening.
 

In the cert folder I found a file with the same name as the thumbprint, and in the keys folder a file also named the same. Can't put them in the same folder due to the name clash. Are these the files I'm supposed to run the certutil -mergepfx . efs.pfx command with?
 

C:\efscombo>certutil -mergepfx . efs.pfx
CertUtil: -MergePFX command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
 

The key file should have a .key extension, as in my example. It's common to give the certificate file a .cer extension, but not strictly necessary.

Also make sure you're running your command prompt or PowerShell with admin rights to avoid permission issues.
 

FYI:
C:\efscombo>certutil -mergepfx . efs.pfx
CertUtil: -MergePFX command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
 
