I have encrypted a lot of files.
Now I can't decrypt them because maybe I changed my password.
And that's the problem, I forgot the password on which I used when I encrypted those files.
It says that I'm not trusted.
I badly need help. I want the solution to be simple.
What can be done to remove the encryption?
Related posts:
1 response so far ↓
1 funmansk // Apr 14, 2008
copy all the encripted files….
and save it to a FAT partitionded drive..
EFS is NTFS specillity… FAT will remove this..
so thats it..
or if u don know much about the file systems.. do this
Removing EFS from Windows 2000 and XP workstations
If you decide that EFS is not right for your environment, you’ll need to disable EFS on Windows 2000 or Windows XP. I'll look at this process on Windows 2000 first.
Windows 2000
Microsoft wanted to ensure that recovering encrypted data was possible, even if you accidentally deleted the user who encrypted it. To do this, a user is assigned as a recovery agent on each Windows 2000 system. By default, this user is the administrator. This means that, by default, the administrator can decrypt any files encrypted on the local system. This also opens up Windows 2000 systems to an easy EFS hack. If a laptop is stolen and contains encrypted data, simply logging on as the admin could provide that thief with access. Obtaining admin access is as simple as booting the system with a floppy containing the NTFSDOS utility from Winternals and deleting the SAM file, making the admin password null. Even if a different account is used as the recovery agent, the thief who is now the admin can change that account’s password and log on as that account. Not only would the private keys for the user using EFS on the laptop need to be stored on a floppy or smart card, but so would the recovery agents, making EFS highly impractical to use.
Why not just delete the recovery agent then? Because that disables EFS on Windows 2000 systems. And that, of course, is how you also intentionally disable EFS. Simply bring up the local system security policy and remove the administrator certificate from the folder marked Encrypted Data Recovery Agents, as shown in Figure B.
Figure B
Windows XP
Windows XP is designed to allow for the deletion of the recovery agent to address Windows 2000’s weakness and, while that's good news for those wanting to put EFS to use on their laptops, it means that you must find a different way to disable it on Windows XP. Group Policy is still used to disable EFS on XP systems in an Active Directory network, but an admin template must be imported into the Domain Group Policy first. If you've never created an .adm file before, don’t worry; it's a simple process. First, cut and paste the text found in Listing A into a text file in Notepad.
Now save the file with the name efs-diable.adm. Bring up the Group Policy for the domain. (If you're not familiar with this, right-click on the domain inside the AD Users And Computers tool, and choose Properties. Click on the Group Policy tab and then click Edit.) After bringing up the Group Policy for the domain, open the computer configuration section. Right-click on the Administrative Templates folder. You should have the option to Add/Remove Templates. Choose that option and then click on the Add button. Browse to the .adm file you just created and click on Open. Now click on Close. You’re all set. You'll now find a folder under Administrative Templates called Special EFS Handling.
Figure C
Enable the Disable XP and .NET EFS (as shown in Figure C), and all XP systems in the domain will have their EFS disabled. This process works on the local system Group Policy for Windows XP Professional systems that are not running in an ADS environment if they're running SP1. You should now get the error shown in Figure D.
Figure D
If you test it and find it not working on your local XP system, you can hack the registry manually using the following text as the .reg file:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Efs]"EfsConfiguration"=dword:00000001
Just double-click on the .reg file and choose to import it into the registry. I've had better success with this method on XP systems not running SP1.
Used properly and with the right preparation, EFS can add the additional security you may need on your network. Hopefully, making that decision is easier after reading this article. If you do decide that EFS is needed, definitely take a look at Microsoft’s white papers on the subject and review its best practices. Microsoft makes EFS sound easy in its ads, but the white papers will give you a much better idea on what's needed for proper implementation.
Luv
SK
Mail me :funmansk (at) yahoo.com
Join my group: http://groups.yahoo.com/group/funmansk
My blog : http://firstcitizen.wordpress.com
Fun blog : http://funmansk.blogspot.com
Get paid to view ad: http://www.advercash.net/index.php?ref=funmansk
Leave a Comment