Fog Creek Software
Discussion Board




Murphy's Law

Well, at least Joel's article has given us the explanation of where those 2 days went to (and here was me thinking he went on a binge around all the New York clubs!).

>>>>>>>>a few files which I let Windows encrypt for me (using EFS) are inaccessible. This has something to do with public keys and certificates. When you restore a file that was encrypted I guess you can't read it. I still haven't found the solution to this. If you know how to fix this I will be forever indebted to you.<<<<<<<<<<<<<

Before you set up encrypted folders you are supposed to make a restore diskette and keep it somewhere safe. The reason, I believe, is that the ability to open is tied to your SID on the W2000 machine, and that will obviously be lost if you use a new profile.

Using EFS without making the restore diskette first is like having unprotected sex with the local darts board smoking a cigarette in a garage full of jerrycans of petrol. Not advisable.

I never use EFS simply because I have read too many pleas on NT forums from people who have lost all their data.

Restoring to laptops takes a lot longer than restoring to a desktop because you can't simply put in the other hard drive as a master and clone to the slave. One thing is clear though. Much of the time wasting is caused by the fact you are dealing with a laptop and you can't set up RAID with a laptop.

Now you appear to be wasting a lot of time with your backup restore. You don't tell us how large the original disk is but I would presume less than half the 60GB of the new one. The time you are spending is too much. If you were using cloning software you wouldn't need to install the OS to start with (though maybe with a laptop since getting Ghost to work in networked DOS on laptops is not too easy). And even if you did, when you later installed the Ghost image it would overwrite the other OS.

You could then simply copy over your data at normal speed. That way you shouldn't have lost much email either (I am presuming that you keep your email on the data partition and not in the default location).

I know I appear to be harping on, but the reason is that I have done these two day reinstalls, and have seen the W98 install movie more often than my favourite video. And the time that can be saved by a judicious combination of Ghost and partitioning is not to be sneezed at.

Whatever you do for your workstation setups you need to decide on a backup strategy for your laptops (consider making sure they all have DVD writers for data backup, and try and make sure that you always have a partition with a lot of free space where you can keep a clone of the C drive for a fast restore).

And think of the three way plan I suggested in another post: cloning for the OS and apps; backup for the data; specialized backup for the email server and database server.

Stephen Jones
Sunday, January 26, 2003

Ghost would have made the laptop drive clone project about a two hour operation, start to finish (assuming the target image was not already available - subtract one hour if it was).

Ghost costs about $65 ... probably a fraction of the fancy-schmancy PCMCIA laptop drive adapter.

No problems running Ghost on various laptops here at Mitch & Murray.

We true believers in the God of Ghost rest our case.

Mitch & Murray (from downtown)
Sunday, January 26, 2003

<quote>
Before you set up encrypted folders you are supposed to make a restore diskette and keep it somewhere safe. The reason, I believe, is that the ability to open is tied to your SID on the W2000 machine, and that will obviously be lost if you use a new profile.
</quote>

To be more specific you need to export/backup your certificate. It's described pretty clearly in the Windows Help files.

To restore encrypted files the certificate that was used to encrypt the file has to be restored first. Without that all your encrypted files are toast. That is, of course, unless you have access to the NSA backdoor.

Windows should raise a big red warning (3 times) about the certificate issue before a file/folder is encrypted.

Jan Derk
Sunday, January 26, 2003

OK, I didn't export or backup my certificate. I understand that. But I did backup my entire hard drive. So the certificate must be there somewhere, right? Where is it stored if not in a file?

Joel Spolsky
Sunday, January 26, 2003

I'm not a Windows security expert so I shouldn't really talk about this, but sometimes I can't resist guessing ;)

Common sense says that if there was any way to recover a certificate (private key) without logging in as the certificate holder or the recovery agent, then the world would call that a major security breach.

So my guess is that the only way to retrieve your encrypted files is to make your system backup work again and log in as the certificate holder or the recovery agent (default administrator on local machines).

But then again you are much better off asking this on the correct security or Microsoft newsgroups.

Jan Derk
Sunday, January 26, 2003

Drive Serial # incorporated somehow?  This is one component in my Licence scheme...  Just a thought!

Brad Siemens
Sunday, January 26, 2003

I've seen this issue come up on W2000 forums a few times, and I suspect the answer is that you are hosed.

The problem is that the default recovery agent for a non-networked or workgroup setup is the local administrator, but it is neither the name nor the password that identifies it but a Security Identification Number which is created every time a user is created.

Now if you reinstall W2000 BEFORE YOU USE THE BACKUP then the local administrator will have a different SID, and it looks as if your backup is not erasing that setup (another good reason for using cloning software).

Now bear in mind that you are not allowed to encrypt your files unless you designate a recovery agent. Possibly you have simply forgotten who it is. If you are on a domain the domain administrator will be the recovery agent. Have you tried that?

Stephen Jones
Sunday, January 26, 2003
