Fog Creek Software
Discussion Board




EFS Data Recovery

Recovering data from EFS is easy as long as you back up your certificates.  Run "certmgr.msc" and you'll be able to export and import certificates.  Export your user certificate to some sort of safe external storage.  When you move to a new system, import this certificate and you'll be able to access the encrypted files.

I did a quick search and found this article that seems to have some good info:
http://www.compulink.co.uk/~davedorn/computing/windows/xpencrypt1.htm

Somebody
Sunday, January 26, 2003

I appreciate the thought but the only way I can follow those instructions is to go backwards in time :)

Joel Spolsky
Sunday, January 26, 2003

That's why I said "as long as you back up your certificates" : )  Hopefully you'll find this information useful in the future.  At the very least, others who use EFS who read this will learn to back up their certificates.

Somebody
Sunday, January 26, 2003

Were you logged on to the domain when you set up the EFS files? If you were, the recovery agent would be the domain administrator, so you could log on as domain administrator and recover the files that way.

Stephen Jones
Sunday, January 26, 2003

One should not blindly use features of an OS without an understanding of what they do.  Unfortunately, with EFS this is a hard lesson learned almost daily at microsoft.public.security.

Crusty Admin
Sunday, January 26, 2003

<quote>
One should not blindly use features of an OS without an understanding of what they do.  Unfortunately, with EFS this is a hard lesson learned almost daily at microsoft.public.security.
</quote>

You seem to imply that the user is stupid in this case.

If loads of users run into the same trap then you can:
A) Tell all your users that they are stupid. Let them get frustrated and run off to the competition.
B) Improve the design and make everybody happy.

I call the fact that Windows does not show a warning about certificates when encrypting a file or folder a GUI blooper. It's the same as not having a waste basket. You don't tell your users that they should have read page 346 before they perform a seemingly trivial action like encrypting a file.

GUI bloopers are well prevented by letting the developers handle at least some of the support. If they get annoyed enough by the stupid users, they are much more likely to prevent the stupid users from asking the same dumb question over and over again.

Jan Derk
Monday, January 27, 2003

Ok then, the user should never have to think.

I did not mean the user is stupid.  He is ignorant of how EFS works though.  EFS is like a combination padlock.  You better save the numbers somewhere so when you forget...

Crusty Admin
Tuesday, January 28, 2003

<quote>
Ok then, the user should never have to think.
</quote>

Yes indeed. Although it's not likely that one will ever reach this nirvana, it is what developers should strive for.

Steve Krug's excellent book "Don't make me think" is named like that for a reason.

Jan Derk
Tuesday, January 28, 2003
