Windows – Getting the EFS Private Key out of system image

Tags: encryption, windows 7

I had to recently re-install Windows 7 and I lost my exported private key for EFS. I however have the entirety of my user directory, and my figuring is that the key must be in there SOMEWHERE. The only question is how to get it out.

I did find the PUBLIC keys in AppData\Roaming\Microsoft\SystemCertificates\My\Certificates.
If I import them using certmgr.msc it says I do have the private key in the information, but if I try to export them it says I do not have the private key. Also, decryption of files doesn't work.

There is also a "Keys" folder at AppData\Roaming\Microsoft\SystemCertificates\My\Keys. After importing the certificates I copied those over into my new installation, but it has no effect.

I am starting to believe they are either in AppData\Roaming\Microsoft\Protect\S-1-5-21-…\ or AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-…\ but I am unsure how to use the files in those folders. Also, since my SID has changed, will I be able to use them? The other parts of the account have remained the same (name and password). I also have complete access to the user registry hive and most of the old system files (including the old system registry hives).

I do keep seeing references to "Key Recovery Agent" but have not found anything about using it, just that it can be used.

Thanks!

Best Answer

I have found out that your user password, user+machine SID, and a salt are used to encrypt the Master Password (stored in AppData\Roaming\Microsoft\Protect) which is in turn used to encrypt all private keys with another salt (in AppData\Roaming\Microsoft\Crypto\RSA). There are some guides out there on the basic format of the files in these folders and how they are encrypted. However there are missing pieces so a complete solution will take tinkering.

A free solution is to create a machine with the same machine SID (need to use XP and the program newsid - newsid does not work on Vista and later) and then a user with the same SID, copy the files over (the entirety of the Crypto, Protect, and System Certificates folder), and export from there. I did this with a virtual machine.

These assume you have access to all the original files. The Elcomsoft Advanced EFS Data Recovery program mentioned by Brian can also search sector-by-sector for the proper information. It also does not require creating a new installation or re-making the SID. So for most cases that one will be MUCH easier, however for people who want to do it free, see above.
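The symptom in the question (certmgr reports a private key, but export and decryption fail) comes down to whether the key container the certificate points at actually exists under the user's profile. The script below is an added example, not code from the question or the answer: it lists the current user's EFS certificates, checks whether each one's private key can really be opened, and backs up the usable ones to a password-protected PFX so the situation does not recur. It assumes it runs as the user who owns the certificates, that Export-PfxCertificate is available (Windows 8 / Server 2012 and later; on Windows 7 the built-in equivalent is `cipher /x`), and that the backup folder is a placeholder chosen here.

```powershell
# Added example (not from the original post). Enumerate EFS certificates in the
# user's personal store, verify the private key is actually usable, and export
# the usable ones to PFX for safekeeping.
$efsEku    = '1.3.6.1.4.1.311.10.3.4'                  # "Encrypting File System" EKU OID
$backupDir = Join-Path $env:USERPROFILE 'efs-backup'   # placeholder backup location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku }

if (-not $efsCerts) {
    Write-Warning 'No EFS certificates found in Cert:\CurrentUser\My'
    return
}

foreach ($cert in $efsCerts) {
    # HasPrivateKey only says the certificate is annotated with a key container
    # name. Touching .PrivateKey forces Windows to open that container, which
    # fails when the key files under Crypto\RSA (or the DPAPI master key under
    # Protect) are missing or cannot be decrypted for this user/SID. That is the
    # "says I have a key but cannot export" state described in the question.
    $keyUsable = $false
    if ($cert.HasPrivateKey) {
        try   { $keyUsable = ($null -ne $cert.PrivateKey) }
        catch { $keyUsable = $false }
    }

    $state = if ($keyUsable) { 'private key usable' } else { 'private key MISSING or unusable' }
    Write-Output ('{0}  {1}  expires {2:d}  {3}' -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $state)

    if ($keyUsable) {
        $pfxPath = Join-Path $backupDir ('efs-{0}.pfx' -f $cert.Thumbprint)
        $pfxPass = Read-Host -AsSecureString "PFX password for $($cert.Thumbprint)"
        Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null
        Write-Output "  exported to $pfxPath"
    }
}
```

Store the resulting PFX files somewhere outside the user profile; a profile-only copy is exactly what is lost in the reinstall scenario above.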