Cannot work with my own files after system change (XP Pro SP3)

Discussion in 'Computer Security' started by drivesmecrazy, Mar 22, 2010.

  1. From: "drivesmecrazy" <>




    | Hi Shenan,
    | I found out the mistake: %ProgramFiles% was okay, but "administrators" was
    | the syntax error. It had to be "administratoren" (german). Now the program
    | has done its whole work and in the log file there is no "failed"-entry, but
    | alas, it did not help. I have the same situation as before. The system gives
    | a dreck for my owner rights. Think I need a good hacker ... :)
    | Thanks nevertheless for your attention.

    Have you tried taking Ownership over the files/folders you can't access?
     
    David H. Lipman, Mar 22, 2010
    #21

  2. <snipped>

    <archived conversation>
    http://groups.google.com/group/microsoft.public.security.homeusers/browse_frm/thread/eb1841bc6909b741/
    </archived conversation>

    David,

    I believe that is the first thing tried...

    From the original post:

    "I changed properly its owner to Administrators/COMPUTERNAME
    and made it to be inherited by all subfolders and -files. Now I
    can read the folders and subfolders and all the files' names but
    not open any file, be it doc or xls or jpg or pdf or any of the CS2
    files."

    I could have mistaken that to mean everything on the E: and M: drives as
    well.

    DrivesMeCrazy,

    Apologies - I did not catch you had a German version of Windows. ;-) I
    probably wouldn't have known the names of the system variables - but could
    have detailed how to get them.
     
    Shenan Stanley, Mar 22, 2010
    #22

  3. drivesmecrazy

    fixfox Guest


    yes, of course. As you can read in my first post, I have done that
    excessively before I ever asked anybody for help.
     
    fixfox, Mar 22, 2010
    #23
  4. drivesmecrazy

    fixfox Guest


    Well, what I would still like to know: I hope the registry change did
    not affect the security standard of my system? Would it be better to
    get back to the previous version?
     
    fixfox, Mar 22, 2010
    #24
  5. The registry permissions (along with the file/folder perms) are essentially
    the defaults and/or what would be best to ensure that the System and
    Administrative level accounts can indeed do everything they should be able
    to do. They should be fine.
     
    Shenan Stanley, Mar 22, 2010
    #25
  6. Unless I am mistaken, taking ownership does *not* grant you permission
    to access a file. It grants you the ability to change the permissions on
    the file so that you *can* access the file (the "change permission"
    attribute). If you have taken ownership and inheritance is propagated,
    what's left is to grant the proper permissions to the proper groups.
     
    FromTheRafters, Mar 22, 2010
    #26
  7. From: "fixfox" <>




    | yes, of course. As you can read in my first post, I have done that
    | excessively before I ever asked anybody for help.

    What about using XCACLS.EXE, or not using 'MACHINE\Administrators' to take Ownership but
    instead using 'MACHINE\NAMED_ACCOUNT', where NAMED_ACCOUNT is one you would normally use
    under XP?

    Do the files and folders appear in GREEN colour?
     
    David H. Lipman, Mar 22, 2010
    #27
  8. drivesmecrazy

    fixfox Guest


    Yes you are right, but don't worry, I have checked "full access" (or
    what is the English expression?) for the whole lot for both of us:
    Administrators (which I am) and for my identity (with admin rights).
    There must be something beyond the ACL entries. I have read a
    professional report ppt about a bug in Win 2000 which prevented users
    getting back to their own files even without changing the OS.
    The next thing I will try is install Win2K as VMware, then try to open
    the files "under the glass lid".
     
    fixfox, Mar 23, 2010
    #28
  9. drivesmecrazy

    fixfox Guest


    Yes, I wrote it somewhere: Today I connected my external disk with my
    sound studio PC, and it showed the enchanted files and folders green.
    I managed to blacken all folders which had subfolders, but that was
    just artistic fun.

    I have just read the XCACLS.exe page but it seems that program is for
    win2k. Nevertheless, I will try it together with my VMWare try. I do
    not quite understand your suggestion concerning the following with
    MACHINE/ ... what? where? how?
    I try anything unless it is not obviously for the birds.
     
    fixfox, Mar 23, 2010
    #29
  10. From: "fixfox" <>


    | Yes, I wrote it somewhere: Today I connected my external disk with my
    | sound studio PC, and it showed the enchanted files and folders green.
    | I managed to blacken all folders which had subfolders, but that was
    | just artistic fun.

    The point here, and I think you missed it, is when files are displayed by Explorer in
    GREEN they are encrypted and thus will block access if you don't have the EFS Certificate.
    {Just a stab in the dark}

    | I have just read the XCACLS.exe page but it seems that program is for
    | win2k.
    | Nevertheless, I will try it together with my VMWare try. I do
    | not quite understand your
    | suggestion concerning the following with
    | MACHINE/ ... what? where? how?
    | I try anything
    | unless it is not obviously for the birds.

    Actually, 'xcacls.exe' is an NT Resource Kit utility and works on XP and is distributed in
    the "Windows XP Service Pack 2 Support Tools", which are basically Resource Kit utilities.

    http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en

    Early on in this thread you used Administrators/COMPUTERNAME; the syntax is really the
    opposite, COMPUTERNAME\Administrators, and I was alluding to using
    'COMPUTERNAME\NAMED_ACCOUNT' where NAMED_ACCOUNT is YOU, the logged on user.


    NOTE: Lines that follow may wrap...

    xcacls.exe /?
    Displays or modifies access control lists (ACLs) of files

    XCACLS filename [/T] [/E|/X] [/C] [/G user:perm;spec] [/R user [...]]
                    [/P user:perm;spec [...]] [/D user [...]] [/Y]
       filename           Displays ACLs.
       /T                 Changes ACLs of specified files in
                          the current directory and all subdirectories.
       /E                 Edit ACL instead of replacing it.
       /X                 Same as /E except it only affects the ACEs that the
                          specified users already own.
       /C                 Continue on access denied errors.
       /G user:perm;spec  Grant specified user access rights.
                          Perm can be: R  Read
                                       C  Change (write)
                                       F  Full control
                                       P  Change Permissions (Special access)
                                       O  Take Ownership (Special access)
                                       X  EXecute (Special access)
                                       E  REad (Special access)
                                       W  Write (Special access)
                                       D  Delete (Special access)
                          Spec can be the same as perm and will only be
                          applied to a directory. In this case, Perm
                          will be used for file inheritence in this
                          directory. If not omitted: Spec=Perm. Special values
                          for Spec only:
                                       T  Not Specified (for file inherit,
                                          only for dirs valid)
                                          At least one access right has to follow!
                                          Entries between ';' and T will be ignored!

       /R user            Revoke specified user's access rights.
       /P user:perm;spec  Replace specified user's access rights.
                          for access right specification see /G option
       /D user            Deny specified user access.
       /Y                 Replace user's rights without verify

    Wildcards can be used to specify more that one file in a command.
    You can specify more than one user in a command.
    You can combine access rights.
     
    David H. Lipman, Mar 23, 2010
    #30
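    The two points made in this thread, that taking ownership does not by itself grant access and
    that files shown in GREEN are EFS-encrypted and stay unreadable whatever the ACL says, can be
    checked per file with the following PowerShell script. It is an added example, not code from
    the thread or from Microsoft; it assumes Windows with NTFS, PowerShell 2.0 or later, and a
    starting directory such as E:\ (replace $Path with your own).

```powershell
# Added example (not from the thread): classify why files under a directory
# cannot be opened. Checks the NTFS Encrypted attribute (the "green" files,
# which only the original EFS certificate or a recovery agent can decrypt)
# and then the owner and Allow/Deny entries of the ACL.
# Assumptions: Windows with NTFS, PowerShell 2.0+, and a starting directory
# such as E:\ (an assumption; replace with your own).
param([string]$Path = 'E:\')

function Get-AccessDiagnosis {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object { -not $_.PSIsContainer } |
      ForEach-Object {
        $file  = $_
        # FileAttributes.Encrypted is the bit Explorer renders as green text.
        $isEfs = (($file.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
        $owner = '<unreadable>'; $allow = @(); $deny = @()
        try {
            $acl   = Get-Acl -LiteralPath $file.FullName
            $owner = $acl.Owner
            $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' } |
                       ForEach-Object { $_.IdentityReference.Value })
            $deny  = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
                       ForEach-Object { $_.IdentityReference.Value })
        } catch { }   # no READ_CONTROL right on this file: owner/ACEs stay unknown

        # Order matters: an EFS-encrypted file stays unreadable no matter how its
        # owner or ACL is changed, so that case is reported before any ACL advice.
        if ($isEfs)                 { $why = 'EFS-encrypted: needs original certificate or recovery agent key' }
        elseif ($deny.Count -gt 0)  { $why = 'Deny entry present: remove it (xcacls /R or Security tab)' }
        elseif ($allow.Count -eq 0) { $why = 'No Allow entries: grant rights; ownership alone does not open the file' }
        else                        { $why = 'Allow entries present: verify they include your own account' }

        New-Object PSObject -Property @{
            File = $file.FullName; Encrypted = $isEfs; Owner = $owner
            Allow = ($allow -join ';'); Deny = ($deny -join ';'); Diagnosis = $why
        }
      }
}

Get-AccessDiagnosis -Root $Path |
  Select-Object File, Encrypted, Owner, Allow, Deny, Diagnosis |
  Format-Table -AutoSize
```

    Run it from an elevated prompt so that Get-Acl can read the security descriptors; files that
    still report '<unreadable>' are ones where even READ_CONTROL is missing.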
  11. drivesmecrazy

    fixfox Guest

    Do I understand this tool well if I suppose that principally it cannot
    do more than what I do manually in the property boxes?
    And, as I have whipped my registry today with that Subinacl.exe, I
    suppose XCACLS would be a placebo more or less ...
     
    fixfox, Mar 23, 2010
    #31
  12. drivesmecrazy

    fixfox Guest


    Ah I saw this only now. This is exactly what I think all the time. I
    did not know the meaning of the green colour and I wonder why it is
    not green on my office PC.
    I will search in Microsoft's support for EFS and how to get or to fake
    that certificate.
     
    fixfox, Mar 23, 2010
    #32
  13. You need the certificate from the security principal that created the
    file, or from a recovery agent assigned at the time of that creation.
     
    FromTheRafters, Mar 23, 2010
    #33
  14. From: "fixfox" <>

    | Do I understand this tool well if I suppose that principally it cannot
    | do more than what I do manually in the property boxes?
    | And, as I have whipped my registry today with that Subinacl.exe, I
    | suppose XCACLS would be a placebo more or less ...

    That I can't tell you. But I do believe the XCACLS Command Line utility has more
    capability than the GUI Security Tab in Explorer.

    It is often used in situations where the GUI won't work such as when malware takes control
    of a particular NTFS path.
     
    David H. Lipman, Mar 23, 2010
    #34
  15. From: "fixfox" <>





    | Ah I saw this only now. This is exactly what I think all the time. I
    | did not know the meaning of the green colour and I wonder why it is
    | not green on my office PC.
    | I will search in Microsofts support for EFS and how to get or to fake
    | that certificate.

    OK...

    Did you or do you see the folders giving "access denied" in the colour GREEN within
    Explorer?
     
    David H. Lipman, Mar 23, 2010
    #35
  16. drivesmecrazy

    Peter Foldes Guest

    FTR

    You want to check that again. My post did not go through. Check my posting
    properties there as you should yours. BD is working
     
    Peter Foldes, Mar 23, 2010
    #36
  17. drivesmecrazy

    fixfox Guest


    I just tried something described on this page

    http://windows.microsoft.com/de-DE/windows7/Create-a-recovery-certificate-for-encrypted-files

    because my files are indeed encrypted (I don't remember having done
    that! The funny thing is, the certificate is classified as not very
    reliable and is valid backwards, i.e. from 21.3. 2010 to 25.2.2010.)
    Well, on the 21.3. I had caught (by Skype!) a little well known trojan
    called XPACK.Gen. I managed to extinguish it, but this TR was the reason
    why I formatted my disk and switched to XP. Maybe that Trojan gave me
    that certificate which I never wanted? On the other hand, (only!) the
    same files on my external hard disk are encrypted as well. But it was
    not connected before I found out that I could not open the other files
    anymore, that was when XP was already installed. I made the last
    backup on Jan 22nd and had never before any virus or trojan. So how
    did those files get encrypted on that hard disk?

    Well, the solution with the self-created new certificate does not work
    either. Now I think it is no longer a question of ownership but of
    getting a passepartout key for decryption. Does anyone have an idea
    what I could do?
     
    fixfox, Mar 23, 2010
    #37
  18. <snipped>

    <archived conversation>
    http://groups.google.com/group/microsoft.public.security.homeusers/browse_frm/thread/eb1841bc6909b741/
    </archived conversation>


    The long and short of it, as I understand it, is if you do not have a backup
    of your certificate/key - you will not be getting back those encrypted files
    anytime soon (if ever.) After all - the point of encryption is to make your
    files safe from prying eyes. If there was some *easy* way around that (sans
    the key/etc), it would not be very effective.

    If you have formatted your disk and installed an OS (even the original) and
    did not backup your key... Things look very grim, indeed.

    http://support.microsoft.com/kb/223316

    Specifically, "Why you must back up your certificates: Because there is no
    way to recover data that has been encrypted with a corrupted or missing
    certificate, it is critical that you back up the certificates and store them
    in a secure location. You can also specify a recovery agent. This agent can
    restore the data. The recovery agent's certificate serves a different
    purpose than the user's certificate."

    So both of your copies (E: and M:) were encrypted?

    In your backup schema, did you backup the certificate?

    Given what you have - I cannot see that much will work unless one of your
    backups is an image of your old system drive... But...

    http://www.beginningtoseethelight.org/efsrecovery/
     
    Shenan Stanley, Mar 23, 2010
    #38
  19. From: "fixfox" <>



    | I just tried something described on this page

    | http://windows.microsoft.com/de-DE/windows7/Create-a-recovery-certificate-for-encrypted-
    | files

    | because my files are indeed encrypted (I don't remember to have done
    | that! The funny thing is, the certificate is classified as not very
    | reliable and is valid backwards, i.e. from 21.3. 2010 to 25.2.2010.)
    | Well, on the 21.3. I had caught (by Skype!) a little well known trojan
    | called XPACK.Gen. I managed to extinct it, but this TR was the reason
    | why I formatted my disk and switched to XP. Maybe that Trojan gave me
    | that certificate which I never wanted? On the other hand, (only!) the
    | same files on my external hard disk are encrypted as well. But it was
    | not connected before I found out that I could not open the other files
    | anymore, that was when XP was already installed. I made the last
    | backup on Jan,22nd and had never before any virus or trojan. So how
    | got those files encrypted on that hard disk?

    | Well, the solution with the self-created new certificate does not work
    | either. Now I think it is not anymore a question of ownership but of
    | getting a passepartout key for disencryption. Does anyone have an idea
    | what I could do?

    That page is in German -- sorry I can't read it. :-(
    { Nicht ferstein :-( }

    XPack.Gen is NOT a "well known trojan". It is a generic detection for an unusual EXE
    packer.
    Zbot, Vundo, SubSeven (aka; Sub7), LdPinch, Bredolab and BiFrose/BiFrost are examples of
    well known trojans.

    I did not see you specifically state you saw Files and/or Folders shown in GREEN by
    Explorer.

    However, if you did NOT export the Encryption File Certificate from your Personal
    Certificate Store by a command such as CIPHER.EXE or some other command then, you are
    basically SOL. If you had, you may have some chance but without the certificate, forget
    about it. The files are most likely LOST.

    If the Files and/or Folders are NOT shown in GREEN by Explorer then you may still have a
    chance gaining control of ACLs.
     
    David H. Lipman, Mar 23, 2010
    #39
  20. drivesmecrazy

    fixfox Guest

    .... there is some light at the end of the tunnel - unfortunately I
    neglected my Acronis backups very much, but I do have images. My last
    full image is from July 09, updated incrementally Oct 09.

    Last night I was too tired to try anything there without danger of
    heaping new mistakes on top of an old one, but tonight I will try.
    Acronis has this secure zone, where you can try anything without
    touching the system, like in VMware. There is not much place left
    inside but I have read that you can make the place bigger by taking
    space from other partitions. So, I will try to reinstall Win2k within
    that secure zone. Where would I find a stored certificate?

    I don't know when the encryption started and if in october I already
    possessed a certificate (as all copies within "my documents" are
    encrypted, the very old ones too, logically I must have had one!), but
    I would be able to get into the system with my old SID and I could
    then try to use my fresh made cipher certificate again like described
    on the (sorry) german MS page I linked last night - maybe it works?

    The most peculiar thing is that yesterday, when I connected my external
    hard disk to the other PC, I was somehow able to decrypt all my
    lotus.123 files - so at least, I have my bookkeeping files back till
    Jan 22nd. That's a big relief already. I will try to repeat that
    tonight with other files ...

    Well, I have to leave now, but I shall read your last link carefully
    when I come back. Usually I have always been a lucky dog, I must
    somehow have a way out of this mishap.
     
    fixfox, Mar 23, 2010
    #40