by: Helge, published: May 12, 2009, in

Tales from the Crypt – EFS and the Upgrade to Windows 7 RC

How can you mess up a simple OS upgrade by using encryption? Simple. Here is what happened to me when I upgraded my Windows 7 beta system to the RC version.

Upgrade? I’ll do that in my Sleep, ha ha!

As you may have read (here, here and here), I had been using the beta version of Windows 7 for some time. Naturally, when the RC came out, I wanted to upgrade. That should be simple, I thought, knowing of a small trick posted on the blog “Engineering Windows7”.

Well, simple it should (and could!) have been had I paid close attention to what the setup program was doing. I started it right from the Windows 7 beta installation and it went to work, unpacking its files and generally doing stuff. I went away – that was boring stuff I had seen hundreds of times over the years. Or so I thought. Leaving my system unattended was a mistake, as it turned out.

Oh Hubris!

When I came back, all I could see was a blinking text-mode cursor on a blank screen. That surely was not the RC! Having suffered from impatience before, I waited for several minutes. The cursor was blinking away happily all the while. But nothing else happened, no hard disk activity or anything else discernible. I cycled the system power to see what would happen during the next boot. Everything as usual: some BIOS screens, but then – the blinking cursor again. No message “OS not found” or something of the like. Just the blinking cursor. Really strange.

And then it dawned on me what must have happened. To understand, you need to know that at sepago every laptop has a data partition on which every file is encrypted with EFS. Staring at the blinking cursor, I suddenly remembered that I had seen unpacked setup files on the encrypted data partition. The installer probably chose that drive because it has the largest amount of free space. Obviously, after unpacking the files, the installer tried to boot from the newly written files and continue with setup. That was not possible, of course, since everything on that partition is only scrambled garbage if you do not have the EFS key, which the installer does not even know exists.

That was the story of why I now have a brand-new installation of the Windows 7 RC. Here is another one from the category:

How to Fool Yourself

After I finally had the RC installed, I knew I had to import my EFS certificate with the private key for decryption. Of course, I had exported it long before and even knew where it was (eh, Nicholas *lol*). So, in with the USB stick, double-click on the PFX file and imported it was. To make sure everything was OK, I launched certmgr.msc where I found my certificate all right, but also a second one which the system must have generated on its own. Away with it, I thought (I do not like clutter on my system), and deleted it. Then I went to bed.

The next day at work was a bad one – Firefox, which I have customized heavily, lacked all its personalization and looked rather dull. And was nearly unusable, to me. With the help of Process Monitor I was quickly able to find out what was wrong: Windows had generated a new EFS certificate before I imported my old certificate. It then used the new certificate for encryption of new files and the old certificate for decryption of old files already on disk. That was why I had no problems surfing the web the evening before. But after I had deleted the new certificate, the files written in the meantime could not be decrypted any more. Luckily, I had only used Firefox with “dual certificates” and therefore only my Firefox profile was unusable. After work, I replaced the Firefox profile (partially encrypted with the deleted new key) with a backup from my home machine and all was well again.
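As an added example that is not part of the original post, the following PowerShell script (PowerShell 3 or later, run as the user who owns the files) makes this failure mode visible before it bites: it lists the EFS certificates in the user's personal store and the one Windows will use for the next file it encrypts, then walks one or more directories and asks cipher.exe /c which certificate thumbprints protect each encrypted file. Files whose thumbprints match nothing in the store are exactly the ones that become unreadable once a certificate is deleted, as the Firefox profile did here; two EFS certificates in the store at once is the "dual certificates" situation described above. Pointing it at the data partition before an OS upgrade also shows which volumes carry EFS-encrypted data, which is what went wrong in the first story. The registry value holding the current key hash and the "Certificate thumbprint:" wording in the cipher.exe output are assumptions from general Windows knowledge, not details taken from the post.

```powershell
# Added example (not code from the original post): inventory EFS-encrypted files
# and check whether the certificate that protects each one is still in the user's
# personal store. Run in the account that owns the files, PowerShell 3 or later.
# Assumptions: cipher.exe /c prints a "Certificate thumbprint:" line for each
# user who can decrypt a file, and the hash of the certificate EFS currently uses
# for new files is stored at the CurrentKeys registry value below.

param(
    # Directories to scan, e.g. 'D:\' for an encrypted data partition.
    [string[]]$Path = @("$env:USERPROFILE")
)

$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

# 1. EFS-capable certificates with a private key in Cert:\CurrentUser\My.
$storeCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsOid) }
$storeHashes = @($storeCerts | ForEach-Object { $_.Thumbprint.ToUpper() })

# 2. The certificate EFS will use for the *next* file it encrypts (assumed location).
$current = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys' `
    -Name CertificateHash -ErrorAction SilentlyContinue
$currentHash = if ($current) {
    ($current.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
} else { '(no EFS key selected yet)' }

Write-Host "EFS certificates in store     : $($storeHashes -join ', ')"
Write-Host "Certificate used for new files: $currentHash"
if ($storeHashes.Count -gt 1) {
    Write-Warning 'More than one EFS certificate is present: new files and old files may be protected by different keys.'
}

# 3. Walk the file system and ask cipher.exe which thumbprints protect each encrypted file.
$orphans = @()
foreach ($root in $Path) {
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            $file = $_.FullName
            $out = & cipher.exe /c $file 2>$null
            # Thumbprints are printed in spaced hex groups; normalise to one upper-case string.
            $hashes = @($out | Select-String 'Certificate thumbprint:\s*(.+)$' |
                ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpper() })
            $usable = @($hashes | Where-Object { $storeHashes -contains $_ })
            if ($usable.Count -eq 0) {
                # No certificate that can open this file is in our store: it is unreadable to us.
                $orphans += [pscustomobject]@{ File = $file; Thumbprints = ($hashes -join ',') }
            }
        }
}

if ($orphans.Count -gt 0) {
    Write-Warning "$($orphans.Count) encrypted file(s) cannot be opened with any certificate in this store:"
    $orphans | Format-Table -AutoSize
} else {
    Write-Host 'Every encrypted file under the scanned paths matches a certificate in the store.'
}
```

Run it once right after importing an old EFS certificate onto a fresh installation: if the store already contains a second, freshly generated certificate, do not delete it until every file it protects has been re-encrypted with the certificate you intend to keep (cipher.exe /u re-encrypts files to the current key), otherwise the files listed as orphans are lost.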
