Tales from the Crypt - EFS and the Upgrade to Windows 7 RC

How can you mess up a simple OS upgrade by using encryption? Simple. Here is what happened to me when I upgraded my Windows 7 beta system to the RC version.

Upgrade? I’ll do that in my Sleep, ha ha!

As you may have read (here, here and here), I had been using the beta version of Windows 7 for some time. Naturally, when the RC came out, I wanted to upgrade. That should be simple, I thought, knowing of a small trick posted on the blog “Engineering Windows7”.

Well, simple it should (and could!) have been had I paid close attention to what the setup program was doing. I started it right from the Windows 7 beta installation and it went to work, unpacking its files and generally doing stuff. I went away - that was boring stuff I had seen hundreds of times over the years. Or so I thought. Leaving my system unattended was a mistake, as it turned out.

Oh Hubris!

When I came back, all I could see was a blinking text-mode cursor on a blank screen. That surely was not the RC! Having suffered from impatience before, I waited for several minutes. The cursor was blinking away happily all the while. But nothing else happened, no hard disk activity or anything else discernible. I cycled the system power to see what would happen during the next boot. Everything as usual: some BIOS screens, but then - the blinking cursor again. No message “OS not found” or something of the like. Just the blinking cursor. Really strange.

And then it dawned on me what must have happened. To understand, you need to know that at sepago every laptop has a data partition on which every file is encrypted with EFS. Staring at the blinking cursor, I suddenly remembered that I had seen unpacked setup files on the encrypted data partition. The installer probably chose that drive because it has the largest amount of free space. Obviously, after unpacking the files, the installer tried to boot from the newly written files and continue with setup. That was not possible, of course, since everything on that partition is only scrambled garbage if you do not have the EFS key, which the installer does not even know exists.

That was the story of why I now have a brand-new installation of the Windows 7 RC. Here is another one from the category:

How to Fool Yourself

After I finally had the RC installed, I knew I had to import my EFS certificate with the private key for decryption. Of course, I had exported it long before and even knew where it was (eh, Nicholas lol). So, in with the USB stick, double-click on the PFX file and imported it was. To make sure everything was OK, I launched certmgr.msc where I found my certificate all right, but also a second one which the system must have generated on its own. Away with it, I thought (I do not like clutter on my system), and deleted it. Then I went to bed.

The next day at work was a bad one - Firefox, which I have customized heavily, lacked all its personalization and looked rather dull. And was nearly unusable, to me. With the help of Process Monitor I was quickly able to find out what was wrong: Windows had generated a new EFS certificate before I imported my old certificate. It then used the new certificate for encryption of new files and the old certificate for decryption of old files already on disk. That was why I had no problems surfing the web the evening before. But after I had deleted the new certificate, the files written in the meantime could not be decrypted any more. Luckily, I had only used Firefox with “dual certificates” and therefore only my Firefox profile was unusable. After work, I replaced the Firefox profile (partially encrypted with the deleted new key) with a backup from my home machine and all was well again.
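The check that would have caught this before the delete, as an added example that is not part of the original post: it runs the built-in `cipher /c` against every EFS-encrypted file under a folder and groups the files by the certificate thumbprints able to decrypt them. The `$Root` default and the assumption that `cipher` prints each thumbprint as ten groups of four hex digits at the end of a line are mine.

```powershell
# Added example: which EFS certificates do the encrypted files under a folder depend on?
param(
    [string]$Root = $env:USERPROFILE   # assumption: folder to audit
)

# Certificates in the user's personal store that still have a private key.
$withKey = @{}
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { $withKey[$_.Thumbprint.ToUpper()] = $_ }

# Files carrying the NTFS "Encrypted" attribute, i.e. protected by EFS.
$files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

# Map thumbprint -> list of files that list it as able to decrypt.
$usage = @{}
foreach ($f in $files) {
    $out = & cipher.exe /c $f.FullName 2>$null
    foreach ($line in $out) {
        # Match on the thumbprint shape rather than the (localized) label text.
        if ($line -match ':\s*((?:[0-9A-Fa-f]{4}\s?){10})\s*$') {
            $tp = ($Matches[1] -replace '\s', '').ToUpper()
            if (-not $usage.ContainsKey($tp)) {
                $usage[$tp] = New-Object 'System.Collections.Generic.List[string]'
            }
            $usage[$tp].Add($f.FullName)
        }
    }
}

# One row per certificate: how many files need it, and whether its key is present.
$usage.GetEnumerator() | ForEach-Object {
    $known = $withKey.ContainsKey($_.Key)
    [pscustomobject]@{
        Thumbprint        = $_.Key
        Files             = $_.Value.Count
        PrivateKeyInStore = $known
        Subject           = if ($known) { $withKey[$_.Key].Subject } else { '(not in CurrentUser\My)' }
        ExampleFile       = $_.Value[0]
    }
} | Sort-Object Files -Descending | Format-Table -AutoSize
```

Any thumbprint with a non-zero file count is still in use, so export that certificate with its private key before removing it from certmgr.msc. Recovery agent certificates listed by `cipher /c` also appear in the output.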
