tag:blogger.com,1999:blog-1746946614390371171.post7985619398289727565..comments2009-07-23T23:52:43.590-07:00Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comBlogger10125tag:blogger.com,1999:blog-1746946614390371171.post-7563763571492975102009-07-23T23:52:43.590-07:002009-07-23T23:52:43.590-07:00Thanks you very much for this useful information.<br />Please keep on blogging.<br />I am looking forward to read your next great article.<a href="http://www.alkemi.com.au/" rel="nofollow">SEO</a>Tauqeerhttp://www.blogger.com/profile/05829038056997522031noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-33829403915425619382009-06-10T18:34:10.944-07:002009-06-10T18:34:10.944-07:00This was a pleasure to read. Thank You!Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-39464861642954467702008-05-06T09:55:13.518-07:002008-05-06T09:55:13.518-07:00http://www.youtube.com/v/CmA2oily65ALance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-33349790871268395812008-05-06T08:29:26.271-07:002008-05-06T08:29:26.271-07:00Frizzi,<BR/><BR/>That is a very *strong* statement, and not entirely true. I have tested this and there are a couple of conditions that exist that allow you to access the EFS data using the techniques I described, and then ther are some conditions in which you can't.<BR/><BR/>I had not yet updated the blog to include them since I discovered them after my intial comment about being able to access EFS data. <BR/><BR/>You are correct that if a user has a password set and then encrypts some data using EFS then using the above technique does not give you access to the EFS data. <BR/><BR/>You are incorrect that if a user does not initialy have a password set then encrypts some data, then sets a password, the above technique will work. <BR/><BR/>Thanks for your commentsLance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-5809173429904049582008-05-06T03:21:20.329-07:002008-05-06T03:21:20.329-07:00you CANNOT access EFS encrypted files on XP and Vista if you hex edit the SAM and do the 0x14 to 0x04 SAM conversion trick.Frizzinoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-41861685436893081332008-04-15T02:06:22.414-07:002008-04-15T02:06:22.414-07:00I did some followup testing on this and found that when there are encrypted files using the EFS feature, and a password is set on the user account, you can use the technique I described to bypass the password and you can STILL GET ACCESS to the encrypted files!Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-58507681758060556482008-03-28T06:14:11.692-07:002008-03-28T06:14:11.692-07:00Another (simple) way to get around user authentication is to use Dreampack : http://www.d--b.webpark.pl/dreampackpl_en.htm<BR/><BR/>To make it even more convenient there's a plugin to use it with BartPE.<BR/><BR/>Works flawless with XP, haven't tried it with VISTA yet...Christiannoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-22977453097026919242008-03-16T08:51:28.206-07:002008-03-16T08:51:28.206-07:00Jeff,<BR/><BR/>I knew I felt a presence in the darkness ;)<BR/><BR/>That's a good question. I have never had the need to get access to protected storage this way so I have not tested it, but it would be a simple thing to test. As soon as I get a little time to test, I will post the results.Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-1040199141550653372008-03-15T10:11:39.919-07:002008-03-15T10:11:39.919-07:00Long time e-stalker, first-time poster...<BR/><BR/>Utilizing the second method you described - telling Windows that no password is set for a given account - will this method disallow you from accessing the protected storage when doing a live boot? I know that blanking the password value would have this effect, but I'm curious what would happen if the password hash remains and you use a utility to dump the protected storage.<BR/><BR/>Thanks! And great blog, BTW.<BR/><BR/><BR/>JeffJeffreyhttp://www.blogger.com/profile/07560213599990360565noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-52991495558937829982008-02-22T21:39:50.732-08:002008-02-22T21:39:50.732-08:00Awesome stuff as usual. Thanks for the link to 'beginningtoseethelight', I have never seen this before.<BR/><BR/>Cheers.Paul Bobbynoreply@blogger.com