
680 Study Guide

Contents
Installing: Version Support, Minimum Specifications, Clean Installs, Upgrading, Dual Booting, Migration
Deployment: Windows SIM System Image Manager, Imaging, Unattended installs
Configuration: Hardware, GPOs, Services, Booting, Slmgr, Applications
Networking: Services, IP, Remote Control / Admin, Firewall, Wireless
Resource Access: NTFS, Share Permissions, Caching, Branch Caching (Page 427-431), EFS, Printing
Mobile Computing: NAP, Offline Files, Remote Desktop, Power management, Remote access, Direct Access, Bit Locker
Maintenance: Windows Update, Credentials Manager, IIS, Certificate Manager, Auditing, UAC, Monitoring, Disk
Backup & Recovery: Backup, System Protection, Restore, Recovery
Appendix: Certificates, EFS password Recovery

Installing
Version Support
Windows 7 comes in many flavours but primarily for the exam concentrate on the more advanced features supported within Ultimate and Enterprise (page 12 - 14)
o Home Basic: Meant for emerging markets and lacks Aero support and Media Centre
o Home Premium: Meant for home user market, therefore full Media Centre support but no Domain capabilities
o Professional: Standard professional version but includes Media Centre, Remote Desktop, XP Mode, Folder Redirection and Domain support
o Ultimate: Full package including DirectAccess and BitLocker
o Enterprise: Full package for Volume licensing

Minimum Specifications
This is the minimum specification for both versions of Windows 7 (Page 15)
o 1GHz or faster
o 1GB (32 bit) or 2GB (64 bit) RAM
o 16GB (32 bit) or 20GB (64 bit) free HDD space
o DirectX 9 supported video adapter

4GB is the largest amount of memory supported with the 32 bit version

Clean Installs
Preferred over upgrades due to performance improvements (page 29)
o If booting from the DVD, check that the BIOS has the correct boot order (page 35)
o If installing a 64 bit client from a 32 bit previous OS then you will need to boot from the media and not install from inside the OS, then choose Custom (Advanced) (page 58)
o Partitions can be created during installation and can be created on un-partitioned disk space
o If not enough disk space is available look to shrink other partitions on the disk
o LoadDriver is used to install RAID drivers not supported by Windows 7 (page 42)

Upgrading
Only Vista is capable of being upgraded to Windows 7
o Windows 7 Upgrade Advisor is the easiest way to identify if a machine is capable of being upgraded (page 20)
o To upgrade start with Windows Vista, insert DVD and choose the Upgrade option
o You may only upgrade Vista with Service Pack 1 or 2
  (http://windows.microsoft.com/en-US/windows7/help/upgrading-from-windows-vista-to-windows-7) choose step 2
o To upgrade Windows 7 to a different edition, i.e. from Professional to Ultimate, the easiest method is the Windows Anytime Upgrade (page 58)

Dual Booting
Allows the use of more than one OS on a single computer
o Windows does not support multiple OS on a single partition (page 59)
o To edit the boot sector use BCDEdit
   o Use the /Default switch to set the default OS
     (http://technet.microsoft.com/en-us/library/cc709667(WS.10).aspx)
o To replace a boot sector you will need to boot from the Windows 7 media and choose Startup repair
  (http://www.ehow.com/how_4836283_repair-mbr-windows.html)

Migration
This is the process of moving over user and machine settings from a previous OS such as XP or Vista
o Windows Easy Transfer (page 44)
   o Used to move settings and files over on a single computer
   o Graphical interface makes it easiest to use
   o Make sure to use an administrator account
o User State Migration Tool (USMT) (Page 55)
   o Command line utility
   o Scanstate (run on the source computer)
      o This is the process of saving settings and files
      o When you have upgraded from XP or Vista to Windows 7 the old OS files will be in a folder with .OLD extension e.g. c:\windows.old
      o Understand all switch commands and .xml files below
         o /Genmigxml: Use to review what will be exported
         o /Nocompress /p: Use to check how much space will be taken up on compressed profiles
         o /Efs: Use to migrate encrypted files
         o Migdocs.xml: Use for files stored off the root drive (good for users who save info all over their drive)
         o Config.xml: Use to exclude files from migration
         o Migapp.xml: Use for custom application settings
         o MigUser.xml: Use to migrate all User files and folders
        (http://technet.microsoft.com/en-us/library/dd560764(WS.10).aspx)
   o Loadstate (run on the destination computer)
      o Will not bring over the installed applications; these will need to be reinstalled onto the new Windows 7 installation
      o /lac: this will import accounts but they will be disabled, and therefore will have to be enabled before use (use /lae to import fully enabled)
        (http://technet.microsoft.com/en-us/library/cc749015(WS.10).aspx)

Deployment
Windows SIM System Image Manager
o Graphical utility to create answer files for automated installs (page 66)

Imaging
o ImageX
   o Command line utility used to capture and deploy an image from inside Windows PE (page 72)
   o Can be used to mount an image in order to modify it (page 66, 71-72)
   o Applying install.wim will force OOBE (Out Of Box Experience)
   o Switch commands
      o /Append allows you to add a volume to an existing image
      o /Mountrw allows you to update an image. Once mounted, other commands can be run as normal e.g. BCDEdit
      o /Split allows you to spread an image over media too small to take the entire image file (WIM file)
     http://technet.microsoft.com/en-us/library/cc749447(WS.10).aspx
o DISM (Deployment Image Servicing and Management)
   o Command line utility that allows you to edit and modify an existing image (Page 66, 89-91)
   o Can be used to reset an altered image
   o Can be used to add services such as Telnet to an image
   o Can be used to remove games via setting InBoxGames to disabled
   o /Get-Drivers will show which drivers are contained within an image
   o /Add-Driver allows you to add a driver to an image easily
   o /Set-Edition allows you to change the version of Windows in an image e.g. Windows 7 Professional to Windows 7 Ultimate
   o This is the primary tool for editing the Windows PE environment
     http://technet.microsoft.com/en-us/library/dd744533(WS.10).aspx
o Windows PE
   o A minimal environment used to capture and deploy images
   o System must be started in Windows PE in order to capture an image
   o Drivers can be dynamically loaded via the DRVload utility
     http://technet.microsoft.com/en-us/library/cc766390(WS.10).aspx
   o Image can only be deployed onto a created and formatted partition
o SysPrep (Page 71)
   o Used to remove machine specifics from an image file, for example SIDs, ready for duplication and re-deployment
   o /generalize to remove machine specific data
   o /oobe to ensure Out Of Box Experience
o VHD
   o Applying install.wim inside ImageX will force OOBE (Out Of Box Experience) on next boot up
   o Fixed sized disks have the least impact on performance
o WDS Windows Deployment Service
   o Images need to be added to the WDS manager before you are able to select and deploy them (page 78, 94)

Unattended installs
o Use AutoUnattend.xml for a non-prompting install
o This can be placed on a USB disk or network share if needed
  (http://support.microsoft.com/kb/933495)

Configuration
Hardware
o To view all unsigned drivers run Driverquery /si
o Hardware Assisted Virtualization in the computer's BIOS must be enabled for XP Mode to work
o To change the default actions for optical drives modify AutoPlay settings
o As display drivers are set at machine level in the local policy you would need to modify the machine settings and not user settings
o If a hardware device won't start, try troubleshooting from Devices and Printers
o To permanently set which applications open a certain file type use Control Panel / Programs and the Set Your Default Programs option
o Printing
   o 32 and 64 bit drivers are different, therefore you will need to install additional drivers for printer support for all equipment
o USB
   o Pnputil.exe -i -a allows you to add plug and play hardware (such as USB sticks)
     http://technet.microsoft.com/en-us/library/cc732408(WS.10).aspx
   o To ensure only approved USB sticks can be used you can set the following GPO settings:
      o Enable "prevent installation of devices not described by other policies"
      o Enable "Allow installation of devices that match these IDs" (and then enter those device IDs)
   o To prevent any new USB drives being used set "Prevent installation of Removable media"

GPOs
o Before you can prevent a specific hardware device from being installed, first you need to know its Class GUID
o Local Policy Settings
   o Set Folder Auditing to configure Object Access
   o Can be used to disable Control Panel access for users
   o User rights can be used to prevent shutdown of a computer
   o Can be used to prevent the name of the last user that was logged on being displayed

Services
o Application Identity
   o Needed to start both Bit Locker and to Enforce Application Control Policies (App Locker)

Booting
o Use BCDEdit to change the boot order of OSs combined with the default switch
o VHDs can also be selected as a bootable OS using this tool

Slmgr
o /dli will display Detailed Licensed information

Applications
o App Locker (aka Application Control Policy)
   o Can be used to control which local groups can run an application
   o To control application version use a Publisher rule
   o To prevent the running of certain applications use executable rules
o MsiExec can be used in logon scripts to call .msi files for quiet installations. It can also be used with .mst files to customize (transform) the way an application is installed.
o ACT
   o To ensure an application SHIM is applied next time the application is run use SDBInst
   o Use ACT to check for application compatibility with Windows 7
o IE
   o Add a site to the Local intranet zone if you don't want the user to enter authentication information
   o Check the Title bar for things like Working Offline
   o Compatibility View allows you to view web pages meant for older versions of IE
   o Ratings are controlled inside Content Advisor
   o When InPrivate browsing is on, suggested sites won't appear; open up a new IE window to see them
   o ActiveX controls can be prevented via the Security settings
   o You can make IE the default web browser via the Programs tab sheet, followed by Make Default
   o To reset IE select the Advanced sheet followed by Reset
   o 3rd party toolbars are controlled via Manage add-ons
   o To prevent form-based credentials being filled in from previous users modify the AutoComplete settings

Networking
To join a machine to a Home Group set network location to home network (Page 199)

Services

o Client for Microsoft Networks allows a machine to attach to resources on a network (Page 161)

IP
o IP 4
   o Must be enabled in order to use IP v4 Addressing
   o CIDR Notation is used to describe the number of bits used for the network ID, for example /27 uses 27 bits for the network ID and 5 bits for the Host ID (page 151-152)
o IP 6
   o The loopback address for v6 is ::1
   o In order to ping with v6 add the -6 command e.g. ping hostname -6
   o A DNS record is AAAA
   o For ISATAP to be successful you must be running the IP Helper service
   o To view an IP v6 address use either IPConfig or the network connection status details
o IPCONFIG
   o If it returns no information check that the network card is enabled
   o /all shows extra info such as MAC address, DHCP & DNS Servers
o DHCP
   o Used to assign IP addresses automatically
   o If it fails and an APIPA address is seen (169.254.x.x) set a static IP address for connectivity
o Name resolution
   o Host files can be used to preload an IP address against a Host name; useful when a machine has 2 addresses and you wish only 1 to be identified with a name
o Default gateways
   o Are exit points from a network and as such are often combined with Firewalls. It's often a good rule to follow that the router / Firewall ends with the last address available e.g. 192.168.0.254
   o To prevent WAN capabilities delete the Default Gateway

Remote Control / Admin


o Powershell
   o New-PSSession allows you to connect to a machine and carry out administration tasks
   o To auto load a new snap-in each time, create a new MMC console file
     http://technet.microsoft.com/en-us/library/dd347668.aspx
o Netsh (NetShell): Used to run network configuration commands on another computer and therefore is useful for running inside login scripts
o WinRM: /quickconfig is used to quickly set up the rules on a target computer for remote management
o WinRS: Used to run command lines on remote machines

Firewall
Used to control access to a machine and which subnets can see a particular machine (or from which it will respond to)
o Outbound rules control which programs (e.g. FTP) or services (e.g. RPC) can access resources on other machines including resources on the internet
o Rules can be exported and you can set the system to log successful access via Advanced Security
o Set up Advanced Security rules to control protocols or services
o IPSec policy is controlled by Connection Security Rules
o To record successful connections look to the firewall's Advanced Security properties and set the appropriate log settings.
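Once successful connections are being logged as described above, the log can be reviewed for which inbound services are actually being reached. The following is an added example, not part of the original guide; the sample lines are constructed, the field layout in the sample is an assumption (the parser reads whatever the log's own #Fields line declares), and the function names are hypothetical.

```powershell
# Logging of allowed connections can also be switched on from an elevated prompt:
#   netsh advfirewall set allprofiles logging allowedconnections enable
# Default log location: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log

# Constructed sample in the space-separated layout used by pfirewall.log.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2011-03-01 09:14:02 ALLOW TCP 192.168.0.23 192.168.0.10 49712 3389 0 - 0 0 0 - - - RECEIVE
2011-03-01 09:14:40 ALLOW TCP 192.168.0.10 203.0.113.5 49733 21 0 - 0 0 0 - - - SEND
2011-03-01 09:15:07 DROP UDP 192.168.0.77 192.168.0.255 137 137 78 - - - - - - - RECEIVE
2011-03-01 09:16:11 ALLOW TCP 192.168.0.23 192.168.0.10 49720 445 0 - 0 0 0 - - - RECEIVE
2011-03-01 09:16:12 ALLOW TCP 192.168.0.31 192.168.0.10 50110 445
'@ -split "`r?`n"

function ConvertFrom-FirewallLog {
    # Turns log lines into objects with one property per declared field.
    param([string[]]$Line)
    $fields = $null
    foreach ($l in $Line) {
        if ($l -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1].Trim() -split '\s+'
            continue
        }
        # Skip other header lines, blank lines, and data seen before any #Fields line.
        if ($l -match '^\s*(#|$)' -or -not $fields) { continue }
        $values = $l.Trim() -split '\s+'
        # A truncated or malformed record is skipped rather than mis-parsed.
        if ($values.Count -ne $fields.Count) { continue }
        $row = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $row | Add-Member -MemberType NoteProperty -Name $fields[$i] -Value $values[$i]
        }
        $row
    }
}

function Get-AllowedInbound {
    # Summarises successful inbound connections per protocol/port with their sources.
    param([string[]]$Line)
    ConvertFrom-FirewallLog $Line |
        Where-Object { $_.action -eq 'ALLOW' -and $_.path -eq 'RECEIVE' } |
        Group-Object { '{0}/{1}' -f $_.protocol, $_.'dst-port' } |
        Sort-Object Name |
        Select-Object Name, Count, @{
            n = 'Sources'
            e = { ($_.Group | ForEach-Object { $_.'src-ip' } | Sort-Object -Unique) -join ',' }
        }
}

# Run against the constructed sample; for a live machine pass
#   (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
Get-AllowedInbound $sample | Format-Table -AutoSize
```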

Wireless
o You can export your settings by saving the wireless network properties
o SSID broadcasts can be disabled, so to attach to a network without broadcasts, modify the appropriate network connection settings from the Network and Sharing Centre
o With multiple wireless networks, affinity to a single one can be set via the Network and Sharing Centre (Page 165)
o WPA2: WPA-Enterprise does not require a pre-shared key and instead uses a RADIUS Server (Page 450)
o Modes
   o Ad-hoc: Allows 2 computers to easily and quickly join to each other
   o Infrastructure: Attach to a WAP

Resource Access
NTFS
o Permissions
   o Only available on NTFS formatted partitions
   o Modify will allow deletion of files (Page 192)
   o Write allows the adding of files to a folder but NOT deletion of files
o Disk Quotas can be set to limit disk usage by users (Page 116)

Share Permissions
o Default permissions are Everyone Read
o Share permissions are combined with NTFS permissions and the most restrictive will apply. So if share permissions are open but the resource is still inaccessible then look at NTFS permissions (Page 205)
o Only apply when users are attached to a share; not in effect if the resource is accessed from the local, physical machine

Caching
o To ensure that files are automatically cached when attaching to a share modify the properties of the share to auto-cache
  http://technet.microsoft.com/en-us/library/cc755136.aspx
o Cached files can be encrypted to ensure security of data; both settings (offline files and encryption) are set on the client side (Page 467)

Branch Caching (Page 427-431)
o On the clients ensure the Content Retrieval rules for the firewall are set up correctly
o Make sure that you have firewall rules set up that will allow caching to work
o If experiencing performance problems try flushing the Cache so that clients will not retrieve data from a particular machine

EFS
o Cipher
   o Command line utility to control access to encrypted files
   o Cipher Folder Name displays all files encrypted within that folder
   o To backup your Cipher certificates: Cipher /x
   o To create a new Cipher key: Cipher /k
   o /r creates a new recovery agent (which can be added from the local security policy)
     http://articles.techrepublic.com.com/5100-10878_11-5030732.html
     http://technet.microsoft.com/en-us/library/cc938948.aspx
o Set a Data Agent in Local Policy to ensure being able to decrypt EFS files
o Password recovery in a work group
   o You can either create a Password Reset Disk or re-import an exported certificate
o EFS Key recovery
   o If machines are on a single domain they will use the same recovery agent certificate, so you can export it first from one machine and then import to another to recover EFS files

Printing
o Access controlled through Printer Security Permissions
o Users need to have the print permission in order to delete their own jobs, but not others. However, if users have difficulty deleting their own print jobs, check that creator/owner has the Manage permission

Mobile Computing
NAP
o To configure a NAP client first you will need to start the Protection agent service at start-up followed by enabling the DHCP Quarantine Enforcement Client

Offline Files
o Use transparent caching to reduce bandwidth; it forces the machine to be on the network
  http://technet.microsoft.com/en-us/library/dd637828(WS.10).aspx
o To check whether the file is an offline version use Explorer
o Use SyncCenter to verify if you have an offline copy of a folder available to you on your computer

Remote Desktop
o Remote assistance allows users to share their current desktop with administrators
o If connecting from a home PC to a machine, modify the Connect from anywhere settings on the host
o To access resources on the target machine configure the Local devices and resources setting on the machine you are sitting at

Power management
o Run powercfg from a command prompt to check why a machine may not be entering hibernation mode

Remote access
o VPN
   o Use Network and Sharing to set up a new connection followed by connection type e.g. Connect to workplace
   o To be able to use Smart Cards for authentication you must be using the EAP protocol
   o If once connected to a VPN internet browsing fails to work, disable Use Default Gateway on remote network
   o Certificates: If the root certificate fails due to not being trusted then import the root certificate into the computer's Trusted ROOT Authorization store
o SSTP
   o Secure Sockets Tunnelling Protocol uses ports 80 (HTTP) and 443 (HTTPS)
   o If you are having trust issues with certificates import the server's certificate to the Trusted Root Certification Authorities store

Direct Access
http://technet.microsoft.com/en-us/library/dd637827(WS.10).aspx
o A certificate must be installed to establish a connection

Bit Locker
o Used to protect, via encryption, data stored on local disks and removable media
o If the boot partition is encrypted and the recovery key is lost then you will need to re-install the OS
o It is not supported by XP, so if enabled on something like a USB pen drive you will first need to disable it via a Windows 7 machine.
o Only supported by Ultimate and Enterprise editions of Windows 7

Maintenance
o Page file size can be set from System, Advanced System settings
o To improve graphics performance modify the Visual Effects settings in Performance Options
o When using ReadyBoost you can restrict how much space is taken up via the USB drive's Properties

Windows Update
o Whether a user is allowed to manually change update settings can be set via Local Group Policy
o Windows Update will record the updates that have been applied
o To get a client to update run Wuauclt /detectnow (this will also ensure it appears in the WSUS snap-in)
o Selecting Allow all users to install Updates will notify users when an update is available
o Office updates can also be enabled by selecting Get updates for other Microsoft products
o You can remove an update via the Programs and Features tool in Control Panel
o The location that you received the update from is logged in the WindowsUpdate.log file

Credentials Manager
o Extra credentials can be added to allow running as a different user
o Used to remove credentials that have been stored via the /savecred parameter (Page 373)

IIS
o To control access to an intranet website modify the NTFS file permissions to the wwwroot folder and modify the authentication method used

Certificate Manager
o Self Certified Certificates need to be stored in Trusted root (see appendix)
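To see which self-signed certificates a machine actually holds and whether they sit in Trusted root, the logical stores listed in the appendix can be walked read-only. This is an added example, not part of the original guide; the function names are hypothetical, and "self-issued" here means subject equals issuer, which is a heuristic and does not re-verify the signature.

```powershell
# Read-only audit: nothing is imported, moved or deleted.
# Provider names for the logical stores shown in the Certificates snap-in.
$auditStores = 'My', 'Root', 'CA', 'TrustedPeople', 'TrustedPublisher', 'Disallowed'

function Test-SelfIssued {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Compare the encoded names byte for byte rather than the display strings.
    $subject = [Convert]::ToBase64String($Cert.SubjectName.RawData)
    $issuer  = [Convert]::ToBase64String($Cert.IssuerName.RawData)
    $subject -eq $issuer
}

function Get-ChainResult {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Evaluate trust only; skip revocation lookups so the check works offline.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Cert)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    New-Object PSObject -Property @{ Trusted = $trusted; Status = $status }
}

function Get-CertStoreAudit {
    param(
        [string]$Location = 'LocalMachine',   # or CurrentUser
        [string[]]$Store  = $auditStores
    )
    foreach ($name in $Store) {
        $path = "Cert:\$Location\$name"
        if (-not (Test-Path $path)) { continue }
        foreach ($cert in Get-ChildItem $path) {
            $selfIssued = Test-SelfIssued $cert
            $chain      = Get-ChainResult $cert
            $note = ''
            if ($name -eq 'Root' -and -not $selfIssued) {
                # Root certificates are self-signed by definition; anything else is misplaced.
                $note = 'Not self-issued but stored in Trusted Root'
            }
            elseif ($name -ne 'Root' -and $name -ne 'Disallowed' -and
                    $selfIssued -and -not $chain.Trusted) {
                # The situation the guide describes: self-signed and not in Trusted root.
                $note = 'Self-issued with no path to Trusted Root'
            }
            elseif ($cert.NotAfter -lt (Get-Date)) {
                $note = 'Expired'
            }
            New-Object PSObject -Property @{
                Store      = $name
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                SelfIssued = $selfIssued
                Trusted    = $chain.Trusted
                Status     = $chain.Status
                Note       = $note
            } | Select-Object Store, Subject, SelfIssued, Trusted, Status, Note, Thumbprint
        }
    }
}

# Show only the entries that deserve a second look.
Get-CertStoreAudit | Where-Object { $_.Note } | Format-Table -AutoSize
```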

Auditing
o Set local policy for Object Access to track folder usage

UAC
o Used to start applications at a higher privilege (can even be used as an administrator)

Monitoring
o Reliability Monitor can be used to view which Applications have been installed recently and which Hardware has failed recently
o Resource Monitor can be used to view Network, CPU, Disk or Memory usage for individual processes
o Subscription events (set up on all client machines) can be used in the event of an application failure to notify a central machine which can then run tasks based on set criteria
o Wecutil is an application that will set up Windows Event Collection. To quickly set up add the qc switch

Disk
o If you have no free space left but still need to create a partition you will first have to shrink one of the other partitions in order to create more free space
o If there is no free space next to the volume you wish to extend, due to another partition being next to it, then you will need to backup that 2nd volume, delete it, extend the volume you need to, then recreate (if wished) the 2nd volume and restore the data
o To configure disks remotely, if WinRM is enabled, you can run a command line utility such as Diskpart via WinRS
o Mount points can extend a drive without enough space onto another physical disk
o Dynamic Disks
   o To set up RAID 0 and or RAID 1 (not RAID 5) the disks must be dynamic and not basic disks
   o Dynamic disks, if moved between machines, will be seen as foreign disks and will need to be imported before they can be used
   o Mirrored disks preserve data in the case of a single disk failure and more than one disk can be mirrored within a system

Backup & Recovery


Backup
o To backup to a local disk make sure that it is connected properly (including removable disks)
o Disks need to be partitioned and formatted before they can be used for backup.
o Multiple systems can be saved to an external HDD for safe keeping and to reduce local disk usage
o You can change the backup routine to include new disks by changing the setting in Backup and Restore
o Automatic-Backup can be set to run via Task Scheduler in such a way that the task will not run if the machine is running on battery

System Protection
o Snapshots
   o To remove unwanted snapshots run Disk Cleanup for System Restore and Shadow Version copies
o Previous Versions
   o System Protection must be turned on before this feature is available. It can be turned on by configuring the System Protection settings in System Properties
   o To view the space taken up by previous versions, check the System Protection settings in System
o Make sure you have sufficient space to perform backup; if not add an external HDD or some other medium

Restore
o System Restore points feature can be used to restore a file to a previous version once a system restore point has been created
o It can also be used to restore a folder
o If you have a system image and need to restore a single file then attach the VHD from Disk Management
o To reduce the space taken up by system restore points run Disk Cleanup

Recovery
o Repair disks are created on CD/DVD disks, therefore you will need the appropriate hardware to create them
o If system images have been created and now need to be used, boot from the Windows 7 installation medium and choose System Image Recovery
o WindowsRE
   o Boot via a WRE disk and restore system image quickly as long as you have created a system image via backup
o If an application is failing to uninstall, then as long as you have been saving system images a quick method is to restore a system restore point
o Driver recovery
   o For bad video drivers boot into safe mode and try RollBack driver
   o In order to roll back a driver you will need to be an Administrator (or run command as Administrator)
o Advanced Start-up options
   o LastKnownGood: If a faulty or corrupted service stops the system from booting (and no user has logged on) then use the LastKnownGood option
   o Repair Your Computer option can tell you if your RAM is causing a problem by running Memory Diagnostics

Appendix
In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by its own creator. That is, the person that created the certificate also signed off on its legitimacy. In typical public key infrastructure (PKI) arrangements, that a particular public key certificate is valid (i.e., contains correct information) is attested by a digital signature from a certificate authority (CA). Users, or their software on their behalf, check that the private key used to sign some certificate matches the public key in the CA's certificate. Since CA certificates are often signed by other, "higher ranking," CAs, there must necessarily be a highest CA, which provides the ultimate in attestation authority in that particular PKI scheme. Obviously, the highest-ranking CA's certificate can't be attested by some other higher CA (there being none), and so that certificate can only be "self-signed." Such certificates are also termed root certificates. Clearly, the lack of mistakes or corruption in the issuance of such certificates is critical to the operation of its associated PKI; they should be, and generally are, issued with great care. In a web of trust certificate scheme there is no central CA, and so identity certificates for each user can be selfsigned. In this case, however, it has additional signatures from other users which are evaluated to determine whether a certificate should be accepted as correct. So, if users Bob, Carol, and Edward have signed Alice's certificate, user David may decide to trust that the public key in the certificate is Alice's (all these worthies having agreed by their signatures on that claim). But, if only user Bob has signed, David might (based on his knowledge of Bob) decide to take additional steps in evaluating Alice's certificate. 
On the other hand, Edward's signature alone on the certificate may by itself be enough for David to trust that he has Alice's public key (Edward being known to David to be a reliably careful and trustworthy person).

There is, of course, a potentially difficult regression here: how can David know that Bob, Carol, or Edward have signed any certificate at all unless he knows their public keys (which of course came to him in some sort of certificate)? In the case of a small group of users who know one another in advance and can meet in person (e.g., a family), users can sign one another's certificates when they meet as a group, but this solution does not scale to larger settings. This problem is solved by fiat in X.509 PKI schemes, as one believes (i.e., trusts) the root certificate by definition. The problem of trusting certificates is real in both approaches, but less easily lost track of by users in a Web of Trust scheme.

Certificates

Display by Logical store

| Folder name | Contents |
|---|---|
| Personal | Certificates associated with private keys to which you have access. These are the certificates that have been issued to you or to the computer or service for which you are managing certificates. |
| Trusted Root Certification Authorities | Implicitly trusted certification authorities (CAs). Includes all of the certificates in the Third-Party Root Certification Authorities store plus root certificates from your organization and Microsoft. If you are an administrator and want to add non-Microsoft CA certificates to this store for all computers in an Active Directory domain, you can use Group Policy to distribute trusted root certificates to your organization. |
| Enterprise Trust | A container for certificate trust lists. A certificate trust list provides a mechanism for trusting self-signed root certificates from other organizations and limiting the purposes for which these certificates are trusted. |
| Intermediate Certification Authorities | Certificates issued to subordinate CAs. If you are an administrator, you can use Group Policy to distribute certificates to the Intermediate Certification Authorities store. |
| Trusted People | Certificates issued to people or end entities that are explicitly trusted. Most often these are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook. If you are a domain administrator, you can use Group Policy to distribute certificates to the Trusted People store. |
| Other People | Certificates issued to people or end entities that are implicitly trusted. These certificates must be part of a trusted certification hierarchy. Most often these are cached certificates for services such as Encrypting File System (EFS), where certificates are used for creating authorization for decrypting an encrypted file. |
| Trusted Publishers | Certificates from CAs that are trusted by software restriction policies. If you are a domain administrator, you can use Group Policy to distribute certificates to the Trusted Publishers store. |
| Disallowed Certificates | These are certificates that you have explicitly decided not to trust, either by using software restriction policies or by choosing not to trust a certificate when the decision is presented to you in e-mail or a Web browser. If you are a domain administrator, you can use Group Policy to distribute certificates to the Disallowed Certificates store. |
| Third-Party Root Certification Authorities | Trusted root certificates from CAs other than Microsoft and your organization. You cannot use Group Policy to distribute certificates to the Third-Party Root Certification Authorities store. |
| Certificate Enrolment Requests | Pending or rejected certificate requests. |
| Active Directory User Object | Certificates associated with your user object and published in AD DS. |

Display by Purpose

| Purpose | Contents |
|---|---|
| Server Authentication | Certificates that server programs use to authenticate themselves to client computers. |
| Client Authentication | Certificates that client programs use to authenticate themselves to servers. |
| Code Signing | Certificates associated with key pairs used to sign active content. |
| Secure E-mail | Certificates associated with key pairs used to sign e-mail messages. |
| Encrypting File System | Certificates associated with key pairs that encrypt and decrypt the symmetric key used for encrypting and decrypting data by EFS. |
| File Recovery | Certificates associated with key pairs that encrypt and decrypt the symmetric key used for recovering encrypted data by EFS. |
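The logical-store and purpose views above can also be read from PowerShell's Cert: drive. The following is an added example, not part of the study guide: it walks the logical stores by their internal names and flags self-issued certificates and EFS certificates that hold a private key. The function name Get-CertStoreReport is made up for illustration.

```powershell
# Internal store names (left) for the logical stores shown in certmgr.msc (right).
$LogicalStores = @{
    'My'               = 'Personal'
    'Root'             = 'Trusted Root Certification Authorities'
    'Trust'            = 'Enterprise Trust'
    'CA'               = 'Intermediate Certification Authorities'
    'TrustedPeople'    = 'Trusted People'
    'AddressBook'      = 'Other People'
    'TrustedPublisher' = 'Trusted Publishers'
    'Disallowed'       = 'Disallowed Certificates'
    'AuthRoot'         = 'Third-Party Root Certification Authorities'
}
# Enhanced key usage (EKU) OIDs behind the "Purpose" view.
$Purposes = @{
    '1.3.6.1.5.5.7.3.1'        = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'        = 'Client Authentication'
    '1.3.6.1.5.5.7.3.3'        = 'Code Signing'
    '1.3.6.1.5.5.7.3.4'        = 'Secure E-mail'
    '1.3.6.1.4.1.311.10.3.4'   = 'Encrypting File System'
    '1.3.6.1.4.1.311.10.3.4.1' = 'File Recovery'
}
function Get-CertStoreReport {
    param([string]$Location = 'CurrentUser')   # or 'LocalMachine'
    foreach ($name in $LogicalStores.Keys) {
        $path = "Cert:\$Location\$name"
        if (-not (Test-Path $path)) { continue }
        foreach ($cert in Get-ChildItem $path) {
            # Map EKU OIDs to purpose names; no EKU extension means "all purposes".
            $ekus = @($cert.Extensions |
                Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { if ($Purposes[$_.Value]) { $Purposes[$_.Value] } else { $_.Value } })
            New-Object PSObject -Property @{
                Store         = $LogicalStores[$name]
                Subject       = $cert.Subject
                # Subject equal to Issuer means self-issued; the signature is not verified here.
                SelfIssued    = ($cert.Subject -eq $cert.Issuer)
                HasPrivateKey = $cert.HasPrivateKey
                Purposes      = ($ekus -join ', ')
                Thumbprint    = $cert.Thumbprint
            }
        }
    }
}
$report = Get-CertStoreReport
# Self-issued certificates trusted outside the root stores deserve a manual look.
$report | Where-Object { $_.SelfIssued -and $_.Store -notmatch 'Root' } | Format-Table Store, Subject -AutoSize
# EFS certificates with a private key are the ones to export and keep a backup of.
$report | Where-Object { $_.HasPrivateKey -and $_.Purposes -match 'Encrypting File System' } | Format-Table Subject, Thumbprint -AutoSize
```

The code avoids PowerShell 3.0-only syntax, so it also runs on the PowerShell 2.0 that ships with Windows 7.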

EFS password Recovery


Recovering Access to Encrypted EFS Data

If you have encrypted some of your files by using the Encrypting File System (EFS), you have additional options to recover access to those encrypted files. The following provisions apply only to EFS encrypted files, and will not recover access to saved credentials or certificates.

If you have previously exported the user's EFS private key from the user's account, you may import the key back into the account and recover access to the encrypted files.

If you did not export the private key and you have defined a Data Recovery Agent (DRA) prior to encrypting the files, you may regain access to EFS files as the Data Recovery Agent. For additional information about how to recover data in this case, see the following article in the Microsoft Knowledge Base:

255742 (http://support.microsoft.com/kb/255742/EN-US/) Methods for Recovering Encrypted Data Files

If you do not have the required items or information specified for the preceding recovery solutions, the data is permanently encrypted, and cannot be recovered.

If your computer is not a member of a Windows 2000-based domain (it is a stand-alone server or a member of a Microsoft Windows NT 4.0-based domain), your local, built-in Administrator account may be the designated Recovery Agent for any users of your computer. To be able to recover encrypted information on a computer in this case, you must have backed up the Recovery Agent's private key before the loss of the key.

For more information about using EFS and backing up and restoring the Recovery Agent's private key, see the following articles in the Microsoft Knowledge Base:

223316 (http://support.microsoft.com/kb/223316/EN-US/) Best Practices for Encrypting File System
241201 (http://support.microsoft.com/kb/241201/EN-US/) HOW TO: Back Up Your Encrypting File System Private Key in Windows 2000
