3 Replies Latest reply on Jul 25, 2014 8:34 PM by SafeBoot

    How to recover data

    henry.x.tang

      Hi folks,

       

      One of my users has McAfee Endpoint Encryption installed on a computer with 1 HDD and 2 partitions, C and D. He got a BSOD and tried to fix it on his own. What he did next started all the trouble. He ran a Windows Startup Repair and used a Backup Image file to perform a Windows recovery... It seems to have broken the encryption on the HDD. This caused corruption of the Safeboot process, and it gets error 92h. We first tried to repair the EEPC MBR but that doesn't seem to fix the issue. We have tried to use WinTech and Authenticate from Database, SDB file, but the D drive is still inaccessible. We tried SafeTech and that can't even pick up the USB storage plugged in to Authenticate from the SDB file. So we tried to remove EEPC. After removing it, it's able to boot into Windows but the D drive is still inaccessible. Our EPE guy started a decryption from his end and synced the EPE client on his computer. It all went through but the D drive is still inaccessible.

       

      Does anyone have any idea how we could recover the encrypted file?

       

      Thanks

        • 1. Re: How to recover data

          You can't have done a remove if the machine is giving a 92H and you could not read the SDB file - it's impossible. You need a key to do a remove.

           

          So, what step have you missed out telling us?

           

          To decrypt the D: drive, you just need to find the partition range (from disk information) and force decrypt it. You'll need the SDB file of course (leave the usb stick in the machine as EETech boots, or use a floppy, or use WinTech).

          • 2. Re: How to recover data
            henry.x.tang

            Thank you for the reply. What we did was the following:

            - Using WinTech, authenticate from SDB file successful, try to recover the file with file browser. But it doesn't seem to decrypt the D drive.

            - Using WinTech, authenticate from SDB file successful, try repair disk information but get error message "0xe0050001 Endpoint Encryption for PC not actived"

            - Using WinTech, authenticate from SDB file successful, try repair EEPC MBR, successful but still receive 92h.

            - Using SafeTech, authenticate from SDB file failed, it doesn't detect the USB storage device. It only shows A, B and I. All of them are empty. We were trying to use SafeTech to repair disk information.

            - Using WinTech again and authenticated from SDB successful. Removed EEPC and restart computer. Successfully loaded into Windows.

            - The McAfee EPE is still running and our EPE tech tried to do a network decrypt and do a force sync with the EPE client. After it ran for an hour the D drive is still inaccessible.

             

            Would you please give me some instructions on how to select the partition range to decrypt the D drive in WinTech?

             

            Thanks

            • 3. Re: How to recover data

              If you did a remove, it would have undone all the encryption automatically.

               

              Can you share the client log with us?

               

              If the whole D: drive was encrypted, you can get the partition information from the disk info screen of WinTech. You should though use the workspace to confirm the whole range is encrypted (test the beginning and end) before using the force decrypt option.

               

              You won't be able to use SBAdmin to change the encryption state, because you removed it with WinTech - this machine is now disconnected from the admin system.

               

              BUT you might have run into the situation where the machine has re-activated because you left the policy set in the admin system. That's why we need to check the client log.
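
The check suggested in the last reply (get the partition range, then test its beginning and end before any force decrypt) can be rehearsed offline on a raw disk image. The following is an added example, not part of the thread and not McAfee tooling: it assumes a classic MBR partition table with 512-byte sectors, uses an entropy threshold of 7.0 bits per byte as a heuristic for "looks encrypted", and all function names and the sample image are constructed for illustration. It does not read EEPC's own disk information and does not replace the WinTech workspace check.

```python
import hashlib, math, struct
from collections import Counter

SECTOR = 512  # assumption: 512-byte sectors

def mbr_partitions(mbr):
    """Return (slot, type, first_lba, last_lba) for each used MBR entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature: not a usable MBR")
    parts = []
    for slot in range(4):
        off = 446 + 16 * slot                  # partition table starts at byte 446
        ptype = mbr[off + 4]
        first, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype and count:
            parts.append((slot, ptype, first, first + count - 1))
    return parts

def entropy(sector):
    """Shannon entropy in bits per byte."""
    n = len(sector)
    return -sum(c / n * math.log2(c / n) for c in Counter(sector).values())

def looks_encrypted(sector, threshold=7.0):
    # Heuristic (assumption): ciphertext is near-random, while a plaintext
    # NTFS boot sector carries the OEM ID "NTFS    " at offset 3.
    return sector[3:11] != b"NTFS    " and entropy(sector) >= threshold

def check_range(image, first_lba, last_lba):
    """Classify the first and last sector of a partition range."""
    read = lambda lba: image[lba * SECTOR:(lba + 1) * SECTOR]
    return looks_encrypted(read(first_lba)), looks_encrypted(read(last_lba))

def build_sample_image():
    """Constructed 72-sector image: C: plaintext; D: encrypted start, plaintext end."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    ntfs = b"\xeb\x52\x90NTFS    ".ljust(SECTOR, b"\0")
    entry = lambda first, count: (b"\0" * 4 + b"\x07" + b"\0" * 3
                                  + struct.pack("<II", first, count))
    mbr = b"\0" * 446 + entry(8, 32) + entry(40, 32) + b"\0" * 32 + b"\x55\xaa"
    sectors = [mbr] + [b"\0" * SECTOR] * 71
    sectors[8], sectors[40], sectors[71] = ntfs, noise, ntfs
    return b"".join(sectors)

if __name__ == "__main__":
    img = build_sample_image()
    for slot, ptype, first, last in mbr_partitions(img[:SECTOR]):
        print(slot, hex(ptype), first, last, check_range(img, first, last))
```

A mixed result for one range, as the constructed D: partition gives here, means the range is not uniformly encrypted and a force decrypt over the whole of it would scramble the sectors that are already plaintext.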