date: Tue, 15 Apr 2008 15:38:39 -0700,    group: microsoft.public.platformsdk.security


EFS Registry Key Different on Different Machines   
Sorry for cross-posting. I posted this message on 
microsoft.public.win2000.security by mistake.

-------------------------------------

We are trying to follow this file to read the Encrypted File System
settings:
http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-GPEF%5D.pdf

So far we have two questions:

1. The file says that the registry keys for the EFS recovery agents are
under:

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\EFS\Certificates

We did some testing on two Windows XP machines by:
i) manually examining the registry structure in RegEdit
ii) traversing the registry structures with code, with the root key returned by
the group policy object:
    pGroupPolicyObject->OpenLocalMachineGPO(GPO_OPEN_LOAD_REGISTRY);

    hr = pGroupPolicyObject->GetRegistryKey(2, &hGPOSectionKey);

On the first machine, both in RegEdit and in the display of the code, we see a
key structure as described in the PDF file.

On the second machine, we see a key structure as described in the PDF file
from RegEdit. However, in the code output, the keys exist in a different
registry key:

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\AutoEnrollment\SystemCertificates\CA\Certificates\CRLs\CTLs\EFS\Certificates

Is this by design? Or is it that we are not doing this right?


2. To read and write the EFS settings, is it necessary to use the \Software
registry key handle that I get from pGroupPolicyObject->GetRegistryKey()? Can I
instead directly access the registry by opening this key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS

It seems that with the \Software key we get from GP object, we can only see
the GP related keys. Of course if we open \Software directly with registry
APIs, we see a whole bunch of others. So we assume that using the \Software key
from GP object is the correct way. Then we are rather confused about the fact
that we are getting different key structures when using GP \software key, than
when we browse manually.

Thanks.
date: Tue, 15 Apr 2008 15:38:39 -0700   author:   JH am

RE: EFS Registry Key Different on Different Machines   
Hi JH,

I will spend some time on this issue and get back to you ASAP. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and 
suggestions about how we can improve the support we provide to you. Please 
feel free to let my manager know what you think of the level of service 
provided. You can send feedback directly to my manager at: 
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
date: Wed, 16 Apr 2008 10:52:10 GMT   author:   (Jeffrey Tan[MSFT])

RE: EFS Registry Key Different on Different Machines   
Hi JH,

Sorry to keep you waiting.

A Group Policy Object is a collection of settings. Lots of GPOs can apply 
to any given machine, and each GPO may contain different sets of settings.

A machine's registry is the result of all configuration applied to that 
machine, by any mechanism including GPOs.

The two are not equivalent in any way. Depending on what you are trying to 
do, one of them will be more suitable than the other. There is no reason to 
expect the two to agree.

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
date: Thu, 17 Apr 2008 07:42:44 GMT   author:   (Jeffrey Tan[MSFT])
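
The distinction drawn in the reply above (one GPO's settings versus the machine's resulting registry), as an added example that is not code from this thread or from Microsoft. It assumes the GPO's machine settings are available as a Registry.pol file in the PReg version 1 layout; the thumbprint placeholder, the `software\policies\example\hypothetical` key, the sample bytes and all function names are constructed for illustration.

```python
import struct

REG_BINARY = 3
EFS_CERTS = r"Software\Policies\Microsoft\SystemCertificates\EFS\Certificates"
def u16(s):
    return s.encode("utf-16-le")
def build_pol(entries):
    # Serialize (key, value, type, data) tuples as PReg v1; only used to build the sample.
    out = b"PReg" + struct.pack("<I", 1)
    for key, value, rtype, data in entries:
        out += (u16(f"[{key}\0;{value}\0;") + struct.pack("<I", rtype) + u16(";")
                + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))
    return out

def parse_pol(blob):
    """Parse PReg v1 bytes into {(key, value): (type, data)}; names are lowercased."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a PReg version 1 file")
    pos, out = 8, {}
    def text(p):  # NUL-terminated UTF-16LE string; also skips the ';' after it
        end = p
        while blob[end:end + 2] != b"\0\0":
            if end >= len(blob):
                raise ValueError("unterminated string")
            end += 2
        return blob[p:end].decode("utf-16-le"), end + 4
    while pos < len(blob):
        if blob[pos:pos + 2] != u16("["):
            raise ValueError(f"expected '[' at offset {pos}")
        key, pos = text(pos + 2)
        value, pos = text(pos)
        rtype, size = struct.unpack_from("<I2xI", blob, pos)  # type, ';', size
        start = pos + 12  # data begins after the second ';'
        if blob[start + size:start + size + 2] != u16("]"):
            raise ValueError("entry not closed by ']'")
        out[(key.lower(), value.lower())] = (rtype, blob[start:start + size])
        pos = start + size + 2
    return out

def compare(gpo, machine):
    """Return setting names only in the GPO, only on the machine, and in both."""
    g, m = set(gpo), set(machine)
    return sorted(g - m), sorted(m - g), sorted(g & m)

# Constructed sample: a GPO with one EFS value, and a machine snapshot with one extra value.
ENTRY = (EFS_CERTS + r"\THUMBPRINT_PLACEHOLDER", "Blob")
SAMPLE_POL = build_pol([(*ENTRY, REG_BINARY, b"\x01\x02\x03")])
SAMPLE_MACHINE = {(ENTRY[0].lower(), "blob"): (REG_BINARY, b"\x01\x02\x03"),
                  (r"software\policies\example\hypothetical", "enabled"): (4, b"\x01\0\0\0")}
```

Calling `compare(parse_pol(SAMPLE_POL), SAMPLE_MACHINE)` lists the value that exists only in the machine snapshot, which is the kind of difference to expect between the two views.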

RE: EFS Registry Key Different on Different Machines   
Hi JH,

Have you reviewed my reply to you? Does it make sense to you? If you still 
need any help, please feel free to give feedback, thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
date: Wed, 23 Apr 2008 03:34:03 GMT   author:   (Jeffrey Tan[MSFT])

Re: EFS Registry Key Different on Different Machines   
Jeffrey,

What you said was not exactly what I was asking, but don't worry
about it for now because I'm not sure if there is a bug somewhere in
our code, so I don't want to waste your time before we are clear
that it is not a bug. I sent you a reply to ask you to hold off on your
investigation, but somehow the reply didn't show up.

Thanks!

"Jeffrey Tan[MSFT]" wrote in message 
news:jtsWrLPpIHA.2252@TK2MSFTNGHUB02.phx.gbl...
> Hi JH,
>
> Have you reviewed my reply to you? Does it make sense to you? If you still
> need any help, please feel free to give feedback, thanks.
>
> Best regards,
> Jeffrey Tan
> Microsoft Online Community Support
date: Wed, 23 Apr 2008 14:26:28 -0700   author:   JH am

Re: EFS Registry Key Different on Different Machines   
Hi JH,

Thanks for your confirmation. 

Yes, I have also found that the newsgroup has not been stable recently, which 
lost some replies in our internal support tool. Anyway, thanks for your kind 
reminder. 

If you need further help, please feel free to post, thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
date: Thu, 24 Apr 2008 02:26:25 GMT   author:   (Jeffrey Tan[MSFT])
