What are the Windows XP Password Reset Disk (PRD) and Forgotten Password Wizard features? What do I need to do to use the PRD with Encrypting File System (EFS) encrypted files?

XP's PRD feature lets a user reset his or her own password on a local machine without calling the local administrator. Indirectly, the feature also protects the user from losing access to EFS-encrypted files on a standalone computer after a forgotten password. A PRD works only for local accounts on one machine. It doesn't work for domain accounts, and you can't use the same PRD on different machines. Because anyone who holds the PRD can reset the account's password (and, through it, regain access to the account's EFS files), the user must keep the disk physically secure.

To create a PRD, run the Control Panel User Accounts applet to access the User account properties. To start the PRD Forgotten Password Wizard, click Prevent a forgotten password, as Figure 1 shows. The wizard will then guide you through the rest of the PRD-generation process.

When you create a PRD, XP generates a public/private key pair and a self-signed certificate. The PRD logic encrypts the user's current password with the newly generated public key and stores the result in the HKEY_LOCAL_MACHINE\SECURITY\Recovery\<user SID> registry subkey. Finally, it exports the private key to the 3.5" disk and deletes the private key from the local system, so the disk becomes the only place the decryption key exists.

With regard to EFS-encrypted files, Microsoft changed in XP the key hierarchy that the OS uses to protect the EFS private keys. XP stores a user's EFS private keys in the user's profile and encrypts them with a master key. The master key, in turn, is encrypted with a key that XP derives from the user's credentials (the password). Consequently, whenever the user's password changes, the OS must decrypt the master key with the key derived from the old password and reencrypt it with the key derived from the new one. If that step doesn't happen, the user loses access to the master key and, with it, to every EFS private key. Like the private keys, the master keys live in the user's profile.

Let's review what happens when you use the PRD to recover from a forgotten XP password. When you enter the wrong password on the XP logon screen, XP displays the message Did you forget your password? You can use your password reset disk. If you click that text, XP starts the Forgotten Password Wizard, which guides you through the reset. During the process, the wizard asks you to insert the PRD and to enter a new password. Behind the scenes, XP reads the private key from the PRD and uses it to decrypt the encrypted copy of your password stored on the local machine; presenting the correct PRD proves to the system that the reset request is authentic. Because XP now knows your old password, it can derive the key that protects your master key, decrypt the master key, and through it reach your EFS private keys, so you regain access to your encrypted files. And because the reset changes your password, XP reencrypts the master key with the key derived from the new credentials, exactly as it would for a normal password change.

When you rely on a PRD, you must update the PRD every time you change your password, by repeating the steps you used to create it. If you don't, the next time you run the Forgotten Password Wizard you will get a new password but no access to your EFS-encrypted files. The reason follows from the key hierarchy: each password change reencrypts your master key with a key derived from the new password, but an outdated PRD still unlocks only the old password. The key derived from that old password cannot decrypt a master key that was encrypted under the new one.

A similar problem occurs when a local administrator resets a user's password. In that case, updating the PRD won't help, because the system never learns the old password and so can't reencrypt the master key. The user's only way back to the encrypted files is to restore the EFS private key and certificate from a backup that was exported while the account still had access to them, or to fall back on an EFS recovery agent if one was configured before the files were encrypted.
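To make the mechanics of the preceding paragraphs concrete (PRD creation, the master-key hierarchy, the wizard's reset, the stale-PRD failure, and the administrator reset), here is a toy model written for this page. It is an added example, not Microsoft code and not code from the original article. Its assumptions: textbook RSA on two fixed Mersenne primes stands in for the PRD key pair and certificate (no padding, not secure, chosen only so the script needs nothing beyond the Python standard library); an HMAC-SHA256 keystream plus tag stands in for the cipher DPAPI applies to the master key; the SID, the passwords and the Machine class are constructed for the demo; and, following the article's description, a normal password change re-keys the master key but does not refresh the Recovery registry entry, so a PRD made before the change decrypts an old password.

```python
"""Toy model of the XP PRD and EFS master-key flow described above (added example)."""
import hashlib
import hmac
import os

# Toy PRD "certificate": textbook RSA on fixed Mersenne primes (assumption; real
# XP generates a proper key pair and certificate). Stdlib-only, not secure.
P, Q = (1 << 127) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, Python 3.8+
SID = "S-1-5-21-1-2-3-1001"                # constructed sample SID

def prd_encrypt(password):
    """Encrypt the password under the PRD public key (kept in the registry)."""
    assert len(password) <= 24, "toy modulus is about 216 bits"
    return pow(int.from_bytes(password, "big"), E, N)

def prd_decrypt(private_key, blob):
    """Recover the password with the private key read back from the PRD."""
    m = pow(blob, private_key, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def credential_key(password, sid):
    """Key derived from the user's credentials (stands in for DPAPI's derivation)."""
    return hashlib.pbkdf2_hmac("sha256", password, sid.encode(), 10_000)

def wrap(key, secret):
    """Toy cipher: HMAC keystream XOR plus HMAC tag, so a wrong key is detected."""
    nonce = os.urandom(16)
    stream = hmac.new(key, nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unwrap(key, blob):
    """Return the secret, or None if the key does not match the tag."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    stream = hmac.new(key, nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

class Machine:
    """One standalone box: SAM password, Recovery registry entry, user profile."""

    def __init__(self, sid, password):
        self.sid, self.password, self.recovery = sid, password, None
        master_key = os.urandom(32)                       # DPAPI master key
        self.efs_key = wrap(master_key, os.urandom(32))   # EFS private key under it
        self.master = wrap(credential_key(password, sid), master_key)

    def create_prd(self):
        """Wizard: store enc(password) in HKLM\\SECURITY\\Recovery\\<SID> and hand
        the private key to the disk (the real wizard also erases it locally)."""
        self.recovery = prd_encrypt(self.password)
        return D

    def change_password(self, old, new):
        """Normal change: master key re-wrapped; Recovery entry left as is (assumption)."""
        assert old == self.password
        mk = unwrap(credential_key(old, self.sid), self.master)
        self.master = wrap(credential_key(new, self.sid), mk)
        self.password = new

    def admin_reset(self, new):
        """Administrator reset: no old password, so the master key cannot be re-keyed."""
        self.password = new

    def reset_with_prd(self, private_key, new):
        """Forgotten Password Wizard: possession of the PRD proves the request."""
        old = prd_decrypt(private_key, self.recovery)
        self.password = new                               # the reset itself succeeds
        mk = unwrap(credential_key(old, self.sid), self.master)
        if mk is None:                                    # stale PRD: old credentials
            return False                                  # master key stays locked
        self.master = wrap(credential_key(new, self.sid), mk)
        return True

    def efs_accessible(self, password):
        """True if these credentials still lead to the EFS private key."""
        if password != self.password:
            return False
        mk = unwrap(credential_key(password, self.sid), self.master)
        return mk is not None and unwrap(mk, self.efs_key) is not None

def scenario(refresh_prd, admin=False):
    """Returns (reset succeeded, EFS files still readable) for one story line."""
    m = Machine(SID, b"Summer2003!")
    disk = m.create_prd()
    if admin:
        m.admin_reset(b"AdminSet#1")
        return True, m.efs_accessible(b"AdminSet#1")
    m.change_password(b"Summer2003!", b"Changed#2")
    if refresh_prd:                                       # user re-ran the wizard
        disk = m.create_prd()
    ok = m.reset_with_prd(disk, b"Reset#3")
    return ok, m.efs_accessible(b"Reset#3")

if __name__ == "__main__":
    print("refreshed PRD:", scenario(True))            # (True, True)
    print("stale PRD:", scenario(False))               # (False, False)
    print("admin reset:", scenario(False, admin=True)) # (True, False)
```

The three scenarios map onto the article's three outcomes: a PRD refreshed after the password change yields a successful reset with EFS files still readable; a stale PRD still resets the password (possession of the disk is all the wizard checks) but leaves the master key wrapped under credentials nobody can supply; and an administrator reset changes the password without ever touching the master key, which is why neither the PRD nor a new one can help afterwards.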