offline files windows7
7/30/2019 Offline Files Windows7
I'm glad this thread is still alive or I would have missed it due to only skim-reading the forums
these last few days. Getting to the offline files cache is actually quite simple once you know
how, though it was easier in Vista than it is in 7.

First off, you'll need either your Windows 7 setup disc or something like ERD Commander. If
you're using whole-drive encryption with BitLocker (or something else), then you'll need to use
whatever tools are available to you to decrypt the volume first. I don't use BitLocker precisely
because it makes this sort of data recovery far more inconvenient than the protection is worth,
so I can't help you with that step.

Reboot your machine into whichever of the above you have, and launch a command prompt.
To launch a command prompt from the Windows setup disc, wait until you're in the GUI and
then hit Shift+F10.

cd to D:\Windows\CSC\v2.0.6\namespace

It's D:\ and not C:\ because C: will have been assigned to the normally-hidden BitLocker
partition while you're in this mode. This folder is well protected, with only the SYSTEM account
having access. What's more, when Windows 7 is running, you can't access this folder or its
content even if you use something like psexec -s cmd to run a command prompt under the
SYSTEM account (and even if you stop the Offline Files service first). This is why we're using a
separate environment.

Now simply run dir

You should see a list of directories corresponding to servers the machine has synchronised
from. cd into one of them and you'll see share names. From there, you can cd to whatever
folder is synchronised.

Now, if you have any sense whatsoever you will have configured Windows to encrypt the
offline files cache (which is what I do instead of using BitLocker), so even though you can see
these files as SYSTEM, you can't access them directly because they are encrypted with the
user's EFS certificate. The first step to having the files themselves is to use robocopy with the
/EFSRAW switch to copy whatever you need to a folder elsewhere on the disc.

Once you have all the files you need, reboot into Windows proper and find the folder you
copied stuff to. You still won't have immediate access to the files because they are still
encrypted with the user's EFS certificate, so you'll need to make these files available to the
user (or steal their EFS certificate and load it into your own certificate store) and have them
copy them back to wherever they are needed.

You're welcome.

AT's final thought: If the Offline Files cache has shafted itself for some reason, none of the
above may work. You're on your own.
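
The copy step described in the post, written out as a batch file for the recovery environment's command prompt. This is an added example, not part of the original post; SERVER, SHARE, D:\Recovered and the log path are placeholder assumptions to replace with the names that dir shows on your machine.

```batch
@echo off
rem Added example, not from the original post.
rem SERVER, SHARE and D:\Recovered are placeholders (assumptions).
rem D: is the Windows volume as seen from the recovery environment,
rem as explained in the post.
setlocal
set "CSC=D:\Windows\CSC\v2.0.6\namespace"
set "SRC=%CSC%\SERVER\SHARE"
set "DST=D:\Recovered"

if not exist "%SRC%\" (
    echo Source "%SRC%" not found. Servers present in the cache:
    dir /b /ad "%CSC%"
    exit /b 1
)

rem /E       copy subdirectories, including empty ones
rem /EFSRAW  copy encrypted files as raw EFS data, so no key is needed here
rem /R:1     retry a failed file once instead of the default million times
rem /W:1     wait one second between retries
rem /LOG     write the file list to a log instead of the console
robocopy "%SRC%" "%DST%" /E /EFSRAW /R:1 /W:1 /LOG:"D:\csc-recovery.log"

rem robocopy exit codes are a bitmask; 8 or higher means at least
rem one file or directory failed to copy.
if errorlevel 8 (
    echo Copy reported failures, see D:\csc-recovery.log
    exit /b 1
)
echo Copy finished. The files are still EFS-encrypted to the original user.
```

After rebooting into Windows, running cipher /c against one of the copied files shows which users and certificate thumbprints are able to decrypt it.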