How to Use Dell Encryption LSARecoveryDecrypt Tool

Summary: This article describes the situations in which you must use the LSARecoveryDecrypt tool to generate the registry keys or batch files that enable or disable one of the configuration changes. ...


Instructions

Affected Products:

  • Dell Encryption Enterprise
  • Dell Encryption Personal
  • Dell Encryption External Media

Affected Versions:

  • v10.9 and Later

The LSARecoveryDecrypt tool can be used to rebuild, at boot time, the active service list that the Shield maintains to protect against offline service injection. The tool can also be used to enable or disable Service Monitoring (SRVMONFF).

Scenarios that can occur:

  • The computer stops responding during boot with Stop 0xB4 VIDEO_DRIVER_INIT_FAILURE and has Dell Encryption Enterprise, Personal, or External Media installed.
  • During the boot process, the computer may encounter a problem and stop responding with bug check 0xB4: VIDEO_DRIVER_INIT_FAILURE. This indicates that the computer is unable to load an appropriate display driver during boot.

Dell Encryption maintains a list of active services to prevent services from being injected offline. When the computer boots, the list of active services is compared with the list from the previous boot, and services that appear to have been installed suspiciously may be blocked from starting.

In this instance, the Dell Encryption registry driver is preventing the Microsoft TSDD display driver from starting because it believes that the service is malicious.

Note: If you are experiencing this issue on multiple computers, contact Dell Support to assist with preventing the issue from occurring and any assistance that is needed in recovering affected computers.
Warning: The next step is a Windows Registry edit:

Possible Workaround:

If the computer is in Dell Encryption External Media mode only, it may be possible to boot the computer to WinPE, rename the C:\windows\system32\drivers\cmgffe.sys driver, and the device may then boot back into Windows so that the registry key below can be applied to fix the issue.

Caution:
  • While the driver is renamed, files that are copied to external media are not encrypted.
  • Renaming the driver is only a temporary step to get the computer booted back into Windows to apply the registry key generated below.

Recovery Steps:

For the computer to boot properly again the active service list must be cleared and rebuilt during boot time. An encrypted registry key must be created using the tool below and applied to the computer.

The LSARecoveryDecrypt tool can be used to rebuild, at boot time, the active service list that Dell Encryption maintains. Sometimes the active service list does not match the previously recorded service list, and Dell Encryption concludes that services may have been injected offline. This can cause the computer to stop responding with 0xB4, VIDEO_DRIVER_INIT_FAILURE.

To obtain the LSARecoveryDecrypt.exe tool contact Dell Data Security Support.

A recovery bundle for the endpoint, downloaded from the server, together with the password for that bundle, is required for the LSARecoveryDecrypt tool to generate the correct registry entries.

  1. Copy the LSARecoveryDecrypt.exe tool to a computer that already has Dell Encryption installed. The computer that generates the registry key must have Dell Encryption installed because the Dell Encryption driver is required to generate the registry key.
  2. Download the LSARecovery bundle exe from the Dell Security Management Server for the endpoint that must have the service list rebuilt.
  3. Copy it into the folder where LSARecoveryDecryptTool.exe exists.
  4. Open an admin cmd prompt. Go to where the LSA folder exists.

To rebuild the service list from within Windows:

Use these steps if you can boot the affected computer into Windows. This command line creates a .reg file for use when the affected computer can still boot into Windows.

The regkey that is created with this command can be imported from within Windows. On the next reboot the service list that CMG maintains will be rebuilt.

LSARecoveryDecrypt [-f <LSA Recovery Bundle>] -p <password> -RebuildServiceList -OnlineRegEntry -d <full path to registry file>
Note: The following command creates a .reg file called rebuildservicelist.reg in the C:\LSA folder that can be imported using regedit on the affected computer from within Windows. After it has been imported and the computer is rebooted, the service list that Dell Encryption maintains is rebuilt, and the computer should boot without issues.
LSARecoveryDecrypt -f <LSA Recovery Bundle file> -p <password to recovery bundle> -RebuildServiceList -OnlineRegEntry -d C:\LSA\rebuildservicelist.reg

To use the .reg file, double-click the generated file and allow the entry to be processed.

Recover and rebuild service list from WinPE:

If you are trying to recover a computer but can only boot into WinPE, use the following command, which creates a batch file to be run from WinPE. The batch file inserts the encrypted registry key into the proper registry hive so that the service list that CMG maintains is rebuilt on the next boot.

This command line creates a .bat file for use in WinPE:

LSARecoveryDecrypt [-f <LSA Recovery Bundle>] -p <password> -RebuildServiceList -d <full path to batch file>
Note: This creates a batch file called rebuildlist.bat in C:\LSA that can be run from within WinPE on the affected machine to insert the registry key that rebuilds the service list. If the C:\windows\system32\drivers\CMGFFE.sys driver has been renamed to something else, you must rename it back to CMGFFE.sys for this to take effect on the next boot.
LSARecoveryDecrypt [-f <LSA Recovery Bundle>] -p <password> -RebuildServiceList -d C:\LSA\rebuildlist.bat

To use the .bat file, copy the file to a location where WinPE has access. Boot to WinPE. Run the .bat file with one argument, the path to the SYSTEM registry hive. This is usually c:\windows\system32\config\SYSTEM.

Note: The drive letter may change in WinPE, so examine the drives to find the correct drive letter.

You can use the diskpart utility to see a list of drive volume letters and their size by entering list vol at the diskpart prompt.
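The WinPE step above depends on finding the correct drive letter for the offline Windows volume. The following batch script is an added example, not Dell's own script: it probes each drive letter for a SYSTEM hive, warns if cmgffe.sys is not present under its original name, and then calls the generated rebuildlist.bat with the hive path. It assumes rebuildlist.bat sits in the same folder as the script.

```batch
@echo off
rem Added example, not Dell's own script: find the offline Windows volume from WinPE
rem and run the generated rebuildlist.bat against its SYSTEM hive.
rem Assumptions: rebuildlist.bat is in the same folder as this script, and the
rem Windows installation is on one of the letters C: through Z:.
setlocal EnableDelayedExpansion
set "HIVE="
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist "%%D:\Windows\System32\config\SYSTEM" (
        if defined HIVE (
            rem Two candidate installations: refuse to guess which one to patch.
            echo Found SYSTEM hives on both !HIVE:~0,2! and %%D: - pass the path manually.
            exit /b 1
        )
        set "HIVE=%%D:\Windows\System32\config\SYSTEM"
    )
)
if not defined HIVE (
    echo No SYSTEM hive found. Use diskpart ^(list vol^) to identify the Windows volume.
    exit /b 1
)
set "WINDRV=%HIVE:~0,2%"
echo Using SYSTEM hive: %HIVE%

rem The rebuild only takes effect if the Dell driver is back under its original name.
if not exist "%WINDRV%\Windows\System32\drivers\cmgffe.sys" (
    echo cmgffe.sys is missing from %WINDRV%\Windows\System32\drivers.
    echo If it was renamed as a workaround, rename it back before rebooting.
)

rem rebuildlist.bat takes one argument: the path to the offline SYSTEM hive.
call "%~dp0rebuildlist.bat" %HIVE%
exit /b %ERRORLEVEL%
```

Copy the script next to rebuildlist.bat on media that WinPE can read, then run it from the WinPE command prompt before rebooting.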

In both cases, reboot the computer; the active service list is rebuilt and the computer should boot again without issues.


To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

Dell Encryption
Article Properties
Article Number: 000204606
Article Type: How To
Last Modified: 02 Oct 2023
Version:  4