Win XP Hidden Shares


  1. #1
    Member
    Join Date
    Feb 2002
    Posts
    37

    Win XP Hidden Shares

    When Windows XP is installed, hidden administrative shares are created. They can be found by going to Start>>Administrative Tools>>Computer Management. Open the System Tools folder, Shared Folders, and finally open up the Shares. Recently my machine was completely compromised because of this crap. I ended up losing everything as someone else gained admin privileges to my entire OS. These shares ARE a security risk.

    http://support.microsoft.com/default...EN-US;q314984&

    Microsoft describes the shares:

    Windows XP computers create hidden administrative shares that administrators and operating system services can use to manage the computer environment on the network. By default, administrative shares such as ADMIN$ are enabled by the system. Any share that is created by the system (such as C$), can be disabled, but it is then re-enabled by the system after you restart your computer. Shares that are created by users can be disabled, and they are not recreated after you restart your computer. Administrative shares include the following shares:

    Root partitions or volumes
    The system root folder
    The FAX$ share
    The IPC$ share
    The NETLOGON share
    The PRINT$ share

    Root partitions and volumes are shared as the drive letter name appended with the $ sign. For example, drive letters C and D are shared as C$ and D$.

    The system root folder (%SYSTEMROOT%) is shared as ADMIN$. This administrative share provides administrators with easy access to the system root folder hierarchy over the network.

    The FAX$ share is used by fax clients in the process of sending a fax. This shared folder caches files and accesses cover pages that are stored on a file server.

    The IPC$ share is used with temporary connections between clients and servers by using named pipes for communications among network programs. It is primarily used for remote administration of network servers.

    The NETLOGON share is used by the Netlogon service to process log on requests.

    The PRINT$ share is used for the remote administration of printers.

    __________________________________________________________________________

    Each time you log on you can disable the shares, but it's only temporary. To disable the shares for good it has to be done through the registry.

    Windows Tech support emailed this to me:

    You want to delete your Admin$ share.

    Cause:
    Your system is not secure. You'd like to make it more secure.

    Resolution/Recommendation:
    Edit the key
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

    ___________________________________________________________________________

    Now what? I don't know much about the registry. I found the Parameters folder; now what do I do with it?

    I found this through a web search: http://is-it-true.org/nt/atips/atips2.shtml

    There's nothing in my Parameters folder Named AutoShareServer or AutoShareWks.


    Can anyone give me any help on this?


    Thanks

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    831
    You're meant to create them.....

    Right click on the branch (folder) and choose new -> DWORD.

    Set it to a value of 0 or 1... I can't remember which one it is.....
    -Matty_Cross
    "Isn't sanity just a one trick pony anyway? I mean, all you get is one trick. Rational Thinking.
    But when you're good and crazy, hehe, the sky's the limit!!"

  3. #3
    Member
    Join Date
    Feb 2002
    Posts
    37
    What do you mean? They are already there. I wanna get rid of them.

    I just manually deleted ADMIN$ and C$ and there seems to be no effect on performance. For some reason the IPC$ share won't delete. As soon as I reboot, ADMIN$ and C$ will be there again. I want these off of my system.

    Edit: There's 6 DWORDs in that Parameters folder. Which one do I use? I know it should be set to 0.

    Edit: Ok, I think I know what you mean. I created "New Value #1 REG_DWORD 00000 (0)". But it didn't seem to work. The shares are still there.

  4. #4
    Senior Member
    Join Date
    Sep 2001
    Posts
    831
    Okay..

    If you've done it properly, and edited/created the AutoShareServer/AutoShareWks registry key, when you delete the shares and reboot, they should not come back....

    BTW, Windows XP shouldn't have the AutoShareServer key by default.....
    -Matty_Cross
    "Isn't sanity just a one trick pony anyway? I mean, all you get is one trick. Rational Thinking.
    But when you're good and crazy, hehe, the sky's the limit!!"

  5. #5
    Junior Member
    Join Date
    Sep 2002
    Posts
    6
    What M$ says now:

    http://support.microsoft.com/default...;en-us;Q314984

    What they said then:

    http://support.microsoft.com/default...;en-us;Q288164

    Notice, the 2nd one does say it works with XP Pro.
    -kid-

  6. #6
    Member
    Join Date
    Feb 2002
    Posts
    37

    It worked

    It worked!

    I got rid of the ADMIN$ and the C$ share. I guess the IPC$ (or whatever it's called) is impossible to delete. I'm just glad to get rid of that admin share....and edit the registry for the first time.

    Thanks!

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Do remember that removing the admin shares provides no security improvement.

    Someone who gets local admin rights remotely can still connect to the server service and create whatever shares they like remotely.

    Also the admin shares can only be accessed by users with local admin rights - so there really is no difference if they're present or absent.

    If you're not using it, stop the server service. That will keep everybody out.
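
    The registry fix the earlier posts settle on (a REG_DWORD named AutoShareWks or AutoShareServer under the LanmanServer Parameters key, set to 0) and the point made in this post (the Server service itself is what exposes any share) can both be checked from one script. The following PowerShell is an added example written for this thread, not code from the original posts or from Microsoft; it assumes an elevated prompt on the machine being audited and that `net share` is available, and it only reports state (the line that would apply the fix is left as a comment).

```powershell
# Added example (not from the thread): audit the settings discussed above.
# Assumes an elevated PowerShell prompt on the machine being checked.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$params = Get-ItemProperty -Path $key

# AutoShareWks applies to workstation editions, AutoShareServer to server editions.
# Absent value = default behaviour: ADMIN$ and the drive shares are recreated at boot.
foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    $value = $params.$name
    if ($null -eq $value) {
        Write-Output "$name : not present (default: administrative shares recreated at boot)"
    } elseif ($value -eq 0) {
        Write-Output "$name : 0 (automatic administrative shares disabled)"
    } else {
        Write-Output "$name : $value (automatic administrative shares enabled)"
    }
}

# To apply the fix from the thread (workstation edition), uncomment the next line,
# then delete the shares and reboot:
# New-ItemProperty -Path $key -Name AutoShareWks -PropertyType DWord -Value 0 -Force

# The Server service (LanmanServer) serves every SMB share, hidden or not; if it is
# stopped, no share is reachable regardless of the registry value.
$svc = Get-Service -Name LanmanServer
Write-Output ("Server service (LanmanServer): " + $svc.Status)

# List the shares currently offered whose names end in $ (hidden from browsing).
# IPC$ is expected to remain even after the registry change.
Write-Output "Hidden shares currently offered:"
net share | Select-String -Pattern '^\S+\$\s' | ForEach-Object {
    Write-Output ("  " + $_.Line.Trim())
}
```

    Run it before and after the registry change and a reboot: the AutoShare line should change from "not present" to "0", ADMIN$ and C$ should drop out of the share list, and IPC$ should still be listed. Note that the Server service line is the one that actually answers the question of whether anything is reachable over SMB.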

  8. #8
    Member
    Join Date
    Feb 2002
    Posts
    37
    Distinguish between the administrator account that you own and the hidden admin account that you have no real access to, except for when you go into safe mode. They are two different accounts.

    Someone got local admin rights remotely on my PC through the hidden admin account that MS creates. That admin account overrides the admin account that we all use. He had control of the most powerful account on my OS, which happened to be hidden from me. Needless to say, I was at his mercy and eventually ended up being completely locked out of even simple user accounts.

  9. #9
    Junior Member
    Join Date
    Sep 2003
    Posts
    11
    I'm a little confused. We have a LAN in our hostel and I know both my friend's admin and guest passwords, but still, when I go to \\his comp's name\C$ it asks for a password and none of these passwords actually works, with the option "allow to be used remotely" being enabled.
    One thing is sure: he doesn't have any other account on his comp, so can anyone help us (yes, this has frustrated both of us)??
    dion

  10. #10
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    You got rid of that crap...

    But... remember: Service Packs, updates and patches will bring 'em back.
    ...and (RWMADX) access to C: for ALL.

    Or am I not right?
