Missing Admin Shares

Thread starter: Oxo (Guest)

Hi,

I am experiencing a strange problem on a large number of XP machines on our
domain.

At least half of our PCs (both notebooks and desktops) are missing the
administrative shares in Windows XP (C$ and Admin$) on a daily basis. It
seems that the following key gets reset back to 0 (instead of 1) on a regular
basis, with no intervention from us or the user. This key enables or disables
the Admin shares:-

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareWks for workstations
Type: REG_DWORD
Value: 1 (on) 0 (off)

As far as I'm aware, we have no virus infection that could cause this and
have nothing in any logon scripts at start-up which could cause this. I
cannot see anything in Group Policy which could do this, but will be happy to
be proved wrong!

Any help in resolving this would be greatly appreciated, we're tearing our
hair out here!

Regards

Ox
 
Have you used GPMC to do a resultant policy view for an
affected system to make sure it is not carried by policy?

 
Thanks for replying Roger,

Yes we have run a resultant policy settings view, and could find nothing
that could affect the admin shares in this way. I'm not even sure that this
option is available in Group policy anyway (happy to be corrected on this
point if anyone knows different!)

Cheers

Ox

 
It is not "built into" group policy as shipped, but the Windows
Server 2003 Security Guide provides this as one of the settings
one might want to add to the Security Options section, with full
instructions on modifying sceregvl.inf, so I was thinking perhaps
you had an exploring junior admin around.

I realize you have indicated belief that the machines are clean,
but I have only heard of the kind of thing you report when it is
due to malware.

So I am out of ideas for you ;-( other than placing an audit on
the containing reg key to see if that traps any time/account info
of use.

Roger
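
The audit on the containing registry key suggested above, as an added example that is not part of the original thread. It assumes PowerShell 2.0 or later is installed on the affected workstation, that "Audit object access" (Success) is already enabled in the machine's audit policy, and that the newest 5000 Security events are a wide enough window; the script is illustrative, not something the posters ran.

```powershell
# Added example (not from the thread). Run elevated on one affected machine.
# Assumption: "Audit object access" (Success) is enabled in audit policy;
# without it the SACL entry below produces no events.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# 1. Record the current state of the value named in the original post.
$props = Get-ItemProperty -Path $keyPath -ErrorAction Stop
$value = $props.AutoShareWks            # $null when the value does not exist
$shown = if ($null -eq $value) { '<not set>' } else { $value }
"{0}  AutoShareWks = {1}" -f (Get-Date -Format s), $shown

# 2. Add an audit (SACL) entry: log every successful value write or delete
#    on this key by any account. S-1-1-0 is the well-known Everyone SID,
#    used instead of the name so the rule also works on localized builds.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.RegistryRights]'SetValue, Delete'
$rule     = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList `
    $everyone, $rights,
    ([System.Security.AccessControl.InheritanceFlags]::None),
    ([System.Security.AccessControl.PropagationFlags]::None),
    ([System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $keyPath -Audit    # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Once the value has flipped back to 0, pull the matching Security events.
#    The logged object name uses the kernel form of the path
#    (\REGISTRY\MACHINE\SYSTEM\ControlSetNNN\...), so match on the tail only.
Get-EventLog -LogName Security -Newest 5000 |
    Where-Object { $_.Message -match 'Services\\LanManServer\\Parameters' } |
    Sort-Object TimeGenerated |
    Select-Object TimeGenerated, EventID, UserName, Message |
    Format-List
```

The event message names the account and process that touched the key, which is the time/account information the audit is meant to capture.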

 
This is pretty typical of a lot of malware. You should scan at least a few
of these machines with various online scanners to see if anything picks
something up (safety.live.com, housecall.trendmicro.com).

Eddie Bowers
Security Support
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
 