Guest Oxo
Posted July 19, 2007

Hi,

I am experiencing a strange problem on a large number of XP machines on our domain.

At least half of our PCs (both notebooks and desktops) are missing the administrative shares in Windows XP (C$ and Admin$) on a daily basis. It seems that the following key gets reset back to 0 (instead of 1) on a regular basis, with no intervention from us or the user. This key enables or disables the Admin shares:-

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareWks for workstations
Type: REG_DWORD
Value: 1 (on) 0 (off)

As far as I'm aware, we have no virus infection that could cause this and have nothing in any logon scripts at start-up which could cause this. I cannot see anything in Group Policy which could do this, but will be happy to be proved wrong!

Any help in resolving this would be greatly appreciated, we're tearing our hair out here!

Regards

Ox
Guest Roger Abell [MVP]
Posted July 19, 2007

Have you used GPMC to do a resultant policy view for an affected system to make sure it is not carried by policy ?
Guest Oxo
Posted July 20, 2007

Thanks for replying Roger,

Yes we have run a resultant policy settings view, and could find nothing that could affect the admin shares in this way. I'm not even sure that this option is available in Group policy anyway (happy to be corrected on this point if anyone knows different!)

Cheers

Ox
Guest Roger Abell [MVP]
Posted July 21, 2007

It is not "built into" group policy as shipped, but the Windows Server 2003 Security Guide provides this as one of the settings one might want to add to the Security Options section, with full instructions on modifying sceregvl.inf, so I was thinking perhaps you had an exploring junior admin around.

I realize you have indicated belief that the machines are clean, but I have only heard of the kind of thing you report when it is due to malware. So I am out of ideas for you -( other than placing an audit on the containing reg key to see if that traps any time/account info of use.

Roger
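The audit on the containing registry key suggested in the post above, sketched in PowerShell as an added example that is not part of the thread. It assumes an elevated session on a Windows version that has `auditpol` subcategories and logs registry value changes as Security event 4657 (Windows Vista and later; the XP machines in the thread record object access under different event IDs). The function name `Get-AutoShareChange` is hypothetical.

```powershell
# Added example: audit writes to the key that holds AutoShareWks, then report
# which account and process changed the value. Run from an elevated prompt.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$valueName = 'AutoShareWks'

# 1. Note the current value so a later reset is easy to spot.
$item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($item) { "$valueName = $($item.$valueName)" } else { "$valueName is not set" }

# 2. Add an audit (SACL) entry: successful value writes and deletes by Everyone.
#    S-1-1-0 is the well-known Everyone SID, independent of the OS language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.RegistryRights]'SetValue, Delete'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $keyPath -Audit      # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. The SACL only produces events if registry auditing is switched on.
auditpol /set /subcategory:"Registry" /success:enable | Out-Null

# 4. After the value has been reset again, list who and what wrote to it.
function Get-AutoShareChange {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the event's named data fields into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ObjectValueName'] -eq $valueName) {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Account  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    Process  = $data['ProcessName']
                    OldValue = $data['OldValue']
                    NewValue = $data['NewValue']
                }
            }
        }
}
Get-AutoShareChange | Sort-Object Time | Format-Table -AutoSize
```

A write made by SYSTEM through a service process, or by an unfamiliar executable, points to the component to investigate; an interactive admin account points to a script or a manual change.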
Guest Eddie Bowers [MSFT]
Posted July 24, 2007

This is pretty typical of a lot of malware.
You should scan at least a few of these machines with various online scanners to see if anything picks something up (safety.live.com, housecall.trendmicro.com).

Eddie Bowers
Security Support
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.