Defualt C$ Share

[SethGecko]

Hi All

I know that if one is on a network then it is possible for the
"Administrator" to \\computername\C$ and see your whole drive
due to the built in share on windows XP.

I would like to know if there is any way that one can detect whether this
has been done if one suspects it.
Is there any spyware or related software that I can install to track if this
is being done ?
Is there any way in the server environemnt where it is logged ?
Is there anything at all i can do on my PC to see if it was accessed in this
way.

Any help would be appreciated !


Thanks !

 

[Richard G. Harper]

(Crossposting reduced)

These are questions you need to take up with your network administrator.
Since s/he can (and probably has) limited the actions you can take on your
PC and on the network we don't have a good way to know what you might or
might not be allowed to do to monitor such access.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 

[Micah E.]

No, an administrator will have to first define the C drive to be shared,
either through logon script, with an answer file during install, or if the
admin used an image.

If an admin did do this, most likely you will not have any rights to install
any apps or even be able to access a server in a client/server environment.

Even if you are not an admin, you will know that this share exists. And this
is not a "built in share" on windows XP. Sharing the C drive must be
defined, it is not automatic.

 

[David H. Lipman]

From: "SethGecko" <[email protected]>

| Hi All
|
| I know that if one is on a network then it is possible for the
| "Administrator" to \\computername\C$ and see your whole drive
| due to the built in share on windows XP.
|
| I would like to know if there is any way that one can detect whether this
| has been done if one suspects it.
| Is there any spyware or related software that I can install to track if this
| is being done ?
| Is there any way in the server environemnt where it is logged ?
| Is there anything at all i can do on my PC to see if it was accessed in this
| way.
|
| Any help would be appreciated !
|
| Thanks !
|
C$ is an automataically created share. It can't be removed but it can be disabled.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
Double click on AutoShareServer and set it to 0 to disable it for a server.
Double click on AutoShareWks and set it to 0 to disable it for a
workstation.
If the entries are not present, Add Value of type REG_DWORD. The Range is 0
(disable) or 1 (enable - the default).

 

[Guest]

Also, doesn't removing File and Print Sharing Service from the Network
properties disable this? I could be wrong, please correct me if I am. Check
with your network admin before doing this, since this service can be used for
other things as well.

Jason Ryon

 

[Jetro]

This is rather a corporate etiquette than technical question. Administrative
shares are there on purpose and believe me, a network admin got a good
reason if she has to connect to hidden shares. Management can press an admin
to restrict this ability but you should have to convince them.
Use a corporate workstation for your job duties only and sleep well.

 

[Lord Gazwad of Grantham]

SethGecko, <[email protected]>, the gonadal, do-nothing heroin addict,
and employee responsible for building high stone walls from small pebbles
using dog shit for mortar, huffed:

Hi All

I know that if one is on a network then it is possible for the
"Administrator" to \\computername\C$ and see your whole drive
due to the built in share on windows XP.

I would like to know if there is any way that one can detect whether
this has been done if one suspects it.
Is there any spyware or related software that I can install to track
if this is being done ?
Is there any way in the server environemnt where it is logged ?
Is there anything at all i can do on my PC to see if it was accessed
in this way.

Any help would be appreciated !


Thanks !

Why not just disable all the default shares?
If only you had posted to alt.os.windows-xp rather than your shosen groups
which, quite frankly, are full of stupid cunts who have less than a clue
between them.

If you want to know how to sort this out then post where I mentioned.

--
For my own part, I have never had a thought which I could not set down
in words with even more distinctness than that with which I conceived
it. There is, however, a class of fancies of exquisite delicacy which
are not thoughts, and to which as yet I have found it absolutely
impossible to adapt to language. These fancies arise in the soul, alas
how rarely. Only at epochs of most intense tranquillity, when the
bodily and mental health are in perfection. And at those weird points
of time, where the confines of the waking world blend with the world of
dreams. And so I captured this fancy, where all that we see, or seem,
is but a dream within a dream.

 

[Guest]

If you want to see if anyone is on the share go to administrative tools/
computer management. Then select shared folders, then click shares. You can
view if there are any current connections to that share, or any share on your
computer.

Look at your local security settings for policies you would like to enforce.
If you are in an enviroment where you would/ should change these
configuration settings.

 

[Guest]

That reminds me, you can check if anybody is currently using your share with
the admin tools>computer management, but that only works if they are on it
right now. You can check the event viewer (run "eventvwr" from the run
command line) In the security log, it lists who has logged in or
authenticated with the computer...even if it's only to the shared drive.
You can sort by user name and check to see if any people have logged on that
shouldn't. There are possibly a lot of names like system, anonymous logon
and your username, but other than that, I would be suspicious.

Hope this helps,
Jason Ryon

 

[Triffid]

Hi All

I know that if one is on a network then it is possible for the
"Administrator" to \\computername\C$ and see your whole drive
due to the built in share on windows XP.

I would like to know if there is any way that one can detect whether this
has been done if one suspects it.
Is there any spyware or related software that I can install to track if this
is being done ?
Is there any way in the server environemnt where it is logged ?
Is there anything at all i can do on my PC to see if it was accessed in this
way.

Any help would be appreciated !


Thanks !

Auditing is disabled by default on XP.

You can enable auditing for logon events in Local Security Settings,
then the security event log will record all logons to your system
whether they occur locally or via the network.

Triffid

 

[Doug Knox MS-MVP]

So much for A+ certifications. This is not true. The $ indicates an Administrative share, and they are created by default on all Windows 2000/XP machines. Any user with the Administrator credentials on the machine can access these shares.

 

[Colin Nash [MVP]]

No, an administrator will have to first define the C drive to be shared,
either through logon script, with an answer file during install, or if the
admin used an image.

If an admin did do this, most likely you will not have any rights to
install any apps or even be able to access a server in a client/server
environment.

Even if you are not an admin, you will know that this share exists. And
this is not a "built in share" on windows XP. Sharing the C drive must be
defined, it is not automatic.

Windows NT, 2000, XP Pro and Server 2003 will automatically share the root
of all volumes as C$, D$ ,etc by default, for administrators only. This is
done by default but can be turned off with a registry setting. See
http://support.microsoft.com/default.aspx?scid=kb;en-us;816524 - I'm not
sure about XP Home Edition

 

[George Hester]

I was going to say that but A++ couldn't argue with that.

--
George Hester
_______________________________
So much for A+ certifications. This is not true. The $ indicates an
Administrative share, and they are created by default on all Windows 2000/XP
machines. Any user with the Administrator credentials on the machine can
access these shares.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart
Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com

 

[pcbutts1]

His answer was not wrong. He stated that his work around was "not" the
built-in share as the OP already knew about the C$. What he said did not
exactly answer the question. What he should have said was to use Computer
management>shared folders to see that the shares are there and use the
event viewer>security to check if anyone has accessed it.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



So much for A+ certifications. This is not true. The $ indicates an
Administrative share, and they are created by default on all Windows 2000/XP
machines. Any user with the Administrator credentials on the machine can
access these shares.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart
Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com

 

[Doug Knox MS-MVP]

As I recall, its the same for Home.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com

 

[Eric Cross [MVP]]

Special Shared Folders Are Missing from Windows XP Home Edition
http://support.microsoft.com/default.aspx?scid=kb;en-us;282209


--
Eric Cross
Microsoft MVP (Windows Networking)
http://mvp.support.microsoft.com


As I recall, its the same for Home.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart
Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com

 

[Doug Knox MS-MVP]

Thanks, Eric. I hadn't run Home in quite a while, so wasn't certain.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com

 

[Robert Moir]

So much for A+ certifications. This is not true. The $ indicates an
Administrative share, and they are created by default on all Windows
2000/XP machines. Any user with the Administrator credentials on the
machine can access these shares.

Minor point Doug, a "$" at the end of a share name indicates a *hidden*
share, one that doesn't show up when browsing a computer. Other than that,
hidden shares can behave like a normal share in any other way.

While the set (administrative shares) is a member of the set (hidden
shares), the reverse is not true - you can create your own hidden share by
sharing anything you like, setting NTFS and share permissions any way you
like (including removing access rights from admins), and placing a "$" at
the end of the share name.

--

 

[Doug Knox MS-MVP]

True

 

[Guest]

Windows NT, 2000, XP Pro and Server 2003 will automatically share the root
of all volumes as C$, D$ ,etc by default, for administrators only. This is
done by default but can be turned off with a registry setting. See
http://support.microsoft.com/default.aspx?scid=kb;en-us;816524 - I'm not
sure about XP Home Edition

So I shouldn't have anything to fear from if I see such a share for my drives?? When I tried to remove it, it said that it's a share created for administrative purposes only and on restart the share will be turned on again. I'm asking to make sure because I recently made quite a big mess on my hard drives.