Default shares removed automatically


Sabu

Sirs,
We have some Windows 2000 Professionals connected in a
workgroup. While accessing some of the machines through
My Network Places it gives an error "Server is not
Configured for Transactions". While investigating I
understand that the default shares have been deleted (IPC$,
C$ etc). Because these shares cannot be deleted by anyone, I
suspect some virus in my machines. Also I am not able to
create these shares through Computer Management. So does
anybody have any idea about what virus it may be affected
by and how it can be cured? Also how can I re-establish the
default shares? Please help me in this regard.
 

Bruce Monroe

Missing administrative shares typically indicate that the machine has been
compromised somehow. These issues may occur when a malicious program
removes the administrative shares on a Windows Server 2003, Windows XP,
Windows 2000, or Windows NT 4.0 computer.

Often, computer hackers connect to these administrative shares by taking
advantage of weak passwords, missing security updates, direct exposure of
the computer to the Internet, or a combination of these factors. The
hackers then install malicious programs to expand their influence over the
computer and over the rest of the computer network. In many cases, these
malicious programs remove the administrative shares as a defensive move to
prevent other competing hackers from taking control of the infected systems.

Infection by one of these malicious programs may come directly from the
Internet or from another computer on the local network that is infected. It
generally indicates that security on the network is weak. Therefore, if you
see these symptoms, I recommend that you check all other computers on the
network for malicious programs by using anti-virus software and spyware
detection tools.

An example of a malicious program that removes administrative shares is
the Trojan horse program Backdoor.IRC.Flood.E. After it infects a computer,
it runs a batch file that removes the administrative shares. For technical
details about how this works, visit the following page on the Symantec
Security Response Web site:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.flood.e.html

Note: Be aware that Backdoor.IRC.Flood.E is only an example. This
particular program is old and may not be used currently by hackers.
However, hackers frequently develop new programs and variants to avoid
detection by anti-virus software.

To verify whether a computer is affected by this problem, follow these
steps (These steps require accessing the registry):

Warning: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using
Registry Editor incorrectly. Use Registry Editor at your own risk.

1. Check the AutoShareServer and AutoShareWks registry values to make sure
they are not set to 0:

a. Click Start, click Run, type regedit, and then press ENTER to
start the Registry Editor.
b. Locate the following registry sub-key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
c. If the AutoShareServer and AutoShareWks DWORD values in the
LanmanServer\Parameters sub-key are configured with a value data of 0,
change that value to 1.

Note: If these values do not exist, you do not need to create them because
the default behavior is to create the administrative shares automatically.

d. Quit the Registry Editor.

2. Restart the computer. During normal operation, a Windows Server 2003,
Windows XP, Windows 2000, or Windows NT 4.0 computer will create the
administrative shares automatically during startup.

3. After the computer restarts, check whether the administrative shares are
active. To check the shares, use the net share command:

a. Click Start, click Run, type cmd, and then press ENTER.
b. Type net share at the command prompt, and then press ENTER.
c. Look for the administrative shares Admin$, C$, and IPC$ in the
list of shares.

If the administrative shares are not listed, the computer is
running a malicious program that removes the shares during startup.

To check for malicious programs, use the following steps:

1. Run a thorough anti-virus scan on the computer using the latest virus
definitions. You can use your anti-virus software or use one of several
free virus scanning services that are available on the Internet. See the
More Information section of this article for links to virus definition
updates and free online scans from popular anti-virus software vendors.

Important: If you suspect that a computer is infected with malicious code,
I recommend that you remove it from the network as soon as possible. We
recommend this because a hacker may be using the system to launch
Distributed Denial of Service (DDoS) attacks, to send unsolicited
commercial e-mail, or to share illegal copies of software, music, and
movies.

2. If the anti-virus scan identifies a malicious program on the system, use
the anti-virus vendor's removal instructions. Additionally, review the
threat assessment and the technical details about the program on your
anti-virus vendor's Web site. In particular, check to see if the program
includes backdoor capability. Backdoor capability means that the program
provides a way for the hacker to regain control of the system if the
program is discovered and removed.

If the technical details about the program indicate that it has backdoor
capability, I recommend that you format the computer's hard drive and
reinstall Windows securely. For information about securing Windows systems
and servers, visit the following Web site:

Hardening Systems and Servers: Checklists and Guides
http://www.microsoft.com/technet/Security/topics/hardsys/default.mspx

3. If the anti-virus scan does not identify a malicious program on the
system, it does not mean that the computer is not infected by malicious
code. More likely, it means that the malicious program is a new program or
variant, and the latest virus definitions do not detect it. In this case,
contact the anti-virus vendor to report the problem, or open a support
incident with Microsoft product support services to investigate.


Thank you,

Bruce Monroe (MSFT)
Platform Support
Microsoft Corp.

----

This posting is provided "AS IS" with no warranties, and confers no rights

Please do not send email directly to this alias. This alias is for
newsgroup purposes only.

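The registry check and the net share check from the reply above, combined into one PowerShell script; this is an added example, not code from the thread or from Microsoft. It assumes local administrator rights and uses WMI's Win32_Share rather than Get-SmbShare so it also runs on older Windows versions with PowerShell 2.0; the -Fix switch and the exit-code convention are this example's own.

```powershell
# Added example (not from the thread): read-only check for the symptoms
# described above, with an optional -Fix that resets the two values to 1.
# Assumes local administrator rights. Get-WmiObject is used instead of
# Get-SmbShare so it runs on older Windows / PowerShell 2.0
# (on PowerShell 7 replace Get-WmiObject with Get-CimInstance).
param([switch]$Fix)

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$expected  = @('ADMIN$', 'C$', 'IPC$')
$problems  = 0

# Step 1: AutoShareServer / AutoShareWks = 0 suppress the shares at startup.
# Absent values are the default and mean the shares are created automatically.
$params = Get-ItemProperty -Path $paramsKey
foreach ($name in 'AutoShareServer', 'AutoShareWks') {
    $value = $params.$name
    if ($null -eq $value) {
        Write-Output "$name : not set (default; shares are created automatically)"
    } elseif ($value -eq 0) {
        $problems++
        Write-Warning "$name is 0: administrative shares are being suppressed"
        if ($Fix) {
            Set-ItemProperty -Path $paramsKey -Name $name -Value 1 -Type DWord
            Write-Output "  set $name to 1; restart the computer to recreate the shares"
        }
    } else {
        Write-Output "$name : $value"
    }
}

# Step 3: the live share list, equivalent to running 'net share'.
$shares  = Get-WmiObject -Class Win32_Share | Select-Object -ExpandProperty Name
$missing = $expected | Where-Object { $shares -notcontains $_ }
if ($missing) {
    $problems++
    Write-Warning ("Missing administrative shares: " + ($missing -join ', '))
    if (-not ($params.AutoShareServer -eq 0 -or $params.AutoShareWks -eq 0)) {
        # Registry says the shares should exist, yet they are gone: something
        # is removing them after startup, which is the malware symptom above.
        Write-Warning "Registry is not suppressing the shares; suspect a program that deletes them. Isolate the machine and scan with current definitions."
    }
} else {
    Write-Output "All expected administrative shares present: $($expected -join ', ')"
}
exit $problems
```

Run it without -Fix first to record the state for your incident notes; a non-zero exit code means at least one of the two symptoms was found.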
 

Guest

Hello Bruce, I have just read your posting and I had a look at my net share.
Could you tell me what it is supposed to say, as I have Remote IPC and Remote
Admin? Is this something I should be worried about?
Thank you in advance
 
