Hidden Shares Disappear

Guest

Sometime over the weekend, the hidden shares that I have on my servers
disappeared and every time I create one and then reboot the server, it
disappears. When you look in computer management, there are no shared drives,
unless it was created without an $ at the end. I also can't connect to the
server using the computer management mmc. In the logs I get an ESENT error and
I've tried the various ways to esentutl. Still nothing has helped get them
back. Even tried restoring the secedit.sdb from a date when everything was
fine, but that did not work. I'm running out of ideas. My next step will be
to try to recreate the shares from scratch, which I don't want to do.
Thanks.
 
Steven L Umbach

Such behavior may be an indication of malware so I would be sure to scan all
of your computers for such using the latest definitions from your antivirus
vendor's website. Verify that file and print sharing is enabled on your
computers, that the server service is started, see if nbtstat -n shows at
least three registered names, and that netstat -an shows ports 139 and/or
445 TCP as listening or connected. Also look in the application/system logs
in Event Viewer to see if anything pertinent has been recorded and run the
command net config server to see what it reports. Run the support tool
netdiag to see if it finds any problems that can give you an idea what the
problem may be. Sometimes the command net share ipc$ or uninstalling and
reinstalling file and print sharing helps.

The fact that it has happened to more than one server is curious. Try to think
if anything was done or changed in that timeframe such as installing new
software or changing Group Policy to modify security policy on your servers.
I would also boot into safe mode with networking to see if that makes a
difference. If it does it could indicate a startup
application/service/driver causing a problem. --- Steve
 
Guest

Tried what you suggested and nothing seemed to help it. The virus scanner has
picked up nothing, file and print sharing is enabled, server service is
started, nbtstat shows me what I should be seeing, net config server reported
nothing unusual. I ran the Microsoft malware removal program and it found
nothing. The Microsoft antispyware also did not detect anything. No new
programs have been installed and I do not use group policy much. I have been
getting a lot of master browser events in the event viewer.
 
Steven L Umbach

Hmm. When you say hidden shares do you mean the default administrative
shares such as c$ or ones you are trying to create? Does ipc$ show when you
look at your shared folders in Computer Management? Did netdiag report any
problems? If possible paste some of the Event IDs that you are seeing for
Esent and the browser. If the problem is for default hidden shares see the
link below to check the registry to make sure they are still enabled. ---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;816113

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Click the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer
   Note: The registry key AutoShareServer must be set as type REG_DWORD.
   When this value is set to 0 (zero), Windows does not automatically create
   administrative shares. Note that this does not apply to the IPC$ share or
   shares that you create manually.
4. Either delete the AutoShareServer value or set the value to 1. To do so,
   use one of the following methods:
   - To delete the AutoShareServer value, click Delete on the Edit menu.
     When you are prompted to confirm the deletion, click Yes.
   - To set the AutoShareServer value to 1, click Modify on the Edit menu.
     In the Value data box, type 1, and then click OK.
5. Quit Registry Editor.
6. Stop and then start the Server service:
   a. Click Start, and then click Run.
   b. In the Open box, type cmd, and then click OK.
   c. At the command prompt, type the following commands, pressing ENTER
      after each command:
        net stop server
        net start server
   d. Type exit, and then press ENTER.
 
Guest

The hidden shares I'm talking about are ones that I created. When I try to
change the registry for the administrative hidden shares, I change it to 1, I
then reboot, and then I look in computer management and they are gone again.
ipc$ doesn't always show.
Tried to run netdiag but I get a fatal error when running it: "failed to get
system information from this machine"


Event Type: Error
Event Source: BROWSER
Event Category: None
Event ID: 8032
Date: 8/16/2005
Time: 2:18:38 PM
User: N/A
Computer: LUPFFILE1
Description:
The browser service has failed to retrieve the backup list too many times on
transport \Device\NetBT_Tcpip_{50146695-A45F-4F7D-9868-E07B80C5E0FC}. The
backup browser is stopping.
Data:
0000: 5d 08 00 00 ]...

Event Type: Error
Event Source: ESENT
Event Category: General
Event ID: 427
Date: 8/12/2005
Time: 11:02:22 PM
User: N/A
Computer: LUPFFILE1
Description:
services (352) The database engine could not access the file called
C:\WINNT\Security\Database\secedit.sdb.
 
Steven L Umbach

How many servers did this happen to? Are they domain controllers? Do your
non hidden shares still work in that users on the network can access them?

If they are not domain controllers then on one of the computers try
uninstalling and reinstalling file and print sharing. If that does not help
try uninstalling and reinstalling tcp/ip per the link below being sure to
jot down the current tcp/ip configuration as shown by ipconfig /all as it
may change when you reinstall tcp/ip. Getting a fatal error from netdiag is
troubling and I have never seen that myself. Try booting into safe mode with
networking [assuming you are behind a firewall] and see if netdiag runs.

http://support.microsoft.com/?id=285034

The browser error is probably a symptom of your problem but not the cause.
It depends on the server service. Check to see that all the services that
are set to automatic are started including the tcp/ip netbios helper
service. I still have to wonder if it is not malware. There is a new worm
going around right now that is affecting Windows 2000 computers that have
not been recently patched. I would try scanning at least one server again
with virus definitions up to date as of today and try a second opinion.
Trend Micro has the free Sysclean which you do not have to install - just
download it and the pattern file [after unzipping] to a common folder to run
from. You may also want to post in the
Microsoft.public.windows.server.networking newsgroup to see if anyone there
has seen what you describe.

http://www.trendmicro.com/download/dcs.asp --- Sysclean
http://www.trendmicro.com/download/viruspattern.asp --- pattern file

I don't know if your second Event ID is related but not being able to access
the secedit.sdb file is significant and results in problems when you try to
open Local Security Policy. Check your permissions to the
\system\security\database file to make sure system and administrators have
full control and see the links below for possible fixes. --- Steve

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scetroubletn.mspx
http://www.jsifaq.com/SUBH/TIP3500/rh3561.htm

 
shashank

Hi All
I am facing the same problem with my server (Windows 2000), which is also a
domain controller.
When I delete the DWORD value "AutoShareServer" or set it to 1,
it changes back to 0 again. Due to this, my other terminal servers in the
domain cannot be connected to remotely.

Thanks in advance
Shashank
 
Roger Abell [MVP]

When settings seem to automagically get changed back, the
first place to look is at GPOs that impact the machine.
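
The checks discussed in this thread (AutoShareServer, the Server service, ports 139/445, and whether policy is reapplying a setting), gathered into one read-only script. This is an added example, not code from any poster; it assumes Windows PowerShell 3.0 or later in an elevated session, which postdates the Windows 2000 servers in the thread. It also compares the live shares against the LanmanServer\Shares registry key, where manually created shares are persisted across restarts.

```powershell
# Added example: read-only checks, nothing on the server is modified.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'

# 1. AutoShareServer: absent or 1 = administrative shares are created; 0 = suppressed.
$params = Get-Item -Path "$lanman\Parameters"
if ($params.GetValueNames() -contains 'AutoShareServer') {
    $kind  = $params.GetValueKind('AutoShareServer')
    $value = $params.GetValue('AutoShareServer')
    "AutoShareServer = $value (type $kind)"
    if ($kind -ne 'DWord') { 'WARNING: AutoShareServer is not REG_DWORD' }
    if ($value -eq 0)      { 'WARNING: administrative shares are disabled' }
} else {
    'AutoShareServer is not set (default: administrative shares are created)'
}

# 2. No share exists unless the Server service is running.
"Server service status: $((Get-Service -Name LanmanServer).Status)"

# 3. Manually created shares (including hidden ones ending in $) are stored
#    as values under ...\Shares and re-created from there at service start.
$persisted = @((Get-Item -Path "$lanman\Shares").GetValueNames() | Where-Object { $_ })
# Type 0 = ordinary disk share; default admin shares and IPC$ carry other type
# codes and are expected to be live without a registry entry.
$live = @(Get-CimInstance -ClassName Win32_Share |
          Where-Object { $_.Type -eq 0 } |
          ForEach-Object { $_.Name })

$persisted | Where-Object { $_ -notin $live } |
    ForEach-Object { "Defined in registry but not currently shared: $_" }
$live | Where-Object { $_ -notin $persisted } |
    ForEach-Object { "Shared now but not persisted in registry: $_" }

# 4. SMB/NetBIOS session listeners, as suggested with netstat -an.
netstat -an | Select-String -Pattern ':(139|445)\s.*LISTENING'

# 5. Which GPOs apply to this computer; a value that keeps reverting after
#    a manual change is a candidate for one of these.
gpresult /r /scope computer
```

A share listed as defined in the registry but not live points at the Server service failing to re-create it at startup, while an empty Shares key after a reboot points at something removing the definitions themselves.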
 
