{"id":1097,"date":"2014-09-16T02:13:15","date_gmt":"2014-09-16T07:13:15","guid":{"rendered":"http:\/\/montgomeryminds.com\/blog\/?p=1097"},"modified":"2019-06-30T18:23:14","modified_gmt":"2019-06-30T23:23:14","slug":"enable-admin-shares-c-on-windows-7","status":"publish","type":"post","link":"https:\/\/montgomeryminds.com\/blog\/enable-admin-shares-c-on-windows-7\/","title":{"rendered":"Enable Admin Shares (C$) on Windows 7"},"content":{"rendered":"<p><!-- do not use visual editor (TinyMCE) it strips html --><br \/>\n<!-- \/cygdrive\/c\/a_no_backup\/dl\/M_M\/usb_drive_copy\/tech\/blog\/admin_shares\/post.html --><\/p>\n<style type=\"text\/css\" media=\"all\">@import url(https:\/\/montgomeryminds.com\/css\/wp_blog_fixes.css);<\/style>\n<h2>Enable File and Print Sharing<\/h2>\n<p>The first step to enable administrative shares (ie, <code class=\"bold_lite\">C$<\/code> and even <code class=\"bold_lite\">Admin$<\/code> and <code class=\"bold_lite\">IPC$<\/code>) is to make sure you have File and Print sharing enabled.  While you&#8217;re at it, I recommend turning on Network Discovery also<\/p>\n<ol>\n<li>Click the Windows button (formerly the Start button).<\/li>\n<li>Type &#8220;advanced shar&#8221; into the search text box (that&#8217;s all you need).<\/li>\n<li>Click the link to \u201cManage advanced sharing settings\u201d (aka \u201cChange advanced sharing settings\u201d).<\/li>\n<li>In the window that opens, expand the <strong>\u201cHome or Work\u201d<\/strong> profile and browse to the \u201cNetwork discovery\u201d section.<\/li>\n<li>Click the link to <strong>\u201cTurn on <span style=\"color: #008080;\">network discovery<\/span>\u201d<\/strong> (Figure 1).<\/li>\n<li>Browse to the \u201cFile and printer sharing\u201d section.<\/li>\n<li>Click the link to <strong>\u201cTurn on <span style=\"color: #993300;\">file and printer sharing<\/span>\u201d<\/strong> (Figure 1).<\/li>\n<li>Click Save Changes.<\/li>\n<\/ol>\n<p>Note that this will only enable file and printer sharing for your <em>home<\/em> network. If you connect your computer to a <em>public<\/em> or \u201cunknown\u201d network, your shares will still remain disabled. It is not recommended, but If you want to change this, follow the above procedure for the \u201cPublic\u201d profile.<\/p>\n<div id=\"attachment_1102\" style=\"width: 510px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/montgomeryminds.com\/blog\/wp-content\/uploads\/2014\/09\/change_advanced_settings_annotated.png\"><img aria-describedby=\"caption-attachment-1102\" loading=\"lazy\" class=\"size-medium wp-image-1102\" src=\"https:\/\/montgomeryminds.com\/blog\/wp-content\/uploads\/2014\/09\/change_advanced_settings_annotated.png\" alt=\"Image:change_advanced_settings_annotated\" width=\"500\" height=\"300\" srcset=\"https:\/\/montgomeryminds.com\/blog\/wp-content\/uploads\/2014\/09\/change_advanced_settings_annotated.png 1000w, https:\/\/montgomeryminds.com\/blog\/wp-content\/uploads\/2014\/09\/change_advanced_settings_annotated-300x180.png 300w, https:\/\/montgomeryminds.com\/blog\/wp-content\/uploads\/2014\/09\/change_advanced_settings_annotated-500x300.png 500w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a><p id=\"caption-attachment-1102\" class=\"wp-caption-text\">Figure 1<\/p><\/div>\n<h2>Step 2: <code class=\"bold_lite\">LocalAccountTokenFilterPolicy<\/code><\/h2>\n<p>The next step is to go into the registry and give local users the ability to access remote administrative shares. BE CAREFUL&#8211;you can destroy our system by editing the registry.<\/p>\n<ol>\n<li>Click the Windows button and in the Search box, type \u201cregedit\u201d. If you get a User Access Control warning, click Yes.<\/li>\n<li>The Registry Editor will open. Expand the items until you get to <code class=\"bold_lite\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System<\/code> (Figure 3).<\/li>\n<li>Click Edit from the top menu then New and then DWORD.<\/li>\n<li>Type in <code class=\"bold_lite\">LocalAccountTokenFilterPolicy<\/code> for the name of the DWORD. Hit ENTER.<\/li>\n<li>Double click the new entry and enter <span class=\"bold_lite\">\u201c1\u201d<\/span> for the value. Click OK.<\/li>\n<li>Close the Registry Editor and reboot your computer.<\/li>\n<\/ol>\n<div id=\"attachment_1124\" style=\"width: 510px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/montgomeryminds.com\/blog\/wp-content\/uploads\/2014\/09\/regedit_LocalAccountTokenFilterPolicy_annotated.png\"><img aria-describedby=\"caption-attachment-1124\" loading=\"lazy\" width=\"761\" height=\"492\" src=\"https:\/\/montgomeryminds.com\/blog\/wp-content\/uploads\/2014\/09\/regedit_LocalAccountTokenFilterPolicy_annotated.png\" alt=\"IMAGE:Regedit create LocalAccountTokenFilterPolicy\" class=\"size-medium wp-image-1124\" srcset=\"https:\/\/montgomeryminds.com\/blog\/wp-content\/uploads\/2014\/09\/regedit_LocalAccountTokenFilterPolicy_annotated.png 761w, https:\/\/montgomeryminds.com\/blog\/wp-content\/uploads\/2014\/09\/regedit_LocalAccountTokenFilterPolicy_annotated-300x193.png 300w, https:\/\/montgomeryminds.com\/blog\/wp-content\/uploads\/2014\/09\/regedit_LocalAccountTokenFilterPolicy_annotated-464x300.png 464w\" sizes=\"(max-width: 761px) 100vw, 761px\" \/><\/a><p id=\"caption-attachment-1124\" class=\"wp-caption-text\">Regedit create LocalAccountTokenFilterPolicy<\/p><\/div>\n<h2>What&#8217;s going on here?<\/h2>\n<p>You might be familiar with UAC (User Account Control)<\/p>\n<div id=\"attachment_1111\" style=\"width: 510px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/montgomeryminds.com\/blog\/wp-content\/uploads\/2014\/09\/RegEdit_UAC_dialog.png\"><img aria-describedby=\"caption-attachment-1111\" loading=\"lazy\" src=\"https:\/\/montgomeryminds.com\/blog\/wp-content\/uploads\/2014\/09\/RegEdit_UAC_dialog.png\" alt=\"IMAGE:UAC example\" width=\"500\" height=\"270\" class=\"size-medium wp-image-1111\" srcset=\"https:\/\/montgomeryminds.com\/blog\/wp-content\/uploads\/2014\/09\/RegEdit_UAC_dialog.png 650w, https:\/\/montgomeryminds.com\/blog\/wp-content\/uploads\/2014\/09\/RegEdit_UAC_dialog-300x162.png 300w, https:\/\/montgomeryminds.com\/blog\/wp-content\/uploads\/2014\/09\/RegEdit_UAC_dialog-500x270.png 500w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a><p id=\"caption-attachment-1111\" class=\"wp-caption-text\">UAC example (for regedit in this case)<\/p><\/div>\n<p>This is new for Windows Vista and Windows 7.  It is Microsoft&#8217;s attempt at security.  The idea is that before programs can do dangerous things, or access sensitive areas, the OS will prompt the user for an additional OK.  If the user expects this, they can click YES, if it comes out of the blue, they can click NO.  For example, if some program is running in the background without the user&#8217;s knowledge, and tries to change a sensitive area, this UAC prompt will come out of the blue, and the user can then click NO, protecting his computer.<\/p>\n<p>Clicking YES to the UAC prompt enables what&#8217;s called as <strong>&#8220;elevated privilege&#8221;<\/strong>.  Ie the process now has more privilege to access and change sensitive areas.<\/p>\n<p>Well, when logging in from a remote PC, like you do when you&#8217;re trying to access a network admin share, even if you provide username and password to an administrator account, you do NOT get elevated privilege and there is no UAC prompt.<\/p>\n<p>The <code class=\"bold_lite\">LocalAccountTokenFilterPolicy<\/code> turns this off.  The values of 0 and 1 dont make any sense, so i provide mnemonics to help remember below.<\/p>\n<table id=\"MT6\" class=\"table\" cellspacing=\"0\">\n<tbody>\n<tr>\n<th>Value&nbsp;<\/th>\n<th>Description<\/th>\n<th>Mnemonic<\/th>\n<\/tr>\n<tr>\n<td>0<\/td>\n<td>This value builds a filtered token. This is the default value. The administrator credentials are removed.<\/td>\n<td>zero-no privileges<\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>This value builds an elevated token.<\/td>\n<td>1-privileges on<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Active Directory<\/h2>\n<p>It&#8217;s not <i>admin shares<\/i> exactly, but you can create (non-admin) shares via GPO (Group Policy Object) in an Active Directory environment.<\/p>\n<p>Briefly, in <code class=\"bold_lite\">GPO<\/code> -> <code class=\"bold_lite\">Preferences<\/code> -> <code class=\"bold_lite\">Windows Settings<\/code> -> <code class=\"bold_lite\">Network Shares<\/code> create new network shares. On the remote computer.<\/p>\n<p>References:<\/p>\n<ul>\n<li><a title=\"Windows 7 Administrative Shares \u2013 What They Are and How to Enable Them (at Brighthub) - http:\/\/www.brighthub.com\/computing\/windows-platform\/articles\/72247.aspx\" href=\"http:\/\/www.brighthub.com\/computing\/windows-platform\/articles\/72247.aspx\">Windows 7 Administrative Shares \u2013 What They Are and How to Enable Them (at Brighthub)<\/a><\/li>\n<li><a href=\"http:\/\/support.microsoft.com\/kb\/951016\" title=\"Description of User Account Control and remote restrictions in Windows Vista (and 7) - http:\/\/support.microsoft.com\/kb\/951016\">Description of User Account Control and remote restrictions in Windows Vista (and 7) (at support.microsoft.com)<\/a><\/li>\n<p>\t<LI><a href=https:\/\/www.techrepublic.com\/blog\/the-enterprise-cloud\/network-shares-group-policy-configuration-notes\/\">Network Shares Group Policy configuration notes (at techrepublic)<\/a>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Enable File and Print Sharing The first step to enable administrative shares (ie, C$ and even Admin$ and IPC$) is to make sure you have File and Print sharing enabled. While you&#8217;re at it, I recommend turning on Network Discovery &hellip; <a href=\"https:\/\/montgomeryminds.com\/blog\/enable-admin-shares-c-on-windows-7\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,3],"tags":[],"_links":{"self":[{"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/posts\/1097"}],"collection":[{"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/comments?post=1097"}],"version-history":[{"count":26,"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/posts\/1097\/revisions"}],"predecessor-version":[{"id":1796,"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/posts\/1097\/revisions\/1796"}],"wp:attachment":[{"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/media?parent=1097"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/categories?post=1097"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/tags?post=1097"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}