Overview of problems that may occur when administrative shares are missing (842715)



The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows NT Server 4.0

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

This article describes the symptoms that may occur when one or more of the hidden administrative shares are missing on your computer. The article also provides information about how to resolve this problem.

If you have already determined that your computer is missing one or more of the hidden administrative shares, see the "Cause" and "Resolution" sections. Be aware that missing administrative shares typically indicate that the computer in question has been compromised by malicious software. We recommend that you format and reinstall Windows on compromised servers.

SYMPTOMS

You may experience a variety of issues when administrative shares are removed or are otherwise missing from your computer.

If you use the net share command or MPSReports, the output may show that your computer is missing the IPC$, ADMIN$, or C$ share. If you re-create a missing share, it may be missing again after the next startup or logon. This issue may occur even if you set the AutoShareServer and AutoShareWks registry DWORD values to 1.

You may find unknown processes that start from the Startup folder or from the Run key in the registry. Antivirus software may detect viruses, worms, Trojans or backdoors. Or the FTP root on a Web server may be filled with unknown files.

The following list describes the problematic behavior that may be associated with this issue.
  • If the affected computer is a domain controller, you may receive error messages on client computers during network logon or during the times when they try to join the domain. Sometimes, you can log on with client computers that are running Microsoft Windows 2000 or Microsoft Windows XP, but you cannot log on with client computers that are running Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows Millennium Edition. On Windows 9x-based computers, you may receive an error message that is similar to either of the following:
    • The domain password you supplied is not correct, or access to your logon server has been denied.
    • The logon server did not recognize your domain password, or access to the server has been denied.
    When you try to log on to the network on a Windows 2000-based or Windows XP-based computer, you may receive an error message that is similar to the following:
    No logon server is available to service the logon request.
    When you try to join the domain, you may receive an error message that is similar to the following:
    The following error occurred attempting to join the domain 'Domain_Name': The network name cannot be found.
  • When you try to access or view the affected computer remotely by using a UNC path, a mapped drive, the net use command, the net view command, or by browsing the network in Network Neighborhood or My Network Places, you may receive an error message that is similar to one of the following:
    • The server is not configured for transactions.
    • System error 53 has occurred. The network path was not found.
    • Domain_Name is not accessible.
  • You may receive errors when you try to perform administrative tasks on a domain controller. For example, MMC snap-ins such as Active Directory Users and Computers or Active Directory Sites and Services may not start, and you may receive an error message that is similar to the following:
    Naming Information cannot be located because: Login attempt failed.
  • When you try to add a user to a security group, you may receive an error message that is similar to the following:
    Object Picker cannot open because no locations from which to choose objects can be found.
  • When you try to run Netdom.exe from the Windows 2000 Support Tools to find the FSMO roles, you may receive an error message that is similar to the following:
    Unable to update the password. The value provided as the current password is incorrect.
  • When you try to run Dcdiag.exe from the Windows 2000 Support Tools, you may receive an error message that is similar to the following:
    Failed with 67: The network name cannot be found
    The results from Dcdiag.exe may also list LDAP bind errors that are similar to the following:
    LDAP bind failed with error 1323.
  • When you try to run Netdiag.exe from the Windows 2000 Support Tools, you may receive an error message that is similar to the following:
    DC list test . . . . . . . . . . . : Failed
    Failed to enumerate DCs by using the browser. [NERR_BadTransactConfig]
  • If you run a network trace when you try to connect to the affected computer, you may see results that are similar to the following:
    C session setup & X, Username = username, and C tree connect & X, Share = \\<Server_Name>\IPC$
    R session setup & X - DOS Error, (67) BAD_NET_NAME
    
  • On the server, the WINS service may not start or the WINS console may display a red X, or both.
  • NetBT 4311 events that are similar to the following may be logged in Event Viewer:
    Event ID: 4311
    Event Source: NetBT
    Event Type: Error
    Description: Initialization failed because the driver device could not be created
  • The Terminal Services Licensing console may not start, and you may receive an error message that is similar to the following:
    • No Terminal Services license server is available in the current domain or workgroup. To connect to another license server, click license, click connect and click the server name.
    • The network address is invalid
  • Services for Macintosh may not start. When you try to start the service, events that are similar to the following may be logged in Event Viewer:
    Event Type: Error
    Event Source: MacFile
    Event Category: None
    Event ID: 10021
    User: N/A
    Description: The File Server for Macintosh service was unable to contact a domain controller to obtain domain information.

    Event Type: Error
    Event Source: MacFile
    Event Category: None
    Event ID: 10027
    User: N/A
    Description: An error occurred while initializing the File Server for Macintosh service. A Server Helper thread could not be initialized. The specific error code is in the data.

    Event Type: Error
    Event Source: MacFile
    Event Category: None
    Event ID: 10001
    User: N/A
    Description: Unable to start the File Server for Macintosh service. A system specific error has occurred. The error code is in the data.

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7024
    User: N/A
    Description: The File Server for Macintosh service terminated with service-specific error 1722.
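The network-trace symptom above (a tree connect to \\Server\IPC$ answered with BAD_NET_NAME, error 67) can be reproduced from another computer without a sniffer. The following is an added example and is not part of this article: it runs the same net use connection that the trace shows and classifies the result by the "System error N" text that net.exe prints. Test-RemoteIpcShare is a hypothetical helper name; errors 67 and 53 are the ones quoted in this article, and errors 5 and 1326 are the standard Windows access-denied and logon-failure codes.

```powershell
# Added example, not from KB 842715. Run from any domain member that can reach the
# suspect host; requires credentials that would normally be allowed to use IPC$.
function Test-RemoteIpcShare {
    param([Parameter(Mandatory = $true)][string]$Server)
    $share = "\\$Server\IPC$"
    # net.exe returns exit code 0 on success; on failure it prints
    # "System error N has occurred." followed by the message text.
    $output = (& net use $share /persistent:no 2>&1) -join ' '
    $code = $LASTEXITCODE
    if ($code -eq 0) {
        # Drop the test session again so no connection is left behind.
        & net use $share /delete 2>&1 | Out-Null
        return [pscustomobject]@{ Server = $Server; Status = 'IPC$ reachable'; Detail = $output }
    }
    $status = if ($output -match 'System error 67') {
        # Error 67 = "The network name cannot be found": the share itself is absent.
        'IPC$ missing on target (BAD_NET_NAME): check the AutoShare* values and scan the host'
    } elseif ($output -match 'System error 53') {
        # Error 53 = "The network path was not found": SMB not reachable at all.
        'Host not reachable over SMB (network path not found): connectivity or Server service'
    } elseif ($output -match 'System error (5|1326) ') {
        'IPC$ exists but the credentials were rejected'
    } else {
        "Connection failed with exit code $code"
    }
    [pscustomobject]@{ Server = $Server; Status = $status; Detail = $output }
}

# Usage (replace with a real host name):
# Test-RemoteIpcShare -Server 'FILESERVER01' | Format-List
```

A result of "IPC$ missing on target" against a host that answers on other ports is the remote-side equivalent of an empty net share listing on the host itself and should be followed by the "Resolution" steps below.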

CAUSE

These issues may occur after a malicious program removes the administrative shares on a computer that is running Windows Server 2003, Windows XP, Windows 2000, or Windows NT 4.0.

Frequently, malicious users connect to these administrative shares by taking advantage of weak passwords, missing security updates, direct exposure of the computer to the Internet, or a combination of these factors. The malicious users then install malicious programs to expand their influence over the computer and over the rest of the computer network. In many cases, these malicious programs remove the administrative shares as a defensive move to prevent other competing malicious users from taking control of the infected systems.

Infection by one of these malicious programs can come directly from the Internet or from another computer on the local network that is infected. This generally indicates that security on the network is weak. Therefore, if you see these symptoms, we recommend that you examine all other computers on the network for malicious programs by using antivirus software and spyware detection tools. We also recommend that you perform a security analysis to identify vulnerabilities on the network. See the "Resolution" section for information about how to detect malicious programs and how to analyze network security.

An example of a malicious program that targets administrative shares is the Win32.Agobot program. For technical details about how this program works, visit the following Computer Associates Virus Information Center Web site:

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Note The Win32.Agobot program is only an example. Malicious programs become obsolete as antivirus vendors discover them and add them to their virus definitions. However, malicious users frequently develop new programs and variants to avoid detection by antivirus software.

RESOLUTION

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To verify whether a computer is affected by this issue, follow these steps:
  1. Examine the AutoShareServer and AutoShareWks registry values to make sure that they are not set to 0:
    1. Click Start, click Run, type regedit, and then press ENTER.
    2. Locate and then click the following registry sub-key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
    3. If the AutoShareServer or AutoShareWks DWORD value in the LanmanServer\Parameters sub-key is configured with a value data of 0, change that value to 1. AutoShareServer is the value that server editions (Windows Server 2003, Windows 2000 Server, Windows NT Server 4.0) read; AutoShareWks is the value that workstation editions (Windows XP, Windows 2000 Professional) read.

      Note If these values do not exist, you do not have to create them because the default behavior is to automatically create the administrative shares.
    4. Quit Registry Editor.
  2. Restart the computer. Typically, computers that are running Windows Server 2003, Windows XP, Windows 2000, or Windows NT 4.0 automatically create the administrative shares during startup.
  3. After the computer restarts, verify that the administrative shares are active. To examine the shares, use the net share command. To do this, follow these steps:
    1. Click Start, click Run, type cmd, and then press ENTER.
    2. At the command prompt, type net share, and then press ENTER.
    3. Look for the Admin$, C$, and IPC$ administrative shares in the list of shares.
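The three verification steps above, combined into one script as an added example that is not part of this article (Microsoft's guidance is the manual procedure). It assumes Windows PowerShell on the affected host (PowerShell 2.0 is the version available for the Windows XP and Windows Server 2003 releases this article covers) and an elevated prompt. The registry path and the share names come from the article; the function names Test-AutoShareValues, Get-MissingAdminShares and Get-AutostartEntries are my own. Because the "Symptoms" section names the Startup folder and the Run key as typical persistence locations, the script also lists those entries so that a suspected compromise can be triaged before the antivirus steps that follow.

```powershell
# Added example, not from KB 842715. Run as an administrator on the affected computer,
# once before and once after the restart in step 2.

$LanmanParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ExpectedShares = @('ADMIN$', 'C$', 'IPC$')

function Test-AutoShareValues {
    # Step 1: AutoShareServer / AutoShareWks must not be 0. Absent values are fine,
    # because the default behavior is to create the administrative shares.
    $props = Get-ItemProperty -Path $LanmanParams -ErrorAction SilentlyContinue
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        $value = $props.$name
        if ($null -eq $value) {
            "$name : not present (default; shares are created automatically)"
        } elseif ($value -eq 0) {
            "$name : 0  <-- administrative shares are disabled by this value; set it to 1"
        } else {
            "$name : $value"
        }
    }
}

function Get-MissingAdminShares {
    # Step 3: compare the live share list against ADMIN$, C$ and IPC$.
    # Win32_Share exists on every Windows version in this article; on Windows 8 /
    # Server 2012 and later, Get-SmbShare returns the same list.
    $present = Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name.ToUpper() }
    $ExpectedShares | Where-Object { $present -notcontains $_ }
}

function Get-AutostartEntries {
    # List Run/RunOnce values and Startup-folder items for analyst review.
    # The script cannot tell "unknown" from legitimate; a person has to.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |     # drop provider metadata
                ForEach-Object { [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $_.Value } }
        }
    }
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        Get-ChildItem -Path $folder -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName } }
    }
}

# --- report ---
Write-Host '== LanmanServer AutoShare values =='
Test-AutoShareValues

Write-Host "`n== Administrative shares =="
$missing = @(Get-MissingAdminShares)
if ($missing.Count -eq 0) {
    Write-Host 'ADMIN$, C$ and IPC$ are all present.'
} else {
    Write-Host "MISSING: $($missing -join ', ')"
    Write-Host 'If the shares are still missing after a restart with the AutoShare* values not set to 0,'
    Write-Host 'treat the host as possibly compromised: isolate it and review the autostart entries below.'
}

Write-Host "`n== Autostart entries to review =="
Get-AutostartEntries | Format-Table -AutoSize
```

Run the script, restart, and run it again: a share that is present immediately after you re-create it but absent after the restart, while the AutoShare* values are not 0, is exactly the pattern the article attributes to a malicious program that removes the shares during startup.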
If the administrative shares are not listed, the computer may be running a malicious program that removes the shares during startup. To look for malicious programs, follow these steps:
  1. Use the latest virus definitions to run a complete antivirus scan on the computer. You can use your antivirus software or use one of several free virus-scanning services that are available on the Internet. See the "More Information" section for links to virus definition updates and to free online scans from antivirus software vendors.

    Important If you suspect that a computer is infected with malicious code, we recommend that you remove it from the network as soon as possible. We recommend this because a malicious user may be using the infected computer to start Distributed Denial of Service (DDoS) attacks, to send unsolicited commercial e-mail, or to share illegal copies of software, music, and movies.
  2. If the antivirus scan identifies a malicious program on the system, use the antivirus vendor's removal instructions. Additionally, review the threat assessment and the technical details about the program on your antivirus vendor's Web site. In particular, check to see if the program includes backdoor capability. Backdoor capability means that the program provides a way for the malicious user to regain control of the system if the program is discovered and removed.

    If the technical details about the program indicate that it has backdoor capability, we recommend that you format the computer's hard disk and reinstall Windows securely. For information about improving security of Windows-based computers and servers, visit the following Microsoft Security Guidance Center Web site:
  3. If the antivirus scan does not identify a malicious program on the system, it does not mean that the computer is not infected by a malicious program. More likely, it may mean that the malicious program is a new program or variant, and that the latest virus definitions do not detect it. In this case, contact the antivirus vendor to report the problem, or open a support incident with Microsoft Product Support Services (PSS) to investigate.
  4. After you complete the antivirus scan, examine the computer for other malicious programs, such as spyware or malicious user tools. See the "More Information" section for links to spyware and to malicious user detection tools.
  5. Check all other computers on the network for malicious programs and perform a security analysis to identify vulnerabilities on the network. To analyze network security, we recommend that you use the Microsoft Baseline Security Analyzer version 1.2.1 tool. For more information about this tool, visit the following Microsoft Baseline Security Analyzer Web site:

MORE INFORMATION

For technical information about how to help secure your network, visit the following Microsoft TechNet security Web site:

To obtain virus definition updates from antivirus software vendors, visit any one of the following third-party Web sites:

To obtain a free online scan from an antivirus software vendor, visit any one of the following third-party Web sites:

To obtain spyware and malicious user detection tools, visit any one of the following third-party Web sites:

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Modification Type: Major    Last Reviewed: 1/26/2005
Keywords:kb3rdparty kbtshoot kbprb KB842715 kbAudITPRO