Windows OS Hub

February 11, 2021 | Windows 10, Windows Server 2016

Managing Administrative Shares (Admin$, IPC$, C$, D$) in Windows 10

Administrative shares are used in Windows to remotely access and manage a computer. If you open the Computer Management console (compmgmt.msc) and expand the System Tools -> Shared Folders -> Shares section, or run the net share command, you will see a list of admin shared folders (these folders are hidden in the network neighborhood and access to them is restricted).

Contents:
  • What are Administrative Hidden Shares on Windows?
  • How to Disable/Enable Admin Shares on Windows 10?
  • Enable Remote Access to Admin Shares on Windows 10 using LocalAccountTokenFilterPolicy

What are Administrative Hidden Shares on Windows?

By default, Windows creates the following admin shares:

  • Admin$ — Remote admin (this is the %SystemRoot% directory)
  • IPC$ — Remote IPC (used in named pipes)
  • C$ — Default Drive Share

If there are other partitions on the computer that are assigned a drive letter, they are also automatically published as admin shares (D$, E$, etc.). If you are using a shared printer, there should also be a Print$ share, and a FAX$ share if you are using a fax server.

Note that the names of administrative shares end with a $. This mark causes LanmanServer to hide these SMB resources when accessed over the network (specific files and folders in the shared network folder can be hidden using Access-Based Enumeration). If you try to view a list of shared network folders available on the computer in File Explorer (\\computername), you won’t see them in the list of available SMB shares.

You can get a list of available admin shares on a remote computer using the command:

net view \\computername /all

Most third-party file managers for Windows have an option to automatically display available admin resources on remote computers when browsing the network.

To view the contents of an admin share from File Explorer, you must specify its full name, for example, \\computername\c$. This path opens the contents of drive C and gives you access to the file system of the system drive of the remote computer.

Only members of the local computer Administrators group (and the Backup Operators group) can access administrative shares, provided that SMB is enabled, file and printer sharing is turned on, and access via TCP port 445 is not blocked by Windows Defender Firewall rules.

How to Disable/Enable Admin Shares on Windows 10?

Windows administrative shares are convenient for remote computer administration, but they carry additional security risks. At the very least, you shouldn’t use the same local administrator password on all computers (use LAPS to make passwords unique). You can completely prevent Windows from creating these hidden admin shares.

The easiest way to remove the admin share is to right-click the share name in the Computer Management snap-in and select Stop sharing (or use the net share Admin$ /delete command). However, after restarting Windows, the Admin$ share will be recreated automatically.

To prevent Windows 10 from publishing administrative shares, open the Registry Editor (regedit.exe), go to the registry key HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters and add a DWORD parameter named AutoShareWks (for desktop versions of Windows) or AutoShareServer (for Windows Server) with the value 0.

You can create this registry parameter manually, with the reg add command-line tool, or through PowerShell:

reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /f /v AutoShareWks /t REG_DWORD /d 0

or

New-ItemProperty -Name AutoShareWks -Path HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -Type DWORD -Value 0

You can deploy this registry parameter to all domain computers through a GPO.

Now, after a reboot, administrative shares will not be created. In this case, remote computer management tools, including psexec, will stop working.

If you want to enable admin shares on Windows, you need to change the parameter value to 1 or delete it:

Set-ItemProperty -Name AutoShareWks -Path HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -Value 1

To have Windows recreate the hidden admin shares, simply restart the Server service with the command:

Get-Service LanmanServer | Restart-Service -Verbose

Enable Remote Access to Admin Shares on Windows 10 using LocalAccountTokenFilterPolicy

There is one important issue when working with Windows admin shared folders on a computer that is not joined to an Active Directory domain (that is, one that is part of a workgroup). By default, Windows 10 restricts remote access to administrative shares for users who are members of the local Administrators group. Remote access is available only under the built-in local Administrator account (which is disabled by default).

Here is what the problem looks like in detail. I’m trying to remotely access the built-in admin shares on a computer running Windows 10 that is a member of a workgroup (with the firewall turned off) as follows:

  • \\w10_pc\C$
  • \\w10_pc\D$
  • \\w10_pc\IPC$
  • \\w10_pc\Admin$

In the authorization window, I specify the credentials of an account that is a member of the local Administrators group on Windows 10, and get an “Access is denied” error. At the same time, I can access all network shares and shared printers on Windows 10 (the computer is not hidden in Network Neighborhood). Also, I can access administrative shares under the built-in Administrator account. If this computer is joined to an Active Directory domain, the access to the admin shares from domain accounts with administrative privileges is not blocked.

The cause is another security policy that is part of UAC, the so-called Remote UAC (User Account Control for remote connections), which filters the tokens of local and Microsoft accounts and blocks remote access to admin shares under such accounts. This restriction is not applied to domain accounts.

You can disable Remote UAC by creating the LocalAccountTokenFilterPolicy parameter in the registry.

Tip. It will slightly reduce the Windows security level.
  1. Open the Registry Editor (regedit.exe);
  2. Go to the following reg key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System;
  3. Create a new DWORD (32-bit) parameter with the name LocalAccountTokenFilterPolicy;
  4. Set the LocalAccountTokenFilterPolicy parameter value to 1;
  5. Restart your computer to apply the changes.

Note. You can create the LocalAccountTokenFilterPolicy registry parameter using the following command:

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d 1 /f

After rebooting, try to remotely open the C$ admin share on a computer running Windows 10. Log in using an account that is a member of the local Administrators group. A File Explorer window should open with the contents of the C:\ drive.

Note. After that, other Windows 10 remote management functionality will become available. For example, you can now remotely connect to the computer using the Computer Management snap-in and other standard Windows MMC consoles.

So, we looked at how to allow remote access to hidden admin shares for all local administrators of a computer running Windows 10 using the LocalAccountTokenFilterPolicy registry parameter. This guide is also applicable to Windows 8.1, 7 and Windows Server.
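
The following read-only PowerShell audit is an added example, not part of the original article: it reports the AutoShareWks/AutoShareServer and LocalAccountTokenFilterPolicy values discussed above, together with the admin shares that are currently published. The function name Get-AdminShareAudit and the output property names are assumptions made for this example; run it in an elevated PowerShell session.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Get-AdminShareAudit and its property names are hypothetical, chosen for this example.
function Get-AdminShareAudit {
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Return a registry value, or $null when the parameter does not exist.
    $read = {
        param($Path, $Name)
        $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $p) { $p.$Name }
    }

    # ProductType 1 is a desktop edition (AutoShareWks); 2 and 3 are server roles (AutoShareServer).
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $autoName = if ($os.ProductType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }
    $auto     = & $read $lanman $autoName
    $filter   = & $read $system 'LocalAccountTokenFilterPolicy'

    # Admin$ and drive-letter shares that are published right now.
    $shares = @(Get-SmbShare | Where-Object { $_.Name -match '^(ADMIN|[A-Z])\$$' } |
                Select-Object -ExpandProperty Name)

    # The built-in Administrator (RID 500) can reach admin shares without LocalAccountTokenFilterPolicy.
    $rid500 = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    $notes = @()
    if ($auto -eq 0 -and $shares.Count -gt 0) {
        $notes += "$autoName=0 but shares are still published: reboot pending or shares re-created"
    }
    if ($auto -ne 0) { $notes += "$autoName is not 0: admin shares are created automatically" }
    if ($filter -eq 1) {
        $notes += 'LocalAccountTokenFilterPolicy=1: Remote UAC is off for all local administrators'
    }
    if ($rid500.Enabled) { $notes += 'Built-in Administrator account is enabled' }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        DomainJoined                  = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
        AutoShareParameter            = $autoName
        AutoShareValue                = $auto
        LocalAccountTokenFilterPolicy = $filter
        PublishedAdminShares          = $shares -join ', '
        Notes                         = $notes
    }
}

Get-AdminShareAudit | Format-List
```

An empty AutoShareValue or LocalAccountTokenFilterPolicy in the output means the parameter does not exist in the registry, so the Windows default applies.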

6 comments

Vicky April 5, 2022 - 12:08 am

Thank you very much for this information. I have an odd circumstance, where I need to find out all the people MAC of who is remote into my computer. I was finally able to get my network to run on Private and it stay there I’m finding a second network on my computer. I have other situations that backs this up in my router settings.

Jadden April 8, 2022 - 4:54 pm

check event viewer

CityguyUSA August 25, 2022 - 4:42 am

Thank God someone had the answer.

johhny September 3, 2022 - 8:12 am

how to change permission without deleting a share from cmd?

Endang Irawan September 8, 2022 - 7:09 am

what the impact if we have disable c$ d$ etc on the server?

Lynda April 13, 2023 - 5:17 pm

Oh do I LOVE you…let me count the ways…! Thanks xoxo!
