Disabling Hidden Shares in Windows 10 (& Windows Vista, Windows 7, and Windows 8.1)

A simple post confirming that the same registry key works in Windows 10.
Based largely off of this ITworld write-up by Paul McFedries.

As is commonly known, a “$” in a Windows share name makes it “hidden”. This does not mean it is any more secure; it only obscures the name. That said, Microsoft, by default, enables hidden shares for “Administrative” purposes, including one for the system drive, C: (C$), and any other hard disk partitions you have on your system. Windows Vista+ also sets up the following hidden shares:

Share Shared Path Purpose
ADMIN$ %SystemRoot% Remote administration
IPC$ N/A Remote interprocess communication
print$ %SystemRoot%\System32\spool\drivers Access to printer drivers

Open an elevated Command Prompt and type “net share” and press Enter. You see a listing similar to this:

Share name   Resource                        Remark
-----------------------------------------------------------
C$           C:\                             Default share
D$           D:\                             Default share
ADMIN$       C:\WINDOWS                      Remote Admin
IPC$                                         Remote IPC
print$       C:\System32\spool\drivers       Printer Drivers
Public       C:\Users\Public                 

So although the C$, D$, and ADMIN$ shares are otherwise hidden, they’re well known, and they represent a small security risk should an intruder get access to your network. To close this hole, you can force Windows Vista to disable these shares. Here are the steps to follow:

    1. Click Start, type “regedit” in the Search box, and then click regedit.exe in the search results. The User Account Control dialog box appears.
    2. Say “Yes” to the UAC prompt and the Registry Editor should open.

CAUTION – BE CAREFUL WITH YOUR REGISTRY – ONLY CHANGE 

  1. Open the HKEY_LOCAL_MACHINE branch.
  2. Open the SYSTEM branch.
  3. Open the CurrentControlSet branch.
  4. Open the Services branch.
  5. Open the LanmanServer branch.
  6. Select the Parameters branch.
  7. Select Edit, New, “DWORD (32-bit) Value”
  8. Type “AutoShareWks” and press Enter. (Leave the default value of 0.)
    AutoShareWks
  9. Reboot or restart the “server” service using a Command Prompt: “net stop server” then “net start server”.

Once again, open an elevated Command Prompt and type “net share” and press Enter. The output should now looks like this:

Share name   Resource                        Remark
-----------------------------------------------------------
IPC$                                         Remote IPC
print$       C:\System32\spool\drivers       Printer Drivers
Public       C:\Users\Public                 

FYI – Its possible certain applications require the hidden shares.  To disable or rollback to “default” simply remove the “AutoShareWks” Registry Key or change the value to “1”.

KeePass batch scripting for secure and automatic databases on boot or login using PASSWORD_ENC

KeePass. The venerable KeePass.
You need to use a password manager. Not a Word or Excel document. Not a napkin or Post-it note. A real password manager. I recommend KeePass. You may prefer LastPass or SplashID. Regardless, I reiterate: you need to use a password manager.

Having used KeePass 8+ years and with hundreds of saved passwords, it is one of my most used applications. Anything that falls under PCI or HIPAA is in a KeePass database.

All that said, KeePass is typically the first program I execute upon logon. If you are following best practices, upon logon, you then have to type a very long password accompanied by a keyfile (optional) to open your KeePass database. I am not going to cover in this post what makes a strong password and what are appropriate password lengths.

You might ask, why not just use Windows user accounts introduced in KeePass 2.x? Two main drawbacks: 1) If your Windows user profile (UID) is corrupt/lost, you cannot access your KeePass database, and 2) if you want to synchronize your database, it cannot use Windows user accounts.

So, how to do you securely launch KeePass using command line without putting your password in the batch file as plaintext?

Based on the excellent post in this superuser thread along with more guidance from this post, you can securely script your KeePass databases. Here is how:

  1. Create a file called “RunMeKeePass.bat”
  2. Right click on the file and choose Edit.
  3. Go into your KeePassdatabase your want to script, and create a new, temporary entry called “RunMeKeePass.bat” (or whatever you called the filename in step 1).
  4. Go to the “Auto-Type” tab and hit the “Override default sequence” radio button, and copy/paste “{PASSWORD_ENC}” into the field.
    keepass_auto-type
  5. Leaving KeePassopen, go back to Notepad where you are editing the empty “RunMeKeePass.bat”. Hit Crtl+Alt+A to active the KeePass auto-type feature. Read more here about it if this step does not work or if you changed the default hotkey. Auto-type is one of the best features of KeePass. After hitting Crtl+Alt+A, KeePass should start spitting out a very long password string. You can read more about {PASSWORD_ENC} here, towards the bottom. In short, is long, generated string is a unique password for your KeePassdatabase that only works under your current username. This is what makes the method secure. You assume you have a secure user session because you as a user are scripting it. If someone manages to take this unique password string, it will not work on another PC/user opening the same/original KeePass. It only opens your KeePass database under your Windows user on this unique PC (UID/SID).
    Save this string.
  6. Now its time to script the password string into actually launching KeePass.
    Here is example .bat file script:

    echo KeePass DB #1 without a keyfile
    SET DATABASE="%USERPROFILE%\Documents\<LOCATION OF KEEPASS DATABASE .kdbx>"
    SET PASSWORD_ENC="<COPY/PASTE THE LONG, AUTO-TYPED PASSWORD STRING>"
    START "" "%programfiles(x86)%\KeePass Password Safe 2\KeePass.exe" %DATABASE% -pw-enc:%PASSWORD_ENC%
    
    TIMEOUT 2
    
    echo KeePass DB #2 WITH a keyfile
    SET DATABASE="%USERPROFILE%\Documents\<LOCATION OF KEEPASS DATABASE .kdbx>"
    SET PASSWORD_ENC="<COPY/PASTE THE LONG, AUTO-TYPED PASSWORD STRING>"
    SET KEYFILE="%USERPROFILE%\Documents\<LOCATION OF KEYFILE>"
    START "" "%programfiles(x86)%\KeePass Password Safe 2\KeePass.exe" %DATABASE% -keyfile:%KEYFILE% -pw-enc:%PASSWORD_ENC%
    
    TIMEOUT 2
    
    echo Re-opening KeePass DB #1 to bring it in focus
    SET DATABASE="%USERPROFILE%\Documents\<LOCATION OF KEEPASS DATABASE .kdbx>"
    SET PASSWORD_ENC="<COPY/PASTE THE LONG, AUTO-TYPED PASSWORD STRING>"
    START "" "%programfiles(x86)%\KeePass Password Safe 2\KeePass.exe" %DATABASE% -pw-enc:%PASSWORD_ENC%
    
    REM To Generate the pw-enc password string (which is specific to the Window user's UID), create a "dummy entry" in KeePass.
    
    REM Courtesy of: http://ddaydj.blogspot.de/2011/07/automatically-open-secure-keepass.html
    REM and http://superuser.com/questions/240657/make-keepass-database-accept-but-not-require-two-unlocking-methods
    REM and http://sourceforge.net/p/keepass/discussion/329221/thread/bdcb75db
    
    

    Basically replace “<COPY/PASTE THE LONG, AUTO-TYPED PASSWORD STRING>” with the auto-typed password from the earlier step. In Line 2, set the correct location for your KeePass database (.dbbx) file. Line 3 is for 64-bit Windows7/8/10; for 32 u(x86) for 32-bit versions.

    I provided multiple examples. The 2nd example uses a keyfile. Should be self-explanatory.

    You may also wonder why I commented “Re-opening KeePass DB #1 to bring it in focus”. KeePass, when it opens multupe tabs, keeps track of the order which files are opened. When you have multiple files and you use auto-type with multiple matches, the order of the UI is based on the order of opened files. By “re-opening” the first file, it bring that database tab to the forefront but it is still opened first keep it at the top of auto-type matches.

  7. The last step is to launch your “RunMeKeePass.bat” file. I chose to use Task Scheduler; Tigger=”At log on” and it calls the .bat file. I unchecked the “Start the task only if the computer is on AC power” (since I primarily use this on a Surface Pro 3). Read here if you need additional help in creating the Scheduled Task. The Task Scheduler “triggers” are rather powerful; e.g. if you configured KeePass to automatically lock your database after a certain amount of time, you could add additional triggers for “On workstation unlock” and “On connection to user session” for local and remote computers and open/close KeePass depending on your application.
    Another option is to run have a shortcut placed in the “Startup” folder; read more here for details on how to create it.

Now that you can more easily launch KeePass, you have no excuse not to use it (or  something like it). Enjoy. Here is the PASSWORD_ENC man page.