Windows 8.1 Administrative Shares

For security reasons the built-in admin$ family of hidden shares has been disabled in Windows 8.1. Here's how you can enable administrative shares in Windows 8.1.

The Problem: You try to connect to a network machine via a hidden share such as c$ or admin$ (\\MachineName\c$) and you get one of these error messages:

  • Access is denied.
  • The specified username is invalid.
  • You may not have permission to use this network share.

Solutions for Access is Denied to Administrative Shares in Windows 8.1

One solution may be to accept the situation and abandon your attempt to connect via C$. You could try remote desktop instead. I say this not because the challenge is too difficult, but because the default is the securest configuration for remote user account control (UAC). Once you enable these hidden admin$ shares then your machine can be attacked by hackers. 

Indeed, that is why Microsoft removed this capability, even though it was popular with previous Windows users. The solution?

  1. If you really must find a solution to the Windows 8.1 'Access is denied' message, then try leaving the Homegroup.
  2. If that does not work, then launch Regedit and adjust the Remote User Account Control (UAC) settings.

How to Use Regedit to Create LocalAccountTokenFilterPolicy Value

Before we start, always heed Microsoft's warning: "Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to re-install Windows to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk."

Type Regedit in the Search dialog box, right-click the executable and 'Run as administrator'.

Once Regedit launches navigate to this path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Microsoft documentation says to create a new DWORD value called LocalAccountTokenFilterPolicy. You can also create a QWORD called LocalAccountTokenFilterPolicy, especially when the DWORD will not allow access to your 64-bit machine. 

In either case, set the value to numeric 1 (meaning on) and click OK.

Mostly, the LocalAccountTokenFilterPolicy value gets created before you have a chance to set the data value; no problem, just double-click and modify the data from 0 to 1.

Helpful Tip:
While I made the connection with the firewall ON, if you cannot get this LocalAccountTokenFilterPolicy registry hack to work, then try adding File and Printer Sharing to the firewall's Allowed Programs.
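
The Regedit steps and the firewall tip above, scripted in PowerShell as an added example (not part of the original article). The helper names Get-RemoteUacState and Set-RemoteUacState are hypothetical, and the script assumes an elevated prompt on an English-language Windows 8.1 machine, since the firewall group name is localized.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell prompt.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName  = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacState {
    # Report whether the value exists, its registry type and its data.
    $key = Get-Item -Path $PolicyPath
    if ($key.GetValueNames() -notcontains $ValueName) {
        return [pscustomobject]@{ Present = $false; Kind = $null; Data = $null }
    }
    [pscustomobject]@{
        Present = $true
        Kind    = $key.GetValueKind($ValueName)   # DWord or QWord
        Data    = $key.GetValue($ValueName)
    }
}

function Set-RemoteUacState {
    param([ValidateSet(0, 1)][int]$Data)
    # -Force overwrites an existing value, so this also covers the 0 -> 1 case.
    New-ItemProperty -Path $PolicyPath -Name $ValueName `
        -PropertyType DWord -Value $Data -Force | Out-Null
    Get-RemoteUacState
}

# 1. Record the current state before changing anything.
Get-RemoteUacState

# 2. Create the DWORD and set it to 1, as in the Regedit steps.
Set-RemoteUacState -Data 1

# 3. Helpful Tip check: are the File and Printer Sharing firewall rules enabled?
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Select-Object DisplayName, Enabled, Profile, Direction

# 4. List the hidden (special) shares that exist on this machine.
Get-SmbShare -Special $true | Select-Object Name, Path

# To restore the default remote UAC filtering later:
#   Set-RemoteUacState -Data 0
#   or: Remove-ItemProperty -Path $PolicyPath -Name $ValueName
```

Running step 1 on its own is also a quick way to audit machines for this setting, because a Data of 1 means remote UAC filtering for local accounts has been switched off.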

The Default Remote Security Situation in Windows 8.1

Even if a user is a member of the local administrators group on the remote target, by default they cannot connect as a full administrator. The user has no elevation potential on the remote computer; thus if the user wants to administer the workstation with a Security Account Manager (SAM) account, it's best to log on using Remote Desktop. However, as discussed above, you could try creating LocalAccountTokenFilterPolicy.

Windows 8.1: Built-in Hidden Shares

Microsoft client operating systems from Windows 95 to XP came with built-in hidden shares such as C$, ADMIN$ and IPC$. Windows 7 still creates the administrative shares on install, but you can’t use them out of the box.  Actually, such hidden shares are more commonly used on servers, and are still present on Windows Server 2008 R2 and Windows Server 2012 R2.

The purpose of these hidden shares is for administrators, or those in the know, to connect to another machine. Take the scenario where a user at MachineA knows the administrator's password on MachineB: they could view the files on the other computer by opening the 'Run' or 'Search' dialog box and typing:

\\machineb\c$

At this point they would probably get a request for username and password.

The $ dollar sign means that these network shares never show in Explorer. Indeed, I know of administrators who created extra hidden shares simply by appending a dollar sign to a regular share name, for example a folder called 'Stuff' shared as Stuff$, or even a folder called Stuff shared as Secret$ if you wanted a modicum of security.

Admin$

This hidden share corresponded to the Windows folder, or to be precise, the %Systemroot% folder, thus normally Admin$ would be a hidden share on the C:\Windows folder.

IPC$

The interprocess connect share is used by processes that need to communicate with a client using named pipes, for example domain controllers processing group policies; hence at least some $ shares are still present on the latest Windows servers.

DriveLetter$

As each drive letter is born on a server, the operating system creates the corresponding hidden share, for example D$, E$ and F$.  It's often handy to connect to the root of a drive when you're not sure of the precise whereabouts of a file you need from a remote machine.

In a nutshell, hackers and robot computer attacks exploited these hidden shares, forcing Microsoft to take the ruthless approach and disable Windows 8.1 Administrative shares by default.  Actually, this about-turn for built-in share accessibility started with Vista and continued with Windows 7, but at first few people seemed to notice.

For security reasons shares such as Admin$ or C$ are no longer created by default on Windows 8.1 client machines.  While there are work-arounds they are klugey, thus a better solution may be Remote Desktop Connection.

Author’s Note:  This article updated to Windows 8.1 from Guy Thomas’s “Windows 8 Administrative Shares”.
