"Unable to Restore Windows 7 Administrative Shares": A compendium of fixes
Before You Begin
Directions for Creating Administrative Shares
Step #1. Install administrative share drives on your Windows 7 computer.
Step #2: Allow outside computer access to your Windows 7 computer.
Step #3: Make administrative shares permanent on the Windows 7 computer.
Step #4. Confirm that administrative shares are working
Troubleshooting your Installation
Create the.reg File for Automating the Process
Removing Administrative Shares
I use administrative shares as an easy way to transfer files between computers on my home network. Windows XP installs administrative shares which by default are fully functioning. Because these shares weaken security in Windows, Microsoft turned them off in Vista, but a simple registry change turns them back on. In Windows 7 restoring administrative shares is more difficult.
The most frequently recommended method for restoring Windows 7 administrative shares -- it worked unfailingly in Vista -- can be seen in Step #2 below. This method worked during the early stages of my Windows 7 64-bit installation. However, by the time I had finished installing all the software, administrative sharing was broken.
An internet search found other modifications purported to turn on administrative shares. None of them did. After experimenting with various combinations I found a set of four which restored administrative shares on my Windows 7 computer.
BEFORE YOU BEGIN
I recommend an installation of Windows 7 which uses the WORK network. Do not use an installation of Windows 7 with the HOME network. I found Home network difficult to change, gave up and reinstalled Windows.Near the end of this article I have provided a registry file (.reg) which will update the Registry automatically. Run it and avoid the tedious searching and typing required by Steps #2 and #3. Directions for creating the .reg file can be found in the section Create the .reg File for Automating the Process.
If you have never worked with the Windows Registry before, use the automated process to avoid accidentally damaging the Registry. In fact, you may want to perform a Restore Point or even a Backup image before you begin.
Perform the following steps in order. Do not reboot until you have finished Step #3 of the installation process.
Note: By following these directions in reverse, you can easily remove the administrative shares you installed with these directions. And even if you have installed Windows 7 with administrative shares automatically turned off, these directions will allow you to harden your installation by removing any ancillary programs and data used for sharing that still remain. See the section Removing Administrative Shares at the end of this article for details.
DIRECTIONS FOR CREATING ADMINISTRATIVE SHARES
Step #1. Install administrative share drives on your Windows 7 computer.If you turn on administrative shares in a fresh installation of Windows before any software is installed, you should find this step already completed.
If you turn on administrative shares in an older installation, you may have to enter all of the following data.
1. Open Control Panel > Administrative Tools > Computer Management.
2. Select "Shared Folders" from the left pane.
3. In the middle pane left click on "Shares".
4. The following icons should be present:
ADMIN$ IPC$ C$ D$ {etc....}
5. If no shares for C, D, etc. are listed -- shared drives are denoted by a "$" -- or if they are incomplete, add a share for each drive on your Windows 7 computer. ADMIN$ and IPC$ will be added automatically.
Create new shared drives as follows:
(1) Expand the "Shared Folders" in the left pane. Right-click "Shares", and then click "New File Share".
(2) In the "Folder to share" box, type the path of the folder that you want to share, or click "Browse" to locate the folder.
(3) Type the share name you have chosen, followed by $. Click "Next".
(4) To make the share accessible to administrators only, select "Administrators have full control; other users have no access" check box.
(5) Click "Finish". Click "Yes" to create another share or click "No" to return to the Computer Management console.
Note: Drives associated with administrative sharing (drive designations which include $) cannot be added by using Windows Explorer. They can be added only by using Administrative Tools.
Reference: http://support.microsoft.com/kb/314984
***
Step #2. Allow outside computer access to your Windows 7 computer.
Note: The outside user must have a password-protected account on both computers.
1. Click the Start orb.
2. Type "regedit".
3. Press <Enter>.
4. In the left pane, browse to the following folder:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Policies\system\
5. Right-click in the blank area in the right pane.
6. Click "New".
7. Click "DWORD (32-bit) Value".
8. Type "LocalAccountTokenFilterPolicy"
9. Double-click the item you just created.
10. Type "1" in the data box.
11. Click "OK".
12. Close regedit.
13. Proceed to Step #3 without booting.
Reference: http://blog.hansmelis.be/2009/09/06/administrative-shares-in-windows-7/
***
Step #3. Make administrative shares permanently available on the Windows 7 computer.
This step installs two words in the Registry. The data value of "1" tells them to remember administrative shares from one windows session to another. If the words are not installed by you and Windows later installs them, they will be installed with a value of "0". "0" tells them not to remember administrative shares. In the latter case the shares exist only in the current session; they are not available after a reboot.
1. Click the Start orb.
2. Type "regedit".
3. Press <Enter>.
4. In the left pane, browse to the following folder:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\
LanmanServer\Parameters\
5. Right-click in the blank area in the right pane.
6. Click "New".
7. Click "DWORD (32-bit) Value".
8. Type "AutoShareWks".
9. Double-click the item you just created.
10. Type "1" in the data box.
11. Click "OK".
Right-click again in the blank area in the right pane.
1. Click "New".
2. Click "DWORD (32-bit) Value".
3. Type "AutoShareServer".
4. Double-click the item you just created.
5. Type "1" in the data box.
6. Click "OK".
7. Close regedit.
8. Reboot.
Reference: http://support.microsoft.com/kb/288164
***
Step #4. Confirm that administrative shares are working.
1. Go to your Windows XP computer.
2. Open a command prompt and type the following command. Use drive designations that are available on your Windows XP and Windows 7 computers:
net use XP-Drive: \\Win7-ComputerName\SharedDrive$
On my Windows XP computer I would type:
net use Z: \\Win7\C$
3. If you are unsuccessful, return to your Windows 7 computer.
(1) Check first to see if the proper drive shares are found in the Shared Folders section of Computer Management. See Step #1.
(2) Check that the new Registry data in Steps #2 and #3 has been entered correctly.
(3) After making any necessary changes, reboot the Windows 7 computer and repeat this step.
(4) If you are still having problems, proceed to Troubleshooting Your Installation.
TROUBLESHOOTING YOUR INSTALLATION
If you are unsuccessful, you may want to try two other modifications. I have tried both of them but neither turned on administrative shares.Fix #1. Modify the LMCompatibility value.
Warning! The following change will lower the security level of your Windows 7 installation.
1. Open regedit.exe.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
3. In the right pane find "LmCompatibilityLevel".
4. Right click on it and select "Modify".
5. Change "Value Data" from "3" to "1".
6. Click "OK".
7. Close Regedit.
8. Reboot.
Reference: http://www.vistaheads.com/forums/microsoft-public-windows-vista-networking-sharing/224789-intermittently-losing-mapped-drives.html
Discussion:
(The following is a discussion of Fix #1 above. The material has been edited and condensed.)
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\LSA
Name: LMCompatibilityLevel
The following are the different levels that you can set LMCompatibilityLevel to:
Value: 5 : DC refuses LM and NTLM responses (accepts only NTLMv2)
Value: 4 : DC refuses LM responses
Value: 3 : Send NTLMv2 response only
Value: 2 : Send NTLM response only
Value: 1 : Use NTLMv2 session security if negotiated
Value: 0 : Default - send LM response and NTLM response; never use NTLMv2 session security.
Vista only accepts NTLMV2 for network security. At this default level you cannot access hidden shares on previous versions of Windows.
The default level of Windows XP is hexadecimal "0". If you change the LMCompatibilityLevel of your Vista machine from "3" to "0", you will be able to access hidden shares on your XP machines. You can also set your XP machines to level "3" to match the default of Vista.
[Comment: My Windows XP computers, set at either "0" or "1", were able to access my Windows 7 computer at its default setting of "3".]
Reference: http://quantumgeeks.com/main/windowstips.html
***
Fix #2.
(The following is an edited and condensed version of the original article.)
First:
You need to have File & Printer Sharing enabled. Go to Control Panel > Folder Options > View and turn on File & Printer Sharing.
[Comment: I always disable this setting!]
Second:
1. Open the Control Panel > Network and Internet.
2. Go to "Network and Sharing Center".
3. In the left column, click on "Change advanced sharing settings".
4. There are two profiles. You probably do not want this option "on" when you are on a Public network. Therefore, select either "Home" or "Work".
5. Under the heading "File and Printer sharing", select "Turn on".
Third:
If you installed a Home network, you were offered the option of setting up a Homegroup. If you enabled that feature, you will be unable to use administrative shares. Attempt to extract yourself from the group as follows:
1. Open Control Panel > Network and Internet.
2. Select HomeGroup.
3. Click on the blue link "Leave the Homegroup".
4. A popup dialog appears. I believe I picked to first option.
Once I had left the homegroup, administrative shares started working again.
[Comment: I tried this procedure before I found this article. It did not work for me.]
Reference: http://blog.hansmelis.be/2009/09/06/administrative-shares-in-windows-7/
CREATE THE .reg FILE FOR AUTOMATING THE PROCESS
This section details how to create the automated program "3in1-AdminShares_ON.reg" which will make the necessary additions to the Registry:1. Copy the text file below with your mouse. Copy only the text between the dashed lines.
2. Paste the text into Notepad. Use only Notepad, no other program. Be sure that Notepad shows only the required text.
3. Remove any blank lines above the text. "Windows Registry......" must be the very first line of your new text file.
4. Save file to your desktop as "3in1-AdminShares_ON.reg".
When you are you are ready to make the Registry changes, double click on the program's icon.
Text for "3in1-AdminShares_ON.reg":
;---------- Begin copying below this line -------------
Windows Registry Editor Version 5.00
;Allows outside computers access to administrative shares (c$, d$, etc)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\]
"LocalAccountTokenFilterPolicy"=dword:00000001
;Makes administrative shares permanent for name #1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000001
;Makes administrative shares permanent for name #2
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000001
;---------- Stop copying above this line -------------
REMOVING ADMINISTRATIVE SHARES
To turn off administrative shares, you need only to reverse the above directions.1. In Steps #2 and #3 above you added three new words, "LocalAccountTokenFilterPolicy", "AutoShareWks", and "AutoShareServer". These words must either be turned off or deleted.
(1) If you want to leave them, turn them off by changing the Value Data from "1" to "0":
__1 Navigate to the location of the first word.
__2 Right click on the word. Select "Modify".
__3 In the Value Data box change "1" to "0".
__4 Click "OK".
__5 Navigate to each of the remaining two words and repeat the process.
__6 Close Regedit.
(2) If you want to delete the three new words:
__1 Navigate to the location of the first word.
__2 Right-click on the word. Select "Delete".
__3 Click on "Yes".
__4 Navigate to each of the remaining two words and repeat the process.
__5 Close Regedit.
2. REBOOT
3. Check to see if the shared devices installed in Step #1 above have been automatically removed. If not, remove them manually:
(1) Open Control Panel > Administrative Tools > Computer Management.
(2) Select "Shared Folders" from the left pane.
(3) In the middle pane right-click on "Shares".
(4) If you see any of the following devices, they need to be removed:
ADMIN$ C$ D$ E$ etc...
(5) Right-click one of the shared drives you added in Step #1. Select "Stop Sharing". Click "Yes" twice.
(6) Repeat (5) above for each of your shared drives.
(7) Repeat (5) for the automatically-added shared drive ADMIN$. (Be sure not to delete IPC$; it must remain.)
(8) Close Computer Management.
(9) REBOOT.
(10) Open Control Panel > Administrative Tools > Computer Management.
(11) Select "Shared Folders" from the left pane.
(12) In the middle pane right-click on "Shares.
(13) Confirm that only IPC$ remains.
(14) Close Computer Management.
(15) Move to your Windows XP computer and confirm that it is unable to access your Windows 7 computer. At the command prompt of your Windows XP computer try to access one of the shared drives on the Windows 7 computer by employing "net use". This action should generate an error message.