question

RandalAndress-2820 avatar image
0 Votes"
RandalAndress-2820 asked RandalAndress-2820 commented

Cannot browse Windows 7 admin disk volume shares from Windows 10

From computer A (Windows 10 Home), the file shares on computer B (Windows 7 Pro, laptop) can be successfully accessed by: "\\b\users\<username>\desktop\<shared-folder>".

But when browsing the network from computer A by opening the Network in explorer, although computer B shows up as a computer icon, when you open it an error is displayed:

"You do not have permission to access \\b."

I get the same error when entering "\\b" from computer A.

On computer B, the admin shares (C$, D$, etc,) are enabled via the AutoShareServer and AutoShareWks values in the LanmanServer\Parameters and are visible after restart.

I have another Windows 7 computer on the network whose local disk shares can be browsed to and accessed by opening the computer icon in the Network explorer window but, like the Windows 10 computer A, it cannot browse the shares on computer B when beginning at the local disk volume (C$).

What should I check next?

-Randal

windows-10-networkwindows-7
· 6
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Please check SMBclient log on windows 10 to see if there are something related for us to troubleshooting.

0 Votes 0 ·

I fount this Warning in the Security section:
The AllowInsecureGuestAuth registry value is not configured with default settings.

Default Registry Value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"AllowInsecureGuestAuth"=dword:0
Configured Registry Value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"AllowInsecureGuestAuth"=dword:1

I do not recall changing this (I rarely modify the regsitry)
-Randal

0 Votes 0 ·

Could there be an event on the Windows 7 side (\\b) that might help? Where?

I do see some error events in the Security section on the W10 (A) computer, but they do not seem to be related to the failures that I am getting when I attempt to access B (W7): \\b which produces an error dialog "You do not have permission to access \\b."

Where else can I look?

BTW, remember this also occurs (can't access \\b) from another W7 Computer "C" on the network. Perhaps there is an event on it that could help. -Randal

0 Votes 0 ·

One more thing... while "\\b" gets a permission error, "\\b\users" works!
Thanks for looking into this...-Randal

0 Votes 0 ·

Any more ideas?

0 Votes 0 ·

What I am trying to figure out is what "permission" would keep me from browsing the 'C' drive but would not prevent me from accessing its folders.

0 Votes 0 ·
MotoX80 avatar image
0 Votes"
MotoX80 answered RandalAndress-2820 commented

One more thing... while "\\b" gets a permission error, "\\b\users" works!
What I am trying to figure out is what "permission" would keep me from browsing the 'C' drive

I have always used a local account with the same name and password on each machine. If you want to access the administrative shares, C$, then that account needs to be a member of the administrators group.

If you open a command prompt and run "net view \\b" does it display the non-administrative shares? What error do you get? Does B have an identical account? Have you checked the security eventlog on B?

101190-capture.jpg



capture.jpg (27.2 KiB)
· 8
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks for your reply!

I have always used a local account with the same name and password on each machine. If you want to access the administrative shares, C$, then that account needs to be a member of the administrators group.

Only accounts on both machines (A and B) are admin and have same name - no passwords. In Network settings I have selected the no passwords option.

Also I have another windows 7 machine (computer 'C'), that has a different admin user name with no password and I can browse it with no problem. So password and user account name would not seem to be the problem.

Here is my "net view" result on computer B:

Shared resources at \\localhost

laptop

Share name Type Used as Comment


FEATool Disk
FSX Disk
rpa Disk
Users Disk
The command completed successfully.








0 Votes 0 ·
MotoX80 avatar image MotoX80 RandalAndress-2820 ·

So on computer A, does "net view \\B" show the same share names?

0 Votes 0 ·

Again, thank you for this interaction!
From a powershell on computer A (windows 10 home) being run as administrator the following results (computer B name is "v3500":

PS C:\Users\Randal\Desktop> net view \\v3500
System error 5 has occurred.

Access is denied.

PS C:\Users\Randal\Desktop>

BUT from the same shell:

PS C:\Users\Randal\Desktop> copy \\v3500\users\randal\desktop\testshare\fromb.txt toa.txt
PS C:\Users\Randal\Desktop> type toa.txt
file from B TestSHare folder.


\\v3500 (name of computer B) is not accessible from computer A, but from computer A I can copy a file FROM a shared folder on computer B desktop TO computer A.

This behavior is similar to that of using explorer from computer A. Entering "\\v3500" gets the permission error, yet entering "\\3500\users\randal\desktop\testshare" will list the content of the testshare folder on computer B (v3500), which includes the file that was successfully copied from B to A (fromb.txt).



0 Votes 0 ·
Show more comments
GaryNebbett avatar image
0 Votes"
GaryNebbett answered RandalAndress-2820 commented

Hello @RandalAndress-2820 ,

I have never used a "Home" version of Windows, so I don't know what features/capabilities it is missing (compared to the "Pro" version). If what I propose below does not work then we can check for alternatives.

In a command windows, running as an administrator, issue the command logman start why -ets -p Microsoft-Windows-SMBClient -bs 64 -nb 999 -o why.etl. This will start an ETW trace session.

Now reproduce the problem. From what I have understood from the above messages, "net view \\b" fails and "dir \\b\c$\Users" works - if that is so then issue those two commands.

Now stop the trace with the command logman stop why -ets. There should now be a file called why.etl that you could make available here by posting a link to OneDrive, Google Drive, etc. where a copy of why.etl resides.

There is a reasonable chance (but not a guarantee) that analysing the content of why.etl would provide an indication of why the system is behaving as it is.

Gary

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Many thanks for jumping in!

I have uploaded "why.etl" and "testcmdlog.txt" to www.randress.com/msft .

I executed all commands on computer A (name: RPAFEA; W10 Home) from an administrator account powershell started as "run as administrator". All commands are shown in "testcmdlog.txt".

The remote computer "B" (name V3500) is Windows 7 Pro.

Please let me know how I can produce further data if it would be helpful. I also have another W7 computer "C" (user: Karen-PC, W7 Home Premium) which does NOT fail on cmd "net view \\Karen-PC".

-Randal

0 Votes 0 ·
GaryNebbett avatar image
0 Votes"
GaryNebbett answered GaryNebbett commented

Hello Randal,

Thanks for that. Here is some immediate feedback, so that you know that you efforts were (hopefully) not in vain. We might get some useful input from @MotoX80 too - someone who often has useful insights.

This is what your network traffic looks like when examined with the (now discontinued) Microsoft Message Analyzer tool:

101776-image.png

I have highlighted the problematic protocol exchange in yellow. Your Windows 10 client issues a NetShareEnum request for "level 1" information and receives a response with error code 5 (ERROR_ACCESS_DENIED).

The documentation for NetShareEnum ("NetrShareEnum" is just the name of the RPC method that transports the NetShareEnum request) says:

For interactive users (users who are logged on locally to the machine), no special group membership is required to execute the NetShareEnum function. For non-interactive users, Administrator, Power User, Print Operator, or Server Operator group membership is required to successfully execute the NetShareEnum function at levels 2, 502, and 503. No special group membership is required for level 0 or level 1 calls.

It seems as though the Windows 7 "server" is behaving unexpectedly/unexplainably (at the moment). I will need to do a bit of thinking about the next step...

Gary




image.png (175.8 KiB)
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

101862-comment1.txt



I had trouble entering message (haven't figured out how to best navigate interface), so I just attached a text file.
-Randal

0 Votes 0 ·
comment1.txt (1008 B)

Hello Randal,

Another problem with the forum (for me) is that approaching 5% of my posts are referred by some automatic process to a moderator before they (hopefully) appear in the forum. I replied to your last message - let's see if/when it becomes visible here...

Gary

0 Votes 0 ·
GaryNebbett avatar image
0 Votes"
GaryNebbett answered RandalAndress-2820 commented

Hello Randal,

The software which implements this platform seems to have many weaknesses; it seems that if you leave a message open too long in a browser window, a session times out and many buttons (Preview, Post, etc.) become ineffective - this may explain your difficulties (refreshing the page helps).

This problem is turning out to be a real mystery. To get a feel for how things should work, I traced what happens on my (Windows 10) "server" when responding to a "net view" (NetShareEnum) request. The best ETW trace that I got was:

101960-image.png

This shows the RPC for NetShareEnum (RPC OpNum = 15 (0xF)) to interface srvsvc (4B324FC8-1670-01D3-1278-5A47BF6EE188) arriving and some processing taking place in srvnet.sys.

I checked the srvnet.sys routines and there is no access checking there. The only access checking takes place in the LanmanServer service process, in routine srvsvc!NetrShareEnum. Based on the "level" of the NetShareEnum request, it checks the desired access against this ACL:

 0:000> !acl poi(srvsvc!SsSharePrintSecurityObject+10)+14 1
 ACL is:
 ACL is: ->AclRevision: 0x2
 ACL is: ->Sbz1       : 0x0
 ACL is: ->AclSize    : 0xe0
 ACL is: ->AceCount   : 0xa
 ACL is: ->Sbz2       : 0x0
 ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
 ACL is: ->Ace[0]: ->AceFlags: 0x0
 ACL is: ->Ace[0]: ->AceSize: 0x18
 ACL is: ->Ace[0]: ->Mask : 0x000f0013
 ACL is: ->Ace[0]: ->SID: S-1-5-32-544 (Alias: BUILTIN\Administrators)
    
 ACL is: ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
 ACL is: ->Ace[1]: ->AceFlags: 0x0
 ACL is: ->Ace[1]: ->AceSize: 0x18
 ACL is: ->Ace[1]: ->Mask : 0x000f0013
 ACL is: ->Ace[1]: ->SID: S-1-5-32-549 (no name mapped)
    
 ACL is: ->Ace[2]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
 ACL is: ->Ace[2]: ->AceFlags: 0x0
 ACL is: ->Ace[2]: ->AceSize: 0x18
 ACL is: ->Ace[2]: ->Mask : 0x000f0013
 ACL is: ->Ace[2]: ->SID: S-1-5-32-550 (no name mapped)
    
 ACL is: ->Ace[3]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
 ACL is: ->Ace[3]: ->AceFlags: 0x0
 ACL is: ->Ace[3]: ->AceSize: 0x18
 ACL is: ->Ace[3]: ->Mask : 0x000f0013
 ACL is: ->Ace[3]: ->SID: S-1-5-32-547 (Alias: BUILTIN\Power Users)
    
 ACL is: ->Ace[4]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
 ACL is: ->Ace[4]: ->AceFlags: 0x0
 ACL is: ->Ace[4]: ->AceSize: 0x14
 ACL is: ->Ace[4]: ->Mask : 0x00000001
 ACL is: ->Ace[4]: ->SID: S-1-1-0 (Well Known Group: localhost\Everyone)
    
 ACL is: ->Ace[5]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
 ACL is: ->Ace[5]: ->AceFlags: 0x0
 ACL is: ->Ace[5]: ->AceSize: 0x14
 ACL is: ->Ace[5]: ->Mask : 0x00000001
 ACL is: ->Ace[5]: ->SID: S-1-5-7 (Well Known Group: NT AUTHORITY\ANONYMOUS LOGON)
    
 ACL is: ->Ace[6]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
 ACL is: ->Ace[6]: ->AceFlags: 0x0
 ACL is: ->Ace[6]: ->AceSize: 0x14
 ACL is: ->Ace[6]: ->Mask : 0x00000002
 ACL is: ->Ace[6]: ->SID: S-1-5-20 (Well Known Group: NT AUTHORITY\NETWORK SERVICE)
    
 ACL is: ->Ace[7]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
 ACL is: ->Ace[7]: ->AceFlags: 0x0
 ACL is: ->Ace[7]: ->AceSize: 0x14
 ACL is: ->Ace[7]: ->Mask : 0x00000002
 ACL is: ->Ace[7]: ->SID: S-1-5-4 (Well Known Group: NT AUTHORITY\INTERACTIVE)
    
 ACL is: ->Ace[8]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
 ACL is: ->Ace[8]: ->AceFlags: 0x0
 ACL is: ->Ace[8]: ->AceSize: 0x14
 ACL is: ->Ace[8]: ->Mask : 0x00000002
 ACL is: ->Ace[8]: ->SID: S-1-5-6 (Well Known Group: NT AUTHORITY\SERVICE)
    
 ACL is: ->Ace[9]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
 ACL is: ->Ace[9]: ->AceFlags: 0x0
 ACL is: ->Ace[9]: ->AceSize: 0x14
 ACL is: ->Ace[9]: ->Mask : 0x00000002
 ACL is: ->Ace[9]: ->SID: S-1-5-3 (Well Known Group: NT AUTHORITY\BATCH)

In the case of a level 1 info request, the desired access is 1 - an access that is granted to "NT AUTHORITY\ANONYMOUS LOGON" among others.

This ACL is created by code inside the LanmanServer and is not directly accessible to any tool. There may however by policies that influence the content of the ACL. Under Windows 10, at least, one such policy is:

101970-image.png

Can you check whether this policy exists in Windows 7 and, if it does exist, what its value is on B?

Gary


image.png (42.6 KiB)
image.png (170.0 KiB)
· 10
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hello Randal,

Unfortunately your Comments2.txt attachment does not quite work - the full URL is just "comments2.txt" with no scheme, site, etc.

When you set the setting to "disabled" (the default setting) do things work?

Gary

0 Votes 0 ·

102097-comment2.txt



I was awaiting on 1) verifying that on the "good" W7 computer ("C"), the value was "Disabled" and 2) your concurrence that I should make the change and see if it works...

Note my cry for help in the attached comment2.txt in getting mmc configured again :-)
-Randal

0 Votes 0 ·
comment2.txt (847 B)
Show more comments

Gary,

IT WORKS!!!

After I restarted both computers (A and B):

=========
C:\Users\Randal>net view \\v3500
Shared resources at \\v3500

laptop

Share name Type Used as Comment


FEATool Disk
FSX Disk
rpa Disk
Users Disk
The command completed successfully.
================

Some awesome troubleshooting, my friend! ... peeling the onion one layer at a time... following the bad news from indication to source...

Turns out, W7 Home Premium does not have gpedit. Nor does it have the mmc snap-in Local Group Policy Editor. Getting it installed on 64-bit system is a bit of a hack that I shall put off until necessary.

BTW, I was not concerned about the security issue of Disabling the Policy. Since I'd never messed with them before and since I had you "on the line", I just thought I'd wait to see if that was definitely the next step.

:-) :-) :-)
Randal


0 Votes 0 ·
Show more comments