If you have already determined that your computer is missing one or more of the hidden administrative shares, see the "Cause" and "Resolution" sections. Realize that missing administrative shares typically indicate that the computer in question has been compromised by malicious software. We recommend that users format and reinstall Windows on compromised servers.
If you use the net share command or MPSReports, the output may show that your computer is missing the IPC$, ADMIN$, or C$ share. If you re-create a missing share, it may be missing again after the next startup or logon. This issue may occur even if you set the AutoShareServer and AutoShareWks registry DWORD values to 1.
You may find unknown processes that start from the Startup folder or from the Run key in the registry. Antivirus software may detect viruses, worms, Trojans or backdoors. Or the FTP root on a Web server may be filled with unknown files.
The following is a comprehensive list of the problematic behavior that may be associated with this issue.
- If the affected computer is a domain controller, you may receive error messages on client computers during network logon or during the times when they try to join the domain. Sometimes, you can log on with client computers that are running Microsoft Windows 2000 or Microsoft Windows XP, but you cannot log on with client computers that are running Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows Millennium Edition. On Windows 9x-based computers, you may receive an error message that is similar to either of the following:
No logon server is available to service the logon request.
When you try to join the domain, you may receive an error message that is similar to the following:
The following error occurred attempting to join the domain 'Domain_Name': The network name cannot be found.
- The domain password you supplied is not correct, or access to your logon server has been denied.
- The logon server did not recognize your domain password, or access to the server has been denied.
- When you try to access or view the affected computer remotely by using a UNC path, a mapped drive, the net use command, the net view command, or by browsing the network in Network Neighborhood or My Network Places, you may receive an error message that is similar to one of the following:
- The server is not configured for transactions.
- System error 53 has occurred. The network path was not found.
- Domain_Name is not accessible.
- You may receive errors when you try to perform administrative tasks on a domain controller. For example, MMC snap-ins such as Active Directory Users and Computers or Active Directory Sites and Services may not start, and you may receive an error message that is similar to the following:
Naming Information cannot be located because: Login attempt failed.
- When you try to add a user to a security group, you may receive an error message that is similar to the following:
Object Picker cannot open because no locations from which to choose objects can be found.
- When you try to run Netdom.exe from the Windows 2000 Support Tools to find the FSMO roles, you may receive an error message that is similar to the following:
Unable to update the password. The value provided as the current password is incorrect.
- When you try to run Dcdiag.exe from the Windows 2000 Support Tools, you may receive an error message that is similar to the following:
Failed with 67: The network name cannot be found
The results from Dcdiag.exe may also list LDAP bind errors that are similar to the following:
LDAP bind failed with error 1323.
- When you try to run Netdiag.exe from the Windows 2000 Support Tools, you may receive an error message that is similar to the following:
DC list test . . . . . . . . . . . : Failed
Failed to enumerate DCs by using the browser. [NERR_BadTransactConfig]
- If you run a network trace when you try to connect to the affected computer, you may see results that are similar to the following:
C session setup & X, Username = username, and C tree connect & X, Share = \\<Server_Name>\IPC$
R session setup & X - DOS Error, (67) BAD_NET_NAME
- On the server, the WINS service may not start or the WINS console may display a red X, or both.
- NetBT 4311 events that are similar to the following may be logged in Event Viewer:
- The Terminal Services Licensing console may not start, and you may receive an error message that is similar to the following:
- No Terminal Services license server is available in the current domain or workgroup. To connect to another license server, click license, click connect and click the server name.
- The network address is invalid
- Services for Macintosh may not start. When you try to start the service, events that are similar to the following may be logged in the Event Viewer:
Frequently, malicious users connect to these administrative shares by taking advantage of weak passwords, missing security updates, direct exposure of the computer to the Internet, or a combination of these factors. The malicious users then install malicious programs to expand their influence over the computer and over the rest of the computer network. In many cases, these malicious programs remove the administrative shares as a defensive move to prevent other competing malicious users from taking control of the infected systems.
Infection by one of these malicious programs can come directly from the Internet or from another computer on the local network that is infected. This generally indicates that security on the network is weak. Therefore, if you see these symptoms, we recommend that you examine all other computers on the network for malicious programs by using antivirus software and spyware detection tools. We also recommend that you perform a security analysis to identify vulnerabilities on the network. See the "Resolution" section for information about how to detect malicious programs and how to analyze network security.
An example of a malicious program that targets administrative shares is the Win32.Agobot program. For technical details about how this program works, visit the following Computer Associates Virus Information Center Web site:
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
Note: The Win32.Agobot program is only an example. Malicious programs become obsolete as antivirus vendors discover them and add them to their virus definitions. However, malicious users frequently develop new programs and variants to avoid detection by antivirus software.
To verify whether a computer is affected by this issue, follow these steps:
- Examine the AutoShareServer and AutoShareWks registry values to make sure that they are not set to 0:
- Click Start, click Run, type regedit, and then press ENTER.
- Locate and then click the following registry sub-key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
- If the AutoShareServer and AutoShareWks DWORD values in the LanmanServer\Parameters sub-key are configured with a value data of 0, change that value to 1.
Note: If these values do not exist, you do not have to create them because the default behavior is to automatically create the administrative shares.
- Quit Registry Editor.
- Restart the computer. Typically, computers that are running Windows Server 2003, Windows XP, Windows 2000, or Windows NT 4.0 automatically create the administrative shares during startup.
- After the computer restarts, verify that the administrative shares are active. To examine the shares, use the net share command. To do this, follow these steps:
- Click Start, click Run, type cmd, and then press ENTER.
- At the command prompt, type net share, and then press ENTER.
- Look for the Admin$, C$, and IPC$ administrative shares in the list of shares.
- Use the latest virus definitions to run a complete antivirus scan on the computer. You can use your antivirus software or use one of several free virus-scanning services that are available on the Internet. See the "More Information" section for links to virus definition updates and to free online scans from antivirus software vendors.
Important: If you suspect that a computer is infected with malicious code, we recommend that you remove it from the network as soon as possible. We recommend this because a malicious user may be using the infected computer to start Distributed Denial of Service (DDoS) attacks, to send unsolicited commercial e-mail, or to share illegal copies of software, music, and movies.
- If the antivirus scan identifies a malicious program on the system, use the antivirus vendor's removal instructions. Additionally, review the threat assessment and the technical details about the program on your antivirus vendor's Web site. In particular, check to see if the program includes backdoor capability. Backdoor capability means that the program provides a way for the malicious user to regain control of the system if the program is discovered and removed.
If the technical details about the program indicate that it has backdoor capability, we recommend that you format the computer's hard disk and reinstall Windows securely. For information about improving security of Windows-based computers and servers, visit the following Microsoft Security Guidance Center Web site:
- If the antivirus scan does not identify a malicious program on the system, it does not mean that the computer is not infected by a malicious program. More likely, it may mean that the malicious program is a new program or variant, and that the latest virus definitions do not detect it. In this case, contact the antivirus vendor to report the problem, or open a support incident with Microsoft Product Support Services (PSS) to investigate.
- After you complete the antivirus scan, examine the computer for other malicious programs, such as spyware or malicious user tools. See the "More Information" section for links to spyware detection tools and to malicious user detection tools.
- Check all other computers on the network for malicious programs and perform a security analysis to identify vulnerabilities on the network. To analyze network security, we recommend that you use the Microsoft Baseline Security Analyzer version 1.2.1 tool. For more information about this tool, visit the following Microsoft Baseline Security Analyzer Web site:
- Trend Micro:
- Computer Associates:
- Trend Micro:
- Computer Associates:
- PestPatrol Pestscan:
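
The registry check and the net share check from the verification steps above can be run together as one script. This is an added example, not code from the original article or from Microsoft. It assumes PowerShell 3.0 or later, an elevated session, and a system drive of C:, and it reads the share list through the Win32_Share WMI class instead of parsing net share output.

```powershell
# Added example: audits the two checks from the verification steps.
# Assumptions: PowerShell 3.0+, elevated session, system drive is C:.

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$expected = 'ADMIN$', 'C$', 'IPC$'   # shares the article tells you to look for

# 1. Registry: a value of 0 disables automatic creation. An absent value is
#    fine, because the default behavior is to create the shares.
$params = Get-ItemProperty -Path $paramKey
$registry = foreach ($name in 'AutoShareServer', 'AutoShareWks') {
    $prop = $params.PSObject.Properties[$name]
    [pscustomobject]@{
        Value  = $name
        Data   = if ($prop) { $prop.Value } else { '(not set)' }
        Status = if ($prop -and $prop.Value -eq 0) { 'DISABLED - set to 1' } else { 'OK' }
    }
}

# 2. Shares: the same list that "net share" prints, read through WMI.
$present = (Get-CimInstance -ClassName Win32_Share).Name
$shares = foreach ($name in $expected) {
    [pscustomobject]@{
        Share  = $name
        Status = if ($present -contains $name) { 'present' } else { 'MISSING' }
    }
}

$registry | Format-Table -AutoSize
$shares   | Format-Table -AutoSize

# 3. Verdict: shares that are missing while auto-creation is NOT disabled
#    match the symptom the article associates with malicious software.
$missing  = @($shares   | Where-Object Status -eq 'MISSING')
$disabled = @($registry | Where-Object Status -ne 'OK')
if ($missing.Count -gt 0 -and $disabled.Count -eq 0) {
    Write-Warning ('Shares missing although auto-creation is not disabled: ' +
        ($missing.Share -join ', ') + '. Investigate for malicious software.')
} elseif ($missing.Count -gt 0) {
    Write-Warning 'Shares missing and auto-creation is disabled. Set the value to 1, restart, and check again.'
} else {
    Write-Output 'All three administrative shares are present.'
}
```

Run it again after the restart in the steps above: a share that was re-created but is reported MISSING again after startup is the recurring symptom this article describes.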