How to enable administrative shares on Vista and XP?

I am looking for a way to enable administrative shares on both XP and on Vista. I am a complete newbie when it comes to using administrative shares. I have no prior experience as to how this is supposed to work. What I'm trying to achieve is to make a setup that would allow me to exchange files between the two computers freely, without necessarily having to share individual disk partitions or taking ownership of any disk partition.

Computer 1

  • OS: XP Pro SP2
  • Host name: TOSH
  • Workgroup: WORKGROUP
  • IP: 10.0.0.1
  • Subnet mask: 255.255.255.0
  • Default gateway: blank
  • DNS: blank
  • Client for Microspoof network enabled (joke!)
  • File and printer sharing for Microsoft network enabled
  • File and Printer sharing exception in Windows Firewall
  • Firewall: Windows Firewall disabled, Kaspersky installed but disabled
  • Users: Descartes (admin), Administratör (built-in admin, enabled), Gäst (built-in guest)
  • Test user: Testuser1 (admin, my own creation)
  • Shares: Shared Documents (default)

Computer 2

  • OS: Vista SP2
  • Host name: GIGA
  • Workgroup: WORKGROUP
  • IP: 10.0.0.2
  • Subnet mask: 255.255.255.0
  • Default gateway: blank
  • DNS: blank
  • Client for Microsoft network enabled
  • File and printer sharing for Microsoft network enabled
  • File and Printer sharing exception in Windows Firewall
  • Firewall: Windows Firewall disabled, no 3rd party firewall
  • Network discovery on
  • File sharing on
  • Public folder sharing on
  • Printer sharing off
  • Password protected sharing off
  • Media sharing off
  • Users: Sammy (admin), Administratör (built-in admin, disabled), Gäst (built-in guest)
  • Test user: Testuser1 (admin, my own creation)
  • Shares: Public (default)
  • Test share: Share 1 (my own creation)

If Descartes@TOSH is local and Sammy@GIGA is remote:

  • Cannot access \\10.0.0.2\c$
  • Can access \\10.0.0.2\
  • Cannot access \\10.0.0.2\Public
  • Cannot access \\10.0.0.2\Share 1

I was logged on as Descartes@TOSH and Sammy@GIGA. When I try to access \\10.0.0.2\c$ I get the dialog box asking for user name and password. I use the credentials for Sammy@GIGA. Trying to access the other paths doesn't show any dialog box, where \\10.0.0.2 just shows the regular network shares @GIGA and \\10.0.0.2\Public and ..\Share 1 just shows an error message.

If Testuser1@TOSH is local and Sammy@GIGA is remote:

  • Cannot access \\10.0.0.2\c$
  • Can access \\10.0.0.2
  • Cannot access \\10.0.0.2\Public
  • Can access \\10.0.0.2\Share 1

As soon as I log on as Testuser1@TOSH I can access ..\Share 1 but still can't access the ..\Public share and ..\c$ administrative share. I think something strange is going on here. At bare minimum, the Public share should be accessible without any problem. I checked the sharing options and permissions for the Public share on Vista and it looks OK.

If Sammy@GIGA is local and Descartes@TOSH is remote:

  • Cannot access \\10.0.0.1\c$
  • Can access \\10.0.0.1
  • Can access \\10.0.0.1\Shared Documents

When I try to access \\10.0.0.1\c$ I get the same type of dialog box asking for user name and password. I use the credentials for Descartes@TOSH to log on. But log on fails.

Logon unsuccessful:

Windows is unable to log you on.

Be sure that your user name and password are correct.

I know the credentials I used for Descartes are correct. This is something else.

Administrative shares on TOSH:

C:\WINDOWS>net share

Resursnamn   Resurs                          Anmärkning

---------------------------------------------------------------
IPC$                                         Fjärr-IPC
print$       C:\WINDOWS\system32\spool\drivers
                                             Skrivardrivrutiner
C$           C:\                             Standardresurs
ADMIN$       C:\WINDOWS                      Fjärr-admin

Administrative shares on GIGA:

C:\Windows\system32>net share

Share name   Resource                        Remark

-----------------------------------------------------------
ADMIN$       C:\Windows                      Fjärradmin
B$           B:\                             Standardresurs
C$           C:\                             Standardresurs
Q$           Q:\                             Standardresurs
E$           E:\                             Standardresurs

There are more shares but you can see here that the c$ share is listed on both computers.

After some research I have found a way to enable the administrative shares on Vista. See Microsoft KB article 947232. You basically just need to create a new or edit existing Windows registry value. You need to have following entry.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value: LocalAccountTokenFilterPolicy
Value type: DWORD
Value data: 1 (0x00000001)

After adding this bit to the registry I was able to connect to the administrative share c$ on the Vista computer. As it stands right now:

If Descartes@TOSH is local and Sammy@GIGA is remote (with this mod):

  • Can access \\10.0.0.2\c$
  • Can access \\10.0.0.2
  • Cannot access \\10.0.0.2\Public
  • Cannot access \\10.0.0.2\Share 1

For some reason I still can't access the Public or the Share 1 share. But F DOS! The important thing is that I can now access c$ on Vista. That way, I can rule them all! :) Of course, as before, logging on as Testuser1 on XP will allow me to remotely access Share 1 as well.

Now the only question is how do you do this on XP? Or should this even be necessary for a Windows XP computer? From what I understand this is only a necessity on Windows Vista, 7 and 8?...

Or to quote Microsoft KB article above:

By default, Windows Vista and newer versions of Windows prevent local accounts from accessing administrative shares through the network.

So does Windows XP require a registry mod to enable administrative shares or not? Which is it? I did try to replicate the same registry value (LocalAccountTokenFilterPolicy) on the XP computer but that didn't work out. So I'm typing this very lengthy question/problem on SU in hope that someone with a lot of experience from Windows networking will be able to help.

What I have tried so far:


Besides the above registry mod, I also tried to add the following registry entry to the XP computer.

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
Value: AutoShareWks
Value type: DWORD
Value data: 1 (0x00000001)

I also tried to use a 0 but it didn't help.

I also tried to connect to the share using the net command in cmd.

C:\Windows\system32>net use /user:Descartes \\10.0.0.1\c$ ********
System error 5 has occurred.

Access is denied.


C:\Windows\system32>

Solution 1:

Problemz zolved!

To begin with, I believe there was some issue with the Descartes account on the XP. It ought to do with security policies. It simply should not matter if I'm logged in as Descartes or Testuser1. As long as they are both administrator accounts, I should still be able to access the default, built-in shares such as Public on the Vista computer. It makes absolutely no sense that Testuser1 can access the Share1 share (that I created myself), while Descartes cannot do that, and that neither of them can access the built-in Public share on Vista.

At the same time, Sammy on the Vista computer is able to access the Shared Documents share on the XP without any problems. This is the way it's supposed to be. It should be just as easy the other way around, to access the Public share on Vista. The Public share on Windows Vista, 7 and above is what used to be known as Shared Documents share in old versions of Windows. However, Sammy on the Vista computer was still unable to access the c$ share on the XP, but I now know why and how to fix that.

Instead of tinkering with security policies and whatnot, I decided to do a clean install of Windows XP. So I started fresh and I got things working now. So I thought I would share my findings here. I will make this very simple so that both noobz and so called "expertz" can do this.

Enabling file sharing and administrative shares on Vista

The first thing you will need in order to access the administrative shares is an administrator account with a password. So let's look at that first.

Creating an administrator account

  1. Click on Start.
  2. Click on Control Panel.
  3. Click on User Accounts and Family Safety.
  4. Click on User Accounts.
  5. Click on Manage another account. If prompted by UAC click Continue. If you already have an administrator account but no password, jump to step 8. If you don't have an administrator account or you want to add a second administrator account then see next step to create one. Note that you must be logged in as an administrator in order to create new administrator accounts.
  6. Click on the link Create a new account.
  7. Type the new user name, select Administrator and click Create Account. The new account will now appear in the list of accounts.
  8. To add a password to an account, click on the account name.
  9. Click on the link Create a password.
  10. Type in a password and click Create password. The account will now appear as "Password protected".
  11. Close the Manage Accounts window. Done!

It's needless to say, as this is a "superuser" site, but I'll say it anyway. If you have created a new administrator account previously, then you will have to log out from the current account and then log in with the new account to use it. If you are already logged in with an administrator account, and you only added a password to it, then you don't need to log out.

Now that you have that sorted out, you now need to make sure you have file sharing enabled.

Enabling file sharing

  1. Click on Start.
  2. Click on Control Panel.
  3. Click on Network and Internet.
  4. Click on Network and Sharing Center. Under the Sharing and Discovery section, make sure that Network discovery, File sharing, and Public folder sharing are turned on. If they are, jump to step 8. If not, see the next step.
  5. Click on the arrow next to Network discovery, select Turn on network discovery and click Apply. If prompted by UAC, click Continue.
  6. Click on the arrow next to File sharing, select Turn on file sharing and click Apply. If prompted by UAC, click Continue.
  7. Click on the arrow next to Public folder sharing, select Turn on sharing so anyone with network access can open, change, and create files. If prompted... you get the point.
  8. Now make sure that Password protected sharing is turned off. If it's on then you must turn it off.
  9. Close the Network and Sharing Center window. Done!

Now that you have that sorted out, you need to make sure that Windows Firewall is set up properly.

Setting up Windows Firewall

  1. Click on Start.
  2. Click on Control Panel.
  3. Click on Security.
  4. Click on Windows Firewall.
  5. Click on Change settings link. Click Continue if prompted by UAC.
  6. Make sure the firewall is set to On and that Block all incoming connections is NOT checked. If you made any changes, click Apply.
  7. Click on the Exceptions tab. Now make sure that Core Networking, File and Printer Sharing, and Network Discovery are checked.
  8. Click OK to save any changes and close the dialog box. Done!

Now that you got all that sorted out, there is one last thing you need to do. On Windows Vista and later versions of Windows, you need to modify the registry to enable access to the administrative shares.

Enabling access to administrative shares

  1. Click on Start, then click Run. If not available, press Win+R and you will get the Run prompt.
  2. Type regedit and press Enter. Click Continue if prompted by UAC.
  3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and make sure there is a value named LocalAccountTokenFilterPolicy. If it's there, then you might need to change the value data. See step five. If you don't see it, then you need to add it in next step.
  4. From the Edit menu, select New, then DWORD (32-bit) Value and name it LocalAccountTokenFilterPolicy.
  5. Right-click on LocalAccountTokenFilterPolicy and select Modify. As Value data, enter a 1 and click OK.
  6. From the File menu, select Exit to close the Registry Editor. Done!

That's it! Windows Vista is now ready. Onto Windows XP...

Enabling file sharing and administrative shares on XP

Just like with Windows Vista, in Windows XP you need to...

  • Have an administrator account.
  • Have a password for that account.
  • Have file sharing enabled.
  • Firewall needs to be set up properly.
  • Administrative share access needs to be enabled.

The major difference is in the way that administrative shares are enabled. Another difference is in the way that file sharing is enabled. On Windows XP, there is no centralized place in the control panel like the Network and Sharing Center in Vista and above, where you can basically configure everything that has to do with file sharing. Instead, file sharing is configured per network connection. So let's have a look at that.

Creating an administrator account

  1. Click on Start.
  2. Click on Control Panel.
  3. Click on the Switch to Classic View link on the left pane. (If it says "Switch to Category View" then you don't have to do anything.)
  4. Double-click on User Accounts. If you already have an administrator account but no password, jump to step 9. If you don't have an administrator account or you want to add a second administrator account then see next step to create one. Note that you must be logged in as an administrator in order to create new administrator accounts.
  5. Click on the link Create a new account.
  6. Type the new user name and click Next.
  7. Select Computer administrator and click Create Account. The new account will now appear in the list of accounts.
  8. To add a password to an account, click on the account name.
  9. Click on the link Create a password.
  10. Type in a password and click Create Password. The account will now appear as "Password protected".
  11. Close the User Accounts window. Done!

Now let's look at enabling file sharing on XP.

Enabling file sharing

  1. Click on Start.
  2. Click on Control Panel. Make sure you're using the Classic View.
  3. Double-click on Network Connections.
  4. Double-click on the Local Area Connection.
  5. Click on Properties.
  6. Make sure that Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, and Internet Protocol (TCP/IP) are checked.
  7. Click OK to save any changes and then Close to close the dialog boxes. Done!

Now let's look at setting up the firewall.

Setting up Windows Firewall

  1. Click on Start.
  2. Click on Control Panel. Make sure you're using the Classic View.
  3. Double-click on Windows Firewall.
  4. Under the General tab, make sure the firewall is set to On and that Don't allow exceptions is NOT checked.
  5. Click on the Exceptions tab and make sure that File and Printer Sharing, and UPnP Framework are checked.
  6. Click OK to save any changes and close the dialog box. Done!

Finally, let's look at how administrative shares are enabled on XP.

Enabling access to administrative shares

  1. Click on Start.
  2. Click on My Computer. Alternatively, press Win+E.
  3. Click on Tools menu and then click Folder Options.
  4. Click on the View tab.
  5. Make sure the option Use simple file sharing is unchecked. If it's checked, then you must uncheck it.
  6. Click OK to save the changes and close the dialog box.

If you are reading this because you are having trouble accessing the administrative shares on XP, then chances are that it's caused by "Simple File Sharing". As "simple" and innocent as it might seem, it actually puts a spoke in the wheel. Disabling this single option enabled me to access the administrative shares on my XP computer from my Vista computer.

All my other settings were nailed down perfectly, except for this one. I didn't even know, and I wouldn't have expected something like Simple File Sharing to change the security policy on the system so radically. I discovered this by accident, and at first I didn't believe it myself. So I had Windows XP re-installed two times, last time I even made a complete switch to an English version of Windows XP Professional with SP2. It's the same behavior as in my Swedish version, no change. I did a clean install both times.

The only question is... is this a security feature or a bug?...

In either case, that's how you enable access to administrative shares on XP. You just kill off the Simple File Sharing, and if the rest of the settings are done right, then it should work. Some users might find that not having Simple File Sharing enabled makes sharing files and folders on XP a little more difficult, but it's not really that hard for a "superuser" now, is it? But it's awkward that you must disable a user-friendly feature of XP just to get to the more advanced stuff; it's a stupid implementation from Microsoft.

After disabling Simple File Sharing, you will get some new options on the Properties dialog box for the disk you're trying to access remotely. Let's have a look at that.

Verifying that C$ is shared

  1. Click on Start.
  2. Click on My Computer.
  3. Right-click on the system disk C: and click Properties.
  4. Click on the Sharing tab.
  5. Make sure that it's set to Share this folder. Now verify that Share name is set to C$.
  6. Click OK to save any changes and close the dialog box.

Screeniez...

This is what it looks like when Simple File Sharing is enabled.

scrn35 scrn36

And this is what it looks like when Simple File Sharing is disabled.

scrn35

Running the net share command to "verify" that the C$ share is configured is not very helpful. Even if you see it in the list, it doesn't mean anything. It merely suggests that it's installed or configured, but that doesn't necessarily mean that you can actually use it. Not until you disable Simple File Sharing, and you see it appear in the Sharing tab of the Properties dialog box for the disk whose administrative share you want to access.

Here's an example of what it might look like (in XP).

scrn38

Or in code formatting...

C:\WINDOWS>net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
IPC$                                         Remote IPC
The command completed successfully.


C:\WINDOWS>

What you see is not exactly what you will get, not in this case anyway. (Reference to WYSIWYG.)

Troubleshooting

In case you run into those pesky errorz...

  • Check the cable!
  • Check IP settings!
  • Disable any 3rd party firewalls!
  • Go over the settings again!
  • Try the Administrator account.
  • Use the net use command!

Network cable and IP settings

Make sure the network cable is properly seated. Here's an example of an error you might see if the connection is broken for some reason, e.g. cable disconnected.

scrn39

If you have two computers connected directly to each other, as in my case, then you might need a crossover network cable (where wires 3 and 1, and 6 and 2 have been crossed). It's not very likely, but it's worth noting. Any modern NIC from at least year 2000 and onwards should have Auto MDI-X support. This allows you to use straight network cables (non-crossed, i.e. MDI).

Go over your IP settings again, and whenever possible use the automatic DHCP negotiation.

Using Administrator account

You don't actually need to set up a password protected administrator account to use the administrative shares if you don't want to. You might as well use the Administrator account. But don't get confused by this. Because "Administrator" is the actual name of the account, and it's an administrator level account. It's not your regular administrator account. This account comes built-in on both Windows XP and on Vista. Only difference is that it's enabled by default on XP, while it's disabled by default on Vista. So in case of Vista, you will have to enable it first before you can use it. Run lusrmgr.msc from the Run prompt on either XP or Vista and you'll get the "Local Users and Groups" window. From here you can see all the users and groups, and you can check account status, disable or enable accounts, including the Administrator account. You can even enable it temporarily and then disable it later on when no longer needed.

There is also a very neat command you can run to activate the built-in administrator account.

To enable:

net user administrator /active:yes

To disable:

net user administrator /active:no

This is a very useful command, even necessary for those of you poor souls who didn't pay M$ enough money and are now sitting with one of those intentionally limited versions of Windows Vista. Those include the Starter, Home Basic and Home Premium. These versions don't have the "Group Policy Editor" and the "Local Users and Groups".

I'm a sucker too, I paid for the Vista Premium FPP (full product package), full version, but these useful tools were apparently not considered a "premium" so M$ didn't bother including them. They didn't include the 64-bit DVD either, that was an "extra" I had to order separately. You might consider yourself lucky if you are on Vista Professional or Vista Ultimate (or Vista Enterprise) because those have all the tools you will ever need. Hence, the commands above will be useful for the less privileged Windows users (economically and technically speaking). Don't forget to disable the built-in administrator account once you're done with it.

Using the "net use" command

This is another useful command. You can use the net use command to remove timed-out network sessions. Oftentimes, when an established connection to a share has not been in use for some time, it will become disconnected. Sometimes this can cause errors when you try to use the share again. In this case, you need to flush that out. You can do that by either rebooting the remote computer, or preferably rebooting both the remote and the local computer. But if you don't like rebooting, don't have time for it, can't afford it because of other work being done, or whatever the reason, you can use this command instead.

Here's how it works.

You open up a Command Prompt window (or cmd) and you only issue the bare net use command. It will return all active or in-active network sessions. Here's an example.

C:\Windows\system32>net use
New connections will be remembered.


Status       Local     Remote                    Network

-------------------------------------------------------------------------------
Disconnected           \\tosh\c$                 Microsoft Windows Network
The command completed successfully.


C:\Windows\system32>

You can see here that I'm disconnected from \\tosh\c$ because I am not actively using it right now. If this is causing you problems, then you can safely remove it. Let's do that.

C:\Windows\system32>net use /delete \\tosh\c$
\\tosh\c$ was deleted successfully.


C:\Windows\system32>

You can see here that it's been deleted. You just have to add in the /delete switch followed by the UNC path to the share and hit Enter. So let's see if it's removed now.

C:\Windows\system32>net use
New connections will be remembered.

There are no entries in the list.


C:\Windows\system32>

You can see here that there are no entries now. So it's gone now. Now, when you connect to the share again, you will be prompted for credentials (i.e. user name and password) again. By the way, you can connect to it again by using the Run prompt. Just press Windows key and R and in the Run prompt type in the UNC path to the share, e.g. \\tosh\c$ and hit Enter. Provide the credentials and hit Enter and you should be right where you started. I have done that now already. So let's use the net use command again to check the status.

C:\Windows\system32>net use
New connections will be remembered.


Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK                     \\tosh\c$                 Microsoft Windows Network
The command completed successfully.


C:\Windows\system32>

So as you can see now, it says "OK". So we are connected and back to business again.

By the way, I should point out that you will probably have to use this command after a failed connection to a Windows XP computer where Simple File Sharing was not disabled when you attempted to connect. What might happen when you try to connect to the XP computer when the Simple File Sharing is still enabled is that you will get connected to stuff like \\tosh\ipc$ (yet fail to connect to c$) and you need to flush that out before you attempt to connect the second time, after disabling Simple File Sharing.

You basically want to start off with a clean window, i.e. without any saved connections. What might happen if you don't flush that old stuff out is that you will get those annoying errors where Windows says you're trying to use the same user name for more than one connection, something along those lines. If you get that type of error then you want to flush out the old saved credentials for old connections, and you do that by using the net use command (as in my example above).

Examples:

  • Connect to \\tosh\ and you're connected to \\tosh\ipc$
  • Connecting to \\192.168.120.115\ and you're connected to \\192.168.120.115\ipc$
  • Connect to \\tosh\c$ and you're connected to \\tosh\c$
  • Connect to \\192.168.120.115\c$ and you're connected to \\192.168.120.115\c$

You can be connected to either one of them in order to access the administrative share c$ but you will have to use the correct credentials, otherwise you will have to start all over again, because what you type in the first time is remembered for the duration of the login session. The remedy in that case is to either flush it with the net use command or reboot the system.

Essentially if you connect to \\tosh\ you will get connected to \\tosh\ipc$ and you can browse the most basic shares, like the Shared Documents share (or Public in Vista). But if you had Simple File Sharing disabled before you connected, then you can now go ahead and connect to \\tosh\c$ and it will get you connected to \\tosh\c$. This time you will get into root of C: directly without any prompt for user name and password, because they are remembered now since you are connected to \\tosh\. And because Simple File Sharing was disabled before you started the connection you will get access to it without any errors.

To sum this up...

  • You can connect to either ipc$ or c$ to access c$
  • You don't have to connect to c$ explicitly, it is implied when connected to ipc$. Although you will be asked for credentials initially if you are using the Shell/GUI and not the net tool (with net you specify credentials as part of the command).
  • You can use host names, e.g. "tosh" or its IP address.
  • UNC paths always start with two back-slashes.

Any questions? Leave them in the comments.

That would be all good folks!

shutdown -t 0
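
A read-only check of the settings this answer changes, as an added PowerShell example that is not part of the original post. The forceguest value (the registry setting behind "Use simple file sharing") and the WMI classes are not mentioned in the post; the built-in Administrator is located by its RID 500, so a localized name such as Administratör does not matter.

```powershell
# Added example, not from the original post. Read-only: it changes nothing.
# Written for Windows PowerShell 2.0-5.1 (uses Get-WmiObject); run it elevated
# on the machine whose administrative shares you are checking.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, so the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Format-Value {
    param($Value)
    if ($null -eq $Value) { 'not set' } else { [string]$Value }
}

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters'

$tokenFilter = Get-RegDword $policyKey 'LocalAccountTokenFilterPolicy'
$forceGuest  = Get-RegDword $lsaKey    'forceguest'
$autoShare   = Get-RegDword $serverKey 'AutoShareWks'
$osMajor     = [Environment]::OSVersion.Version.Major   # 5 = XP, 6 or higher = Vista and later

# Win32_Share.Type 2147483648 marks an administrative disk share (C$, ADMIN$, ...).
# These are the same entries "net share" prints.
$adminShares = @(Get-WmiObject Win32_Share | Where-Object { $_.Type -eq 2147483648 })
$shareNames  = ($adminShares | ForEach-Object { $_.Name }) -join ', '

# The built-in Administrator always has RID 500, whatever its localized name.
$builtin = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }

$report = @()
$report += 'Administrative disk shares published : {0}' -f $shareNames
$report += 'AutoShareWks                          : {0}  (0 = not created at startup)' -f (Format-Value $autoShare)
$report += 'forceguest                            : {0}  (1 = Guest only / Simple File Sharing, 0 = Classic)' -f (Format-Value $forceGuest)
$report += 'LocalAccountTokenFilterPolicy         : {0}  (1 = full admin token for remote local accounts)' -f (Format-Value $tokenFilter)
if ($builtin) {
    $report += 'Built-in Administrator                : {0}, disabled = {1}' -f $builtin.Name, $builtin.Disabled
}

# Being listed is not the same as being reachable. Two further gates apply:
#   forceguest = 1  -> every network logon is mapped to Guest (XP Simple File Sharing)
#   Vista and later -> local admins other than RID 500 get a filtered token by
#                      default, unless LocalAccountTokenFilterPolicy = 1
if ($adminShares.Count -eq 0) {
    $verdict = 'No administrative disk shares are published.'
} elseif ($forceGuest -eq 1) {
    $verdict = 'Guest-only model: no account can open C$ or ADMIN$ over the network.'
} elseif ($osMajor -ge 6 -and $tokenFilter -ne 1) {
    $verdict = 'UAC remote restrictions are on: ordinary local administrators are refused on C$.'
} else {
    $verdict = 'Any local administrator with a password can open C$ and ADMIN$ over the network.'
}

$report
$verdict
```

If LocalAccountTokenFilterPolicy was set to 1 only for a one-off file transfer, setting it back to 0 restores the default remote token filtering for local administrator accounts.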