Tuesday, December 6, 2011

Enable Windows 7 admin shares for local accounts (c$, etc)

If you are frustrated by the lack of access to admin shares in Vista or Windows 7 here is a reg hack to re-enable those shares. This will allow local accounts (On the host machine) to access admin shares. By changing this registry setting you are DISABLING UAC remote restrictions!

Key: Software\Microsoft\Windows\CurrentVersion\Policies\System Name: LocalAccountTokenFilterPolicy Data Type: REG_DWORD
Value: 1

Please be aware that this is a security hole if your systems are not patched (Not to mention zero day attacks). Use with discretion and without blame (Me that is).

From Microsoft:
How UAC remote restrictions work 
To better protect those users who are members of the local Administrators group, we implement UAC restrictions on the network. This mechanism helps prevent against "loopback" attacks. This mechanism also helps prevent local malicious software from running remotely with administrative rights.

Source: http://support.microsoft.com/kb/951016/
Other Source: http://en.wikipedia.org/wiki/Administrative_share

Thursday, October 13, 2011

Check to see if a VBS script has Admin rights

Came across a problem today where we were running a VBS script that was obviously designed expecting UAC to be turned off.  In looking for a way to elevate the script to Admin before running, I found some code to force the script to run as administrator without having to reghack each PC.  It took a combination of sites to get the code, but here it is.

On Error Resume Next
key = CreateObject("WScript.Shell").RegRead("HKEY_USERS\s-1-5-19\")
If err.number <> 0 Then
 Set objShell = CreateObject("Shell.Application")
 objShell.ShellExecute "wscript.exe", Chr(34) & _
 WScript.ScriptFullName & Chr(34), "", "runas", 1

End If

If you insert that code at the beginning of your script it will first check to see if the script has Administrative rights (Either through UAC, or XP admin) and if it doesn't it will relaunch the script using runas administrator.

Warning: I haven't tested this in Windows XP.  I know that the Check part will work, but don't know about the relaunch.

Reghack to get Run As Administrator in the context menu for .VBS files:

UAC elevation code:

Check for Admin rights code:

Edited: 9-4-15 Thanks Hh Lohmann