Hidden Shares Disappear

Anonymous
August 15, 2005 4:39:07 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Sometime over the weekend, the hidden shares that I have on my servers
disappeared and every time I create one and then reboot the server, it
disappears. When you look in computer management, there are no shared drives,
unless it was created without an $ at the end. I also can't connect to the
server using the computer management mmc. In the logs I get an ESENT error and
I've tried the various ways to esentutl. Still nothing has helped get them
back. Even tried restoring the secedit.sdb from a date when everything was
fine, but that did not work. I'm running out of ideas. My next step will be
to try to recreate the shares from scratch, which I don't want to do.
Thanks.
Anonymous
August 15, 2005 9:48:49 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Such behavior may be an indication of malware so I would be sure to scan all
of your computers for such using the latest definitions from your antivirus
vendor's website. Verify that file and print sharing is enabled on your
computers, that the server service is started, see if nbtstat -n shows at
least three registered names, and that netstat -an shows ports 139 and/or
445 TCP as listening or connected. Also look in the application/system logs
in Event Viewer to see if anything pertinent has been recorded and run the
command net config server to see what it reports. Run the support tool
netdiag to see if it finds any problems that can give you an idea what the
problem may be. Sometimes the command net share ipc$ or uninstalling and
reinstalling file and print sharing helps.

The fact that it has happened to more than one server is curious. Try to think
if anything was done or changed in that timeframe such as installing new
software or changing Group Policy to modify security policy on your servers.
I would also boot into safe mode with networking to see if that makes a
difference. If it does it could indicate a startup
application/service/driver causing a problem. --- Steve


"Mike A." <Mike A.@discussions.microsoft.com> wrote in message
news:0E9EC3AE-2FA5-4EF9-A545-A259901F9FCF@microsoft.com...
> Sometime over the weekend, the hidden shares that I have on my servers
> disappeared and every time I create one and then reboot the server, it
> disappears. When you look in computer management, there are no shared drives,
> unless it was created without an $ at the end. I also can't connect to the
> server using the computer management mmc. In the logs I get an ESENT error and
> I've tried the various ways to esentutl. Still nothing has helped get them
> back. Even tried restoring the secedit.sdb from a date when everything was
> fine, but that did not work. I'm running out of ideas. My next step will be
> to try to recreate the shares from scratch, which I don't want to do.
> Thanks.
Anonymous
August 16, 2005 1:43:01 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Tried what you suggested and nothing seemed to help it. The virus scanner has
picked up nothing, file and print sharing is enabled, server service is
started, nbtstat shows me what I should be seeing, net config server reported
nothing unusual. I ran the Microsoft malware remove program and it found
nothing. The Microsoft antispyware also did not detect anything. No new
programs have been installed and I do not use Group Policy much. I have been
getting a lot of master browser events in the event viewer.

"Steven L Umbach" wrote:

> Such behavior may be an indication of malware so I would be sure to scan all
> of your computers for such using the latest definitions from your antivirus
> vendor's website. Verify that file and print sharing is enabled on your
> computers, that the server service is started, see if nbtstat -n shows at
> least three registered names, and that netstat -an shows ports 139 and/or
> 445 TCP as listening or connected. Also look in the application/system logs
> in Event Viewer to see if anything pertinent has been recorded and run the
> command net config server to see what it reports. Run the support tool
> netdiag to see if it finds any problems that can give you an idea what the
> problem may be. Sometimes the command net share ipc$ or uninstalling and
> reinstalling file and print sharing helps.
>
> The fact that it has happened to more than one server is curious. Try to think
> if anything was done or changed in that timeframe such as installing new
> software or changing Group Policy to modify security policy on your servers.
> I would also boot into safe mode with networking to see if that makes a
> difference. If it does it could indicate a startup
> application/service/driver causing a problem. --- Steve
Anonymous
August 16, 2005 4:55:11 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hmm. When you say hidden shares do you mean the default administrative
shares such as c$ or ones you are trying to create? Does ipc$ show when you
look at your shared folders in Computer Management? Did netdiag report any
problems? If possible paste some of the Event IDs that you are seeing for
Esent and the browser. If the problem is for default hidden shares see the
link below to check the registry to make sure they are still enabled. ---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;816113

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Click the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer
   Note: The registry key AutoShareServer must be set as type REG_DWORD.
   When this value is set to 0 (zero), Windows does not automatically create
   administrative shares. Note that this does not apply to the IPC$ share or
   shares that you create manually.
4. Either delete the AutoShareServer value or set the value to 1. To do so,
   use one of the following methods:
   - To delete the AutoShareServer value, click Delete on the Edit menu.
     When you are prompted to confirm the deletion, click Yes.
   - To set the AutoShareServer value to 1, click Modify on the Edit menu.
     In the Value data box, type 1, and then click OK.
5. Quit Registry Editor.
6. Stop and then start the Server service:
   a. Click Start, and then click Run.
   b. In the Open box, type cmd, and then click OK.
   c. At the command prompt, type the following commands, pressing ENTER
      after each command:
      net stop server
      net start server
   d. Type exit, and then press ENTER.
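
Added example, not part of the original thread or of KB 816113: a small offline triage that applies the checks from the first reply (local TCP 139/445, at least three registered NetBIOS names) and the AutoShareServer rule from the KB steps to saved output of `netstat -an`, `nbtstat -n`, `net share` and a regedit export of the `LanmanServer\Parameters` key. The function names and all sample captures are constructed for illustration; share names containing spaces are not handled.

```python
import re

# Constructed captures (not from the thread), shaped like Windows 2000 tool output.
NETSTAT_AN = """\
  TCP    0.0.0.0:445          0.0.0.0:0            LISTENING
  TCP    192.168.1.10:139     0.0.0.0:0            LISTENING
  TCP    192.168.1.10:1042    192.168.1.20:445     ESTABLISHED
"""
NBTSTAT_N = """\
    FILESRV1       <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    FILESRV1       <20>  UNIQUE      Registered
"""
NET_SHARE = """\
Share name   Resource                        Remark
-------------------------------------------------------------------------------
IPC$                                         Remote IPC
Public       D:\\Public
The command completed successfully.
"""
REG_EXPORT = """\
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters]
"AutoShareServer"=dword:00000000
"""

def smb_local_ports(netstat_text):
    """Local TCP ports 139/445 that are LISTENING or ESTABLISHED."""
    found = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "TCP" and f[3] in ("LISTENING", "ESTABLISHED"):
            port = int(f[1].rsplit(":", 1)[1])  # local address only, not the peer
            if port in (139, 445):
                found.add(port)
    return found

def registered_name_count(nbtstat_text):
    """Number of NetBIOS names shown as Registered."""
    return len(re.findall(r"<[0-9A-Fa-f]{2}>\s+(?:UNIQUE|GROUP)\s+Registered", nbtstat_text))

def live_share_names(net_share_text):
    """Upper-cased share names listed below the dashed header line."""
    names, in_table = set(), False
    for line in net_share_text.splitlines():
        if line.startswith("---"):
            in_table = True
        elif in_table and line.strip() and not line.startswith("The command"):
            names.add(line.split()[0].upper())
    return names

def auto_share_server(reg_export_text):
    """('absent', None), ('dword', n) or ('wrong_type', raw) from a regedit export."""
    m = re.search(r'^"AutoShareServer"=(.*)$', reg_export_text, re.M | re.I)
    if not m:
        return ("absent", None)
    raw = m.group(1).strip()
    d = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    return ("dword", int(d.group(1), 16)) if d else ("wrong_type", raw)

def triage(netstat_text, nbtstat_text, net_share_text, reg_export_text):
    findings = []
    if not smb_local_ports(netstat_text):
        findings.append("no local TCP 139/445 listening or connected")
    if registered_name_count(nbtstat_text) < 3:
        findings.append("fewer than three registered NetBIOS names")
    shares = live_share_names(net_share_text)
    if "IPC$" not in shares:
        findings.append("IPC$ missing: not governed by AutoShareServer, check the Server service")
    admin = {s for s in shares if s == "ADMIN$" or re.fullmatch(r"[A-Z]\$", s)}
    kind, value = auto_share_server(reg_export_text)
    if kind == "wrong_type":
        findings.append("AutoShareServer is not REG_DWORD")
    elif not admin and kind == "dword" and value == 0:
        findings.append("admin shares off: AutoShareServer=0, set to 1 or delete, restart Server")
    elif not admin:
        findings.append("admin shares missing although AutoShareServer allows them: look elsewhere")
    return findings

if __name__ == "__main__":
    for finding in triage(NETSTAT_AN, NBTSTAT_N, NET_SHARE, REG_EXPORT):
        print(finding)
```
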
Anonymous
August 16, 2005 4:55:12 PM

Archived from groups: microsoft.public.win2000.security (More info?)

The hidden shares I'm talking about are ones that I created. When I try to
change the registry for the administrative hidden shares, I change it to 1, I
then reboot, and then I look in Computer Management and they are gone again.
ipc$ doesn't always show.
Tried to run netdiag but I get a fatal error when running it. "failed to get
system information from this machine"


Event Type: Error
Event Source: BROWSER
Event Category: None
Event ID: 8032
Date: 8/16/2005
Time: 2:18:38 PM
User: N/A
Computer: LUPFFILE1
Description:
The browser service has failed to retrieve the backup list too many times on
transport \Device\NetBT_Tcpip_{50146695-A45F-4F7D-9868-E07B80C5E0FC}. The
backup browser is stopping.
Data:
0000: 5d 08 00 00 ]...

Event Type: Error
Event Source: ESENT
Event Category: General
Event ID: 427
Date: 8/12/2005
Time: 11:02:22 PM
User: N/A
Computer: LUPFFILE1
Description:
services (352) The database engine could not access the file called
C:\WINNT\Security\Database\secedit.sdb.
Anonymous
August 16, 2005 10:13:39 PM

Archived from groups: microsoft.public.win2000.security (More info?)

How many servers did this happen to? Are they domain controllers? Do your
non-hidden shares still work in that users on the network can access them?

If they are not domain controllers then on one of the computers try
uninstalling and reinstalling file and print sharing. If that does not help
try uninstalling and reinstalling tcp/ip per the link below being sure to
jot down the current tcp/ip configuration as shown by ipconfig /all as it
may change when you reinstall tcp/ip. Getting a fatal error from netdiag is
troubling and I have never seen that myself. Try booting into safe mode with
networking [assuming you are behind a firewall] and see if netdiag runs.

http://support.microsoft.com/?id=285034

The browser error is probably a symptom of your problem but not the cause.
It depends on the server service. Check to see that all the services that
are set to automatic are started including the tcp/ip netbios helper
service. I still have to wonder if it is not malware. There is a new worm
going around right now that is affecting Windows 2000 computers that have
not been recently patched. I would try scanning at least one server again
with virus definitions up to date as of today and try a second opinion.
Trend Micro has the free Sysclean which you do not have to install - just
download it and the pattern file [after unzipping] to a common folder to run
from. You may also want to post in the
Microsoft.public.windows.server.networking newsgroup to see if anyone there
has seen what you describe.

http://www.trendmicro.com/download/dcs.asp --- Sysclean
http://www.trendmicro.com/download/viruspattern.asp --- pattern file

I don't know if your second Event ID is related but not being able to access
the secedit.sdb file is significant and results in problems when you try to
open Local Security Policy. Check your permissions to the
\system\security\database file to make sure system and administrators have
full control and see the links below for possible fixes. --- Steve

http://www.microsoft.com/resources/documentation/window...
http://www.jsifaq.com/SUBH/TIP3500/rh3561.htm