Administrative share

Administrative shares are hidden network shares created by the Windows NT family of operating systems that allow system administrators to have remote access to every disk volume on a network-connected system. These shares may not be permanently deleted but may be disabled. Administrative shares cannot be accessed by users without administrative privileges.

Share names

Administrative shares are a collection of automatically shared resources including the following: ^[1]

• Disk volumes: Every disk volume on the system with a drive letter assignment has a corresponding administrative share named as the drive letter with an appended dollar sign ($). For example, a system that has volumes C:, D: and E: has three corresponding administrative shares named C$, D$ and E$. (NetBIOS is not case sensitive.)
• OS folder: The folder in which Windows is installed is shared as ADMIN$.
• Fax cache: The folder in which faxed transmissions and their cover pages are cached is shared as FAX$.
• IPC shares: This area, used for inter-process communication via named pipes, is shared as IPC$ and is not part of the file system.
• Printers folder: This virtual folder, which contains objects that represent installed printers is shared as PRINT$.
• Domain controller shares: The Windows Server family of operating systems creates two domain controller-specific shares called SYSVOL and NETLOGON which do not have dollar signs ($) appended to their names. ^[2]

Characteristics

Administrative shares have the following characteristics:

1. They are hidden. The "$" appended to the end of the share name means that it is a hidden share. Windows will not enumerate them among those it defines in response to typical queries by remote clients to obtain the list of shares. One needs to know the name of an administrative share in order to access it. ^[1] Not every hidden share is an administrative share nor is the reverse true; in other words, ordinary hidden shares may be created at the user's discretion. ^[1]
2. They are automatically created by Windows, not a network administrator, and if deleted they will be automatically re-created. ^[2]

Administrative shares are not created by Windows XP Home Edition. ^[1]

Management

Administrative shares can be deleted in the same manner as any other network share, however they will be recreated automatically during the next boot cycle. ^[1] To prevent access to them permanently, it is necessary to disable, rather than delete them. ^[2]

Disabling administrative shares is not without caveats, though. ^[3] Previous Versions for local files, a feature of Windows Vista and Windows 7 before being rebranded as File History in Windows 8 and beyond, requires administrative shares in order to function properly. ^{[4] [5]}

Restrictions

Windows XP implements "simple file sharing" (also known as "ForceGuest"), a feature that can be enabled on computers that are not part of a Windows domain. ^[6] When enabled, it authenticates all incoming access requests to network shares as "Guest", a user account with very limited access rights in Windows. This effectively disables access to administrative shares. ^[7]

By default, Windows Vista and later use User Account Control (UAC) to enforce security. One of UAC's features denies administrative rights to a user who accesses network shares on the local computer over a network, unless the accessing user is registered on a Windows domain or using the built in Administrator account. If not in a Windows domain it is possible to allow administrative share access to all accounts with administrative permissions by adding the LocalAccountTokenFilterPolicy value to the registry. ^[8]

See also

• Server Message Block (SMB) – the infrastructure responsible for file and printer sharing in Windows
• Distributed File System (DFS) – another infrastructure that makes file sharing possible
• My Network Places – Windows graphical user interface for accessing network shares
• Network Access Protection (NAP) – a Microsoft network security technology
• Conficker – an infamous malware that exploited a combination of weak passwords, security vulnerabilities, administrative negligence and ADMIN$ share to breach a computer over a network and propagate itself

References

1. "Managing Administrative Shares (Admin$, IPC$, C$) on Windows". Windows OS Hub. March 15, 2024. Archived from the original on February 22, 2021. Retrieved March 7, 2025.
2. Liang, Han; Xu, Simonx (January 15, 2025). "How to remove administrative shares in Windows". Microsoft Learn . Redmond, Washington: Microsoft. Archived from the original on December 7, 2024. Retrieved March 7, 2025.
3. Liang, Han; Xu, Simonx; Ainapure, Kaushik; Li, Anna (January 15, 2025). "Overview of problems that may occur when administrative shares are missing". Microsoft Learn . Redmond, Washington: Microsoft. Archived from the original on September 30, 2022. Retrieved March 7, 2025.
4. Karp, David A. (2010-06-08). Windows 7 Annoyances: Tips, Secrets, and Solutions (1st ed.). Sebastopol, California: O'Reilly Media. p. 607. ISBN   978-0-596-15762-3.
5. Karp, David A. (2008-01-22). Windows Vista Annoyances: Tips, Secrets, and Hacks for the Cranky Consumer (1st ed.). Sebastopol, California: O'Reilly Media. p. 507. ISBN   978-0-596-52762-4.
6. Qinglin, Gao; Dressman, Matthew (October 14, 2022). "Microsoft Security Advisory 906574: Clarification of Simple File Sharing and ForceGuest". Microsoft Learn . Redmond, Washington: Microsoft. Archived from the original on July 25, 2024. Retrieved March 7, 2025.
7. Karp, David A. (April 18, 2006). Fixing Windows XP Annoyances: How to Fix the Most Annoying Things About the Windows OS (1st ed.). Sebastopol, California: O'Reilly Media. p. 55. ISBN   978-0-596-10053-7. Archived from the original on March 7, 2025. Retrieved March 7, 2025.
8. Liang, Han; Xu, Simonx; Straessner, C. (January 15, 2025). "Error when you try to access an administrative share on a Windows-based computer from another Windows-based computer that's a member of a workgroup: Logon unsuccessful: Windows is unable to log you on". Microsoft Learn . Redmond, Washington: Microsoft. Archived from the original on September 20, 2022. Retrieved March 7, 2025.