Home > Powershell > Deleting Default Shares Using Powershell – Part 1

Deleting Default Shares Using Powershell – Part 1

All Windows systems have several default administrative shares configured which are immediately available after installation.  These shares not only provided direct access to the %SystemRoot%\Windows directory (Admin$) but to the root of all hard drives (C$,D$).  There is also the Inter-Process Communication (IPC$) share which is used to facilitate communication between process and computers over Server Message Blocks (SMB). The shares can be enumerated in Powershell using the Win32_Share class.

Get-WmiObject Win32_Share | Format-Table -AutoSize

I’ve used the Format-Table cmdlet with the –Autosize parameter to automatically adjust the column size based on the width of the data.  Otherwise it would look something like this.

The machine I’m working with has several partitions, all of which are being shared, and although they are hidden ($) which means they will not be enumerated over the network by remote machines via My Network Places (XP) or Network (Vista\7), they are just as accessible as any other share I would have manually made available.  This doesn’t mean just anyone has permissions to access them as they are being protected by NTFS\Share permissions as well as the Windows Firewall.   This does mean that if one machine’s adminstrator account is compromised then it’s possible that all machines are vulnerable.  Best security practices state that all unneeded services, shares, etc be disabled\turned off to prevent such attacks.    That being the case I’ve decided to write a script that will  remove only the administrative disk shares and then keep them turned off. 

In order to do this I needed first to determine what property value is used to distinguish an administrative disk share from one manually created. I decided to select the first available share ($Admin) and then view all available membertypes, which will include Methods, Properties, PropertySets and ScriptMethods. 

Get-WmiObject Win32_Share | Select-Object -First 1 | Get-Member

Another way to view the membertypes of a specific object (in this case the Admin$ share)  is to use a Where-Object match expression and then to pipe the results to Get-Member to filter for properties only.

$Obj = Get-WmiObject Win32_Share | Where-Object { $_.Name -eq "Admin$" }            
$Obj | Get-Member -MemberType Property

All shares are classified based on a “Type” property.    The below chart is used to categorize all possible shares and shared devices. 

  • 1    Print Share
  • 2    Device Share
  • 3    IPC Share
  • 2147483648    Administrative Disk Share
  • 2147483649    Administrative Print Share
  • 2147483650     Administrative Device Share
  • 2147483651    Administrative IPC Share

In order to verify the value assigned to the Admin$ share we could use either of the following.

Get-WmiObject Win32_Share | ? {$_.Name -eq "Admin$"} | Select Name,Type | 
Format-Table -AutoSize            

(Get-WmiObject Win32_Share | Where-Object {$_.Name -eq "Admin$"}).Type

Just to keep things simple I’ve decided to use the second example which is more specific

Now that I’ve confirmed the value of the Admin$ disk share I can create a filter to look for all administrative disk shares (those ending with 48), assign the results to a variable ($Share), use the Foreach construct to loop through all elements in the associative array and then invoke the Delete method to remove them.  

$Share = Get-WmiObject Win32_Share | Where-Object { $_.Type -like "*48*" }            
Foreach ( $i in $Share ) {            

Although this accomplishes the task at hand it’s only temporary.  When the machine is rebooted the Server service will reshare all of them once again.  In order to prevent this the registry needs to edited to include a new DWORD, something I will demo in the next artictle

Categories: Powershell
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: