Cannot open default/admin share C$/D$ from HyperV VM to Host Machine

  • Question

  • Hi,

    I am unable to open a default share C$ from a HyperV VM to host machine.

    I have a Windows 10 Host machine (PC-A) running HyperV and a VM running Windows Server 2019 on top of it (PC-B).

    PC-A configuration: Windows Firewall enabled by default. Enabled File and Print Sharing via "allow an app or feature through Windows Defender Firewall"

    PC-B (VM) configuration: Windows Firewall enabled by default. Enabled File and Print Sharing via "allow an app or feature through Windows Defender Firewall"

    I am able to PING both ways. From PC-A to PC-B (VM), I am able to open the default share (C$/D$) using windows authentication.

    From PC-B (VM) to PC-A I am able to ping but I am not able to open the default share (C$/D$) using windows authentication. I get Access Denied error message.

    I even tried to turn off the firewall on PC-A, but it does not work.

    Please help!


    Thanks, Rajiv Iyer


    • Edited by Rajiv IR Friday, September 18, 2020 7:21 AM
    Sunday, August 23, 2020 8:43 AM

All replies

  • Have you got a windows with credential input? Or it just gives an error?
    Sunday, August 23, 2020 1:29 PM
  • I get Access Denied error message.


    If you get access denied, then the account that you are using does not have administrator access to the machine. 

    If you are not using Active Directory, then the easiest method is to create an account with the same name and password on both systems. Add that account to the administrators group on both systems. If you don't want to logon to the desktop with that account, then map a drive and use alternate credentials with the account that you created.  

    To verify that the firewall is allowing access, run this Powershell command.

    Test-NetConnection  -ComputerName *TheMachineYouWantToTest* -CommonTCPPort SMB

    • Edited by MotoX80 Sunday, August 23, 2020 3:02 PM
    Sunday, August 23, 2020 2:29 PM
  • The VM is part of a Domain. The subnet for both my host and VM are same: 192.168.1.0

    The Host IP is 192.168.1.2 and the VM IP is 192.168.1.14

    When I open host : \\192.168.1.2 with the local credentials of my Host machine I am able to see the shared folders and I am able to navigate through them.

    But accessing \\192.168.1.2\c$ doesn't work...

    Below are the results of Test-NetConnection

    Also, I turned off the firewall on the Host Machine and still it doesn't work.


    Thanks, Rajiv Iyer



    • Edited by Rajiv IR Wednesday, August 26, 2020 5:25 PM
    Wednesday, August 26, 2020 5:19 PM
  • local credentials of my Host machine

    Can you please be more specific on "local credentials"? Is that the "admin" in your image? Is that account a member of the Administrators group?

    What is "IRPC"? Is that the name of your domain? The name of the host machine? The name of the VM?

    If both machines are members of a domain, then add the domain account that you use to the administrators groups on both the host and the VM. Log on to both desktops with that account. See if that works.

    Also look in the security event log for a logon error when you get access denied.

    Have you tried using machine names instead of IP addresses? 

     


    • Edited by MotoX80 Thursday, August 27, 2020 11:47 AM
    Wednesday, August 26, 2020 7:13 PM
  • There are 3 machines:

    IRPC - A Host machine which is physical and it is part of the workgroup having IP Address 192.168.1.2

    There are 2 VMs running on top of IRPC. One of the VMs is a Domain Controller and the other one is a member server and part of the domain. The VMs connect to the host machine using an External switch.

    User name "admin" is a local user account on IRPC and it is part of the local administrators group. 

    All the above 3 machines receive IP Address via a Router which is the default gateway connecting to the internet.

    I tried connecting from the Member Server (VM) to the Host machine via IP Address to access C$ or D$ but it doesn't work. I am able to access NetBIOS share \\(Host Machine IP Address)


    Thanks, Rajiv Iyer

    Saturday, September 5, 2020 5:53 AM
  • Check the security event log on the host machine for errors when access fails. 

    Make sure you have auditing enabled. https://www.maketecheasier.com/enable-logon-auditing-windows-8/

    Saturday, September 5, 2020 12:55 PM
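The host-side check suggested above, as an added example that is not part of the original thread: it confirms logon auditing is on, then lists recent network logons (successes and failures) from one client. `$SourceIp` and `$Minutes` are assumed parameters; run it in an elevated PowerShell on the machine being accessed.

```powershell
# Added example, not code from the thread.
param(
    [Parameter(Mandatory)] [string] $SourceIp,   # assumption: IP of the client that gets "Access Denied"
    [int] $Minutes = 15                          # assumption: how far back to look
)

# Show the current audit setting for logon events (subcategory name is localized on non-English systems).
auditpol.exe /get /subcategory:"Logon"

# ElevatedToken is stored as a message-table reference rather than as text.
$elevatedText = @{ '%%1842' = 'Yes'; '%%1843' = 'No' }

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625                       # 4624 = logon success, 4625 = logon failure
    StartTime = (Get-Date).AddMinutes(-$Minutes)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Index the named <Data> elements so fields can be read by name.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only network logons (type 3) that came from the client under test.
    if ($data['LogonType'] -ne '3' -or $data['IpAddress'] -ne $SourceIp) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Workstation = $data['WorkstationName']
        Package     = $data['LmPackageName']
        # 4625 has no ElevatedToken field, so guard the lookup.
        Elevated    = if ($data['ElevatedToken']) { $elevatedText[$data['ElevatedToken']] } else { 'n/a' }
        Status      = $data['Status']            # failure code, present on 4625 only
    }
}

if ($rows) {
    $rows | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Warning "No type 3 logon events from $SourceIp in the last $Minutes minutes; check the audit setting above."
}
```

A 4624 row means the credentials were accepted, so an Access Denied seen alongside it is an authorization decision rather than a failed logon; the Elevated column shows whether that session received an elevated token.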
  • Hi,

    I enabled audit logon events for success and failure. When I try to access the host machine (IRPC) which is on workgroup from the VM (DC01), I still get access denied message. In the Security event log of both workgroup host (IRPC) and VM (DC01) there are no audit logon failure events.

    On the Open Session of Workgroup host machine, I can see an open session from the VM.

    Open Session from DC01 (VM)

    Also, please find the event logs from both the machines for your reference: https://1drv.ms/u/s!AuBK2J7Jd4hpga9HLqZEfSaoFVpG_Q?e=se1iVT

    Thanks


    Thanks, Rajiv Iyer

    Saturday, September 5, 2020 5:15 PM
  • From my experience, this looks like it should work. Your "admin" account is logging in to "IRPC" from machine "DC01". It shows group membership contains "BUILTIN\Administrators". 

    Instead of using the built-in administrative shares, can you just share out the folders that you need to access and see if that works?  Or create a second share at the root of C:\ and try to access that share name? 

     



    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          9/5/2020 1:00:16 PM
    Event ID:      4624
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      IRPC
    Description:
    An account was successfully logged on.

    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Information:
    Logon Type: 3
    Restricted Admin Mode: -
    Virtual Account: No
    Elevated Token: No

    Impersonation Level: Impersonation

    New Logon:
    Security ID: S-1-5-21-772535778-2910088759-763836227-1004
    Account Name: admin
    Account Domain: IRPC
    Logon ID: 0x12E5D0F
    Linked Logon ID: 0x0
    Network Account Name: -
    Network Account Domain: -
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Process Information:
    Process ID: 0x0
    Process Name: -

    Network Information:
    Workstation Name: DC01
    Source Network Address: 192.168.1.7
    Source Port: 50441

    Detailed Authentication Information:
    Logon Process: NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): NTLM V2
    Key Length: 128

    This event is generated when a logon session is created. It is generated on the computer that was accessed.

    ------------------------------------------------------------------------------

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          9/5/2020 1:00:16 PM
    Event ID:      4627
    Task Category: Group Membership
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      IRPC
    Description:
    Group membership information.

    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    New Logon:
    Security ID: S-1-5-21-772535778-2910088759-763836227-1004
    Account Name: admin
    Account Domain: IRPC
    Logon ID: 0x12E5D0F

    Event in sequence: 1 of 1

    Group Membership:
    S-1-5-21-772535778-2910088759-763836227-513
    Everyone
    NT AUTHORITY\Local account and member of Administrators group
    BUILTIN\Administrators
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\This Organization
    NT AUTHORITY\Local account
    NT AUTHORITY\NTLM Authentication
    Mandatory Label\High Mandatory Level
    Saturday, September 5, 2020 11:24 PM
  • Hi,

    The Host machine has 2 drives. viz; C and D

    When I try to access :

    1. \\Host-MachineName - I am able to access the machine

    2. I create a share on Drive D on folder ISO and when I try access \\Host-MachineName & via \\Host-MachineName\ISO, I am able to access the folder shares

    3. When I try to access \\Host-MachineName\C$ and \\Host-MachineName\D$, it prompts me for credentials. After supplying the credentials, I get access denied. I tested the local user account credentials using PowerShell. Below is the code:

    $username = 'IRPC\Admin'
    $password = 'welcome'
    
    $computer = $env:COMPUTERNAME
    
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $obj = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine', $computer)
    $obj.ValidateCredentials($username, $password) 
     

    The above code returns True for Success and False for Failure.

    Do you suggest in capturing a Network Trace via Microsoft Message Analyzer?


    Thanks, Rajiv Iyer


    • Edited by Rajiv IR Sunday, September 6, 2020 4:30 PM
    Sunday, September 6, 2020 4:29 PM
  • 2. I create a share on Drive D on folder ISO and when I try access \\Host-MachineName & via \\Host-MachineName\ISO, I am able to access the folder shares



    That's good from the point that you have shown that the account you are using can authenticate and that the firewall is not blocking anything. But I feel like we are missing something simple.

    What permissions do you have set on the ISO share? What permissions do you have set on the ISO folder?  Is "Everyone" allowed access to both the share and the files/folders? 

    I suspect that you have set the share permissions to "Everyone" like the image below. Set the share permissions to only allow administrators access. That effectively makes it just like C$. Can you still access the share?

     

     

    You should disconnect all sessions when you change the share permissions. 

    If you can still access the share then that indicates that the account you are using has administrator level access. In which case access to C$ should also work! That brings the question of... do you really need to access the administrative (C$) shares? Can you just share out the folders that you need? 

    Sunday, September 6, 2020 10:01 PM
  • Hi,

    The share permission on ISO folder has "Everyone" - READ (default setting). The security permission on ISO folder has been inherited from the Drive.

    I changed the share permission to "Everyone" - FULL CONTROL.

    I am able to access the share but I am not able to access the built-in administrative share like C$ or D$.

    I turned off the Windows Firewall on both ends and I am able to access the share but not C$ or D$.

    It would be nice to have access to the administrative shares so that I can access any files that I want and move them as per my requirement (provides more flexibility). I am able to do this via Share and RDP way.


    Thanks, Rajiv Iyer


    • Edited by Rajiv IR Monday, September 7, 2020 5:28 AM
    Monday, September 7, 2020 5:27 AM
  • I changed the share permission to "Everyone" - FULL CONTROL.

    I am able to access the share but I am not able to access the built-in administrative share like C$ or D$.


    But I asked you to do this:  "Set the share permissions to only allow administrators access. That effectively makes it just like C$. Can you still access the share?" 

    I am trying to prove that the account that you are using is being recognized as an administrator.  

    Tuesday, September 8, 2020 2:19 AM
  • Hi,

    I set the share permission only to "Administrators" group and I was not able to access the shared folder. I then, explicitly added only "admin" user account which is part of administrators group and I was able to access the share. I tested this by creating another user account and the behavior is the same.


    Thanks, Rajiv Iyer

    Tuesday, September 8, 2020 7:21 AM
  • I set the share permission only to "Administrators" group and I was not able to access the shared folder. 

    That is consistent with the other tests that you have done. For whatever reason, the account that you are using is not being recognized as a member of the Administrators group. 

     I then, explicitly added only "admin" user account which is part of administrators group and I was able to access the share. I tested this by creating another user account and the behavior is the same.

    If that account was recognized as a member of the Administrators group, then it should be able to access the share without you having to add it to the share permissions. 

    This makes no sense.  

    I guess that the answer is.... don't use the admin (C$) shares. Just share out the folders that you need to remotely access.

    A few final thoughts... This machine is a member of a workgroup, correct? (The name of the workgroup should not matter.)

    If you RDP to the server with that new account and launch cmd.exe with "Run as administrator", Does whoami show that you are an administrator?

    whoami /groups > %temp%\groups.txt
    notepad %temp%\groups.txt
    

     


    Tuesday, September 8, 2020 3:10 PM
  • Hi,

    Yes it is strange that an account is not being recognized as part of Administrators group. I just want to highlight that during my test, only one object was part of the share permission (admin or administrators group).

    I captured the whoami results for admin user account. Below is the screenshot:

    The attributes for Administrators group specifies as deny only! In your case, it's different.


    Thanks, Rajiv Iyer

    Tuesday, September 8, 2020 5:27 PM
  • You didn't launch cmd.exe with "Run as administrator".  Note the different window titles. Mine says "Administrator: Command Prompt". 
    Tuesday, September 8, 2020 8:52 PM
  • Hi,

    I initially invoked the command prompt under run as administrator and then used "runas /admin cmd". Now I logged into computer using the admin user account credentials and have captured the output.


    Thanks, Rajiv Iyer

    Wednesday, September 9, 2020 3:50 AM
  • Can you access the administrative shares from the server itself?

    dir \\localhost\c$
    dir \\%computername%\c$

    I'm about out of ideas to help you. Have you looked through group policy to see if anything might apply?

    Or can you just share the folders that you need to access remotely? 

    Wednesday, September 9, 2020 3:40 PM
  • Hi,

    I ran the command you mentioned on the host machine which is on workgroup and I am able to list the files and folders.

    It's okay, by creating a shared folder it works for me. The only limitation I see is that if I want to copy or move any files, I always have to use the shared folder. With built-in administrative access I can easily access any files.


    Thanks, Rajiv Iyer

    Thursday, September 10, 2020 4:01 PM
  • Hi, 

    From a remote computer open up CMD.exe as an administrator and run the following command(s): 

    net use \\x.x.x.x\C$ /user:"<domain\username>" "<password>"

    *this should report back as "the command completed successfully" 

    -Repeat action for:

    net use \\x.x.x.x\IPC$ /user:"<domain\username>" "<password>"

    net use \\x.x.x.x\ADMIN$ /user:"<domain\username>" "<password>"

    each should come back with "the command completed successfully"

    *this basically confirms authentication is working and also that SMB isn't broken, next check privileges

    Run this command: 

    REG QUERY \\x.x.x.x\hklm

    this should report back the root of the HKLM registry hive (e.g. hardware, security, software, etc.). This will indicate that your privileges are correct. 

    If you continue to get errors go to the Windows Event Viewer on the system you're trying to remotely access,

    Navigate to:  Applications and Services > Microsoft > Windows > SMB Client > Operational and review any significant events tied to C$ access via SMB. I'd review each log in that directory just to play it safe.

    lastly, check your Firewall, Antivirus, HIPS products to make sure they aren't blocking the connection. 

    hope that helps! 



    • Edited by lane.wheeler Thursday, September 10, 2020 5:55 PM
    Thursday, September 10, 2020 5:51 PM
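The client-side procedure from the post above, collected into one script as an added example that is not part of the original thread. `$Target` and `$Credential` are assumed parameters supplied by the operator; it uses only the commands and the SMB client log named in this thread.

```powershell
# Added example, not code from the thread. Run from the client that gets "Access Denied".
param(
    [Parameter(Mandatory)] [string] $Target,            # assumption: name or IP of the machine exposing the shares
    [Parameter(Mandatory)] [pscredential] $Credential   # assumption: the account being tested
)

$started = Get-Date
$user    = $Credential.UserName
# net.exe needs the password as an argument, so it is briefly visible in the local process list.
$pass    = $Credential.GetNetworkCredential().Password

# Confirm TCP 445 is reachable before looking at permissions.
$tcp = Test-NetConnection -ComputerName $Target -CommonTCPPort SMB -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 445 on $Target is not reachable; fix connectivity first."
    return
}

# Try each built-in share with the same account and record the outcome.
$results = foreach ($share in 'IPC$', 'C$', 'ADMIN$') {
    $unc    = "\\$Target\$share"
    $output = & net.exe use $unc $pass "/user:$user" 2>&1
    [pscustomobject]@{
        Share    = $unc
        ExitCode = $LASTEXITCODE                 # 0 = "The command completed successfully."
        Message  = ($output | Out-String).Trim()
    }
}
$results | Format-Table -AutoSize -Wrap

# Privilege check from the post: list the root of the remote HKLM hive.
# A failure here can also mean the Remote Registry service is not running on the target.
$reg = & reg.exe query "\\$Target\HKLM" 2>&1
"REG QUERY exit code: $LASTEXITCODE"
($reg | Out-String).Trim()

# Remove the connections this script created.
foreach ($r in $results | Where-Object ExitCode -eq 0) {
    & net.exe use $r.Share /delete /y | Out-Null
}

# Show SMB client "failed to connect to the share" events logged during this run.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SmbClient/Security'
    Id        = 31010
    StartTime = $started
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

If IPC$ succeeds while C$ and ADMIN$ fail with the same account, authentication and the SMB path are working and the refusal is specific to the administrative shares.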
  • Hi,

    I am getting Access Denied error message in the Security log of SMB Client when I try to access the built-in admin shares and query the registry. I double checked and the account I am using to authenticate is part of the local admins group. 

    Below is the error:

    Log Name:      Microsoft-Windows-SmbClient/Security
    Source:        Microsoft-Windows-SMBClient
    Date:          9/13/2020 10:09:30 PM
    Event ID:      31010
    Task Category: None
    Level:         Error
    Keywords:      (256)
    User:          N/A
    Computer:      IRDEV
    Description:
    The SMB client failed to connect to the share.

    Error: {Access Denied}
    A process has requested access to an object, but has not been granted those access rights.

    Path: \192.168.1.3\c$

    Thanks, Rajiv Iyer

    Sunday, September 13, 2020 4:41 PM
  • What about from the host machine (IRPC) to the VM (IRDEV)?  Try using the name (\\irpc\c$ and \\irdev\c$) in addition to the IP address. 

    Did you build all of these machines or has someone else been playing around with registry and group policy settings?

    Can you share out the C drive with another name (like "C") and access it?

    • Edited by MotoX80 Sunday, September 13, 2020 10:26 PM
    Sunday, September 13, 2020 9:29 PM
  • I am able to access the administrative shares (using IP and hostname) of the VM from my host machine. I installed the VM using an ISO. 

    I shared the C drive of my host machine and I was able to access it from my VM. But, built-in admin share access still doesn't work.



    Thanks, Rajiv Iyer

    Tuesday, September 15, 2020 4:21 PM
  • I am able to access the administrative shares (using IP and hostname) of the VM from my host machine. I installed the VM using an ISO. 

    I shared the C drive of my host machine and I was able to access it from my VM. But, built-in admin share access still doesn't work.


    Then you or someone else who has access to the host machine must have changed something on it to disable/block the administrative shares. Have you examined Group Policy settings?   
    Tuesday, September 15, 2020 4:50 PM
  • The VM from which I am trying to connect is on workgroup. The VM is hosted on my personal computer and I am the only one who uses it. I checked the Group Policy on the VM and didn't find anything which might be causing the issue.

    I have opened all TCP and UDP (Inbound & Outbound) on the VM. I collected the Firewall Rules, Firewall Logs and Resultant GPO from both Host and VM. 

    I have uploaded the files here. You may find it for your reference.


    Thanks, Rajiv Iyer




    • Edited by Rajiv IR Wednesday, September 16, 2020 5:17 PM
    Wednesday, September 16, 2020 5:14 PM
  • Well if you can access any network share then the ports are open so it can't be a firewall problem. 

    I looked at Host-IRPC_GP.html but there's really nothing there. 

    Wednesday, September 16, 2020 10:46 PM