SMB on Windows 10 (and maybe 8.1)

 

Following on from my previous web page about SMB on Windows 7, this page has a look at SMB on Windows 10 - at first sight there didn't seem to be much to say about it, but after a little digging, I came to the conclusion it was worth a page.

But firstly, here is a recap of why I started to look at SMB - it starts off the same as the start of the previous web page, but then deviates.

Recently there has been a major worldwide attack by the creators of ransomware known as WannaCrypt, and it has had a major effect on numerous computer systems - however there seems to be a wide diversity of opinion about which versions of Windows were affected - it was exclusively Windows computers that were infected.

WannaCrypt has been very successful in propagating, because although it can be picked up by a computer through an email attachment, it is also a worm, so as well as attacking the individual computer, it can propagate across networks.

WannaCrypt propagates using a vulnerability in SMBv1, an early form of networking used by Microsoft to enable file and printer sharing in Windows 2000 and Windows XP.

SMBv1 lives on in later versions of Windows, including Windows 7, Windows 8, and Windows 10, because Microsoft have this obsession with making every new version of Windows backward compatible with every previous version of Windows.

Microsoft have issued patches for SMB to try and remove the vulnerability - even for Windows XP - so a fully patched computer should be immune to the worm - I haven't seen any comment as to whether a patched computer can still be infected by WannaCrypt via an email attachment.

However since SMBv1 is such an old protocol, not many people require it now, and if you are interested in hardening your computer then it is a good idea to disable it, especially if you are going to run Server and Workstation to interconnect with other computers running Windows 7 or later, and not to computers running Windows 2000 or Windows XP.

SMBv1 has been known to be buggy for a long time, so there may well be other vulnerabilities in it that either haven't been found, or have been found, and the information hasn't been made public.

The WannaCrypt outbreak started with a bang, and propagated around the world very quickly, however after a few days it died away a bit.

Now that the fire fighting is less intense, lots of people are coming away with lots of theories about it, one of them being Microsoft, who have climbed up onto their soapbox and are loudly complaining about various agencies hoarding vulnerabilities to use them surreptitiously.

Now Microsoft are shouting a bit too loudly, and are being a bit two-faced about this, and I wonder what they are trying to hide.

There are numerous websites that are saying that Windows 10 is not affected by the WannaCrypt malware, however that isn't the end of the story for two reasons - firstly there is information on the Microsoft website that Windows 10 most certainly is vulnerable until it is fully patched.

Secondly - by default, the file and printer sharing service on Windows 10 uses SMBv2 or SMBv3, depending on the capability of the other computer, that is the way the file sharing service is configured.

However, also by default, Windows 10 is running SMBv1 silently in the background, even though there are few signs that this is happening, and even though the file sharing service is not configured to use it.

So an unpatched Windows 10 may well be vulnerable to the WannaCrypt worm, or other worms that use the same propagation method.

There is also the question as to why Microsoft have set up Windows 10 so that by default it is running SMBv1 in the background, even though by default the file sharing service won't use it, and it is by no means trivial to get the file sharing service to fully use SMBv1, as it requires the use of the command line, registry hacks, and PowerShell.

However the fact that SMBv1 is running means that Windows 10 is open to vulnerabilities in SMBv1 - and also open to backdoors in SMBv1 if they exist.

Could be a very handy way for anyone who knows about it to get access onto a computer remotely without the owner knowing about it.

And if you are familiar with the amount of information that by default Microsoft pulls off every installation of Windows 10, it is fairly obvious that Microsoft have little regard for owners' or users' privacy.

 

SMBv1 and SMBv2 start-up

If you disable LanmanServer and LanmanWorkstation through the services GUI so that file and printer sharing are now completely disabled, then SMBv2 stops as well - as you would expect.

However SMBv1 does not stop - it is still running.

As far as I can see, both mrxsmb10 and mrxsmb20 are started in the same way, however in the registry their Start DWORDs have different values, so that mrxsmb10 will always start automatically, whatever the state of LanmanServer and LanmanWorkstation, and even though the file sharing service is not configured to use SMBv1.

Does it mean that mrxsmb10.sys has some function quite apart from its stated association with file and printer sharing, and Microsoft wants it running even though file and printer sharing has been disabled?
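One way to check this start-up behaviour on a given machine, as an added example that is not part of the original page: it reads the Start value of mrxsmb10 and mrxsmb20 and compares the running state of each driver with LanmanServer and LanmanWorkstation. It is read-only; the function names are hypothetical, and the registry location HKLM\SYSTEM\CurrentControlSet\Services is assumed to be the one meant above.

```powershell
# Added example (not from the original page): report how the SMB drivers start.
# Standard meaning of a service/driver Start DWORD.
$startMeaning = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'   # assumed location

function Get-SmbDriverStartup {
    foreach ($name in 'mrxsmb10', 'mrxsmb20') {
        $key = Join-Path $svcRoot $name
        if (-not (Test-Path $key)) {
            # Key is absent, e.g. after SMBv1 has been removed.
            [pscustomobject]@{ Driver = $name; Start = $null; StartType = 'Not installed'
                               State = $null; DependsOn = $null }
            continue
        }
        $props = Get-ItemProperty -Path $key
        $drv   = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'"
        [pscustomobject]@{
            Driver    = $name
            Start     = $props.Start
            StartType = if ($null -ne $props.Start) { $startMeaning[[int]$props.Start] }
            State     = $drv.State        # Running / Stopped as seen by the kernel
            DependsOn = ($props.DependOnService -join ', ')
        }
    }
}

function Get-SmbServiceState {
    Get-Service -Name LanmanServer, LanmanWorkstation |
        Select-Object Name, Status, StartType,
            @{ n = 'DependsOn'; e = { $_.ServicesDependedOn.Name -join ', ' } }
}

$drivers  = Get-SmbDriverStartup
$services = Get-SmbServiceState
$drivers  | Format-Table -AutoSize
$services | Format-Table -AutoSize

# Flag the situation described above: the SMBv1 driver is loaded
# although neither file-sharing service is running.
$v1        = $drivers | Where-Object Driver -eq 'mrxsmb10'
$sharingUp = @($services | Where-Object Status -eq 'Running').Count -gt 0
if ($v1.State -eq 'Running' -and -not $sharingUp) {
    Write-Warning 'mrxsmb10 is running although LanmanServer and LanmanWorkstation are stopped.'
}
```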

 

Eliminating SMBv1 from Windows 10

Fortunately Microsoft have made it very easy to get rid of SMBv1 entirely - go to

Job done !

This simple process reconfigures Windows and deletes the mrxsmb10.sys file from C:/Windows/System32/drivers/.
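A command-line way to do the same removal and confirm the result, added here as an example and not part of the original page: it assumes the optional feature name SMB1Protocol, which is how "SMB 1.0/CIFS File Sharing Support" is exposed to PowerShell, and it checks for the driver file in the drivers folder named above. The function names are hypothetical; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original page): remove SMBv1 and verify it is gone.
# Nothing is changed unless -Apply is given.
function Get-Smb1State {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $driver  = Join-Path $env:SystemRoot 'System32\drivers\mrxsmb10.sys'
    $server  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureState      = $feature.State          # Enabled, Disabled, DisablePending ...
        DriverFilePresent = Test-Path $driver
        ServiceKeyPresent = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
        ServerAcceptsSmb1 = $server.EnableSMB1Protocol   # server side of file sharing
    }
}

function Remove-Smb1 {
    param([switch]$Apply)

    $before = Get-Smb1State
    if ("$($before.FeatureState)" -like 'Disabled*' -and -not $before.DriverFilePresent) {
        Write-Host 'SMBv1 is already removed.'
        return $before
    }
    if (-not $Apply) {
        Write-Host 'Audit only. Re-run with -Apply to remove SMBv1.'
        return $before
    }

    $result = Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    if ($result.RestartNeeded) {
        Write-Warning 'Restart required; run Get-Smb1State again afterwards.'
    }
    Get-Smb1State
}

Remove-Smb1            # audit; use "Remove-Smb1 -Apply" to make the change
```

After the restart, Get-Smb1State should report the feature as Disabled and DriverFilePresent as False if the removal behaved as described above.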

 

Windows 8.1

Some or all of the above may also apply to Windows 8.1 (not Windows 8) - however since I have sometimes used my Windows 8.1 laptop on some public Wi-Fi and data networks that I know nothing about, I have it very tightly screwed down, and can't say with any certainty what the default state of Windows 8.1 is.

However if I enable "SMB 1.0/CIFS File Sharing Support" as above (it works the same way) then it appears that again SMBv1 is running silently in the background even though the file sharing service is not configured to use it.

So as with Windows 7 and with Windows 10, it is worth getting rid of SMBv1 if you don't really need it.

And remember, you only need SMBv1 if you want to interconnect with Windows 2000 or Windows XP - you should not need SMBv1 if you want to interconnect to Windows 7, Windows 8.1, or Windows 10.

 

Disclaimer

The usual disclaimer applies - this all works on my computers, but I can give no guarantee that it will work on your computer(s), and you make these changes to your computer(s) entirely at your own risk.

 

 

 

 

 


 

© 2024   Ron Turner

 
