Hello,
I recently came across an incident where I need to find information about the shared folders of the Windows 2008 server system. Unfortunately I couldn't convert it to a VM, so that option is gone.
Googling around a bit, I understood that we could find out the shared folders from the below Registry key.
SYSTEM\Controlset2\Services\LanmanServer\Shares
But how could I learn which permissions have been set on the shared folder?
Was it restricted for particular user? Read write permission or everyone group access?
How could I find out that?
SYSTEM\Controlset2\Services\LanmanServer\Shares\permissions key holds registry binary data which I couldn't understand. Is there a way to achieve this objective?
ControlSet2? 😯
Normally you have a ControlSet001 and a ControlSet002 and a CurrentControlSet which is a copy (actually a hardlink) to either of them; which one is the "source" of CurrentControlSet is in the \System\Select key.
Additionally, are you sure that you have a \Services\LanmanServer\Shares\permissions hive?
Should be \services\LanmanServer\Shares\Security
You can set up a "dummy" machine and export/re-merge the relevant keys
https://
https://
jaclaz
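As an offline alternative to re-merging, the binary data can be decoded directly. The following is an added example, not code from any poster in this thread. It assumes each value under Shares\Security is a REG_BINARY self-relative security descriptor whose bytes have already been extracted with a registry tool; the function names and the sample descriptor are constructed for illustration.

```python
import struct

# Access masks commonly seen for the three share permission levels.
RIGHTS = {0x001200A9: "Read", 0x001301BF: "Change", 0x001F01FF: "Full Control"}
ACE_TYPES = {0: "Allow", 1: "Deny"}  # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_share_dacl(sd):
    """Return [(ace_type, sid, rights)] from a self-relative security descriptor."""
    rev, _, control, _, _, _, dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000:        # SE_SELF_RELATIVE must be set
        raise ValueError("not a self-relative security descriptor")
    if not control & 0x0004 or dacl == 0:       # no DACL present, or NULL DACL
        return None                             # access is unrestricted at share level
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl)
    aces, off = [], dacl + 8
    for _ in range(ace_count):
        ace_type, _, size = struct.unpack_from("<BBH", sd, off)
        if size < 16 or off + size > dacl + acl_size:
            raise ValueError("corrupt ACE at offset %d" % off)
        if ace_type in ACE_TYPES:               # other ACE types are skipped
            mask, = struct.unpack_from("<I", sd, off + 4)
            aces.append((ACE_TYPES[ace_type], parse_sid(sd, off + 8),
                         RIGHTS.get(mask, "0x%08X" % mask)))
        off += size
    return aces

# --- constructed sample descriptor, not taken from the server in this thread ---
def _sid(authority, *subs):
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def _ace(ace_type, mask, sid):
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid

_ACES = _ace(0, 0x001200A9, _sid(1, 0)) + _ace(0, 0x001F01FF, _sid(5, 32, 544))
SAMPLE_SD = (struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20)
             + struct.pack("<BBHHH", 2, 0, 8 + len(_ACES), 2, 0) + _ACES)

if __name__ == "__main__":
    for ace in parse_share_dacl(SAMPLE_SD):
        print(*ace)
```

S-1-1-0 is the Everyone group and S-1-5-32-544 is BUILTIN\Administrators; domain or local account SIDs still have to be mapped to names from the SAM or the directory.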
Hi Jaclaz,
Thanks for the reply. I'm sorry. I typed the registry paths as remembered since I didn't have access to them at the time of posting.
I chose "ControlSet002" over "ControlSet001" because I thought "ControlSet002" to be the configuration which was used in the last boot. However, according to
And I tried to do a re-merge and it didn't work. I'm investigating a "Windows 2008 server" and I merged the "HKLM\ControlSet002\Services\LanmanServer\Shares" to a "Windows 7" machine registry entry "HKLM\CurrentControlSet\Services\LanmanServer\Shares".
There were several share folders listed on the Win2008 machine while I only had one similar share on the Windows 7 machine. I thought merging would change the permission of the share folder on the Win7 machine. But it didn't work.
What should I do next?
Do I have to have the same user set as the Win2008 machine?
Do I have to have all the shares which were available in Win2008?
I'll run these test cases and will let you know if I succeed. Please tell me if I'm doing anything wrong.
Thanks again Jaclaz
I chose "ControlSet002" over "ControlSet001" because I thought "ControlSet002" to be the configuration which was used in the last boot. However, according to
kb100010, when I do an investigation, I should pick ControlSet001 right?
Not really-really, you choose the appropriate one
http//
😉
depending on contents of "Select" key.
As said "normally" (and in - say - 99% of cases) you have only ControlSet001 and ControlSet002 but machines/installs exist where there are many such sets (I have seen up to ControlSet012 or 013, and I have seen reports of up to ControlSet025).
Cannot say about the (failed) merging, you should have a new install of Server 2008, 7 is newer and possibly something changed, the mentioned KB is only up to 2008
https://
even if the good MS guys tend to always reuse the same (good ol') code from NT 3.1-4 (circa 1993/4), sometimes they do change something…
jaclaz
Dear Jaclaz,
Thanks a lot for guiding me through this. Learned about selecting the correct control set by using "select" key and was able to restore the shares in a new Windows 2008 virtual machine.
The issue was with the way I exported the registry keys from my victim's computer. I used Eric Zimmerman's Registry Explorer and I think the Windows registry doesn't like the comments in the exported file of "Registry Explorer" and did not accept it when I tried to import. But it worked fine when I removed the comments.
Thanks a lot again. You saved my day.
glad you got it working.
if you can share the file that Registry Explorer generated that Windows didn't like i will see what i can do to fix it. the comments should be ignored by Windows when importing