Share via

Enabling SMB guest access via registry breaks the Workstation service beyond repair

Bajt, Branimir 20 Reputation points
2023-12-14T17:28:11.5266667+00:00

In effort to enable insecure guest access for SMB via powershell script on Windows Server 2022, I've followed steps recommended in this article : https://learn.microsoft.com/en-US/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

There are two ways of setting insecure guest access for SMB :

  • via Group Policy (manual setup, this seems to work fine)
  • via Windows Registry entries (problematic one!)

As I'm doing automated setup, I've used powershell to execute registry entry config as explained in aforementioned web page :

To set the value without using Group Policy, set the following DWORD registry value to 1 (insecure guest auth enabled) or 0 (insecure guest auth disabled):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters

*AllowInsecureGuestAuth
*
However, after executing this config and after OS restarts, Workstation service is not able to start any more. Exception being thrown is : Windows could not start the Workstation service on Local Computer. Error 2: The System cannot find the file specified.

There is no way, at least I was not able to find one, to undo this. How can one fix this and make this setting automated? Re-installing Windows OS and applying the setting manually is only way to fix this.

Windows for business Windows Server User experience Other
Accepted answer
  1. MotoX80 36,291 Reputation points
    2023-12-14T18:48:35.54+00:00

    I've used powershell to execute registry entry config as explained in aforementioned web page :

    Can you share the command that you ran?

    Did you specify a REG_DWORD type?

    (From Win10 VM.)

    C:\>reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    EnablePlainTextPassword    REG_DWORD    0x0
    EnableSecuritySignature    REG_DWORD    0x1
    RequireSecuritySignature    REG_DWORD    0x0
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\wkssvc.dll
    ServiceDllUnloadOnStop    REG_DWORD    0x1
    AllowInsecureGuestAuth    REG_DWORD    0x1

    I ran this.

    reg.exe add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters /v AllowInsecureGuestAuth /t REG_DWORD /d 1
    1 person found this answer helpful.
    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Bajt, Branimir 20 Reputation points
    2023-12-15T09:36:19.0166667+00:00

    I've used this two commands : 

        New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -force -ErrorAction SilentlyContinue
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name AllowInsecureGuestAuth -Value "1" -Type DWORD -force

    First one checks the Parameters Item/Path, second one adds a DWORD AllowInsecureGuestAuth key with value set to 1.

    Btw. when I execute :
    **reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    **
    I'm getting only this : 

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    AllowInsecureGuestAuth    REG_DWORD    0x1

    ... I don't see any other parameters.

    Furthermore, if you do a config using Local Group Policy Editor :

    *1. Open the Local Group Policy Editor (gpedit.msc) on your Windows device.
    2. In the console tree, select Computer Configuration > Administrative Templates > Network > Lanman Workstation.
    3. For the setting, right-click Enable insecure guest logons and select Edit.
    4.Select Enabled > OK.

    For monitoring and inventory purposes, this group policy sets the following DWORD registry value to 1 (insecure guest auth enabled) or 0 (insecure guest auth disabled):*
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LanmanWorkstation\
    AllowInsecureGuestAuth

    ... but, there are no visible entries added to that specific registry path when you do this. Nevertheless, it works.

  2. Anonymous
    2023-12-18T02:27:29.1333333+00:00

    Hi,

    Modifying the registry can cause serious problems if not done correctly. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.

    How to back up and restore the registry in Windows - Microsoft Support

    PC resetting and startup repair are worth having a try.

    Reference: “Recovery options in Windows” for step-by-step formation:

    Recovery options in Windows - Microsoft Support

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.