The netsh createalluserprofile parameter is writeable by any user


  1. Posts : 165
    Windows 10 Professional x64
       #1

    Yet another MS security wonder?

    I just connected to a wifi hotspot from a non-admin account on my laptop. Since it was only for testing purposes and with no intent of using it in the future, I decided to delete the wireless network profile once I'd finished using it.

    Most importantly, the createalluserprofile parameter is set to enabled=no. As far as I know, it means disabled.

    So I begin the process:

    Code:
    netsh...
    wlan...
    show profiles...
    WHAT? I see the profile corresponding to the hotspot has been created as an all users profile. Seriously? Isn't the createalluserprofile parameter supposed to give the option to restrict this to administrators only? Hence I wasn't much surprised when I noticed I was able to delete said profile without admin rights.

    It seems that making our PCs look like tablet computers is not enough, we get tablet grade security too. Amazing, in some sense!

    So. Is there any way left to achieve this now, or is it gone forever?


  2. Posts : 3,257
    Windows 10 Pro
       #2

    Where did you find that createalluserprofile is defaulted to no?


  3. Posts : 12,801
    Windows 11 Pro
       #3

    Code:
    Applies To: Windows Server 2008, Windows Vista
    
    Syntax
    
    
    set createalluserprofile enabled={yes|no}
    
    
    Parameters
    
    
    enabled    Required. Specifies whether all computer users are allowed to create all user profiles.
    
    Remarks
    
    
    
    If enabled is set to yes, then every user is allowed to create all user profiles. If enabled is set to no, then only users with administrator permissions are allowed to create all user profiles.
    Netsh Commands for Wireless Local Area Network (WLAN) in Windows Server 2008


  4. Posts : 3,257
    Windows 10 Pro
       #4

    essenbe said:
    Netsh Commands for Wireless Local Area Network (WLAN) in Windows Server 2008
    I think we're aware of that, I'm not sure what your point is. I don't see where it says anything about a default setting.


  5. Posts : 165
    Windows 10 Professional x64
    Thread Starter
       #5

    Mystere said:
    Where did you find that createalluserprofile is defaulted to no?
    Where did I say it defaults to no? I know it doesn't, I had it explicitly set to no by my humble self a long time ago, and it was (and is) still set to that value.
    @essenbe: I'm not sure I catch the point of your post. Are you suggesting it applies to WS2008 and Vista only? It used to work in W8, I checked back in the day but not since I upgraded to 10. And anyway, if the option is deprecated, there should be some on-context notification at the very least. None here, I checked...


  6. Posts : 3,257
    Windows 10 Pro
       #6

    Well, it's not clear what you're asking then. What do you see when you type netsh wlan show createalluserprofile?

    You should also know that this change will not affect profiles already created as all user.


  7. Posts : 165
    Windows 10 Professional x64
    Thread Starter
       #7

    Code:
    C:\Users\Olivier>netsh wla sho cre
    
    Tout le monde n'est pas autorisé à créer le profil des utilisateurs.
    Which means "Not everybody is authorised to create the users' profile". A bad translation indeed, but I'm used to bad translations here and there in Windows...

    I know that previously existing profiles won't be affected.

    What I want is that system-wide wireless profiles are protected from unauthorised tampering such as change, deletion or adding another system-wide wireless profile. That's what setting createalluserprofile enabled=no used to do in W8, now it's ineffective.

    IIRC there's a way to define wireless profiles by policy, maybe these would still be protected, I will have to check this again. Other advice is welcome!


  8. Posts : 3,257
    Windows 10 Pro
       #8

    In English it says the same thing, so it's not really a bad translation.


  9. Posts : 165
    Windows 10 Professional x64
    Thread Starter
       #9

    Strange, as it should be "Not everybody is authorised to create all users profiles". I thought it would be stated correctly in the original language at least!

    Anyway, I will come back here as I try alternate solutions...

    EDIT: Well I'm coming back here, since I didn't see the option to create network profiles by policy, it seems absent from local computer policy (don't confuse with "Network List Manager Policies", it's different).

    As a side note, if people are interested I can post another long-standing security problem in Windows that's permitting any user to view another user's complete file hierarchy (all file names, not contents), no matter what the NTFS ACLs are. I find this one very interesting, as it points out imho the complete lack of a real vision of information security.

    But here is the trick, precisely: most Windows users really don't care or will always find excuses.
    Last edited by NovHak; 23 Aug 2016 at 08:41.
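
Added example, not part of any post in this thread: a PowerShell check for the tampering described in post #7, comparing the all-user WLAN profiles reported by `netsh wlan show profiles` against an allow-list and reporting both unexpected additions and missing entries. The allow-list `$Approved`, the profile names and the sample output are constructed, and the label matching assumes English-locale netsh output.

```powershell
# Added example (not from the thread): flag drift in system-wide WLAN profiles.
# Assumptions: English-locale netsh labels; $Approved is a hypothetical allow-list.
$Live     = $false          # set to $true to audit the running system
$Approved = @('CorpWiFi')   # hypothetical: all-user profiles provisioned by an admin

# Constructed sample modelled on `netsh wlan show profiles` output (English locale).
$sample = @'
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : CorpWiFi
    All User Profile     : TestHotspot
    Current User Profile : HomeNet
'@ -split "`r?`n"

function Get-WlanProfileScope {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Label text is localized; this pattern only matches English output.
        if ($line -match '^\s*(All|Current) User Profile\s*:\s*(.+?)\s*$') {
            [pscustomobject]@{
                Name  = $Matches[2]
                Scope = if ($Matches[1] -eq 'All') { 'AllUsers' } else { 'CurrentUser' }
            }
        }
    }
}

$lines    = if ($Live) { netsh wlan show profiles } else { $sample }
$allUsers = @(Get-WlanProfileScope -Lines $lines | Where-Object Scope -eq 'AllUsers')

# All-user profiles nobody approved (what the first post observed after joining a hotspot).
$unexpected = @($allUsers | Where-Object { $_.Name -notin $Approved })
# Approved profiles that have disappeared (for example, deleted from a non-admin account).
$missing    = @($Approved | Where-Object { $_ -notin $allUsers.Name })

[pscustomobject]@{
    UnexpectedAllUserProfiles = $unexpected.Name -join ', '
    MissingApprovedProfiles   = $missing -join ', '
}
```

With the constructed sample, the report lists `TestHotspot` as unexpected and nothing as missing. Run from a scheduled task under a standard account, the same comparison shows whether `createalluserprofile enabled=no` is actually being honoured on a given build.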