Windows 10: The netsh createalluserprofile parameter is writeable by any user

  1. Posts : 121
    Windows 10 Professional x64
       20 Aug 2016 #1

    The netsh createalluserprofile parameter is writeable by any user

    Yet another MS security wonder ?

    I just connected to a wifi hotspot from a non-admin account on my laptop. Since it was only for testing purposes and with no intent of using it in the future, I decided to delete the wireless network profile once I've finished using it.

    Most importantly, the createalluserprofile parameter is set to enabled=no. As far as I know, it means disabled.

    So I begin the process :

    show profiles...
    WHAT ? I see the profile corresponding to the hotspot has been created as an all users profile. Seriously ? Isn't the createalluserprofile parameter supposed to give the option to restrict this to administrators only ? Hence I wasn't much surprised when I noticed I was able to delete said profile without admin rights.

    It seems that making our PCs look like tablet computers is not enough, we get tablet grade security too. Amazing, in some sense !

    So. Is there any way left to achieve this now, or is it gone forever ?
      My ComputerSystem Spec

  2.    20 Aug 2016 #2

    Where did you find that createalluserprofile is defaulted to no?
      My ComputerSystem Spec

  3. Posts : 10,819
    Windows 10 Pro and Windows 10 Pro Insider
       20 Aug 2016 #3

    Applies To: Windows Server 2008, Windows Vista
    set createalluserprofile enabled={yes|no}
    EnabledRequired. Specifies whether all computer users are allowed to create all user profiles.
    If enabled is set to yes, then every user is allowed to create all user profiles. If enabled is set to no, then only users with administrator permissions are allowed to create all user profiles.
    Netsh Commands for Wireless Local Area Network (WLAN) in Windows Server 2008
      My ComputersSystem Spec

  4.    20 Aug 2016 #4

    essenbe said: View Post
    Netsh Commands for Wireless Local Area Network (WLAN) in Windows Server 2008
    I think we're aware of that, I'm not sure what your point is. I don't see where it says anything about a default setting.
      My ComputerSystem Spec

  5. Posts : 121
    Windows 10 Professional x64
    Thread Starter
       21 Aug 2016 #5

    Mystere said: View Post
    Where did you find that createalluserprofile is defaulted to no?
    Where did I say it defaults to no ? I know it doesn't, I had it explicitly set to no by my humble self a long time ago, and it was (and is) still set to that value.
    @essenbe : I'm not sure to catch the point of your post. Are you suggesting it applies to WS2008 and Vista only ? It used to work in W8, I checked back in the day but not since I upgraded to 10. And anyway, if the option is deprecated, there should be some on-context notification at the very least. None here, I checked...
      My ComputerSystem Spec

  6.    21 Aug 2016 #6

    Well, it's not clear what you're asking then. What do you see when you type netsh wlan show createalluserprofile?

    You should also know that this change will not affect profiles already created as all user..
      My ComputerSystem Spec

  7. Posts : 121
    Windows 10 Professional x64
    Thread Starter
       21 Aug 2016 #7

    C:\Users\Olivier>netsh wla sho cre
    Tout le monde n'est pas autorisé à créer le profil des utilisateurs.
    Which means « Not everybody is authorised to create the users' profile ». A bad translation indeed, but I'm used to bad translations here and there in Windows...

    I know that previously existing profiles won't be affected.

    What I want is that system-wide wireless profiles are protected from unauthorised tampering such as change, deletion or adding another system-wide wireless profile. That's what setting createalluserprofile enabled=no used to do in W8, now it's ineffective.

    IIRC there's a way to define wireless profiles by policy, maybe these would still be protected, I will have to check this again. Other advices are welcome !
      My ComputerSystem Spec

  •    21 Aug 2016 #8

    In English it says the same thing, so it's not really a bad translation.
      My ComputerSystem Spec

  • Posts : 121
    Windows 10 Professional x64
    Thread Starter
       22 Aug 2016 #9

    Strange, as it should be "Not everybody is authorised to create all users profiles". I thought it would be stated correctly in the original language at least !

    Anyway, I will come back here as I try alternate solutions...

    EDIT : Well I'm coming back here, since I didn't see the option to create network profiles by policy, it seems absent from local computer policy (don't confuse with "Network List Manager Policies", it's different).

    As a side note, if people are interested I can post another long standing security problem in Windows that's permitting any user to view another user's complete file hierarchy (all file names, not contents), no matter what the NTFS ACLs are. I find this one very interesting, as it points out imho the complete lack of a real vision of information security.

    But here is the trick, precisely : most Windows users really don't care or will always find excuses.
    Last edited by NovHak; 23 Aug 2016 at 08:41.
      My ComputerSystem Spec


    Related Threads
    I found information to use to connect to a Wifi using the netsh command line. I used this command to connect to Wifi and this SSID is not at my...
    Hello, Every month or so comes a time where Google Chrome will stop working, I had a post about it here but no solution was found, until I found a video that shows that you need to run a netsh winsock reset in the command prompt, and it worked ...
    Hi All, I have been building my own machines for as long as I can remember and since upgrading to Windows 10 last year all was fine until I tried burning a few disk to archive. Problem: When inserting any writeable DVD-R, CD-R, or BR-R into...
    New post added.
    This popped up after I d/l 10158, under settings, advanced options, notice that my microsoft account requires attention to get insider builds, FIX ME says that I could not sign in, parameter is incorrect. I am downloading 10159 at present. What...
    Our Sites
    Site Links
    About Us
    Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

    © Designer Media Ltd
    All times are GMT -5. The time now is 01:56.
    Find Us