1.    20 Aug 2016 #1
    Join Date : Apr 2016
    Posts : 116
    Windows 10 Professional x64

    The netsh createalluserprofile parameter is writeable by any user


    Yet another MS security wonder ?

    I just connected to a wifi hotspot from a non-admin account on my laptop. Since it was only for testing purposes and with no intent of using it in the future, I decided to delete the wireless network profile once I've finished using it.

    Most importantly, the createalluserprofile parameter is set to enabled=no. As far as I know, it means disabled.

    So I begin the process :

    Code:
    netsh...
    wlan...
    show profiles...
    WHAT ? I see the profile corresponding to the hotspot has been created as an all users profile. Seriously ? Isn't the createalluserprofile parameter supposed to give the option to restrict this to administrators only ? Hence I wasn't much surprised when I noticed I was able to delete said profile without admin rights.

    It seems that making our PCs look like tablet computers is not enough, we get tablet grade security too. Amazing, in some sense !

    So. Is there any way left to achieve this now, or is it gone forever ?
      My ComputerSystem Spec
  2.    20 Aug 2016 #2
    Join Date : Sep 2014
    Nashville, TN
    Posts : 3,143
    Windows 10 Pro

    Where did you find that createalluserprofile is defaulted to no?
      My ComputerSystem Spec
  3.    20 Aug 2016 #3
    Join Date : Oct 2013
    NW Florida
    Posts : 9,246
    Windows 10 Enterprise and Pro/Windows 7 Enterprise/Linux Mint

    Code:
    Applies To: Windows Server 2008, Windows Vista
    
    Syntax
    
    
    set createalluserprofile enabled={yes|no}
    
    
    Parameters
    
    
    EnabledRequired. Specifies whether all computer users are allowed to create all user profiles.
    
    Remarks
    
    
    
    If enabled is set to yes, then every user is allowed to create all user profiles. If enabled is set to no, then only users with administrator permissions are allowed to create all user profiles.
    Netsh Commands for Wireless Local Area Network (WLAN) in Windows Server 2008
      My ComputersSystem Spec
  4.    20 Aug 2016 #4
    Join Date : Sep 2014
    Nashville, TN
    Posts : 3,143
    Windows 10 Pro

    Quote Originally Posted by essenbe View Post
    Netsh Commands for Wireless Local Area Network (WLAN) in Windows Server 2008
    I think we're aware of that, I'm not sure what your point is. I don't see where it says anything about a default setting.
      My ComputerSystem Spec
  5.    21 Aug 2016 #5
    Join Date : Apr 2016
    Posts : 116
    Windows 10 Professional x64
    Thread Starter

    Quote Originally Posted by Mystere View Post
    Where did you find that createalluserprofile is defaulted to no?
    Where did I say it defaults to no ? I know it doesn't, I had it explicitly set to no by my humble self a long time ago, and it was (and is) still set to that value.
    @essenbe : I'm not sure to catch the point of your post. Are you suggesting it applies to WS2008 and Vista only ? It used to work in W8, I checked back in the day but not since I upgraded to 10. And anyway, if the option is deprecated, there should be some on-context notification at the very least. None here, I checked...
      My ComputerSystem Spec
  6.    21 Aug 2016 #6
    Join Date : Sep 2014
    Nashville, TN
    Posts : 3,143
    Windows 10 Pro

    Well, it's not clear what you're asking then. What do you see when you type netsh wlan show createalluserprofile?

    You should also know that this change will not affect profiles already created as all user..
      My ComputerSystem Spec
  7.    21 Aug 2016 #7
    Join Date : Apr 2016
    Posts : 116
    Windows 10 Professional x64
    Thread Starter

    Code:
    C:\Users\Olivier>netsh wla sho cre
    
    Tout le monde n'est pas autorisé à créer le profil des utilisateurs.
    Which means « Not everybody is authorised to create the users' profile ». A bad translation indeed, but I'm used to bad translations here and there in Windows...

    I know that previously existing profiles won't be affected.

    What I want is that system-wide wireless profiles are protected from unauthorised tampering such as change, deletion or adding another system-wide wireless profile. That's what setting createalluserprofile enabled=no used to do in W8, now it's ineffective.

    IIRC there's a way to define wireless profiles by policy, maybe these would still be protected, I will have to check this again. Other advices are welcome !
      My ComputerSystem Spec
  8.    21 Aug 2016 #8
    Join Date : Sep 2014
    Nashville, TN
    Posts : 3,143
    Windows 10 Pro

    In English it says the same thing, so it's not really a bad translation.
      My ComputerSystem Spec
  9.    22 Aug 2016 #9
    Join Date : Apr 2016
    Posts : 116
    Windows 10 Professional x64
    Thread Starter

    Strange, as it should be "Not everybody is authorised to create all users profiles". I thought it would be stated correctly in the original language at least !

    Anyway, I will come back here as I try alternate solutions...

    EDIT : Well I'm coming back here, since I didn't see the option to create network profiles by policy, it seems absent from local computer policy (don't confuse with "Network List Manager Policies", it's different).

    As a side note, if people are interested I can post another long standing security problem in Windows that's permitting any user to view another user's complete file hierarchy (all file names, not contents), no matter what the NTFS ACLs are. I find this one very interesting, as it points out imho the complete lack of a real vision of information security.

    But here is the trick, precisely : most Windows users really don't care or will always find excuses.
    Last edited by NovHak; 23 Aug 2016 at 08:41.
      My ComputerSystem Spec

 


Similar Threads
Thread Forum
NETSH behaviour changed in Windows 10. Not giving error when it should
I found information to use to connect to a Wifi using the netsh command line. http://www.hanselman.com/blog/HowToConnectToAWirelessWIFINetworkFromTheCommandLineInWindows7.aspx I used this command to connect to Wifi and this SSID is not at my...
Network and Sharing
What does netsh winsock reset does and why it fixes Google Chrome?
Hello, Every month or so comes a time where Google Chrome will stop working, I had a post about it here but no solution was found, until I found a video that shows that you need to run a netsh winsock reset in the command prompt, and it worked ...
Network and Sharing
Solved 100% HD Drive Usage when inserting writeable CDR, DVDR
Hi All, I have been building my own machines for as long as I can remember and since upgrading to Windows 10 last year all was fine until I tried burning a few disk to archive. Problem: When inserting any writeable DVD-R, CD-R, or BR-R into...
Drivers and Hardware
Disk Drive Issue when inserting writeable CDR, DVDR
New post added.
Drivers and Hardware
Solved Get insider builds - Incorrect parameter
This popped up after I d/l 10158, under settings, advanced options, notice that my microsoft account requires attention to get insider builds, FIX ME says that I could not sign in, parameter is incorrect. I am downloading 10159 at present. What...
Windows Insider
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 05:04.
Find Us
Twitter Facebook Google+ Ten Forums iOS App Ten Forums Android App



Windows 10 Forums