Windows 10: The netsh createalluserprofile parameter is writeable by any user

Yet another MS security wonder ?

I just connected to a wifi hotspot from a non-admin account on my laptop. Since it was only for testing purposes and with no intent of using it in the future, I decided to delete the wireless network profile once I've finished using it.

Most importantly, the createalluserprofile parameter is set to enabled=no. As far as I know, it means disabled.

So I begin the process :

Code: netsh... wlan... show profiles...[/quote] WHAT ? I see the profile corresponding to the hotspot has been created as an all users profile. Seriously ? Isn't the createalluserprofile parameter supposed to give the option to restrict this to administrators only ? Hence I wasn't much surprised when I noticed I was able to delete said profile without admin rights.

It seems that making our PCs look like tablet computers is not enough, we get tablet grade security too. Amazing, in some sense !

So. Is there any way left to achieve this now, or is it gone forever ?

:)

 

Windows 10 Teredo Pseudo Tunnelling.

I can not get teredo tunelling to work correctly on my computer, this means i am unable to use any of the xbox app online features.

The adapter does not show up in device manager, even with hidden devices shown, the readout of "netsh int teredo show state" is as follows:

C:\Users\liamj>netsh int teredo show state

Teredo Parameters

---------------------------------------------

Type : client

Server Name : win10.ipv6.microsoft.com

Client Refresh Interval : 30 seconds

Client Port : unspecified

C:\Users\liamj>

Peer Networking Grouping runs automatically and is working, as is PNRP Machine Name Publication Service.

Computer/HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
Disabled Components is set to value 0

Any and every attempt I've made to fix this issue following advice both on microsofts own support pages and other outlets has thus far been fruitless, any help would be greatly appreciated.

Cheers,

 

"The parameter is incorrect." Can't access any programs.

All of my desktop icons and the font look like they are zoomed in. On top of that, I'm unable to access anything-- I can't open anything in the start menu and the task bar has been completely cleared. When I try to open something from the start menu like
control panel, I get the error message "The parameter is incorrect" under a line that states the location of the control panel in my files. Is this a virus? Or is it an issue with Windows 10? Should I use system restore if I can?

 

Where did you find that createalluserprofile is defaulted to no?

 

Code: Applies To: Windows Server 2008, Windows Vista Syntax set createalluserprofile enabled={yes|no} Parameters EnabledRequired. Specifies whether all computer users are allowed to create all user profiles. Remarks If enabled is set to yes, then every user is allowed to create all user profiles. If enabled is set to no, then only users with administrator permissions are allowed to create all user profiles.[/quote] Netsh Commands for Wireless Local Area Network (WLAN) in Windows Server 2008

 

I think we're aware of that, I'm not sure what your point is. I don't see where it says anything about a default setting.

 

Where did I say it defaults to no ? I know it doesn't, I had it explicitly set to no by my humble self a long time ago, and it was (and is) still set to that value.
@essenbe : I'm not sure to catch the point of your post. Are you suggesting it applies to WS2008 and Vista only ? It used to work in W8, I checked back in the day but not since I upgraded to 10. And anyway, if the option is deprecated, there should be some on-context notification at the very least. None here, I checked...

 

Well, it's not clear what you're asking then. What do you see when you type netsh wlan show createalluserprofile?

You should also know that this change will not affect profiles already created as all user..

 

Code: C:\Users\Olivier>netsh wla sho cre Tout le monde n'est pas autorisé créer le profil des utilisateurs.[/quote] Which means « Not everybody is authorised to create the users' profile ». A bad translation indeed, but I'm used to bad translations here and there in Windows...

I know that previously existing profiles won't be affected.

What I want is that system-wide wireless profiles are protected from unauthorised tampering such as change, deletion or adding another system-wide wireless profile. That's what setting createalluserprofile enabled=no used to do in W8, now it's ineffective.

IIRC there's a way to define wireless profiles by policy, maybe these would still be protected, I will have to check this again. Other advices are welcome !

 

In English it says the same thing, so it's not really a bad translation.

 

Strange, as it should be "Not everybody is authorised to create all users profiles". I thought it would be stated correctly in the original language at least !

Anyway, I will come back here as I try alternate solutions...

EDIT : Well I'm coming back here, since I didn't see the option to create network profiles by policy, it seems absent from local computer policy (don't confuse with "Network List Manager Policies", it's different).

As a side note, if people are interested I can post another long standing security problem in Windows that's permitting any user to view another user's complete file hierarchy (all file names, not contents), no matter what the NTFS ACLs are. I find this one very interesting, as it points out imho the complete lack of a real vision of information security.

But here is the trick, precisely : most Windows users really don't care or will always find excuses.