Friday, December 6, 2019

Enable SMBv1 on Windows 10 per GPO

SMBv1 is an insecure protocol that you should not use if at all possible. Windows 10 has SMBv1 disabled by default. In order to enable it you would need to go to the Control Panel and activate the Windows Feature “SMB 1.0/CIFS File Sharing Support” and at a bare minimum the “SMB 1.0/CIFS Client”. You actually might want to enable just the client, because you really shouldn’t add more SMBv1 servers to your network.
Before you proceed reading – if you really need to enable this protocol – please make sure your systems are all patched! Especially your target servers should be patched as well – assuming they are Windows XP / 2003 / Vista / 2008 / 7 / 2008 R2 / 8 / 8.1 / 2012 / 2012 R2 / 2016 and 10. I highly recommend looking at this Microsoft link: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010. Additionally, I want to mention that Windows XP and Windows 2003 can be patched as well – though they are not on the list of the previous link. Look at Microsoft KB4012598 for more information or use this download link https://www.microsoft.com/en-us/download/details.aspx?id=55245. I cannot warn enough about SMBv1 – you open the doors for malware here that can bring down your network in minutes and cause huge damage!
Please note – I did not research in detail if other previous Windows versions had already disabled SMBv1 by default; this article might in any case apply to Windows 7, 8 and 8.1 as well and be applicable to Windows 2008, 2008 R2, 2012, 2012 R2 and 2016 as well as newer Windows versions to come.
Now, the issue with Windows 10 and SMBv1 disabled is that often old legacy Windows 2003 servers are around that can’t just be upgraded or replaced. In order to access any file share on them you would need to enable SMBv1 on the client workstations. This could certainly be done by preparing your installation image etc. – but if you did not plan for this or want to have more granular control, you might consider using Group Policies / GPO to enable this Windows Feature.

It is further worth noting that the easiest way to find the issue is to access the UNC share not via the server name but by typing in the IP address directly. This way you actually get a much clearer error message from Windows. I mention this to show you and explain that there actually is a difference between trying to access a server name and an IP address per UNC path – especially when it comes down to Windows 10 and the error messages you might see.
Officially, enabling a Windows Feature per GPO is not supported, nor is there much information out there on how to enable SMBv1 per GPO. Having faced this challenge recently, I found a way that works well and is pretty easy to implement.
  1. enable the feature on 1x Windows 10 client
    1. export / document the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10
    2. copy the file %windir%\system32\drivers\mrxsmb10.sys
  2. create a GPO
    1. put the mrxsmb10.sys in the GPO or in a centrally accessible location (the target computer account must be able to read the file! – I often put it in either NETLOGON or directly in the GPO / scripts folder)
    2. Computer Configuration \ Preferences \ Windows Settings \ Files
      1. create a new entry to copy the file to the target system
      2. Source file: where you centrally placed the mrxsmb10.sys
      3. Destination file: %windir%\system32\drivers\mrxsmb10.sys
    3. Computer Configuration \ Preferences \ Windows Settings \ Registry
      1. Create or import all the registry keys from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10
A registry hive export would look like this:
Apply the GPO to your target systems / workstations and reboot them – after that you will be able to access the necessary shares. The downside is – you don’t really see the feature as enabled in the Windows-Features. It will work nevertheless.
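
Because a client configured this way does not show the feature as enabled in Windows Features, an inventory based on feature state will miss it. The following PowerShell check is an added example, not part of the original post: it reads the driver file and the service key directly and also reports whether the SMBv1 server side is on. It assumes an elevated PowerShell 5.1 session on Windows 10; the output property names are illustrative.

```powershell
# Added example (not from the original post): report the real SMBv1 state of a
# client, since the GPO method above does not show up in Windows Features.
# Run elevated; output property names are illustrative.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
$driver = Join-Path $env:windir 'System32\drivers\mrxsmb10.sys'

# What Windows Features reports for the SMB 1.0/CIFS Client.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol-Client' `
    -ErrorAction SilentlyContinue

# What is actually present: service key, driver file, and the file's signature.
$svc           = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
$driverPresent = Test-Path -LiteralPath $driver
$sig  = if ($driverPresent) { Get-AuthenticodeSignature -FilePath $driver }
$hash = if ($driverPresent) { (Get-FileHash -LiteralPath $driver -Algorithm SHA256).Hash }

# Service Start values: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled.
$driverUsable = $driverPresent -and ($null -ne $svc) -and ($svc.Start -ne 4)

# The SMBv1 server side should stay off even where the client is needed.
$server = Get-SmbServerConfiguration -ErrorAction SilentlyContinue

$report = [pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    FeatureState      = if ($feature) { [string]$feature.State } else { 'Unknown' }
    ServiceKeyPresent = ($null -ne $svc)
    ServiceStart      = if ($svc) { $svc.Start } else { $null }
    DriverPresent     = $driverPresent
    DriverSignature   = if ($sig) { [string]$sig.Status } else { 'n/a' }
    DriverSha256      = $hash
    Smb1ServerEnabled = if ($server) { $server.EnableSMB1Protocol } else { $null }
    # True when the driver is usable but Windows Features does not say "Enabled".
    Smb1ClientHidden  = $driverUsable -and ("$($feature.State)" -ne 'Enabled')
}
$report | Format-List

# A driver copied from a share should still carry a valid signature.
if ($driverPresent -and $sig.Status -ne 'Valid') {
    Write-Warning "mrxsmb10.sys signature status is $($sig.Status); verify the source file."
}
```

Compare DriverSha256 with the hash of the file copied from the reference client in step 1 to confirm the share still serves the same driver.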

Monday, April 29, 2019

Restore D3 VME for Windows

These steps outline the process of restoring your VME.  Normally we store almost nothing in the VME, as it should be.  ALL your data resides in the FSI. So restoring is fairly painless.

The steps are:
  1. Stop your D3 service (either in the SERVICES window, or using the SHUTDOWN command inside a pick window).
  2. Copy the following file, and overlay into the directory shown:

    *PRIOR TO VERSION 7.4.X
    C:\program files\d3\i386\win32\disk0.d3v
    to     c:\program files\d3\d3virtual

    Change the "C:" with the drive letter where you have D3 installed.

    If you get an error, "can not copy to file in use" type message, D3 is not stopped yet.  Make sure step 1 is done above, and wait until it is finished.

    You may have made a copy of your disk0.d3v file in the d3virtual directory.  It is probably a good idea, once your VME is up and running, to copy the disk0.d3v file over to disk0.sav (same directory).  When copying the file, do not use the one in i386, use your saved copy.  This will save you from copying all of the files from dm.old shown below.

    *D3NT VERSION 7.4.X OR GREATER
    C:\program files\d3\d3programs\disk0.exe
    to     c:\program files\d3\d3virtual

    Change the "C:" with the drive letter where you have D3 installed.
  3. Open a DOS window (either start-programs-DOS, or start-run and type "cmd").  A window will open.  Change to your d3 directory.

    cd \program files\d3\d3programs

    At the ">" prompt, type D3VME /RESTORE

    When prompted, answer:
        ok to proceed        Y
        restore from         (should be option 1), but the file that ends with .D3P
        disable file reallocation     <enter>
        restore from volume 1         <enter>

    You should end up with a Pick Logon prompt. Enter DM user and DM account. Check your user count with MAXUSERS. You should see the number of ports that you normally have.  Type "WHICH CDA", to see your version. It should also be correct.
  4. Type SHUTDOWN in your DOS window and allow D3 to shut down properly.  The window should say "disconnected from host" or it may close automatically.  If it does not close, wait for the message and then close the window.
  5. Go to SERVICES on the console and highlight the D3 virtual machine, click on START. D3 should start in about a minute.
  6. Open a D3 window with an emulator, and log into the DM account.
  7. You will need to restore the DM account from the prior night's tape as DM_OLD.  Do your set-device (all of your tapes should be there). Attach to your tape drive and do:
      T-REW
      T-REW
       ACCOUNT-RESTORE DM_OLD (Z
       from   DM

    This will be the first account on your tape, and should take only a couple of minutes to restore.
  8. At this point, you will have all of your users' items still in the file. You can confirm with a "Sort USERS" command from TCL.
  9. The following items should be copied from DM_OLD into your current DM account. From your DM account, type:

        COPY DM_OLD,PIBS,
          to  (PIBS

         COPY DM_OLD,MD, USER-COLDSTART PRINTERS START.PROCESS
          to  (MD

         COPY DM_OLD,BP, FILE-SAVE (O
           to (BP

         type    compile bp file-save
  10. Type USER-COLDSTART, this will start your printers and your night time process.
  11. You should be able to let your users back on the machine now, and all should be OK.