Consultor Eletrônico

WinNT shared resources, UNC and SYSTEM account - NullSessionShare

SUMMARY:

Accessing files on a remote computer or accessing local shared resources using UNC (Universal Naming Convention) can be problematic, if the process was spawn from a NT service started with system account.

INTRODUCTION:

Here some examples: You need to use UNC names for accessing files. Everything works fine if started from command line, but it fails if started from Application Server which was spawn from ProService/AdminService started with SYSTEM account.

Or you are starting batch job with different scheduler programs, which are running under SYSTEM account. It works fine if started from command line, but fails if started from the scheduler with error message like:

Error 5: Access is denied or File Not Found


If a process running under system account attempt to establish a connection to a network resource, the operating system attempts to establish a connection as a non-authenticated connection (referred to as a "NULL Session").

If you can not use a user with enough privileges (administration reason or the SW does not allow different startup), you can allow the SYSTEM account access the shared network resources due to modifying the registry.

STEP BY STEP DETAILS:

The registry setting needs to be made on the computer sharing the network resource.

1. Backup your system, note using the Registry Editor incorrectly can cause serious problems

2. Start REGEDT32.EXE

3. Go to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services \LanmanServer\Parameters\NullSessionShares

3. On a NEW LINE within the NullSessionShares key, type in the share (the directory or resource name) you want to access with a null session


Note: A shared resource configured in this manner is not secure.

REFERENCES TO WRITTEN DOCUMENTATION:

Microsoft NT Server Documentation.


Ales Zeman (18-FEB-2000)