Identify Computers with SMBv1 Enabled

Purpose:
You wish to identify computers in your environment with SMBv1 enabled.

Due to recent ransomware attacks that involve vulnerabilities in SMBv1, some customers have requested a way to identify machines that have SMBv1 enabled.

Resolution:
To identify machines that have SMBv1 enabled, you will need to create a scan profile (necessary to identify SMBv1 enablement in Windows 7) and create a collection/report to identify those machines that have SMBv1 enabled.

NOTE:
You will only need to create a Scan Profile to identify Windows 7 machines with SMBv1 enabled. For Windows 8.1 and higher, a Scan Profile is not necessary.

Create the Scan Profile:
For identifying Windows 7 computers only, create a scan profile:

1. Go to File > Preferences (or Ctrl + Comma) > Scan Profiles.

2. Click on New.

3. Click on Add and select Registry from the list of scan profiles.

4. In the Hive field, select HKEY_LOCAL_MACHINE

5. In the Include Pattern(s): field, add the following: SYSTEM\CurrentControlSet\services\mrxsmb10\Start and
SYSTEM\CurrentControlSet\services\LanmanServer\Parameters\SMB1

6. Click OK.

7. Rename the Scan Profile to something sensible and click OK.

8. Select a collection or a group of computers you wish to scan, right-click the selection, and select Scan Collection or Scan Computers, whichever is appropriate.

Once the scan is complete, you can use a collection to identify machines that have SMBv1 enabled.

Create the Dynamic Collection:
For all supported Windows operating systems, create a Dynamic Collection to identify machines with SMBv1 enabled (NOTE: for Windows 7 machines, you must create and run the custom Scan Profile detailed above).

NOTE:
We have included the XML file at the end of this document for this collection should you wish to import it rather than create it from scratch (to import, select File > Import and select the XML you saved). Please note that the collection has been tested to work in PDQ Inventory 12x, and may not work as expected in later versions of PDQ Inventory. It is recommended you test the collection thoroughly to ensure its fitness for use if using a different version than 12x.

1. Click on New Dynamic Collection in the PDQ Inventory Toolbar (or Ctrl + N or click on Collection in the menu and select New Dynamic Collection).

2. Create your collection to look like this (or -much easier- download the XML and import it by selecting File > Import and selecting the downloaded XML).

3. You can convert this into a report by right-clicking the Dynamic Collection you created or imported and selecting New > Report From Collection. This will allow you to add other fields to the report (OS, architecture, for example) that provide more detailed information. For example:

NOTE:
In our testing the values for the Start value translate as follows:

• System = 1
• Auto = 2
• Delayed-auto = 2 (also creates a secondary registry value named Delayed-Autostart with a value of 1)
• Manual = 3
• Disable = 4

See Also:
Knowledge Base Article: WannaCrypt And Friends: Identify And Mitigate Vulnerabilities
Video: WannaCrypt Ransomware Attack Patch / Update
Blog Article: WannaCrypt Ransomware Attack Patch
Microsoft’s Article on Disabling SMBv1