
Disable insecure "SMBv1" protocol

Overview

About this script

This script improves your privacy on Windows.

These changes use Windows system commands to update your settings.

This script improves network security by disabling the outdated SMBv1 protocol.

SMBv1, or Server Message Block version 1, is an outdated network protocol developed for file and printer sharing across networks 1 2. This protocol is well-known for its vulnerabilities to cyber attacks 1 2 3 4 5. Microsoft deprecated SMBv1 in 2014 6 7. Since 2007, newer and more secure versions of this protocol have replaced SMBv1 in modern versions of Windows 6. It is still enabled by default in older Windows versions 1. Microsoft advises disabling this protocol to strengthen security 1 8. SMB1 is not necessary for most users, as Microsoft ensures vendor support for at least SMB 2.0 2.

The primary reasons for disabling SMBv1 include:

  • It uses the outdated MD5 hash algorithm, vulnerable to security attacks 3.
  • It fails to meet modern security standards set by FIPS 3, CISA (US-CERT) 5, CIS (Department of Defense) 3, and Microsoft Security Baseline 8.
  • It lacks the efficiency and performance improvements present in newer versions of the protocol 2.
  • It is vulnerable to various cyber threats 1 2 3 4 5, including ransomware and malware 1 2.

Disabling SMBv1 may lead to compatibility issues with older network devices and software 1 3 6 9. This may affect file sharing and print services on systems like Windows Server 2003 3 and some older Network Attached Storage (NAS) devices 3. These systems are insecure and are no longer supported.

This script makes the following changes to your system:

  • Removal of SMBv1 components:
      • SMB1Protocol 2 3 4 10 (also known as FS-SMB1 2 11)
      • SMB1Protocol-Client 10
      • SMB1Protocol-Server 10
  • Disabling the mrxsmb10 (SMB 1.x MiniRedirector 12) driver, linked with SMBv1 1 4 13, and adjusting related settings to keep older systems stable 1 4 13.
  • Disabling server side processing of SMBv1 protocol using HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters!SMBv1 registry key 1 14 15.

These changes require a system reboot to take effect 1 4 9.
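
To confirm after the reboot that each change listed above took effect, a read-only check such as the following can be run from an elevated PowerShell session. It is an added example, not part of the privacy.sexy script; the pass criteria and the `NotPresent`, `Missing` and `NotSet` labels are this example's own choices.

```powershell
# Added example (not part of the privacy.sexy script): read-only check of the
# SMBv1 changes listed above. Run in an elevated PowerShell session after reboot.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$results = @()

# 1. The three optional features should no longer be enabled.
foreach ($name in 'SMB1Protocol', 'SMB1Protocol-Client', 'SMB1Protocol-Server') {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    # 'NotPresent' is this example's own label for a feature the OS does not list.
    $state = if ($feature) { [string]$feature.State } else { 'NotPresent' }
    $results += [pscustomobject]@{
        Check = "Feature $name"
        Value = $state
        # 'Disabled*' matches Disabled and DisabledWithPayloadRemoved, but not
        # DisablePending, which means the reboot has not happened yet.
        Pass  = ($state -like 'Disabled*') -or ($state -eq 'NotPresent')
    }
}

# 2. mrxsmb10 driver: Start = 4 means disabled; a missing key is also acceptable.
$drv = Get-ItemProperty -Path "$svcRoot\mrxsmb10" -Name Start -ErrorAction SilentlyContinue
$drvValue = if ($drv) { "Start=$($drv.Start)" } else { 'Missing' }
$results += [pscustomobject]@{
    Check = 'Driver mrxsmb10'
    Value = $drvValue
    Pass  = (-not $drv) -or ($drv.Start -eq 4)
}

# 3. LanmanWorkstation dependencies: the script rewrites them to
#    bowser/mrxsmb20/nsi, so mrxsmb10 must not appear in the list.
$ws = Get-ItemProperty -Path "$svcRoot\LanmanWorkstation" -Name DependOnService -ErrorAction SilentlyContinue
$deps = @($ws.DependOnService)
$results += [pscustomobject]@{
    Check = 'LanmanWorkstation dependencies'
    Value = $deps -join '/'
    Pass  = 'mrxsmb10' -notin $deps   # -notin is case-insensitive
}

# 4. Server-side registry switch written by the script: SMBv1 = 0.
$srv = Get-ItemProperty -Path "$svcRoot\LanmanServer\Parameters" -Name SMBv1 -ErrorAction SilentlyContinue
$srvValue = if ($srv) { "SMBv1=$($srv.SMBv1)" } else { 'NotSet' }
$results += [pscustomobject]@{
    Check = 'LanmanServer SMBv1 value'
    Value = $srvValue
    Pass  = [bool]$srv -and ($srv.SMBv1 -eq 0)
}

# Report every check and summarise the failures without closing the session.
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
Write-Output "Failed checks: $($failed.Count)"
```

A feature reported as `DisablePending` fails the check on purpose: it indicates the script ran but the machine has not been restarted yet.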

Caution

This may cause compatibility issues with older devices or software.

Overview of default feature statuses

SMB1Protocol:

Feature name: SMB1Protocol
Display name: SMB 1.0/CIFS File Sharing Support
Description: Support for the SMB 1.0/CIFS file sharing protocol, and the Computer Browser protocol.
Default (Windows 11 ≥ 23H2): 🔴 Disabled
Default (Windows 10 ≥ 22H2): 🔴 Disabled

SMB1Protocol-Client:

Feature name: SMB1Protocol-Client
Display name: SMB 1.0/CIFS Client
Description: Support for the SMB 1.0/CIFS client for accessing legacy servers.
Default (Windows 11 ≥ 23H2): 🔴 Disabled
Default (Windows 10 ≥ 22H2): 🔴 Disabled

SMB1Protocol-Server:

Feature name: SMB1Protocol-Server
Display name: SMB 1.0/CIFS Server
Description: Support for the SMB 1.0/CIFS file server for sharing data with legacy clients and browsing the network neighborhood.
Default (Windows 11 ≥ 23H2): 🔴 Disabled
Default (Windows 10 ≥ 22H2): 🔴 Disabled

Overview of default service statuses

SMB 1.x MiniRedirector (mrxsmb10):

  • Windows 11 (≥ 23H2): status 🟡 Missing, start type N/A
  • Windows 10 (≥ 22H2): status 🟡 Missing, start type N/A

This script uses Batch (batchfile) scripting language.

Safe for General Use

This script is recommended for all users. It helps to improve privacy without affecting stability.

Implementation Details
  • Language: batch

  • Required Privileges: Administrator rights

  • Compatibility: Windows only

  • Reversibility: Can be undone using provided revert script

Explore Categories

This action belongs to the "Disable insecure protocols" category. This category focuses on enhancing user privacy by disabling legacy and insecure communication protocols. It targets protocols that expose users to security vulnerabilities due to their outdated nature. Retaining obsolete protocols creates a false sense of security because they may seem secure...

Apply now

Choose one of three ways to apply:

  1. Automatically via privacy.sexy: The easiest and safest option.
  2. Manually by downloading: Requires downloading a file.
  3. Manually by copying: Advanced flexibility.

Alternative 1. Apply with Privacy.sexy

privacy.sexy is a free and open-source application that lets you apply this action securely and easily.

Open privacy.sexy

You can fully restore this action (revert back to the original behavior) using the application.

privacy.sexy instructions
  1. Open or download the desktop application
  2. Search for the script name: Disable insecure "SMBv1" protocol.
  3. Check the script by clicking on the checkbox.
  4. Click on the Run button at the bottom of the page.

Alternative 2. Download

Irreversible Changes

This script is irreversible, meaning there is no straightforward method to restore changes once applied. Exercise caution before running it; restoring may not be possible.

  1. Download the script file by clicking on the button below:

    Download script

  2. Run the script file by clicking on it.

Download revert script

This file restores your system to its original state, before this script is applied.

Download restore script

Alternative 3. Copy

This is for advanced users. Consider automatically applying or downloading the script for a simpler way.

  1. Open Command Prompt as administrator.
     Step-by-step guide:
       1. Click on the Start menu.
       2. Type cmd.
       3. Right-click on Command Prompt and select Run as administrator.
       4. Click on Yes to run Command Prompt.


  2. Copy the following code:
Code to apply changes
:: Disable the "SMB1Protocol" feature
PowerShell -ExecutionPolicy Unrestricted -Command "$featureName = 'SMB1Protocol'; $feature = Get-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -ErrorAction Stop; if (-Not $feature) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is not found. No action required."^""; Exit 0; }; if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Disabled) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already disabled. No action required."^""; Exit 0; }; try { Write-Host "^""Disabling feature: `"^""$featureName`"^""."^""; Disable-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -NoRestart -LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null; } catch { Write-Error "^""Failed to disable the feature `"^""$featureName`"^"": $($_.Exception.Message)"^""; Exit 1; }; Write-Output "^""Successfully disabled the feature `"^""$featureName`"^""."^""; Exit 0"
:: Disable the "SMB1Protocol-Client" feature
PowerShell -ExecutionPolicy Unrestricted -Command "$featureName = 'SMB1Protocol-Client'; $feature = Get-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -ErrorAction Stop; if (-Not $feature) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is not found. No action required."^""; Exit 0; }; if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Disabled) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already disabled. No action required."^""; Exit 0; }; try { Write-Host "^""Disabling feature: `"^""$featureName`"^""."^""; Disable-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -NoRestart -LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null; } catch { Write-Error "^""Failed to disable the feature `"^""$featureName`"^"": $($_.Exception.Message)"^""; Exit 1; }; Write-Output "^""Successfully disabled the feature `"^""$featureName`"^""."^""; Exit 0"
:: Disable the "SMB1Protocol-Server" feature
PowerShell -ExecutionPolicy Unrestricted -Command "$featureName = 'SMB1Protocol-Server'; $feature = Get-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -ErrorAction Stop; if (-Not $feature) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is not found. No action required."^""; Exit 0; }; if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Disabled) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already disabled. No action required."^""; Exit 0; }; try { Write-Host "^""Disabling feature: `"^""$featureName`"^""."^""; Disable-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -NoRestart -LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null; } catch { Write-Error "^""Failed to disable the feature `"^""$featureName`"^"": $($_.Exception.Message)"^""; Exit 1; }; Write-Output "^""Successfully disabled the feature `"^""$featureName`"^""."^""; Exit 0"
:: Disable service(s): `mrxsmb10`
PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'mrxsmb10'; Write-Host "^""Disabling service: `"^""$serviceName`"^""."^""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) { Write-Host "^""Service `"^""$serviceName`"^"" could not be found, no need to disable it."^""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "^""`"^""$serviceName`"^"" is running, stopping it."^""; try { Stop-Service -Name "^""$serviceName"^"" -Force -ErrorAction Stop; Write-Host "^""Stopped `"^""$serviceName`"^"" successfully."^""; } catch { Write-Warning "^""Could not stop `"^""$serviceName`"^"", it will be stopped after reboot: $_"^""; }; } else { Write-Host "^""`"^""$serviceName`"^"" is not running, no need to stop."^""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if (!$startupType) { $startupType = (Get-WmiObject -Query "^""Select StartMode From Win32_Service Where Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; if(!$startupType) { $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "^""Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; }; }; if ($startupType -eq 'Disabled') { Write-Host "^""$serviceName is already disabled, no further action is needed"^""; Exit 0; }; <# -- 4. Disable service #>; try { Set-Service -Name "^""$serviceName"^"" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host "^""Disabled `"^""$serviceName`"^"" successfully."^""; } catch { Write-Error "^""Could not disable `"^""$serviceName`"^"": $_"^""; }"
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters!SMBv1"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; $data = '0'; reg add 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' /v 'SMBv1' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Suggest restarting computer for changes to take effect
PowerShell -ExecutionPolicy Unrestricted -Command "$message = 'For the changes to fully take effect, please restart your computer.'; $warn = $false; if ($warn) { Write-Warning "^""$message"^""; } else { Write-Host "^""Note: "^"" -ForegroundColor Blue -NoNewLine; Write-Output "^""$message"^""; }"
  3. Right-click on the Command Prompt window to paste it.
  4. Press Enter to apply remaining code.

Copy restore code

Copy and run the following code to restore changes:

Revert code
:: Revert the 'SMB1Protocol' feature to its default settings
PowerShell -ExecutionPolicy Unrestricted -Command "$featureName = 'SMB1Protocol'; $ignoreMissingOnRevert = $false; $disabledByDefault = $true <# $false #>; $feature = Get-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -ErrorAction Stop; if (-Not $feature) { if ($ignoreMissingOnRevert) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is not found. No action required."^""; Exit 0; }; Write-Error "^""Failed to revert changes to the feature `"^""$featureName`"^"". The feature is not found."^""; Exit 1; }; if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Enabled) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already enabled. No action required."^""; Exit 0; }; if ($disabledByDefault) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already disabled and this is the default configuration."^""; Exit 0; }; try { Write-Host "^""Enabling feature: `"^""$featureName`"^""."^""; Enable-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -NoRestart -LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null; } catch { Write-Error "^""Failed to enable feature `"^""$featureName`"^"": $($_.Exception.Message)"^""; Exit 1; }; Write-Output "^""Successfully enabled the feature `"^""$featureName`"^""."^""; Exit 0"
:: Revert the 'SMB1Protocol-Client' feature to its default settings
PowerShell -ExecutionPolicy Unrestricted -Command "$featureName = 'SMB1Protocol-Client'; $ignoreMissingOnRevert = $false; $disabledByDefault = $true <# $false #>; $feature = Get-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -ErrorAction Stop; if (-Not $feature) { if ($ignoreMissingOnRevert) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is not found. No action required."^""; Exit 0; }; Write-Error "^""Failed to revert changes to the feature `"^""$featureName`"^"". The feature is not found."^""; Exit 1; }; if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Enabled) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already enabled. No action required."^""; Exit 0; }; if ($disabledByDefault) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already disabled and this is the default configuration."^""; Exit 0; }; try { Write-Host "^""Enabling feature: `"^""$featureName`"^""."^""; Enable-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -NoRestart -LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null; } catch { Write-Error "^""Failed to enable feature `"^""$featureName`"^"": $($_.Exception.Message)"^""; Exit 1; }; Write-Output "^""Successfully enabled the feature `"^""$featureName`"^""."^""; Exit 0"
:: Revert the 'SMB1Protocol-Server' feature to its default settings
PowerShell -ExecutionPolicy Unrestricted -Command "$featureName = 'SMB1Protocol-Server'; $ignoreMissingOnRevert = $false; $disabledByDefault = $true <# $false #>; $feature = Get-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -ErrorAction Stop; if (-Not $feature) { if ($ignoreMissingOnRevert) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is not found. No action required."^""; Exit 0; }; Write-Error "^""Failed to revert changes to the feature `"^""$featureName`"^"". The feature is not found."^""; Exit 1; }; if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Enabled) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already enabled. No action required."^""; Exit 0; }; if ($disabledByDefault) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already disabled and this is the default configuration."^""; Exit 0; }; try { Write-Host "^""Enabling feature: `"^""$featureName`"^""."^""; Enable-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -NoRestart -LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null; } catch { Write-Error "^""Failed to enable feature `"^""$featureName`"^"": $($_.Exception.Message)"^""; Exit 1; }; Write-Output "^""Successfully enabled the feature `"^""$featureName`"^""."^""; Exit 0"
:: Restore service(s) to default state: `mrxsmb10`
PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'mrxsmb10'; $defaultStartupMode = 'Automatic'; $ignoreMissingOnRevert = $true <# $false #>; Write-Host "^""Reverting service `"^""$serviceName`"^"" start to `"^""$defaultStartupMode`"^""."^""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if (!$service) { if ($ignoreMissingOnRevert) { Write-Output "^""Skipping: The service `"^""$serviceName`"^"" is not found. No action required."^""; Exit 0; }; Write-Warning "^""Failed to revert changes to the service `"^""$serviceName`"^"". The service is not found."^""; Exit 1; }; <# -- 2. Enable or skip if already enabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if (!$startupType) { $startupType = (Get-WmiObject -Query "^""Select StartMode From Win32_Service Where Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; if (!$startupType) { $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "^""Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; }; }; if ($startupType -eq "^""$defaultStartupMode"^"") { Write-Host "^""`"^""$serviceName`"^"" has already expected startup mode: `"^""$defaultStartupMode`"^"". No action required."^""; } else { try { Set-Service -Name "^""$serviceName"^"" -StartupType "^""$defaultStartupMode"^"" -Confirm:$false -ErrorAction Stop; Write-Host "^""Reverted `"^""$serviceName`"^"" with `"^""$defaultStartupMode`"^"" start, this may require restarting your computer."^""; } catch { Write-Error "^""Failed to enable `"^""$serviceName`"^"": $_"^""; Exit 1; }; }; <# -- 4. Start if not running (must be enabled first) #>; if ($defaultStartupMode -eq 'Automatic' -or $defaultStartupMode -eq 'Boot' -or $defaultStartupMode -eq 'System') { if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "^""`"^""$serviceName`"^"" is not running, starting it."^""; try { Start-Service $serviceName -ErrorAction Stop; Write-Host "^""Started `"^""$serviceName`"^"" successfully."^""; } catch { Write-Warning "^""Failed to start `"^""$serviceName`"^"", requires restart, it will be started after reboot.`r`n$_"^""; }; } else { Write-Host "^""`"^""$serviceName`"^"" is already running, no need to start."^""; }; }"
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters!SMBv1"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' /v 'SMBv1' /f 2>$null"
:: Suggest restarting computer for changes to take effect
PowerShell -ExecutionPolicy Unrestricted -Command "$message = 'For the changes to fully take effect, please restart your computer.'; $warn = $false; if ($warn) { Write-Warning "^""$message"^""; } else { Write-Host "^""Note: "^"" -ForegroundColor Blue -NoNewLine; Write-Output "^""$message"^""; }"
