Disable insecure "SMBv1" protocol
Overview
This script improves your privacy on Windows.
These changes use Windows system commands to update your settings.
This script improves network security by disabling the outdated SMBv1 protocol.
SMBv1, or Server Message Block version 1, is an outdated network protocol developed for file and printer sharing across networks 1 2. This protocol is well-known for its vulnerabilities to cyber attacks 1 2 3 4 5. Microsoft deprecated SMBv1 in 2014 6 7. Since 2007, newer and more secure versions of this protocol have replaced SMBv1 in modern versions of Windows 6. It is still enabled by default in older Windows versions 1. Microsoft advises disabling this protocol to strengthen security 1 8. SMB1 is not necessary for most users, as Microsoft ensures vendor support for at least SMB 2.0 2.
The primary reasons for disabling SMBv1 include:
- It uses the outdated MD5 hash algorithm, vulnerable to security attacks 3.
- It fails to meet modern security standards set by FIPS 3, CISA (US-CERT) 5, CIS (Department of Defense) 3, and Microsoft Security Baseline 8.
- It lacks the efficiency and performance improvements present in newer versions of the protocol 2.
- It is vulnerable to various cyber threats 1 2 3 4 5, , including ransomware and malware 1 2.
Disabling SMBv1 may lead to compatibility issues with older network devices and software 1 3 6 9. This may affect file sharing and print services on systems like Windows Server 2003 3 and some older Network Attached Storage (NAS) devices 3. These systems are insecure and are no longer supported.
This script makes the following changes to your system:
- Removal of SMBv1 components:
SMB1Protocol
2 3 4 10 (also known asFS-SMB1
2 11)SMB1Protocol-Client
10SMB1Protocol-Server
10.- Disabling the
mrxsmb10
(SMB 1.x MiniRedirector 12) driver, linked with SMBv1 1 4 13, and adjusting related settings to keep older systems stable 1 4 13. - Disabling server side processing of SMBv1 protocol using
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters!SMBv1
registry key 1 14 15.
These changes require a system reboot to take effect 1 4 9.
This may cause compatibility issues with older devices or software.
Overview of default feature statuses
SMB1Protocol
:
Feature name | SMB1Protocol |
Display name | SMB 1.0/CIFS File Sharing Support |
Description | Support for the SMB 1.0/CIFS file sharing protocol, and the Computer Browser protocol. |
Default (Windows 11 ≥ 23H2) | 🔴 Disabled |
Default (Windows 10 ≥ 22H2) | 🔴 Disabled |
SMB1Protocol-Client
:
Feature name | SMB1Protocol-Client |
Display name | SMB 1.0/CIFS Client |
Description | Support for the SMB 1.0/CIFS client for accessing legacy servers. |
Default (Windows 11 ≥ 23H2) | 🔴 Disabled |
Default (Windows 10 ≥ 22H2) | 🔴 Disabled |
SMB1Protocol-Server
:
Feature name | SMB1Protocol-Server |
Display name | SMB 1.0/CIFS Server |
Description | Support for the SMB 1.0/CIFS file server for sharing data with legacy clients and browsing the network neighborhood. |
Default (Windows 11 ≥ 23H2) | 🔴 Disabled |
Default (Windows 10 ≥ 22H2) | 🔴 Disabled |
Overview of default service statuses
SMB 1.x MiniRedirector (mrxsmb10
):
OS Version | Status | Start type |
---|---|---|
Windows 11 (≥ 23H2) | 🟡 Missing | N/A |
Windows 10 (≥ 22H2) | 🟡 Missing | N/A |
This script uses Batch (batchfile) scripting language.
This script is recommended for all users. It helps to improve privacy without affecting stability.
Implementation Details
-
Language: batch
-
Required Privileges: Administrator rights
-
Compatibility: Windows only
-
Reversibility: Can be undone using provided revert script
Explore Categories
- Disable insecure protocols
- Disable insecure connections
- Improve network security
- Security improvements
This action belongs to Disable insecure protocols category. This category focuses on enhancing user privacy by disabling legacy and insecure communication protocols. It targets protocols that expose users to security vulnerabilities due to their outdated nature. Retaining obsolete protocols creates a false sense of security because they may seem secure... Read more on category page ▶
This action belongs to Disable insecure connections category. This category includes scripts designed to enhance users' security and privacy by disabling outdated or vulnerable connections across the system. It safeguards data against interception, unauthorized access, and attacks that exploit outdated technology vulnerabilities, including... Read more on category page ▶
This action belongs to Improve network security category. This category is dedicated to improving network security. It aims to minimize vulnerabilities by offering various settings that improve the integrity and confidentiality of data transmitted over the network. It features a range of measures to protect data transmission from unauthorized access,... Read more on category page ▶
This action belongs to Security improvements category. This category encompasses a range of scripts designed to improve the security of your system by enforcing security best practices. These scripts help protect your system against various types of cyber threats and unauthorized access. Read more on category page ▶
Apply now
Choose one of three ways to apply:
- Automatically via privacy.sexy: The easiest and safest option.
- Manually by downloading: Requires downloading a file.
- Manually by copying: Advanced flexibility.
Alternative 1. Apply with Privacy.sexy
privacy.sexy is free and open-source application that lets securely apply this action easily.
You can fully restore this action (revert back to the original behavior) using the application.
privacy.sexy instructions
- Open or download the desktop application
- Search for the script name:
Disable insecure "SMBv1" protocol
. - Check the script by clicking on the checkbox.
- Click on Run button at the bottom of the page.
Alternative 2. Download
This script is irreversible, meaning there is no straightforward method to restore changes once applied. Exercise caution before running, restoring it may not be possible.
-
Download the script file by clicking on the button below:
-
Run the script file by clicking on it.
Download revert script
This file restores your system to its original state, before this script is applied.
Alternative 3. Copy
This is for advanced users. Consider automatically applying or downloading the script for simpler way.
- Open Command Prompt as administrator.
HELP: Step-by-step guide
-
Click on Start menu
- Windows 11
- Windows 10
-
Type cmd
- Windows 11
- Windows 10
-
Right click on Command Prompt select Run as administrator
- Windows 11
- Windows 10
-
Click on Yes to run Command Prompt
- Windows 11
- Windows 10
- Windows 11
- Windows 10
- Copy the following code:
:: Disable the "SMB1Protocol" feature
PowerShell -ExecutionPolicy Unrestricted -Command "$featureName = 'SMB1Protocol'; $feature = Get-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -ErrorAction Stop; if (-Not $feature) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is not found. No action required."^""; Exit 0; }; if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Disabled) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already disabled. No action required."^""; Exit 0; }; try { Write-Host "^""Disabling feature: `"^""$featureName`"^""."^""; Disable-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -NoRestart -LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null; } catch { Write-Error "^""Failed to disable the feature `"^""$featureName`"^"": $($_.Exception.Message)"^""; Exit 1; }; Write-Output "^""Successfully disabled the feature `"^""$featureName`"^""."^""; Exit 0"
:: Disable the "SMB1Protocol-Client" feature
PowerShell -ExecutionPolicy Unrestricted -Command "$featureName = 'SMB1Protocol-Client'; $feature = Get-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -ErrorAction Stop; if (-Not $feature) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is not found. No action required."^""; Exit 0; }; if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Disabled) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already disabled. No action required."^""; Exit 0; }; try { Write-Host "^""Disabling feature: `"^""$featureName`"^""."^""; Disable-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -NoRestart -LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null; } catch { Write-Error "^""Failed to disable the feature `"^""$featureName`"^"": $($_.Exception.Message)"^""; Exit 1; }; Write-Output "^""Successfully disabled the feature `"^""$featureName`"^""."^""; Exit 0"
:: Disable the "SMB1Protocol-Server" feature
PowerShell -ExecutionPolicy Unrestricted -Command "$featureName = 'SMB1Protocol-Server'; $feature = Get-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -ErrorAction Stop; if (-Not $feature) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is not found. No action required."^""; Exit 0; }; if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Disabled) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already disabled. No action required."^""; Exit 0; }; try { Write-Host "^""Disabling feature: `"^""$featureName`"^""."^""; Disable-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -NoRestart -LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null; } catch { Write-Error "^""Failed to disable the feature `"^""$featureName`"^"": $($_.Exception.Message)"^""; Exit 1; }; Write-Output "^""Successfully disabled the feature `"^""$featureName`"^""."^""; Exit 0"
:: Disable service(s): `mrxsmb10`
PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'mrxsmb10'; Write-Host "^""Disabling service: `"^""$serviceName`"^""."^""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) { Write-Host "^""Service `"^""$serviceName`"^"" could not be not found, no need to disable it."^""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "^""`"^""$serviceName`"^"" is running, stopping it."^""; try { Stop-Service -Name "^""$serviceName"^"" -Force -ErrorAction Stop; Write-Host "^""Stopped `"^""$serviceName`"^"" successfully."^""; } catch { Write-Warning "^""Could not stop `"^""$serviceName`"^"", it will be stopped after reboot: $_"^""; }; } else { Write-Host "^""`"^""$serviceName`"^"" is not running, no need to stop."^""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if (!$startupType) { $startupType = (Get-WmiObject -Query "^""Select StartMode From Win32_Service Where Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; if(!$startupType) { $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "^""Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; }; }; if ($startupType -eq 'Disabled') { Write-Host "^""$serviceName is already disabled, no further action is needed"^""; Exit 0; }; <# -- 4. Disable service #>; try { Set-Service -Name "^""$serviceName"^"" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host "^""Disabled `"^""$serviceName`"^"" successfully."^""; } catch { Write-Error "^""Could not disable `"^""$serviceName`"^"": $_"^""; }"
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters!SMBv1"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; $data = '0'; reg add 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' /v 'SMBv1' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Suggest restarting computer for changes to take effect
PowerShell -ExecutionPolicy Unrestricted -Command "$message = 'For the changes to fully take effect, please restart your computer.'; $warn = $false; if ($warn) { Write-Warning "^""$message"^""; } else { Write-Host "^""Note: "^"" -ForegroundColor Blue -NoNewLine; Write-Output "^""$message"^""; }"
- Right click on command prompt to paste it.
- Press Enter to apply remaining code.
Copy restore code
Copy and run the following code to restore changes:
:: Revert the 'SMB1Protocol' feature to its default settings
PowerShell -ExecutionPolicy Unrestricted -Command "$featureName = 'SMB1Protocol'; $ignoreMissingOnRevert = $false; $disabledByDefault = $true <# $false #>; $feature = Get-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -ErrorAction Stop; if (-Not $feature) { if ($ignoreMissingOnRevert) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is not found. No action required."^""; Exit 0; }; Write-Error "^""Failed to revert changes to the feature `"^""$featureName`"^"". The feature is not found."^""; Exit 1; }; if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Enabled) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already enabled. No action required."^""; Exit 0; }; if ($disabledByDefault) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already disabled and this is the default configuration."^""; Exit 0; }; try { Write-Host "^""Enabling feature: `"^""$featureName`"^""."^""; Enable-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -NoRestart -LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null; } catch { Write-Error "^""Failed to enable feature `"^""$featureName`"^"": $($_.Exception.Message)"^""; Exit 1; }; Write-Output "^""Successfully enabled the feature `"^""$featureName`"^""."^""; Exit 0"
:: Revert the 'SMB1Protocol-Client' feature to its default settings
PowerShell -ExecutionPolicy Unrestricted -Command "$featureName = 'SMB1Protocol-Client'; $ignoreMissingOnRevert = $false; $disabledByDefault = $true <# $false #>; $feature = Get-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -ErrorAction Stop; if (-Not $feature) { if ($ignoreMissingOnRevert) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is not found. No action required."^""; Exit 0; }; Write-Error "^""Failed to revert changes to the feature `"^""$featureName`"^"". The feature is not found."^""; Exit 1; }; if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Enabled) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already enabled. No action required."^""; Exit 0; }; if ($disabledByDefault) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already disabled and this is the default configuration."^""; Exit 0; }; try { Write-Host "^""Enabling feature: `"^""$featureName`"^""."^""; Enable-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -NoRestart -LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null; } catch { Write-Error "^""Failed to enable feature `"^""$featureName`"^"": $($_.Exception.Message)"^""; Exit 1; }; Write-Output "^""Successfully enabled the feature `"^""$featureName`"^""."^""; Exit 0"
:: Revert the 'SMB1Protocol-Server' feature to its default settings
PowerShell -ExecutionPolicy Unrestricted -Command "$featureName = 'SMB1Protocol-Server'; $ignoreMissingOnRevert = $false; $disabledByDefault = $true <# $false #>; $feature = Get-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -ErrorAction Stop; if (-Not $feature) { if ($ignoreMissingOnRevert) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is not found. No action required."^""; Exit 0; }; Write-Error "^""Failed to revert changes to the feature `"^""$featureName`"^"". The feature is not found."^""; Exit 1; }; if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Enabled) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already enabled. No action required."^""; Exit 0; }; if ($disabledByDefault) { Write-Output "^""Skipping: The feature `"^""$featureName`"^"" is already disabled and this is the default configuration."^""; Exit 0; }; try { Write-Host "^""Enabling feature: `"^""$featureName`"^""."^""; Enable-WindowsOptionalFeature -FeatureName "^""$featureName"^"" -Online -NoRestart -LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null; } catch { Write-Error "^""Failed to enable feature `"^""$featureName`"^"": $($_.Exception.Message)"^""; Exit 1; }; Write-Output "^""Successfully enabled the feature `"^""$featureName`"^""."^""; Exit 0"
:: Restore service(s) to default state: `mrxsmb10`
PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'mrxsmb10'; $defaultStartupMode = 'Automatic'; $ignoreMissingOnRevert = $true <# $false #>; Write-Host "^""Reverting service `"^""$serviceName`"^"" start to `"^""$defaultStartupMode`"^""."^""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if (!$service) { if ($ignoreMissingOnRevert) { Write-Output "^""Skipping: The service `"^""$serviceName`"^"" is not found. No action required."^""; Exit 0; }; Write-Warning "^""Failed to revert changes to the service `"^""$serviceName`"^"". The service is not found."^""; Exit 1; }; <# -- 2. Enable or skip if already enabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if (!$startupType) { $startupType = (Get-WmiObject -Query "^""Select StartMode From Win32_Service Where Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; if (!$startupType) { $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "^""Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; }; }; if ($startupType -eq "^""$defaultStartupMode"^"") { Write-Host "^""`"^""$serviceName`"^"" has already expected startup mode: `"^""$defaultStartupMode`"^"". No action required."^""; } else { try { Set-Service -Name "^""$serviceName"^"" -StartupType "^""$defaultStartupMode"^"" -Confirm:$false -ErrorAction Stop; Write-Host "^""Reverted `"^""$serviceName`"^"" with `"^""$defaultStartupMode`"^"" start, this may require restarting your computer."^""; } catch { Write-Error "^""Failed to enable `"^""$serviceName`"^"": $_"^""; Exit 1; }; }; <# -- 4. Start if not running (must be enabled first) #>; if ($defaultStartupMode -eq 'Automatic' -or $defaultStartupMode -eq 'Boot' -or $defaultStartupMode -eq 'System') { if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "^""`"^""$serviceName`"^"" is not running, starting it."^""; try { Start-Service $serviceName -ErrorAction Stop; Write-Host "^""Started `"^""$serviceName`"^"" successfully."^""; } catch { Write-Warning "^""Failed to start `"^""$serviceName`"^"", requires restart, it will be started after reboot.`r`n$_"^""; }; } else { Write-Host "^""`"^""$serviceName`"^"" is already running, no need to start."^""; }; }"
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters!SMBv1"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' /v 'SMBv1' /f 2>$null"
:: Suggest restarting computer for changes to take effect
PowerShell -ExecutionPolicy Unrestricted -Command "$message = 'For the changes to fully take effect, please restart your computer.'; $warn = $false; if ($warn) { Write-Warning "^""$message"^""; } else { Write-Host "^""Note: "^"" -ForegroundColor Blue -NoNewLine; Write-Output "^""$message"^""; }"
Support
This website relies on your support.
Your donation helps keep the project alive and improves its content ❤️.
Share this page: