Windows 8, 8.1 and 10 automatically sending NTLM

I have a problem with Windows 8, 8.1 and 10; you should too.

Update: Windows 7 to Windows 10 behave the same way.

I think the main feedback from Windows 10 is that it is pretty secure so far; however, it haemorrhages plenty of information about your online activity. This is well documented, and there are tools for it.

I stumbled across something interesting. Check this out:

When a user types an address such as \\ip-address into the Explorer address bar, then as soon as the user adds the final slash, so it's \\ip-address\, Windows 10 will do you the favour of automatically sending your NTLM credentials to the IP address, as seen here.

So why is it an issue?

Well, for one, the Enter or Return key is there to action the command. It's a well-known identifier for 'yes, I want to execute what I just did', so for this to happen before I hit Return is just stupid.

If I'm super secure, I only want my NTLM challenges bouncing around my Active Directory / domain.

If I'm less secure, I might want them only available on the local area network.

If I'm stupid, I'm happy for them to be sent over the internet... like Windows 10 is doing currently.
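One way to check which of those three tiers a machine's SMB traffic actually reaches, as an added example that is not part of the original post: the script below sorts outbound SMB connections from a Windows Firewall log (pfirewall.log layout) into domain, LAN and internet. The log lines and the `DOMAIN_NETS` / `LAN_NETS` ranges are constructed assumptions, and it assumes the firewall is logging allowed connections.

```python
import ipaddress

# Assumption: ranges holding the domain's own servers (constructed value).
DOMAIN_NETS = [ipaddress.ip_network("10.10.0.0/16")]
# Private / link-local ranges treated as "the LAN".
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "169.254.0.0/16", "fc00::/7", "fe80::/10")]
SMB_PORTS = {"139", "445"}

# Constructed sample lines in the pfirewall.log column order.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2016-03-01 09:14:02 ALLOW TCP 10.10.4.23 10.10.0.5 49712 445 0 - 0 0 0 - - - SEND
2016-03-01 09:15:40 ALLOW TCP 10.10.4.23 192.168.7.20 49730 445 0 - 0 0 0 - - - SEND
2016-03-01 09:16:11 ALLOW TCP 10.10.4.23 203.0.113.50 49744 445 0 - 0 0 0 - - - SEND
2016-03-01 09:16:12 ALLOW TCP 10.10.4.23 203.0.113.50 49745 443 0 - 0 0 0 - - - SEND
2016-03-01 09:17:03 DROP TCP 10.10.4.23 198.51.100.9 49750 445 0 - 0 0 0 - - - SEND
"""

def classify(dst):
    """Map a destination address to one of the three tiers from the text."""
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in DOMAIN_NETS):
        return "domain"
    if any(addr in net for net in LAN_NETS):
        return "lan"
    return "internet"

def smb_egress(log_text):
    """Return (time, dst, port, action, tier) for each outbound SMB/NetBIOS flow."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if line.startswith("#") or len(f) < 17:
            continue  # header, blank or truncated line
        date, time, action, proto, _src, dst, _sport, dport = f[:8]
        if proto != "TCP" or dport not in SMB_PORTS or f[-1] != "SEND":
            continue
        hits.append((f"{date} {time}", dst, dport, action, classify(dst)))
    return hits

def internet_leaks(log_text):
    """Allowed SMB connections to the internet: NTLM may have been offered there."""
    return [h for h in smb_egress(log_text)
            if h[3] == "ALLOW" and h[4] == "internet"]

if __name__ == "__main__":
    for hit in internet_leaks(SAMPLE_LOG):
        print(hit)
```

Any row returned by `internet_leaks` is a destination outside the LAN that the firewall let an SMB connection reach; the `DROP` rows show what an outbound block rule on ports 139/445 looks like in the same log.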

I spoke to the Microsoft Security Response Centre about this and this is the story so far...


Me: It’s automatically sending my challenges before I hit Return.

That can’t be right.

Fresh install.

MS SRC: Hello,

Thank you for contacting the Microsoft Security Response Center (MSRC). It makes the queries as you are typing in the address bar. That's how it lists out the folders at the current location as you are typing.


Jonathan  MSRC

Me: Hey Jonathan

I understand that; I don’t understand why it should happen.

Granted, this would be nice inside of an Active Directory where there are known entitlements to drives etc.

But outside of an AD … on a LAN pre-membership or over a WAN, you don’t see how this is a concern?



MS SRC: Thank you for contacting the Microsoft Security Response Center (MSRC). Can you provide a valid POC that can be used to exploit this?


Me: Are you saying that it's not a serious information leak by its own merit?

Information being username/hash etc.

