However, the solution for enabling Guest can be the following. You need 2 steps!
1.) First step: (remove the UF_ACCOUNTDISABLE flag by calling NetUserSetInfo)
run gpedit.msc
select Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
and set "Accounts: Guest account status" to Enabled
As an alternative you can do the following:
run lusrmgr.msc and under Users > Guest uncheck "Account is disabled"
But we also need to do a second step!
2.) Second step: (remove "SeDenyInteractiveLogonRight" by calling LsaRemoveAccountRights)
run gpedit.msc (or it is already running from the first step)
select Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
and look for "Deny log on locally". If Guest exists here, remove it!
Also be sure that Guest exists under "Allow log on locally" (by default this is true)
(Deny log on locally
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.)
and we got it:
But just after logging in as Guest we see the desktop blinking (explorer crashes in an infinite loop, in "virtual TokenBrokerMonitor::~TokenBrokerMonitor()" from shell\roaming\settingsynccore\settingmonitor\tokenbrokermonitor.cpp - SettingSyncCore.dll), so you need to press CTRL+ALT+DEL and log out from Guest :)
If you try Control Panel > All Control Panel Items > User Accounts > Manage Accounts,
the following happens in Windows 10:
first this is called, and here is the notable line
    NTSTATUS CUserManager::Initialize(ILocalMachine*, ILogonEnumUsers*, int, int)
    {
        ...
        m_bNotShowGuest = true; // mov byte ptr [rcx + 381h],1
        ...
    }
then this is called
    NTSTATUS CUserManager::_HandleGuestAccountTile()
    {
        if (_IsGuestAccountEnabled())
        {
            if (m_bNotShowGuest) _RemoveGuestTile();
            return STATUS_SUCCESS;
        }
        if (_IsGuestAccountEnabledIgnoringLogonRights())
        {
            if (_GetGuestUserIndex() <= -1)
            {
                return STATUS_SUCCESS;
            }
            if (m_bNotShowGuest)
            {
                _RemoveGuestTile();
                return STATUS_SUCCESS;
            }
            ...
        }
        else
        {
            if (m_bNotShowGuest)
            {
                return STATUS_SUCCESS;
            }
            ...
        }
    }
(yes, the code is terrible, but it is not mine)
Because m_bNotShowGuest is set to TRUE in Initialize, _RemoveGuestTile() is called. The name speaks for itself.
However, look at the 2 notable functions _IsGuestAccountEnabled() and _IsGuestAccountEnabledIgnoringLogonRights().
Both call NTSTATUS CLocalMachine::get_isGuestEnabled(ILM_GUEST_FLAGS, PBOOL) with different flags:
ILM_GUEST_INTERACTIVE_LOGON and ILM_GUEST_ACCOUNT
get_isGuestEnabled first always calls NetUserGetInfo(0, GetGuestAccountName(), 1 /* USER_INFO_1 */, )
and checks for the UF_ACCOUNTDISABLE flag in usri1_flags. Then, if UF_ACCOUNTDISABLE is not set and ILM_GUEST_INTERACTIVE_LOGON (or ILM_GUEST_NETWORK_LOGON) is in the first argument, LsaEnumerateAccountRights(PolicyHandle, GetGuestSid(), ) is called and the result is searched for the "SeDenyInteractiveLogonRight" (or
"SeDenyNetworkLogonRight") string. As a result NetUserGetInfo is called 2 times, but this is a very slow function.
The code (in CUserManager::_HandleGuestAccountTile) is terrible. For this it is necessary to kill (to dismiss)
When I set m_bNotShowGuest to FALSE under a debugger, I got the ability to manage the Guest account.
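
To audit whether the built-in Guest account is usable for interactive logon, the two conditions described above (UF_ACCOUNTDISABLE clear, and no "SeDenyInteractiveLogonRight" on the account) can be read back from an elevated PowerShell prompt. This is an added example, not part of the original post; it assumes Windows PowerShell 5.1 or later with Get-LocalUser and secedit.exe available, and it only looks at rights assigned directly to the Guest account, not to groups it belongs to.

```powershell
#Requires -RunAsAdministrator
# Added audit example (not from the original post): report the two conditions
# the post describes for the built-in Guest account.

# Built-in Guest is the local account whose SID ends in -501 (it may be renamed).
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if (-not $guest) { throw 'Built-in Guest account not found.' }

# Export only the User Rights Assignment area of the local security policy.
$cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)." }
try     { $lines = Get-Content -LiteralPath $cfg }
finally { Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue }

# Principals on one privilege line, e.g. "SeDenyInteractiveLogonRight = Guest,*S-1-5-32-546".
function Get-RightHolders([string[]]$Lines, [string]$Right) {
    $line = $Lines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

# secedit writes either an account name or a *SID; accept both forms for Guest.
$ids = @($guest.Name, "$env:COMPUTERNAME\$($guest.Name)", $guest.SID.Value)
function Test-GuestHolds([string]$Right) {
    @(Get-RightHolders $lines $Right | Where-Object { $ids -contains $_ }).Count -gt 0
}

$denied = Test-GuestHolds 'SeDenyInteractiveLogonRight'
[pscustomobject]@{
    Account              = $guest.Name
    AccountEnabled       = $guest.Enabled      # True when UF_ACCOUNTDISABLE is clear
    DenyLogOnLocally     = $denied             # direct assignment to Guest only
    AllowLogOnLocally    = Test-GuestHolds 'SeInteractiveLogonRight'
    InteractiveLogonOpen = $guest.Enabled -and -not $denied
}
```

On a machine where neither step has been applied, AccountEnabled is expected to be False and DenyLogOnLocally True; any host reporting InteractiveLogonOpen as True is worth reviewing.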