
Typically, I'd just use something like this to get the info I need:

Get-PSDrive -PSProvider FileSystem | Where-Object {$_.DisplayRoot -match "^\\\\"} | Select-Object -Property Root,DisplayRoot

However, we're working with an RMM that runs in the NT Authority\System context so the results are always blank.

I've had to do something similar before - where I find what user is logged in and find their SID and then figure out the path to the HKCU from there. But I cannot sort out how to get the drive letter & path for each mapped drive. Below is what I've got so far. (If there's a better way, by all means, tell me.)

$Username = (Get-WMIObject -ClassName Win32_ComputerSystem).Username
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
$User = New-Object System.Security.Principal.NTAccount($Username)
$SID = $User.Translate([System.Security.Principal.SecurityIdentifier])
$RegistryPath = "HKU:$($sid.Value)\Network"

With that code, I can typically sort the absolute path of HKCU for the user. At that point, I run something like this to list out all their mapped drives and their paths.

Get-ChildItem $RegistryPath

The output I get is what you see below:

Name                           Property
----                           --------
g                              RemotePath     : \\FS1\Company
                               UserName       :
                               ProviderName   : Microsoft Windows Network
                               ProviderType   : 131072
                               ConnectionType : 1
                               ConnectFlags   : 0
                               DeferFlags     : 4
                               UseOptions     : {68, 101, 102, 67...}
M                              RemotePath     : \\FS1\ManagementTeam
                               UserName       : 0
                               ProviderName   : Microsoft Windows Network
                               ProviderType   : 131072
                               ConnectionType : 1
                               ConnectFlags   : 0
                               DeferFlags     : 4
                               UseOptions     : {68, 101, 102, 67...}
o                              RemotePath     : \\FS1\Operations
                               UserName       :
                               ProviderName   : Microsoft Windows Network
                               ProviderType   : 131072
                               ConnectionType : 1
                               ConnectFlags   : 0
                               DeferFlags     : 4
                               UseOptions     : {68, 101, 102, 67...}

I tried piping the above command to a Select-Object and just grabbing the Name and RemotePath but I only get back the Name; the RemotePath is blank. For that matter, the Name has some extra fluff I don't need but I can live with it if need be.

Sample output:

Name                                                               RemotePath
----                                                               ----------
HKEY_USERS\S-1-5-21-645643383-2545892271-1688843945-1108\Network\g
HKEY_USERS\S-1-5-21-645643383-2545892271-1688843945-1108\Network\M
HKEY_USERS\S-1-5-21-645643383-2545892271-1688843945-1108\Network\o

All I'm trying to do is get the drive letter and its path.
Something like this would be ideal:

Name  RemotePath
----  ----------
G     \\FS1\Company
M     \\FS1\ManagementTeam
O     \\FS1\Operations

1 Answer

To get your desired output, for the Name property you can use PSChildName and for the RemotePath property you can use .GetValue('RemotePath'); using Select-Object calculated properties the code would become:

$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
Get-ChildItem "Registry::HKEY_USERS\$($sid.Value)\Network" |
    Select-Object @(
        @{ N = 'Name'; E = 'PSChildName' }
        @{ N = 'RemotePath'; E = { $_.GetValue('RemotePath') }})

To understand how PowerShell generates this default table output, you can inspect the extended type definition using Get-FormatData:

$format = Get-FormatData Microsoft.Win32.RegistryKey
$format.FormatViewDefinition[0].Control.Rows[0].Columns | Format-Table -Wrap

1 Comment

That code works well! I had to omit the first line because it returned the S-1-5-18 SID which is for a special system account, but I already knew how to get around that issue. Under normal circumstances, I could do just as you've done - if I weren't in a remote shell through our RMM, running as a system account. I've messed around with some calculated properties in the past. I always have to look up how they work and try to understand them. I'll have to dig into your links some more and see what I can learn from them.
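
Added example, not part of the question, answer, or comment above: a sketch that combines the SID lookup from the question with the PSChildName / GetValue('RemotePath') projection from the answer, and generalizes it to every user hive currently loaded under HKEY_USERS, so it does not depend on Win32_ComputerSystem.Username being populated. The function name Get-MappedDriveFromHive and the SID patterns it matches are assumptions made for this example; it only reports mappings stored under each user's Network key.

```powershell
# Added example (hypothetical function name): list the mapped drives recorded
# under HKEY_USERS\<SID>\Network for every loaded user hive. Intended to run
# elevated, e.g. as NT AUTHORITY\SYSTEM from an RMM agent.
function Get-MappedDriveFromHive {
    [CmdletBinding()]
    param()

    # User hives load under HKEY_USERS by SID. S-1-5-21-* covers local and
    # domain accounts, S-1-12-1-* covers Azure AD accounts. The anchored
    # pattern also skips the "<SID>_Classes" hives and S-1-5-18 (SYSTEM).
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' }

    foreach ($hive in $hives) {
        $sidValue = $hive.PSChildName

        # Resolve the SID to DOMAIN\user; fall back to the raw SID when the
        # account cannot be mapped (deleted account, unreachable domain).
        try {
            $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidValue)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sidValue
        }

        $networkKey = "Registry::HKEY_USERS\$sidValue\Network"
        if (-not (Test-Path -LiteralPath $networkKey)) { continue }  # no mappings stored

        # One subkey per drive letter; RemotePath holds the UNC target.
        foreach ($key in Get-ChildItem -LiteralPath $networkKey) {
            [pscustomobject]@{
                User       = $account
                Name       = $key.PSChildName.ToUpper()
                RemotePath = $key.GetValue('RemotePath')
            }
        }
    }
}

Get-MappedDriveFromHive | Sort-Object User, Name | Format-Table -AutoSize
```

A user whose profile hive is not loaded (not logged on) will not appear in the output.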
