During a recent investigation I came across a process communicating with a file path of z:\. Knowing most likely this was a mapped network share I had no idea how to obtain the mapped address. Below are the instructions to pull this information out of the windows registry.

First you'll have to identify the target users SID. You can achieve this with wmic:

wmic useraccount get name,sid

Administrator S-1-5-21-1180699209-877415012-3182924384-500
Guest S-1-5-21-1180699209-877415012-3182924384-501
HomeGroupUser$ S-1-5-21-1180699209-877415012-3182924384-1002

Once you have the SID run the following reg query:

reg query "HKEY_USERS\[SID]\Network" /s
 
HKEY_USERS\[SID]\Network\Y
    RemotePath    REG_SZ    \\server1\share
    UserName    REG_DWORD    0x0
    ProviderName    REG_SZ    Microsoft Windows Network
    ProviderType    REG_DWORD    0x20000
    ConnectionType    REG_DWORD    0x1
    DeferFlags    REG_DWORD    0x1
 
HKEY_USERS\[SID]\Network\Z
    RemotePath    REG_SZ    \\server2\temp
    UserName    REG_DWORD    0x0
    ProviderName    REG_SZ    Microsoft Windows Network
    ProviderType    REG_DWORD    0x20000
    ConnectionType    REG_DWORD    0x1
    DeferFlags    REG_DWORD    0x4

You can see the mapped addresses under RemotePath. Hopefully this comes in handy.