During a recent investigation I came across a process communicating with a file path of `z:\`. Knowing this was most likely a mapped network share, I had no idea how to obtain the mapped address. Below are the instructions to pull this information out of the Windows registry.

First you'll have to identify the target user's SID. You can achieve this with `wmic`:

```
wmic useraccount get name,sid

Guest S-1-5-21-1180699209-877415012-3182924384-501
HomeGroupUser$ S-1-5-21-1180699209-877415012-3182924384-1002
```

Once you have the SID, run the following `reg query`:

```
reg query "HKEY_USERS\[SID]\Network" /s

HKEY_USERS\[SID]\Network\Y
RemotePath    REG_SZ    \\server1\share
ProviderName    REG_SZ    Microsoft Windows Network
ProviderType    REG_DWORD    0x20000
ConnectionType    REG_DWORD    0x1
DeferFlags    REG_DWORD    0x1

HKEY_USERS\[SID]\Network\Z
RemotePath    REG_SZ    \\server2\temp
```

You can see the mapped addresses under `RemotePath`. Hopefully this comes in handy.
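
The two manual steps above can be combined into one pass over every user hive on the host. This PowerShell function is an added example, not part of the original post; the function name `Get-MappedDriveFromRegistry` is made up for illustration, and it assumes the hives of interest are currently loaded under `HKEY_USERS` (a logged-off user's `NTUSER.DAT` is not visible there).

```powershell
# Added example: walk HKEY_USERS\<SID>\Network for every loaded user hive
# and report each drive letter with its RemotePath.
function Get-MappedDriveFromRegistry {
    [CmdletBinding()]
    param()

    # Only full account SIDs; skips .DEFAULT, short well-known SIDs
    # (S-1-5-18 etc.) and the <SID>_Classes hives.
    $sidPattern = '^S-1-5-21-[\d-]+$'

    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match $sidPattern } |
        ForEach-Object {
            $sid        = $_.PSChildName
            $networkKey = "Registry::HKEY_USERS\$sid\Network"

            # Users with no recorded mappings have no Network subkeys to list.
            if (-not (Test-Path -Path $networkKey)) { return }

            # Resolve the SID to an account name. Translation throws for
            # deleted accounts or when the domain cannot be reached.
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '<unresolved>'
            }

            # Each subkey of Network is named after a drive letter.
            Get-ChildItem -Path $networkKey | ForEach-Object {
                $values = Get-ItemProperty -Path $_.PSPath
                [pscustomobject]@{
                    Account    = $account
                    SID        = $sid
                    Drive      = "$($_.PSChildName):"
                    RemotePath = $values.RemotePath
                    Provider   = $values.ProviderName
                }
            }
        }
}

Get-MappedDriveFromRegistry | Format-Table -AutoSize
```

Run it from an elevated prompt so that other users' hives are readable.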