How to View All Mapped Drives (Including Non-Persistent) in Windows 8+ as Administrator


4 views

Since Windows 8, administrators face a frustrating limitation when trying to view all mapped network drives across user sessions. While net use and WMI queries worked perfectly in Windows 7, they now return empty results unless executed in the specific user's context.

The core issue stems from UAC and session isolation improvements. When you run:

net use
# Or PowerShell:
Get-WmiObject Win32_LogonSessionMappedDisk

These commands only show drives mapped in your current session context, not all sessions on the machine.

For drives mapped with "Reconnect at sign-in", this PowerShell command reveals them:

Get-ChildItem Registry::HKU*\Network* | 
    ForEach-Object { 
        [PSCustomObject]@{
            User = (Split-Path $_.PSParentPath -Leaf)
            Drive = $_.PSChildName
            Path = (Get-ItemProperty $_.PSPath).RemotePath
        }
    }

For temporary drive mappings, we need to examine active network sessions. This hybrid approach combines multiple techniques:

# Requires admin rights
$sessions = query session
$activeIDs = $sessions | Where-Object { $_ -match '(\d+)\s+Active' } | 
              ForEach-Object { $matches[1] }

$activeIDs | ForEach-Object {
    $driveInfo = @()
    try {
        $driveInfo = Invoke-Command -ScriptBlock {
            net use
        } -Session (New-PSSession -InstanceId $_)
    } catch { }
    
    if ($driveInfo) {
        [PSCustomObject]@{
            SessionID = $_
            Drives = $driveInfo
        }
    }
}

Sysinternals Process Explorer can reveal network connections per process:

  1. Run Process Explorer as Administrator
  2. Ctrl+F to search for "\\" (UNC paths)
  3. Examine "TCP/IP" and "Named Pipes" tabs

For domain environments, consider these centralized approaches:

  • Enable auditing of network share access via Group Policy
  • Deploy a log collection agent to aggregate net use commands
  • Use PowerShell constrained endpoints to periodically collect mapping data

Windows administrators often need to audit network drive mappings across all user sessions. While Windows Vista and 7 showed unavailable mapped drives in net use output (when run elevated), Windows 8+ changed this behavior significantly. The command now returns "There are no entries in the list" even when other users have active mappings.

Common approaches like these don't provide complete visibility:

# Returns empty in Win8+ elevated sessions
net use

# Also ineffective
Get-WmiObject Win32_LogonSessionMappedDisk

The registry method only captures persistent mappings:

Get-ChildItem Registry::HKU*\Network*

Here's a comprehensive PowerShell solution that combines multiple approaches:

function Get-AllMappedDrives {
    # 1. Check current session
    $currentDrives = net use
    
    # 2. Check registry for persistent mappings
    $registryDrives = Get-ChildItem "Registry::HKEY_USERS\*\Network" -ErrorAction SilentlyContinue | 
        ForEach-Object {
            $driveLetter = $_.PSChildName
            $remotePath = Get-ItemProperty -Path $_.PSPath -Name RemotePath -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Drive = $driveLetter
                Path = $remotePath.RemotePath
                Source = "Registry"
                Session = "Persistent"
            }
        }
    
    # 3. Query active sessions for temporary mappings (requires admin)
    $sessionDrives = query session | 
        Where-Object { $_ -match '^ (\>)?(\w+)\s+\d+\s+' } |
        ForEach-Object {
            $sessionId = ($_ -split '\s+')[2]
            $username = ($_ -split '\s+')[1]
            
            # Use PsExec to run in user context (alternative methods below)
            $tempResult = psexec -i $sessionId -u $username cmd /c "net use" 2>&1
            if ($tempResult -match '([A-Z]):\s+(\\\\\S+)') {
                [PSCustomObject]@{
                    Drive = $matches[1]
                    Path = $matches[2]
                    Source = "Session"
                    Session = $sessionId
                    User = $username
                }
            }
        }
    
    # Output combined results
    $currentDrives, $registryDrives, $sessionDrives
}

If PsExec isn't available, consider these methods:

# Method 1: WMI + CIM
$sessions = Get-CimInstance -ClassName Win32_LogonSession
foreach ($session in $sessions) {
    $logonId = $session.LogonId
    $mapped = Get-CimAssociatedInstance -InputObject $session -ResultClassName Win32_LogonSessionMappedDisk
    # Process mappings...
}

# Method 2: Scheduled Tasks
$scriptBlock = {
    $drives = net use
    $drives | Out-File "C:\Temp\Drives_$($env:USERNAME).txt"
}

Register-ScheduledJob -Name "DriveCapture" -ScriptBlock $scriptBlock -RunNow

For domain environments, consider these enhanced techniques:

# Group Policy Preference Reporting
Get-GPPrefRegistryValue -Context User -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" -Full

# Logon Script Analysis
Get-ChildItem "\\domain\NETLOGON\*.bat" | Select-String "net use"

# Terminal Services/RDS specific
qwinsta /server:computername

Remember that:

  • UAC virtualization affects drive mapping visibility
  • Some methods require local admin rights
  • Temporary mappings exist only during the user session
  • Always audit in a security-compliant manner