Query Map Network Drives from the Registry

AID2112302017.YAML

#####aid_begin
#description: fetch the information of the map network drive mrus
#id: aid2112302017
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  get-bgregistry
#notes: |-
#  the first key maintains a list of mapped network drive, including the server name and shared folder. the value in this key is still retained even though the mapped network drive has been permanently removed or disconnected.             
#####aid_end
commands:
- Get-BGRegistry -StartKey "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU"

PreviousQuery Startup Services from the Registry NextQuery Shell Folders and User Shell Folders from both the HKLM and HKU Registry Information

Last updated 2 years ago