12

In my understanding of security, an administrator should be able to view all connections to and from a computer - just as they can view all processes/owner, network connections/owning process. However, Windows 8 seems to have disabled this.

As administrator running an elevated prompt in Win Vista+, when you run `net use` you get back all drives mapped, listed as unavailable. In Windows 8, the same command run from an elevated prompt returns "There are no entries in the list". The behavior is identical for PowerShell `Get-WmiObject Win32_LogonSessionMappedDisk`.

A workaround for persistent mappings is to run `Get-ChildItem Registry::HKU\*\Network\*`. This does not include temporary mappings (in my particular example it was created through Explorer on an administrator account and I did not select "Reconnect at sign-in").

Is there a direct/simple way for Administrator to view connections of any user (short of a script that runs under each user context)? I have read "Some Programs Cannot Access Network Locations When UAC Is Enabled", but I do not think it particularly applies.

I have seen this answer, but it still does not address non-persistent drives: "How can I tell what network drives users have mapped?"

jeubank12
  • Does the PowerShell cmdlet `Get-SmbMapping` help? – Ryan Ries Oct 29 '13 at 23:54
  • No, same result. I also tested it on Win7 last night (wrong version of PowerShell) and it gives the same results when you get an elevated prompt through a standard user. – jeubank12 Oct 30 '13 at 13:09
  • A command with a more verbose output is `wmic netuse`. You'll likely want to write this to a file and open it as tab-separated values. – Jason Nov 12 '13 at 22:58
  • From the security perspective, a list of _mappings_ is useless. One can, after all, access these shares directly via the UNC path without ever mapping them. – RomanSt Oct 27 '14 at 01:42

1 Answer

4

On Windows 7, if UAC is enabled and you open Command Prompt with "Run as Administrator", you won't see the mapped drives either. On Windows 8, you'll notice that even when UAC is disabled, you still have to "Run as Administrator".

The reason why Administrator doesn't see the mapped drives is explained in the TechNet article you linked. In a nutshell, you are running with only an Administrator token, and the mapped drives are given to the Standard user token. Windows 7 with UAC disabled runs the Command Prompt with both tokens.

The resolution in that article also works with Windows 8. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, create a DWORD value of `EnableLinkedConnections`, set it to 1, and restart.


Jason
  • This addresses viewing the drives if you are the administrator on the system and the user at the same time. What about viewing non-persistent connections of any user on a system/network? (Which is why I asked here instead of superuser) – jeubank12 Nov 26 '13 at 05:47
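
The two registry locations discussed in this thread can be read together from one elevated session. The script below is an added example, not code from any of the posts: it reports the `EnableLinkedConnections` state and lists persistent mappings for every user hive currently loaded under `HKEY_USERS`. The function names are illustrative, and like the registry workaround in the question it does not see non-persistent mappings or the hives of users whose profiles are not loaded.

```powershell
# Added example: run from an elevated PowerShell prompt.

function Get-LinkedConnectionsState {
    # Policy value named in the answer; absent means the default (not enabled).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $key -Name EnableLinkedConnections -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present = ($null -ne $item)
        Value   = if ($item) { $item.EnableLinkedConnections } else { $null }
    }
}

function Get-PersistentDriveMapping {
    # Persistent mappings live in HKEY_USERS\<SID>\Network\<DriveLetter>.
    # The pattern keeps domain/local account SIDs and skips the *_Classes
    # hives and built-in service SIDs (S-1-5-18, S-1-5-19, S-1-5-20).
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            try {
                # Resolve the SID to DOMAIN\user for readability.
                $sidObject = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $account = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # Deleted or unreachable accounts: report the raw SID instead.
                $account = $sid
            }
            $networkKey = "Registry::HKEY_USERS\$sid\Network"
            if (Test-Path -Path $networkKey) {
                Get-ChildItem -Path $networkKey | ForEach-Object {
                    [pscustomobject]@{
                        Account    = $account
                        Sid        = $sid
                        Drive      = "$($_.PSChildName):"
                        RemotePath = $_.GetValue('RemotePath')
                    }
                }
            }
        }
}

Get-LinkedConnectionsState
Get-PersistentDriveMapping | Format-Table -AutoSize
```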