During a recent investigation I came across a process communicating with a file path of z:\. Knowing this was most likely a mapped network share, I had no idea how to obtain the mapped address. Below are the instructions to pull this information out of the Windows registry.
First you’ll have to identify the target user's SID. You can achieve this with wmic:
Once you have the SID, run the following reg query:
You can see the mapped addresses under RemotePath. Hopefully this comes in handy.
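The same lookup done in one pass, as an added PowerShell example (not the author's original commands): it walks every user hive loaded under HKEY_USERS, resolves each SID to an account name, and reads RemotePath for each drive letter under the hive's Network key. The function name `Get-MappedDriveFromRegistry` is hypothetical.

```powershell
# Added example: list mapped drives recorded in the registry for loaded user hives.
# Run from an elevated prompt so that other users' hives are readable.
function Get-MappedDriveFromRegistry {
    param(
        [string]$Sid   # optional: restrict output to a single user SID
    )

    # Keep only user SIDs (local/domain S-1-5-21-*, Entra ID S-1-12-1-*).
    # The end anchor skips the matching "<SID>_Classes" hives.
    $hives = Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' }
    if ($Sid) { $hives = $hives | Where-Object { $_.PSChildName -eq $Sid } }

    foreach ($hive in $hives) {
        $userSid = $hive.PSChildName

        # Resolve the SID to DOMAIN\user; deleted or unreachable accounts will not translate.
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($userSid)
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }

        # Each subkey of Network is a drive letter; RemotePath holds the UNC target.
        $networkKey = "Registry::HKEY_USERS\$userSid\Network"
        if (-not (Test-Path $networkKey)) { continue }

        foreach ($drive in Get-ChildItem -Path $networkKey) {
            $values = Get-ItemProperty -Path $drive.PSPath
            [pscustomobject]@{
                Account    = $account
                SID        = $userSid
                Drive      = "$($drive.PSChildName):"
                RemotePath = $values.RemotePath
                UserName   = $values.UserName   # credentials used for the mapping, if recorded
            }
        }
    }
}

Get-MappedDriveFromRegistry | Format-Table -AutoSize
```

Only hives of logged-on users are loaded under HKEY_USERS, and the Network key records persistent mappings only. For a user who is not logged on, load their NTUSER.DAT first (for example with `reg load`) and query the Network key under the loaded hive.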