
May 19, 2014 at 3:59 am

Hey all,

I have been trawling through some of the great Tech Ed 2014 sessions that have been online, and watched Case of the Unexplained: Troubleshooting with Mark Russinovich, and he said that PowerShell v4.0 did not properly enumerate admin shares, whereas AccessChk did.

I was curious to know what the good people in here thought about that?

I haven't yet had a chance to test myself, but it is a task I can see needing a good script to check multiple servers.

May 19, 2014 at 6:46 am

I'm not sure what he meant by that, and haven't watched that particular session yet. What PowerShell commands was he referring to?

May 20, 2014 at 4:07 am

Hi Dave,

Thanks for the response. I am now desperately trying to find the part where he said it, and doubting myself!

I watched Mark's demo on Case of the Unexplained, but I also watched "Malware Hunting with Mark Russinovich and the Sysinternals Tools" http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B368#fbid= as well as Aaron Margosis' "Sysinternals Primer" http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B340#fbid= around the same time, so it may have been in one of the other ones.

I will try and have a look tonight and verify.

May 21, 2014 at 4:05 am

I have had a look and it is Aaron Margosis' “Sysinternals Primer” http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B340#fbid=

Around 29 minutes in he starts talking about the new version of AccessChk that can check SMB Admin shares with the -h switch.

He then mentions that the PowerShell v4 command Get-SMBShareAccess queries a hardcoded list rather than the registry, so it gets it wrong.

Sorry for the confusion.