This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

File retrieval in user context

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

File retrieval in user context

Arman_Zaheri
L2 Linker

‎02-24-2025 07:39 AM

Hello,

Is it possible to retrieve a file which is only accessible in user's context? I have an incident which user opened a file from a network mapped drive. That drive might not be accessible by anyone except for the user.

 

Which user context is used when we initiate File retrieval via:

1. Cortex console or an agent script

2. Live terminal

 

Thank you very much

 

0 Likes Likes
2 REPLIES 2

Mudhireddy
L4 Transporter

‎02-24-2025 10:28 AM

Yes, retrieving a file that is only accessible in the user’s context (such as a network-mapped drive) using Cortex XDR can be challenging because the XDR agent runs as SYSTEM, which may not have access to the user’s mapped drives. However, there are workarounds to retrieve the file:

 

1. Use Live Terminal (Best for Interactive Access)
If the user is online, the best method is to use Live Terminal to access the user's session and retrieve the file.

Steps:

Go to Cortex XDR → Response → Live Terminal
Select the affected endpoint.

Run the following PowerShell command to check the user’s network drives:
powershell
Get-PSDrive -PSProvider FileSystem

This will list the user’s mapped network drives (e.g., Z:\).


Copy the file from the network drive to a local path that XDR can access:
powershell
Copy-Item "Z:\path\to\file.txt" -Destination "C:\Temp\file.txt"
Use File Fetch (see Method 2) to retrieve the file from C:\Temp

 

Best Regards,
Suresh
0 Likes Likes

Arman_Zaheri
L2 Linker

‎02-24-2025 10:37 AM

Thanks for your response. Two questions regarding live terminal:

1. I checked live terminal before, it's also running under SYSTEM. But I'll check this again to make sure.

2. Assuming this statement is true, how can we automate this retrieval? The endpoint might not be online at the moment.

 

BR,

0 Likes Likes
  • 172 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks