
How to Generate a Shared Folders Audit Report in Batch Script

In a networked business environment, shared folders (SMB/CIFS) are how files are distributed across the organization. However, forgotten shares can be a significant security risk: if a folder containing sensitive data is accidentally left shared with permissive access, it becomes a potential data breach. A Batch script can query the system to list every active share, its physical path, permissions, and type, providing an essential map for security auditing and server maintenance.

This guide will explain how to audit shared folders using net share and PowerShell.

Method 1: Comprehensive Share Audit Report

This method generates a complete report of all active shares including their paths, types, descriptions, and critically, share-level permissions.

@echo off
setlocal

for /f "delims=" %%t in (
'powershell -NoProfile -Command "Get-Date -Format yyyyMMdd_HHmmss"'
) do set "Stamp=%%t"

set "ReportFile=%~dp0SharesReport_%COMPUTERNAME%_%Stamp%.txt"

echo [INFO] Generating shared folders audit report...

:: =============================================
:: Report Header
:: =============================================
(
echo ==================================================
echo SHARED FOLDERS AUDIT REPORT
echo ==================================================
) > "%ReportFile%"

for /f "delims=" %%d in ('powershell -NoProfile -Command "Get-Date -Format yyyy-MM-dd"') do set "_date=%%d"
for /f "delims=" %%t in ('powershell -NoProfile -Command "Get-Date -Format HH:mm:ss"') do set "_time=%%t"
echo Generated: %_date% %_time% >> "%ReportFile%"

echo Computer: %COMPUTERNAME% >> "%ReportFile%"
echo. >> "%ReportFile%"

:: =============================================
:: Section 1: Share Summary
:: =============================================
echo [1/3] Collecting share information...
echo --- [1] ACTIVE SHARES --- >> "%ReportFile%"
echo. >> "%ReportFile%"

powershell -NoProfile -Command ^
"$shares = Get-CimInstance Win32_Share;" ^
"if (-not $shares) { Write-Output ' No shares found.'; exit 0 };" ^
"$shares | ForEach-Object {" ^
" $typeStr = switch ($_.Type) {" ^
" 0 { 'Disk' }" ^
" 1 { 'Printer' }" ^
" 2 { 'Device' }" ^
" 3 { 'IPC' }" ^
" 2147483648 { 'Disk (Admin)' }" ^
" 2147483649 { 'Printer (Admin)' }" ^
" 2147483651 { 'IPC (Admin)' }" ^
" default { $_ }" ^
" };" ^
" $hidden = if ($_.Name.EndsWith('$')) { 'Yes' } else { 'No' };" ^
" [PSCustomObject]@{" ^
" Name = $_.Name;" ^
" Path = if ($_.Path) { $_.Path } else { 'N/A' };" ^
" Type = $typeStr;" ^
" Hidden = $hidden;" ^
" Description = if ($_.Description) { $_.Description } else { '-' }" ^
" }" ^
"} | Format-Table -AutoSize -Wrap" >> "%ReportFile%"

echo. >> "%ReportFile%"

:: =============================================
:: Section 2: Share Permissions (Security Focus)
:: =============================================
echo [2/3] Auditing share permissions...
echo --- [2] SHARE-LEVEL PERMISSIONS --- >> "%ReportFile%"
echo. >> "%ReportFile%"

:: Get-SmbShareAccess returns the share-level ACL for each disk share
powershell -NoProfile -Command ^
"$shares = Get-CimInstance Win32_Share | Where-Object { $_.Type -eq 0 };" ^
"foreach ($s in $shares) {" ^
" Write-Output \" Share: \\$env:COMPUTERNAME\$($s.Name)\";" ^
" Write-Output \" Path: $($s.Path)\";" ^
" $perms = Get-SmbShareAccess -Name $s.Name -ErrorAction SilentlyContinue;" ^
" if ($perms) {" ^
" $perms | ForEach-Object {" ^
" Write-Output \" $($_.AccessControlType): $($_.AccountName) = $($_.AccessRight)\"" ^
" }" ^
" } else {" ^
" Write-Output ' (Could not retrieve permissions - may require admin rights)'" ^
" };" ^
" Write-Output ''" ^
"}" >> "%ReportFile%"

echo. >> "%ReportFile%"

:: =============================================
:: Section 3: Security Concerns
:: =============================================
echo [3/3] Checking for security concerns...
echo --- [3] SECURITY CONCERNS --- >> "%ReportFile%"
echo. >> "%ReportFile%"

powershell -NoProfile -Command ^
"$concerns = @();" ^
"$shares = Get-CimInstance Win32_Share | Where-Object { $_.Type -eq 0 };" ^
"foreach ($s in $shares) {" ^
" $perms = Get-SmbShareAccess -Name $s.Name -ErrorAction SilentlyContinue;" ^
" if ($perms) {" ^
" $everyoneAccess = $perms | Where-Object {" ^
" $_.AccountName -match 'Everyone|Tout le monde|Jeder|Tutti' -and" ^
" $_.AccessControlType -eq 'Allow'" ^
" };" ^
" if ($everyoneAccess) {" ^
" $concerns += [PSCustomObject]@{" ^
" Share = $s.Name;" ^
" Path = $s.Path;" ^
" Issue = \"'Everyone' has $($everyoneAccess.AccessRight -join ', ') access\"" ^
" }" ^
" }" ^
" }" ^
"};" ^
"$customHidden = Get-CimInstance Win32_Share | Where-Object {" ^
" $_.Name.EndsWith('$') -and $_.Name -notin 'C$','D$','E$','ADMIN$','IPC$','print$' -and" ^
" $_.Type -eq 0" ^
"};" ^
"foreach ($h in $customHidden) {" ^
" $concerns += [PSCustomObject]@{" ^
" Share = $h.Name;" ^
" Path = $h.Path;" ^
" Issue = 'Custom hidden share (not a standard admin share)'" ^
" }" ^
"};" ^
"if ($concerns) {" ^
" Write-Output \" Found $($concerns.Count) concern(s):\";" ^
" Write-Output '';" ^
" $concerns | ForEach-Object {" ^
" Write-Output \" [$($_.Share)] $($_.Issue)\";" ^
" Write-Output \" Path: $($_.Path)\"" ^
" }" ^
"} else {" ^
" Write-Output ' No security concerns found.'" ^
"}" >> "%ReportFile%"

echo. >> "%ReportFile%"
echo ================================================== >> "%ReportFile%"

echo [OK] Share audit report saved to: %ReportFile%

endlocal
exit /b 0

Sample report output:

==================================================
SHARED FOLDERS AUDIT REPORT
==================================================
Generated: 2026-03-28 09:23:07
Computer: DESKTOP-N77483E

--- [1] ACTIVE SHARES ---

Name       Path               Type         Hidden Description
----       ----               ----         ------ -----------
C$         C:\                Disk (Admin) Yes    Default share
ADMIN$     C:\Windows         Disk (Admin) Yes    Remote Admin
IPC$       N/A                IPC (Admin)  Yes    Remote IPC
SharedDocs C:\SharedDocuments Disk         No     Office documents
Finance$   D:\Finance         Disk         Yes    -
Backups    E:\Backups         Disk         No     Nightly backup target

--- [2] SHARE-LEVEL PERMISSIONS ---

Share: \\WORKSTATION-07\SharedDocs
Path: C:\SharedDocuments
Allow: Everyone = Read
Allow: CORP\FileAdmins = Full

Share: \\WORKSTATION-07\Finance$
Path: D:\Finance
Allow: Everyone = Full

Share: \\WORKSTATION-07\Backups
Path: E:\Backups
Allow: CORP\BackupService = Full

--- [3] SECURITY CONCERNS ---

Found 2 concern(s):

[Finance$] 'Everyone' has Full access
Path: D:\Finance
[Finance$] Custom hidden share (not a standard admin share)
Path: D:\Finance

Why share permissions are critical:

A shared folder report that only lists share names and paths is incomplete for security auditing. The critical question is who can access it. A share named Finance$ with "Everyone: Full Control" is a severe security vulnerability regardless of how well the folder is hidden. Section 2 shows the actual share-level access control list, and Section 3 automatically flags the most common security issues.

Share types explained:

Type Value     Description
0              Disk share (user-created)
1              Printer share
3              IPC (Inter-Process Communication)
2147483648+    Administrative shares (Type + 0x80000000 flag)

Method 2: Quick Share Listing with net share

For a quick overview without PowerShell, net share provides the basic share list. This works on any Windows version without PowerShell prerequisites.

@echo off
setlocal

echo [INFO] Active shares on %COMPUTERNAME%:
echo --------------------------------------------------

net share

echo --------------------------------------------------

:: For detailed info on a specific share:
:: net share ShareName

endlocal
exit /b 0

Limitations:

net share shows share names, paths, and descriptions in a fixed-width table. It does not show permissions, share type, or hidden status (beyond the $ suffix). For security auditing, use Method 1.

Method 3: Fleet-Wide Share Inventory CSV

For auditing shares across multiple servers, export share details to a shared CSV.

@echo off
setlocal

set "CSVFile=\\Server\Audit\share_inventory.csv"

if not exist "%CSVFile%" (
echo "Timestamp","Computer","ShareName","Path","Type","Hidden","EveryoneAccess" > "%CSVFile%" 2>nul
)

powershell -NoProfile -Command ^
"$ts = Get-Date -Format 'yyyy-MM-dd HH:mm:ss';" ^
"$shares = Get-CimInstance Win32_Share | Where-Object { $_.Type -eq 0 };" ^
"foreach ($s in $shares) {" ^
" $hidden = $s.Name.EndsWith('$');" ^
" $everyoneAccess = 'None';" ^
" $perms = Get-SmbShareAccess -Name $s.Name -ErrorAction SilentlyContinue;" ^
" if ($perms) {" ^
" $ea = $perms | Where-Object { $_.AccountName -match 'Everyone' -and $_.AccessControlType -eq 'Allow' };" ^
" if ($ea) { $everyoneAccess = $ea.AccessRight -join ',' }" ^
" };" ^
" Write-Output ('\"' + $ts + '\",\"' + $env:COMPUTERNAME + '\",\"' + $s.Name + '\",\"' + $s.Path + '\",\"Disk\",\"' + $hidden + '\",\"' + $everyoneAccess + '\"')" ^
"}" >> "%CSVFile%" 2>nul

echo [OK] Share data exported for %COMPUTERNAME%.

endlocal
exit /b 0

What to look for in the fleet CSV:

  • Shares with EveryoneAccess = Full: Highest priority security risk. Anyone on the network has complete control over these files.
  • Custom hidden shares (Hidden = True but not C$, ADMIN$, etc.): May indicate shares created to avoid detection. Investigate their purpose.
  • Shares pointing to root directories (Path = C:\ or D:\): Exposes the entire drive contents to the network.
  • Shares on machines that shouldn't be file servers: Workstations with unexpected shares may indicate unauthorized file sharing.
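
The four checks above can be run over the fleet CSV directly. The following is an added example, not part of the original guide: the sample rows are constructed in the column layout Method 3 writes, and the approved file server list (FS01, FS02) is a hypothetical allowlist you would replace with your own.

```powershell
# Constructed sample rows in the column layout Method 3 writes. For real data use:
#   $rows = Import-Csv '\\Server\Audit\share_inventory.csv'
$rows = @'
"Timestamp","Computer","ShareName","Path","Type","Hidden","EveryoneAccess"
"2026-02-28 02:00:00","FS01","Finance$","D:\Finance","Disk","True","Full"
"2026-03-28 02:00:00","FS01","Finance$","D:\Finance","Disk","True","Full"
"2026-03-28 02:00:00","FS01","Backups","E:\Backups","Disk","False","None"
"2026-03-28 02:03:00","WKS-114","Scans","C:\","Disk","False","Read"
'@ | ConvertFrom-Csv

# Assumption: hosts approved to act as file servers (hypothetical names).
$approvedFileServers = @('FS01', 'FS02')

# Method 3 appends on every run, so keep only the newest row per computer and share.
$latest = $rows | Group-Object Computer, ShareName | ForEach-Object {
    $_.Group | Sort-Object Timestamp -Descending | Select-Object -First 1
}

$findings = foreach ($r in $latest) {
    $issues = @()
    if (($r.EveryoneAccess -split ',') -contains 'Full') {
        $issues += 'Everyone has Full access'
    }
    if ($r.Hidden -eq 'True' -and $r.ShareName -ne 'print$') {
        $issues += 'Custom hidden share'
    }
    if ($r.Path -match '^[A-Za-z]:\\?$') {
        $issues += 'Shares a drive root'
    }
    if ($r.Computer -notin $approvedFileServers) {
        $issues += 'Host is not an approved file server'
    }
    if ($issues.Count -gt 0) {
        [PSCustomObject]@{
            Computer  = $r.Computer
            ShareName = $r.ShareName
            Path      = $r.Path
            LastSeen  = $r.Timestamp
            Issues    = $issues -join '; '
        }
    }
}

$findings | Sort-Object Computer, ShareName | Format-Table -AutoSize -Wrap
```

Because Method 3 only exports Type 0 shares, the standard administrative shares never reach the CSV, so any row with Hidden = True other than print$ is a custom hidden share.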

How to Avoid Common Errors

Wrong Way: Using wmic share for Detailed Auditing

:: DEPRECATED: wmic output contains \r characters that corrupt parsing
wmic share get Name,Path,Description,Status /format:table

wmic has been deprecated since Windows 10 21H1, and its output contains invisible \r characters. More importantly, wmic share cannot show share-level permissions, the most critical security information.

Correct Way: Use Get-CimInstance Win32_Share for share metadata and Get-SmbShareAccess for permissions.

Problem: Share Permissions vs. NTFS Permissions

A shared folder has two layers of access control:

  1. Share permissions (set via net share or the Sharing tab): Control who can access the folder over the network.
  2. NTFS permissions (set via the Security tab): Control who can access the folder locally or remotely.

The effective permission is the most restrictive of the two. A share with "Everyone: Full Control" but NTFS permissions limited to "Domain Admins" is actually restricted to Domain Admins.

Solution: This guide audits share-level permissions. For a complete security assessment, also audit NTFS permissions on the shared folder paths:

Get-Acl "C:\SharedDocuments" | Format-List

Problem: "Everyone" Has Different Names in Different Languages

The "Everyone" group is localized: "Tout le monde" (French), "Jeder" (German), "Tutti" (Italian). A simple string match for "Everyone" misses these.

Solution: Method 1's security concern detection matches multiple common localizations. For fully language-independent detection, use the well-known SID S-1-1-0:

# Language-independent Everyone detection
$everyoneSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$everyoneName = $everyoneSID.Translate([System.Security.Principal.NTAccount]).Value
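
The two points above (share versus NTFS permissions, and SID-based detection of Everyone) combine into one check. This is an added example, not code from the original guide: Test-IsEveryone is a hypothetical helper name, and the check only sees entries granted to Everyone directly, not access inherited through other broad groups.

```powershell
# Added example, not from the original guide. Run from an elevated session.
# S-1-1-0 is the well-known SID for Everyone, whatever the display language.
$everyoneSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

function Test-IsEveryone {
    # Hypothetical helper: resolve an account name to its SID and compare.
    param([string]$AccountName)
    try {
        $account = New-Object System.Security.Principal.NTAccount($AccountName)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        return $sid.Value -eq $everyoneSid.Value
    } catch {
        return $false   # orphaned or unresolvable account
    }
}

$diskShares = Get-CimInstance Win32_Share | Where-Object { $_.Type -eq 0 }

$report = foreach ($share in $diskShares) {
    # Layer 1: share-level ACL entries that allow Everyone.
    $shareHits = Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-IsEveryone $_.AccountName) }
    if (-not $shareHits) { continue }

    # Layer 2: NTFS ACL entries on the shared path that allow Everyone.
    $acl = Get-Acl -LiteralPath $share.Path -ErrorAction SilentlyContinue
    $ntfs = if (-not $acl) {
        'ACL not readable'
    } else {
        $hits = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (Test-IsEveryone $_.IdentityReference.Value)
        }
        if ($hits) { $hits.FileSystemRights -join ', ' } else { 'No Everyone entry' }
    }

    [PSCustomObject]@{
        Share      = $share.Name
        Path       = $share.Path
        ShareRight = $shareHits.AccessRight -join ', '
        NtfsRights = $ntfs
    }
}

$report | Format-Table -AutoSize -Wrap
```

A share that shows Everyone in both the ShareRight and NtfsRights columns is open at both layers and should be remediated first.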

Problem: Administrative Shares Cannot Be Removed Safely

Shares like C$, ADMIN$, and IPC$ are created by Windows for remote administration. Deleting them may break remote management tools, Group Policy, and SCCM.

Solution: Report administrative shares for awareness but do not recommend their removal. Focus security remediation on user-created shares (Type 0) that have overly permissive access.

Best Practices and Rules

1. Audit Share Permissions, Not Just Share Names

A share list without permissions tells you what doors exist but not who has the keys. Always include share-level access control (Method 1, Section 2) in security audits.

2. Flag "Everyone" Access as a Priority Finding

Any share granting access to "Everyone" (especially "Full Control") should be reviewed immediately. Even "Read" access to Everyone may be inappropriate for sensitive data.

3. Investigate Custom Hidden Shares

Standard administrative shares (C$, ADMIN$, IPC$) are expected. Any other share ending with $ was deliberately hidden and should be investigated for its purpose and authorization.

4. Review NTFS Permissions Alongside Share Permissions

Share permissions and NTFS permissions are independent layers. A complete security audit examines both. A share with "Everyone: Full" but restrictive NTFS permissions is less dangerous than it appears, but it's still poor practice and should be tightened.

5. Remove Unused Shares Promptly

Shares created for completed projects, former employees, or one-time transfers should be removed:

net share "OldProject" /delete

Document the removal in your change management system.

6. Schedule Regular Audits

Shares can be created by anyone with sufficient privileges, including software installers, scripts, and well-meaning but unauthorized users. Run Method 3 monthly to detect new shares that haven't been approved.

Conclusions

Generating a shared folders report is an essential task for maintaining a secure network. By auditing not just share names and paths but also share-level permissions and security concerns, you gain the visibility needed to identify data exposure risks. Automated detection of "Everyone" access, custom hidden shares, and overly permissive configurations transforms a passive inventory into an active security assessment that protects your organization's data.