This guide shows you how to retrieve recent WiFi connection history from the Windows Registry using the Python _winreg module/library. The _winreg module provides easy read or write access to the Windows Registry. That being said, you should back up your registry before making changes. If you change the wrong settings, it can crash your system.
Knowing which WiFi networks a PC or laptop has recently connected to can help build a map of where it has been.
The script should work for Windows Vista and above. I am currently using a Windows 10 machine with Python 2.7 installed. If you do not have Python installed on Windows, there is a great guide available at https://www.londonappdeveloper.com/.
A basic understanding of Python (or any other programming language) is required, but I will try to comment the code as best as possible.
Note: You do not have to install the Eclipse IDE (Integrated Development Environment), but you can. I myself use Sublime Text 3 as an IDE.
The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the Registry. The kernel, device drivers, services, Security Accounts Manager (SAM), and user interface can all use the Registry. — wikipedia.com
The registry also stores data regarding the WiFi connections the system has recently connected to. To access the registry GUI (Graphical User Interface), you can type ‘regedit’ in the Start > Run window. You can also query the registry using the Windows command prompt. The wireless networks that a Windows Vista or later OS has connected to are stored in the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
To query the Windows Registry, you can also open a command prompt and type:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged" /s
Note: make sure you run command prompt as administrator in order to access all the information in the registry. Otherwise it may not work.
Your output should look similar to:
As you can see from the query output above, for each network the computer has connected to, we are provided with ProfileGuid, Description, Source, DnsSuffix, FirstNetwork, and the MAC address (DefaultGatewayMac).
Create Python Script to Read the registry with _winreg
For our Python script, we will be interested in the network SSID (FirstNetwork) and the MAC address (DefaultGatewayMac). Luckily, the Windows registry stores all these values in an array that we can access using the _winreg library/module. The _winreg library is installed by default when installing Python on Windows. For more information regarding the _winreg library, and all its available functions, see https://docs.python.org/2/library/_winreg.html.
Reading the results from our registry query, the FirstNetwork (SSID) is index 4 and DefaultGatewayMac (MAC address) is index 5.
While it’s generally easy to access data from an array, the actual MAC address is returned as hex bytes, for example \x00\x11\x22\x33\x44\x55, not in the form we want (00:11:22:33:44:55). So first, write a Python function to convert the data:
def hex2addr(val):
    address = ''                                 # start with an empty string
    for ch in val:                               # for each byte in the value
        address += ('%02x ' % ord(ch))           # two-digit hex followed by a space
    address = address.replace(' ', ':')[0:17]    # spaces become colons; trim to 17 characters
    return address
Although you can probably read the MAC the way it is provided, it can prove useful to convert it to the correct format if you need to do further analysis on it.
Next, let's define the main() function of our script:
from _winreg import *   # add to the top of the script to import the _winreg library

def main():
    print 'Reading recent WiFi connections...'
    # registry path of the network list (raw string keeps the backslashes literal)
    netlist = r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged'
    key = OpenKey(HKEY_LOCAL_MACHINE, netlist)      # open the key
    print '\n**Networks You have Joined:'
    for i in range(10):                             # look at up to 10 subkeys
        try:
            guid = EnumKey(key, i)                  # name of the i-th subkey
            netKey = OpenKey(key, str(guid))        # open the subkey
            (n, addr, t) = EnumValue(netKey, 5)     # EnumValue returns a (name, data, type) tuple...
            (n, name, t) = EnumValue(netKey, 4)     # ...we are interested in the data
            macAddress = hex2addr(addr)             # convert with the function created earlier
            ssid = str(name)                        # convert the name to a string
            print '[*] ' + ssid + ', ' + macAddress
            CloseKey(netKey)                        # close the subkey
        except Exception, e:                        # handle the exception, if any
            print '[-] Error =' + str(e)

if __name__ == '__main__':
    main()
The complete, uncommented version of the code should look like:
from _winreg import *

def hex2addr(val):
    address = ''
    for ch in val:
        address += ('%02x ' % ord(ch))
    address = address.replace(' ', ':')[0:17]
    return address

def main():
    print 'Reading recent WiFi connections...'
    netlist = r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged'
    key = OpenKey(HKEY_LOCAL_MACHINE, netlist)
    print '\n**Networks You have Joined:'
    for i in range(10):
        try:
            guid = EnumKey(key, i)
            netKey = OpenKey(key, str(guid))
            (n, addr, t) = EnumValue(netKey, 5)
            (n, name, t) = EnumValue(netKey, 4)
            macAddress = hex2addr(addr)
            ssid = str(name)
            print '[*] ' + ssid + ', ' + macAddress
            CloseKey(netKey)
        except Exception, e:
            print '[-] Error =' + str(e)

if __name__ == '__main__':
    main()
I saved the python script file as recentWifis.py, but feel free to save it as whatever you like. Now, if you run the script, you should get an output similar to:
c:\windows\system32>python recentWifis.py
**Networks You have Joined:
[*] Simple Inc VPN, 00:e5:05:b3:d3:dd
[-] Error ='NoneType' object is not iterable
[*] 462WG4, f7:f4:eb:35:b0:dd
[*] Starbucks_5thAve, f2:e4:45:2e:22:00
[*] Nationals_Park, f4:32:b4:a4:88:d4
[-] Error =[Error 259] No more data is available
[-] Error =[Error 259] No more data is available
[-] Error =[Error 259] No more data is available
[-] Error =[Error 259] No more data is available
[-] Error =[Error 259] No more data is available
As you can see, the script cycles through each of the subkeys (up to 10 in this case) in the registry, and prints the SSID and the MAC address the system has recently connected to. If there is an error/exception, it is also printed.
The output above is fabricated, just because I am on a desktop and only connect to my home network. This technique can be very useful in determining where an individual/system has been if they are using a laptop. It can help build a map of the system's locations. You can even pinpoint the location (get exact GPS coordinates) by updating the Python script to query the database available at http://wigle.net. I might update this article on how to do that another time, as it is just supposed to be an introduction to reading from the Windows Registry using the _winreg module.
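The script above reads FirstNetwork and DefaultGatewayMac by index position and needs a live Windows host. As an added example (not part of the original article, and written for Python 3 rather than 2.7), the following parses saved `reg query ... /s` output and looks the two values up by name, so a subkey with no gateway MAC is reported instead of raising an error. The sample text, SSIDs and subkey names are constructed.

```python
import re

# Constructed sample of saved `reg query ... /s` output (not from a real system).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\010103000F0000F0080000000F0000F0AAAA
    ProfileGuid    REG_SZ    {11111111-2222-3333-4444-555555555555}
    Description    REG_SZ    ExampleCafe
    Source    REG_DWORD    0x8
    DnsSuffix    REG_SZ    <none>
    FirstNetwork    REG_SZ    ExampleCafe
    DefaultGatewayMac    REG_BINARY    001122334455

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\010103000F0000F0080000000F0000F0BBBB
    ProfileGuid    REG_SZ    {66666666-7777-8888-9999-000000000000}
    Description    REG_SZ    Example VPN
    Source    REG_DWORD    0x8
    DnsSuffix    REG_SZ    <none>
    FirstNetwork    REG_SZ    Example VPN
    DefaultGatewayMac    REG_BINARY
"""

# A value line is indented: name, type, then optional data.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)(?:\s+(.*\S))?\s*$")

def format_mac(hex_data):
    """'001122334455' -> '00:11:22:33:44:55'; None when data is absent or malformed."""
    if not hex_data or not re.fullmatch(r"[0-9A-Fa-f]{12}", hex_data):
        return None
    return ":".join(hex_data[i:i + 2] for i in range(0, 12, 2)).lower()

def parse_networks(text):
    """Return one dict per subkey with 'ssid' and 'mac', looked up by value name."""
    networks, current = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):          # a key header starts a new record
            current = {}
            networks.append(current)
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1)] = m.group(3)
    return [{"ssid": n.get("FirstNetwork"), "mac": format_mac(n.get("DefaultGatewayMac"))}
            for n in networks if "FirstNetwork" in n]

if __name__ == "__main__":
    for net in parse_networks(SAMPLE):
        print("[*] %s, %s" % (net["ssid"], net["mac"] or "no gateway MAC recorded"))
```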