Retrieving recent WiFi connections using Python _winreg module

This guide shows you how to retrieve recent WiFi connection history from the Windows Registry using the Python _winreg module. The _winreg module provides read and write access to the Windows Registry. That being said, you should back up your registry before making changes. If you change the wrong settings, it can crash your system.

Knowing which WiFi networks a PC or laptop has recently connected to can help build a map of where it has been.

The script should work for Windows Vista and above. I am currently using a Windows 10 machine with Python 2.7 installed. If you do not have Python installed on Windows, there is a great guide available at https://www.londonappdeveloper.com/.

A basic understanding of Python (or any other programming language) is required, but I will try to comment the code as best as possible.

Windows Registry

The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the Registry. The kernel, device drivers, services, Security Accounts Manager (SAM), and user interface can all use the Registry. — wikipedia.com

The registry also stores data about the WiFi networks the system has recently connected to. To open the registry GUI (Graphical User Interface), type ‘regedit’ in the Start > Run window. You can also query the registry from the Windows command prompt. On Windows Vista and above, the wireless networks the system has connected to are stored under the following registry subkey:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\

To query the Windows Registry, you can also open a command prompt and type:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged" /s

Your output should look similar to:

[Image: reg query output]

As you can see from the query output above, for each network the computer has connected to, we are given the ProfileGuid, Description, Source, DnsSuffix, FirstNetwork, and the MAC address (DefaultGatewayMac).

Create Python Script to Read the registry with _winreg

For our Python script, we are interested in the network SSID (FirstNetwork) and the MAC address (DefaultGatewayMac). Luckily, the Windows registry stores all these values in an array that we can access using the _winreg module. The _winreg module is installed by default when installing Python on Windows. For more information about _winreg and all its available functions, see https://docs.python.org/2/library/_winreg.html.

Reading the results from our registry query, the FirstNetwork (SSID) is index 4 and DefaultGatewayMac (MAC address) is index 5.

While it’s generally easy to access data from an array, the actual MAC address is returned as raw bytes, for example \x00\x11\x22\x33\x44\x55, not in the form we want (00:11:22:33:44:55). So first, write a Python function to convert the data:


def hex2addr(val):
  address = ''  # accumulates the formatted address
  for ch in val:  # each ch is one raw byte of the registry value
    address += ('%02x ' % ord(ch))  # append the byte as two hex digits plus a space
    address = address.replace(' ', ':')[0:17]  # turn spaces into colons and cap the length at 17 characters
  return address

Although you can probably read the MAC the way it is provided, it can prove useful to convert it to the correct format if you need to do further analysis on it.

Next, let's define the main() function of our script:


from _winreg import *  # add to the top of the script to import the _winreg module

def main():
  print 'Reading recent WiFi connections...'
  netlist = r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged'  # subkey that holds the network list
  key = OpenKey(HKEY_LOCAL_MACHINE, netlist)  # open that subkey under HKEY_LOCAL_MACHINE
  print '\n**Networks You have Joined:'
  for i in range(10):  # look at up to the first 10 subkeys
    try:
      guid = EnumKey(key, i)  # name of the i-th subkey
      netKey = OpenKey(key, str(guid))  # open the subkey
      (n, addr, t) = EnumValue(netKey, 5)  # EnumValue returns a (name, data, type) tuple; index 5 is DefaultGatewayMac
      (n, name, t) = EnumValue(netKey, 4)  # index 4 is FirstNetwork; we only need the data element
      macAddress = hex2addr(addr)  # convert with the function created earlier
      ssid = str(name)  # convert name to a string
      print '[*] ' + ssid + ', ' + macAddress
      CloseKey(netKey)  # close the subkey
    except Exception, e:  # print any error and move on to the next subkey
      print '[-] Error =' + str(e)

if __name__ == '__main__':
  main()

The complete, uncommented version of the code should look like:


from _winreg import *

def hex2addr(val):
  address = ''
  for ch in val:
    address += ('%02x ' % ord(ch))
    address = address.replace(' ', ':')[0:17]
  return address

def main():
  print 'Reading recent WiFi connections...'
  netlist = r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged'
  key = OpenKey(HKEY_LOCAL_MACHINE, netlist)
  print '\n**Networks You have Joined:'
  for i in range(10):
    try:
      guid = EnumKey(key, i)
      netKey = OpenKey(key, str(guid))
      (n, addr, t) = EnumValue(netKey, 5)
      (n, name, t) = EnumValue(netKey, 4)
      macAddress = hex2addr(addr)
      ssid = str(name)
      print '[*] ' + ssid + ', ' + macAddress
      CloseKey(netKey)
    except Exception, e:
      print '[-] Error =' + str(e)

if __name__ == '__main__':
  main()

I saved the python script file as recentWifis.py, but feel free to save it as whatever you like. Now, if you run the script, you should get an output similar to:

c:\windows\system32>python recentWifis.py
**Networks You have Joined:
[*] Simple Inc VPN, 00:e5:05:b3:d3:dd
[-] Error ='NoneType' object is not iterable
[*] 462WG4, f7:f4:eb:35:b0:dd
[*] Starbucks_5thAve, f2:e4:45:2e:22:00
[*] Nationals_Park, f4:32:b4:a4:88:d4
[-] Error =[Error 259] No more data is available
[-] Error =[Error 259] No more data is available
[-] Error =[Error 259] No more data is available
[-] Error =[Error 259] No more data is available
[-] Error =[Error 259] No more data is available

As you can see, the script cycles through each of the subkeys (up to 10 in this case) in the registry, and prints the SSID and the MAC address the system has recently connected to. If there is an error/exception, it is also printed.
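The 'NoneType' object is not iterable row in the output above is what hex2addr raises when DefaultGatewayMac comes back as None, and reading values by index 4 and 5 assumes every subkey has the same layout. As an added example, not part of the original script, the code below parses saved reg query /s text and picks FirstNetwork and DefaultGatewayMac by name; the sample text, the subkey names and the functions format_mac and parse_networks are constructed for illustration.

```python
import re

# Constructed sample of `reg query ...\Signatures\Unmanaged /s` output.
# Subkey names, SSIDs and MACs are made up; the second network has an
# empty DefaultGatewayMac, the case that breaks hex2addr.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\EXAMPLEKEY01
    Description    REG_SZ    Coffee Shop
    Source    REG_DWORD    0x8
    FirstNetwork    REG_SZ    Coffee Shop
    DefaultGatewayMac    REG_BINARY    00AABBCCDDEE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\EXAMPLEKEY02
    Description    REG_SZ    Office VPN
    FirstNetwork    REG_SZ    Office VPN
    DefaultGatewayMac    REG_BINARY
"""

# One value line: indented name, registry type, optional data.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")

def format_mac(hexstr):
    """Return aa:bb:cc:dd:ee:ff, or None unless hexstr is exactly 12 hex digits."""
    if not hexstr or not re.match(r"^[0-9A-Fa-f]{12}$", hexstr):
        return None
    low = hexstr.lower()
    return ":".join(low[i:i + 2] for i in range(0, 12, 2))

def parse_networks(text):
    """Return a list of {'key', 'ssid', 'mac'} for every subkey with a FirstNetwork value."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):              # header line of a key or subkey
            current = {"key": line.rsplit("\\", 1)[-1], "ssid": None, "mac": None}
            records.append(current)
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group(1), m.group(3).strip()
        if name == "FirstNetwork":                # selected by name, not index 4
            current["ssid"] = data
        elif name == "DefaultGatewayMac":         # selected by name, not index 5
            current["mac"] = format_mac(data)
    return [r for r in records if r["ssid"] is not None]

if __name__ == "__main__":
    for net in parse_networks(SAMPLE):
        print("[*] %s, %s" % (net["ssid"], net["mac"] or "no gateway MAC recorded"))
```
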

Summary

The output above is fabricated, because I am on a desktop and only connect to my home network. This technique can be very useful in determining where an individual or system has been if they are using a laptop. It can help build a map of the system's locations. You can even pinpoint the location (get exact GPS coordinates) by updating the Python script to query the database available at http://wigle.net. I might update this article to show how to do that another time, as it is only meant to be an introduction to reading from the Windows Registry using the _winreg module.
