Within the Registry, the following key is of interest
HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID}
Beneath the key, there is an ActiveSettings value (in addition to Static#000n values) that are binary data types. I can "see" the SSID for a wireless connection, but what I'd like to do is see if anyone has any information on parsing the rest of the data.
I'm told that Safend has a product that does this, but reverse engineering commercial applications is usually against the EULA.
I did some Google searching this morning, and found a 2 yr old post from someone at MS that said that the structure definition changes constantly, but I'd like to find something I could use to parse the data for each variation.
Thanks,
Harlan
HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\GUID
This key contains wireless network information for adapters using the Windows Wireless Zero Configuration Service. Under the GUID subkey, there are binary registry values named Static#0000, Static#0001, etc. (depending on the number of listed SSIDs) which correspond to the respective list of SSIDs in the “Preferred Networks” box in the Wireless Network Connection configuration (Carvey, 2005e). The registry value contains the SSID name in binary form. If the registry value ActiveSettings contains an SSID name, it may signify the last connected SSID. However, the result is not consistent when tested. If the suspect connects to wireless networks using another third-party program that is usually bundled with the network adapter, instead of using Wireless Zero Configuration, no trace is left in this key. A forensic examiner can use this key with the previous network adapter GUID key to determine the last assigned IP address (Carvey, 2005e).
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
The first key maintains a list of mapped network drives, including the server name and shared folder (Shannon, 2004). The value in this key is still retained even though the mapped network drive has been permanently removed or disconnected. In addition, a permanent subkey (unless manually removed from the registry) regarding the mapped network drive is also created in the second key, and the subkey is named in the form ##servername#sharedfolder.
Interesting that no data is left unless using the MS Zero Config Utility. Just checked a couple of laptops here, one uses the Intel Utility another the D-Link utility and nothing. I will have to search and see where the corresponding data for those utilities is stored in the registry. I will see if I can submit a ticket to MS on our service contract and see what they say.
BitHead,
Thanks for the reply, but maybe I'm missing something…which is entirely possible…how does your response address my question?
Thanks,
Harlan
I was trying to determine if Ms. Wong provided any more information to what you have found or is there more?
I submitted a ticket to MS about reading the rest of the values. It went in under a non-business critical 24-48 hour response. I will see how they respond.
Did I misread the book excerpt, or did you reply with a reference that the author actually took from Harlan? LOL
I just saw the Footnotes (Carvey, 2005)
> Did I misread the book excerpt, or did you reply with a reference that the author actually took from Harlan? LOL
That's why I didn't get the original question.
BitHead,
What didn't you get about the original question?
If you already wrote what Ms Wong attributed to you, and she followed with, "The registry value contains the SSID name in binary form. If registry value ActiveSettings contains an SSID name, it may signify last connected SSID. However, the result is not consistent when tested", are you trying to determine what is consistent?
I thought I understood when I posted the question to MS support. Just trying to follow up to their reply (that it contains the SSID).
> are you trying to determine what is consistent?
My understanding of the original question is that Harlan is asking has anyone experience of the data structure for this registry entry so that it can be interpreted.
I agree with Ms Wong, the registry entry does not appear to be consistent, or perhaps there is more to its data structure dependent on the properties of the associated SSID.
Harlan, I've used this key in the past to prove last association with an AP and its SSID, but was aided by the fact that the entry also contained a MAC address. Sometimes the MAC address is there sometimes it is not!
BitHead,
> I can "see" the SSID for a wireless connection, but what I'd like to do is see
> if anyone has any information on parsing the rest of the data.
I'm sorry if I wasn't clear enough…let me try again.
Beneath the key I mentioned, there are several values, one being named "ActiveSettings". This is a binary data type. As I said, I can see the SSID in the binary data, but what I'm trying to determine is any way to parse the rest of the binary data in the "ActiveSettings" value.
Sorry for not being more clear.
Thanks,
Harlan
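Since the thread concludes that the layout of ActiveSettings is undocumented and apparently varies, the practical examiner's approach is to triage the blob without assuming fixed offsets: hexdump it, carve printable strings (the SSID is visible as one), render a MAC-sized field at an offset chosen by eye, and record a layout fingerprint so values from different machines or Windows builds can be compared. The following Python script is an added example written for this thread, not code from any poster, from Microsoft, or from Safend. The sample blob is constructed to mimic what the thread describes and is not a real ActiveSettings dump; the 32-byte SSID field, the offset of the MAC-like bytes, and the string-carving heuristics are all assumptions, not a statement of the real structure.

```python
"""Triage helpers for an undocumented binary registry value such as
HKLM\\SOFTWARE\\Microsoft\\WZCSVC\\Parameters\\Interfaces\\{GUID}\\ActiveSettings.

Hypothetical example. Nothing here assumes a fixed layout: the helpers carve
strings, dump hex, and decode a MAC-sized field at an examiner-chosen offset.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample blob: NOT a real ActiveSettings dump. It only mimics what
# the thread reports (an ASCII SSID inside binary data, and six bytes that an
# examiner might recognise as a MAC address). Offsets/padding are assumptions.
SAMPLE_BLOB = (
    b"\x00\x00\x00\x00\x08\x00\x00\x00"          # constructed header bytes
    + b"CoffeeShopWiFi".ljust(32, b"\x00")       # SSID padded to 32 bytes (assumption)
    + b"\x00\x1a\x2b\x3c\x4d\x5e"                # constructed MAC-like bytes at offset 40
    + b"\x01\x00\x00\x00"                        # constructed trailer bytes
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{3,}")          # 3+ printable ASCII bytes
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){3,}")  # 3+ printable UTF-16LE chars


def carve_strings(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run, sorted by offset."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in UTF16_RUN.finditer(blob)]
    return sorted(found)


def guess_ssid(blob: bytes) -> Optional[str]:
    """Heuristic: the first printable run within the 802.11 SSID limit of 32 bytes."""
    for _offset, _encoding, text in carve_strings(blob):
        if 1 <= len(text) <= 32:
            return text
    return None


def mac_at(blob: bytes, offset: int) -> str:
    """Render six bytes at an examiner-chosen offset as a colon-separated MAC."""
    if offset < 0 or offset + 6 > len(blob):
        raise ValueError("offset out of range")
    return ":".join(f"{b:02x}" for b in blob[offset:offset + 6])


def hexdump(blob: bytes, width: int = 16) -> str:
    """Classic offset / hex / ASCII dump for reading the blob by eye."""
    lines = []
    for off in range(0, len(blob), width):
        chunk = blob[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{text}|")
    return "\n".join(lines)


def fingerprint(blob: bytes) -> Dict[str, object]:
    """Layout summary (length, string offsets, SSID guess) for diffing the value
    across machines and Windows builds, since the structure reportedly changes."""
    runs = carve_strings(blob)
    return {
        "length": len(blob),
        "string_offsets": [off for off, _enc, _text in runs],
        "ssid": guess_ssid(blob),
    }


def read_active_settings(interface_guid: str) -> Optional[bytes]:
    """Read the live value on Windows (GUID passed with braces); returns None
    on other platforms. Reading HKLM may require administrative rights."""
    try:
        import winreg
    except ImportError:
        return None
    path = rf"SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{interface_guid}"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        data, _kind = winreg.QueryValueEx(key, "ActiveSettings")
    return data


if __name__ == "__main__":
    print(hexdump(SAMPLE_BLOB))
    print("strings:", carve_strings(SAMPLE_BLOB))
    print("ssid guess:", guess_ssid(SAMPLE_BLOB))
    print("MAC at offset 40:", mac_at(SAMPLE_BLOB, 40))
    print("fingerprint:", fingerprint(SAMPLE_BLOB))
```

Note that the constructed MAC bytes `2b 3c 4d 5e` happen to be printable, so the string carver also reports a spurious four-character run at offset 42. That is deliberate: it shows why the SSID guess must be checked against the hexdump rather than trusted blindly, and why an examiner working with an undocumented value should compare fingerprints from several machines before treating any offset as fixed.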