Friday, July 08, 2005

Where, oh, where did my little SSID go...?

Got wireless? Ever go to the Control Panel, to the Network Connections applet, open up the properties for the Wireless Network Connection, click on the Wireless Networks tab, and see a whole bunch of SSIDs listed in the "Preferred Networks" box? You probably know how they got there, and you can easily get rid of them...but have you ever wondered where they're kept on the system?

Ever imaged a Windows XP drive and wondered what wireless networks the suspect connected to?

Well, I've been digging around and I've found it. Open up RegEdit and navigate to the following key:

HKLM\Software\Microsoft\WZCSVC\Parameters\Interfaces

See a subkey that looks like a GUID there? I've got one on my system, you may have more. Well, click on the subkey and look over in the right-hand panel. If you don't see values named "ActiveSettings", "Static#0000", etc., then move on to the next GUID.

If you find one of these values, right-click it and choose "Modify". See the SSID in the binary data?

Now, my laptop is a Dell system and uses BroadCom software. If you don't see the values I mentioned in your Registry, check your client application for your wireless stuff, and let me know what you've got. I've read on the 'Net that Cisco and 3Com client apps keep the SSIDs in the Registry in plain text.

4 comments:

Anonymous said...

Thanks for the pointer.
While looking for unauthorized access points/WLAN traffic, I ran across a couple client computers doing probe requests for a "company" access point that doesn't exist. Perhaps in the past an employee had one set up, or these folks got "AP spoofed".

H. Carvey said...

Glad you liked it...I'm looking at that key as part of every case now, particularly on XP laptop images.

Unknown said...

This worked wonders. I found over 30 "Static" entries showing access sites. Thanks again.

Anonymous said...

I've noticed also that the BSSID/MAC address can be found within this registry entry.

At around file offset 8. Fortunately I had the MAC address of the access points prior to a recent examination as a result of doing a wireless network assessment using Kismet :-)