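# Get-HotspotConnections.ps1
# Collects Windows Mobile Hotspot connection artifacts from a live host:
#   1. hosted-network status (netsh)
#   2. IPv4 neighbor (ARP) cache
#   3. WLAN-AutoConfig operational events
#   4. Security-log wireless authentication events (ID 5632)
#   5. presence of the hosted-network registry key
#
# Output goes through Write-Host, so it is meant for the console. To keep a
# record of a collection run, wrap the call in Start-Transcript or redirect the
# information stream (PowerShell 5+).
#
# The event queries are capped with -MaxEvents, so only the newest entries are
# shown; an empty section is reported separately from an unreadable log, so
# "nothing found" can be told apart from "could not look".

# Check for admin privileges (the Security log is read further down).
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal] $currentIdentity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Write-Host "Error: This script requires Administrator privileges" -ForegroundColor Red
    Write-Host "Please run PowerShell as Administrator and try again" -ForegroundColor Yellow
    exit 1
}

Write-Host "=== Windows Mobile Hotspot Connection History ===" -ForegroundColor Cyan
Write-Host "Note: Windows does not maintain persistent logs of past hotspot clients"
Write-Host "Only event logs and currently connected devices can be retrieved`n"

# TimeCreated is rendered in the collecting host's local time; print the zone
# so the timestamps can be correlated with other evidence.
$tzNote = "(timestamps are local time: $([System.TimeZoneInfo]::Local.Id))"

# Text pulled out of event messages (SSIDs in particular) is chosen by whoever
# operates the remote device, so control characters are stripped before it is
# written to the console.
$controlChars = '[\x00-\x1F\x7F]'

# Get current hotspot status
# NOTE(review): 'netsh wlan show hostednetwork' reports the legacy hosted-network
# (SoftAP) feature; the Settings-app Mobile Hotspot on recent Windows builds may
# not be reflected here - confirm on the target build.
Write-Host "--- Current Hotspot Status ---" -ForegroundColor Yellow
try {
    $hostedNetwork = netsh wlan show hostednetwork 2>$null
    $netshExit = $LASTEXITCODE
    if ($hostedNetwork) {
        $hostedNetwork | Write-Host
    }
    # A native command does not throw on failure, so check its exit code too.
    if ($netshExit -ne 0) {
        Write-Host "Error getting hosted network status (netsh exit code $netshExit)" -ForegroundColor Red
    }
}
catch {
    Write-Host "Error getting hosted network status" -ForegroundColor Red
}

# Get currently connected clients via ARP
# The neighbor cache covers every interface, not only the hotspot adapter, so
# InterfaceAlias is shown to let the analyst isolate the hotspot's entries.
# The whole IPv4 multicast range (224-239) and the limited broadcast address
# are filtered out; subnet-directed broadcast entries may still appear.
Write-Host "`n--- Currently Connected Devices (ARP Cache) ---" -ForegroundColor Yellow
try {
    $arp = Get-NetNeighbor -AddressFamily IPv4 -ErrorAction Stop |
        Where-Object {
            $_.State -ne "Unreachable" -and
            $_.IPAddress -notmatch '^(22[4-9]|23[0-9])\.' -and
            $_.IPAddress -ne '255.255.255.255'
        }
    if ($arp) {
        $arp | Select-Object InterfaceAlias, IPAddress, LinkLayerAddress, State |
            Format-Table -AutoSize
    }
    else {
        Write-Host "No connected devices found in ARP cache" -ForegroundColor Gray
    }
}
catch {
    Write-Host "Error accessing ARP cache: $_" -ForegroundColor Red
}

# Extract hotspot connection events from WLAN-AutoConfig log
Write-Host "`n--- Recent Hotspot Connection Events ---" -ForegroundColor Yellow
Write-Host $tzNote -ForegroundColor Gray
try {
    # Event ID meanings as given by the original author:
    #   20019     = Client connection to hotspot
    #   20020     = Connection establishment confirmation
    #   8005/8006 = Hotspot start/stop
    # NOTE(review): not verified here - confirm against the provider manifest,
    # e.g. (Get-WinEvent -ListProvider 'Microsoft-Windows-WLAN-AutoConfig').Events
    $hotspotEvents = Get-WinEvent -FilterHashtable @{
        LogName = "Microsoft-Windows-WLAN-AutoConfig/Operational"
        ID      = 8005, 8006, 20019, 20020
    } -MaxEvents 50 -ErrorAction Stop

    # $event is a PowerShell automatic variable, so a different name is used
    # for the loop variable.
    foreach ($evt in $hotspotEvents) {
        Write-Host "$($evt.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'))" -ForegroundColor Cyan -NoNewline
        Write-Host " [ID:$($evt.Id)]" -ForegroundColor Gray -NoNewline

        # Extract relevant info from message
        $msg = $evt.Message
        if ($msg -match "MAC Address: ([0-9A-Fa-f:-]+)") {
            Write-Host " MAC: $($matches[1])" -ForegroundColor Yellow
        }
        elseif ($msg -match "SSID: (.+)") {
            $ssid = ($matches[1] -replace $controlChars, '').Trim()
            Write-Host " SSID: $ssid" -ForegroundColor Green
        }
        else {
            Write-Host ""
        }
    }
}
catch {
    # Get-WinEvent raises an error when the filter matches nothing; keep that
    # case distinct from a log that is missing or cannot be read.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        Write-Host "No hotspot events found in logs" -ForegroundColor Gray
    }
    else {
        Write-Host "Error accessing event logs: $_" -ForegroundColor Red
    }
}

# Get wireless authentication events (Event ID 5632)
# NOTE(review): Security event 5632 is documented as "A request was made to
# authenticate to a wireless network", i.e. this host acting as a wireless
# client. The Peer MAC is then presumably the access point, not a device that
# joined this host's hotspot - confirm before attributing these entries.
# The event is only written when the corresponding audit policy is enabled.
Write-Host "`n--- Wireless Authentication Events (Last 20) ---" -ForegroundColor Yellow
Write-Host $tzNote -ForegroundColor Gray
try {
    $authEvents = Get-WinEvent -FilterHashtable @{
        LogName = "Security"
        ID      = 5632
    } -MaxEvents 20 -ErrorAction Stop

    foreach ($authEvent in $authEvents) {
        Write-Host "$($authEvent.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'))" -ForegroundColor Cyan
        if ($authEvent.Message -match "Peer MAC Address:\s+([0-9A-Fa-f:-]+)") {
            Write-Host " Peer MAC: $($matches[1])" -ForegroundColor Yellow
        }
    }
}
catch {
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        Write-Host "No wireless authentication events found" -ForegroundColor Gray
    }
    else {
        Write-Host "Security event log not accessible: $_" -ForegroundColor Red
    }
}

# Get hosted network settings from registry
# Only the presence of the key is reported; the values are binary and are not
# decoded here.
Write-Host "`n--- Hosted Network Registry Settings ---" -ForegroundColor Yellow
try {
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\WlanSvc\Parameters\HostedNetworkSettings"
    if (Test-Path $regPath) {
        $props = Get-ItemProperty -Path $regPath -ErrorAction Stop
        if ($props) {
            Write-Host "Registry path exists with configuration data" -ForegroundColor Green
            Write-Host "(Binary data - use registry editor for details)"
        }
    }
    else {
        Write-Host "No hosted network settings found in registry" -ForegroundColor Gray
    }
}
catch {
    Write-Host "Error accessing registry: $_" -ForegroundColor Red
}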