- Add -Clear flag to clear all hotspot artifacts (event logs + ARP cache) - Add -ClearHotspot flag to clear WLAN-AutoConfig event logs only - Add -ClearArp flag to clear ARP cache only - Display additional manual clear commands with warnings for broader-impact logs
# Get-HotspotConnections.ps1
# Collects Windows Mobile Hotspot connection artifacts
<#
.SYNOPSIS
    Collects Windows Mobile Hotspot connection artifacts, or removes them when a -Clear* switch is given.

.DESCRIPTION
    In the default (collection) mode the script prints the hosted-network status, the IPv4
    neighbor (ARP) table, selected WLAN-AutoConfig and Security event-log entries and whether the
    HostedNetworkSettings registry key exists. When any -Clear* switch is supplied the script
    instead clears the selected artifacts, prints further manual clear commands, and exits
    without collecting anything. Administrator privileges are required in both modes.

.PARAMETER Clear
    Clear the WLAN-AutoConfig/Operational event log and the ARP cache.

.PARAMETER ClearHotspot
    Clear only the WLAN-AutoConfig/Operational event log.

.PARAMETER ClearArp
    Clear only the ARP cache.
#>
param(
    [switch]$Clear, # Clear all (event logs + ARP cache)
    [switch]$ClearHotspot, # Clear hotspot connection event logs only
    [switch]$ClearArp # Clear ARP cache only
)
# Check for admin privileges and fail fast with a readable message instead of
# letting the later steps fail one by one with access-denied errors.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal($currentIdentity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
$isAdmin = $currentPrincipal.IsInRole($adminRole)

if ($isAdmin -eq $false) {
    Write-Host "Error: This script requires Administrator privileges" -ForegroundColor Red
    Write-Host "Please run PowerShell as Administrator and try again" -ForegroundColor Yellow
    exit 1
}
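# Handle clear parameters.
# Any -Clear* switch turns this into a destructive run: the selected artifacts are
# removed, the list of further manual commands is printed, and the script exits
# without collecting anything.
#
# NOTE: wevtutil and arp are native executables. A non-zero exit code from a native
# command does not raise a PowerShell exception, so the original try/catch alone could
# never notice a failed clear and always printed the "cleared successfully" message.
# $LASTEXITCODE is therefore checked explicitly after each call.
if ($Clear -or $ClearHotspot -or $ClearArp) {
    if ($Clear -or $ClearHotspot) {
        Write-Host "Clearing hotspot connection logs..." -ForegroundColor Yellow
        try {
            # Clearing an event log is itself recorded by the Windows Event Log service;
            # this step is a standard detection point for log tampering.
            wevtutil cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
            if ($LASTEXITCODE -eq 0) {
                Write-Host "WLAN-AutoConfig event log cleared successfully" -ForegroundColor Green
            } else {
                Write-Host "Error clearing WLAN-AutoConfig log: wevtutil exited with code $LASTEXITCODE" -ForegroundColor Red
            }
        } catch {
            Write-Host "Error clearing WLAN-AutoConfig log: $_" -ForegroundColor Red
        }
    }

    if ($Clear -or $ClearArp) {
        Write-Host "Clearing ARP cache..." -ForegroundColor Yellow
        try {
            # Capture stderr instead of discarding it so a failure can be reported with its cause.
            $arpOutput = arp -d * 2>&1
            if ($LASTEXITCODE -eq 0) {
                Write-Host "ARP cache cleared successfully" -ForegroundColor Green
            } else {
                Write-Host "Error clearing ARP cache: $($arpOutput -join ' ')" -ForegroundColor Red
            }
        } catch {
            Write-Host "Error clearing ARP cache: $_" -ForegroundColor Red
        }
    }

    # Informational only: nothing below is executed, the commands are just printed.
    Write-Host "`n--- Other logs you may want to clear manually ---" -ForegroundColor Magenta
    Write-Host "WARNING: These commands have broader impact" -ForegroundColor Red
    Write-Host ""
    Write-Host "Clear Security log (clears ALL security events):" -ForegroundColor Yellow
    Write-Host " wevtutil cl Security" -ForegroundColor Gray
    Write-Host ""
    Write-Host "Clear hosted network registry settings:" -ForegroundColor Yellow
    Write-Host " Remove-Item 'HKLM:\SYSTEM\CurrentControlSet\Services\WlanSvc\Parameters\HostedNetworkSettings' -Force" -ForegroundColor Gray
    Write-Host ""
    Write-Host "Clear WLAN diagnostic log:" -ForegroundColor Yellow
    Write-Host " wevtutil cl `"Microsoft-Windows-WLAN-AutoConfig/Diagnostic`"" -ForegroundColor Gray
    Write-Host ""
    Write-Host "Clear Network Profile log:" -ForegroundColor Yellow
    Write-Host " wevtutil cl `"Microsoft-Windows-NetworkProfile/Operational`"" -ForegroundColor Gray
    Write-Host ""
    Write-Host "Clear Wi-Fi Direct log (used by mobile hotspot):" -ForegroundColor Yellow
    Write-Host " wevtutil cl `"Microsoft-Windows-WiFiDirect-Services-API/Operational`"" -ForegroundColor Gray

    exit 0
}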
# Collection-mode banner. The two note lines set expectations: only event-log
# entries and the live neighbor table are available, not a persistent client history.
Write-Host "=== Windows Mobile Hotspot Connection History ===" -ForegroundColor Cyan
$bannerNotes = @(
    "Note: Windows does not maintain persistent logs of past hotspot clients",
    "Only event logs and currently connected devices can be retrieved`n"
)
foreach ($note in $bannerNotes) {
    Write-Host $note
}
# Get current hotspot status.
# netsh's stdout is relayed line by line; its stderr is discarded, so a netsh error
# simply results in nothing being printed for this section.
Write-Host "--- Current Hotspot Status ---" -ForegroundColor Yellow
try {
    $hostedNetworkStatus = netsh wlan show hostednetwork 2>$null
    if ($hostedNetworkStatus) {
        foreach ($statusLine in $hostedNetworkStatus) {
            Write-Host $statusLine
        }
    }
} catch {
    Write-Host "Error getting hosted network status" -ForegroundColor Red
}
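# Get currently connected clients via ARP.
# Get-NetNeighbor returns the neighbor table for EVERY IPv4 interface, not just the
# hotspot adapter, so hosts on the machine's own LAN/upstream link appear here as well.
# The interface alias is included in the output so each entry can be attributed, and
# the table is grouped by interface. Multicast (224.x/239.x) and Unreachable entries
# are filtered out; other non-client entries (e.g. broadcast addresses) are not.
Write-Host "`n--- Currently Connected Devices (ARP Cache) ---" -ForegroundColor Yellow
try {
    $neighborFilter = { $_.State -ne "Unreachable" -and $_.IPAddress -notmatch "^(224\.|239\.)" }
    $arp = Get-NetNeighbor -AddressFamily IPv4 -ErrorAction SilentlyContinue | Where-Object $neighborFilter

    if ($arp) {
        $arp |
            Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias |
            Sort-Object InterfaceAlias |
            Format-Table -AutoSize
    } else {
        Write-Host "No connected devices found in ARP cache" -ForegroundColor Gray
    }
} catch {
    Write-Host "Error accessing ARP cache: $_" -ForegroundColor Red
}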
# Extract hotspot connection events from WLAN-AutoConfig log
Write-Host "`n--- Recent Hotspot Connection Events ---" -ForegroundColor Yellow
try {
    # Event IDs queried (meanings as given by the script author; confirm against the
    # event's Task/Opcode on the system under review):
    #   20019     - client connection to hotspot
    #   20020     - connection establishment confirmation
    #   8005/8006 - hotspot start/stop
    $hotspotEventFilter = @{
        LogName = "Microsoft-Windows-WLAN-AutoConfig/Operational"
        ID = 8005, 8006, 20019, 20020
    }
    $hotspotEvents = Get-WinEvent -FilterHashtable $hotspotEventFilter -MaxEvents 50 -ErrorAction SilentlyContinue

    if (-not $hotspotEvents) {
        Write-Host "No hotspot events found in logs" -ForegroundColor Gray
    } else {
        foreach ($hotspotEvent in $hotspotEvents) {
            $stamp = $hotspotEvent.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
            Write-Host "$stamp" -ForegroundColor Cyan -NoNewline
            Write-Host " [ID:$($hotspotEvent.Id)]" -ForegroundColor Gray -NoNewline

            # Surface the client MAC or the SSID from the message text; when neither
            # pattern matches, only terminate the line that was started above.
            $messageText = $hotspotEvent.Message
            if ($messageText -match "MAC Address: ([0-9A-Fa-f:-]+)") {
                Write-Host " MAC: $($matches[1])" -ForegroundColor Yellow
            } elseif ($messageText -match "SSID: (.+)") {
                Write-Host " SSID: $($matches[1])" -ForegroundColor Green
            } else {
                Write-Host ""
            }
        }
    }
} catch {
    Write-Host "Error accessing event logs: $_" -ForegroundColor Red
}
# Get wireless authentication events (Event ID 5632).
# Security-log events are only written when the corresponding audit policy is enabled,
# so an empty result here does not prove that no client authenticated.
Write-Host "`n--- Wireless Authentication Events (Last 20) ---" -ForegroundColor Yellow
try {
    $wirelessAuthFilter = @{
        LogName = "Security"
        ID = 5632
    }
    $wirelessAuthEvents = Get-WinEvent -FilterHashtable $wirelessAuthFilter -MaxEvents 20 -ErrorAction SilentlyContinue

    if (-not $wirelessAuthEvents) {
        Write-Host "No wireless authentication events found" -ForegroundColor Gray
    } else {
        foreach ($wirelessAuthEvent in $wirelessAuthEvents) {
            $stamp = $wirelessAuthEvent.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
            Write-Host "$stamp" -ForegroundColor Cyan
            # Only the peer MAC is pulled out of the message; nothing is printed when it is absent.
            if ($wirelessAuthEvent.Message -match "Peer MAC Address:\s+([0-9A-Fa-f:-]+)") {
                Write-Host " Peer MAC: $($matches[1])" -ForegroundColor Yellow
            }
        }
    }
} catch {
    Write-Host "Security event log not accessible or no events found" -ForegroundColor Gray
}
# Get hosted network settings from registry.
# Only the key's existence (and that it has readable values) is reported; the values are
# binary and are not decoded here.
Write-Host "`n--- Hosted Network Registry Settings ---" -ForegroundColor Yellow
try {
    $hostedNetworkKey = "HKLM:\SYSTEM\CurrentControlSet\Services\WlanSvc\Parameters\HostedNetworkSettings"
    if (-not (Test-Path $hostedNetworkKey)) {
        Write-Host "No hosted network settings found in registry" -ForegroundColor Gray
    } else {
        $keyValues = Get-ItemProperty -Path $hostedNetworkKey -ErrorAction SilentlyContinue
        if ($keyValues) {
            Write-Host "Registry path exists with configuration data" -ForegroundColor Green
            Write-Host "(Binary data - use registry editor for details)"
        }
    }
} catch {
    Write-Host "Error accessing registry: $_" -ForegroundColor Red
}