WLAN AutoConfig Event Log

Windows, User Activity, Disk Image

Location

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx

Description

The WLAN AutoConfig operational event log records wireless network connection events including SSID names, connection success/failure, authentication types (WPA2, WPA3, Open), disconnect reasons, and BSSID (access point MAC) information.

Forensic Value

WLAN logs establish the physical location context of a device by recording which wireless networks it connected to and when, which is critical for placing a suspect device at a specific location during an incident. The logs capture the authentication method used, helping identify connections to rogue or open access points that may indicate a man-in-the-middle attack. Failed connection attempts and frequent SSID switching can reveal reconnaissance behavior or attempts to connect to attacker-controlled networks. These logs persist even when the network profile is deleted and provide timestamps that correlate with other forensic artifacts.

Tools Required

KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer, PowerShell

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target EventLogs

EvtxECmd

EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx" --csv C:\output\ --csvf wlan_events.csv

PowerShell

Get-WinEvent -LogName "Microsoft-Windows-WLAN-AutoConfig/Operational" | Export-Csv C:\output\wlan_events.csv -NoTypeInformation
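The export above flattens each event to its rendered message. To build the connection timeline described under Forensic Value, the named EventData fields are easier to work with. The following is an added example, not part of the original page: it parses event XML into rows, marks open-authentication connections, and summarises first/last sighting per SSID. The sample records are constructed, and the field names `SSID` and `AuthenticationAlgorithm`, the value `Open`, and the function name `ConvertFrom-WlanEventXml` are assumptions to check against your own log.

```powershell
# Constructed sample records (not from a real system); event IDs are illustrative.
# Assumed field names: SSID, AuthenticationAlgorithm. Verify against your export.
$tpl = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>{0}</EventID>" +
       "<TimeCreated SystemTime='{1}'/></System><EventData><Data Name='SSID'>{2}</Data>" +
       "<Data Name='AuthenticationAlgorithm'>{3}</Data></EventData></Event>"
$sample = @(
    ($tpl -f 8001, '2024-03-01T08:02:11Z', 'CorpNet',   'WPA2-Enterprise'),
    ($tpl -f 8001, '2024-03-01T12:40:05Z', 'Free_WiFi', 'Open'),
    ($tpl -f 8001, '2024-03-01T17:15:30Z', 'CorpNet',   'WPA2-Enterprise')
)

# Hypothetical helper: turn one event's XML into an object with a column per EventData field.
function ConvertFrom-WlanEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $root = ([xml]$Xml).DocumentElement
    $sys  = $root['System']
    $row  = [ordered]@{
        TimeUtc = [datetimeoffset]::Parse($sys['TimeCreated'].GetAttribute('SystemTime')).UtcDateTime
        EventId = [int]$sys['EventID'].InnerText
    }
    $data = $root['EventData']
    if ($data) {
        foreach ($d in $data.ChildNodes) {
            if ($d -isnot [System.Xml.XmlElement]) { continue }
            $name = $d.GetAttribute('Name')
            if ($name) { $row[$name] = $d.InnerText }   # keep every named field, whatever the event type
        }
    }
    [pscustomobject]$row
}

# For a collected log, replace $sample with:
#   Get-WinEvent -Path <copied .evtx> | ForEach-Object { $_.ToXml() }
$events = $sample | ForEach-Object { ConvertFrom-WlanEventXml $_ } | Sort-Object TimeUtc

# Timeline with a flag for unauthenticated (open) networks.
$events | Select-Object TimeUtc, EventId, SSID, AuthenticationAlgorithm,
    @{ n = 'OpenNetwork'; e = { $_.AuthenticationAlgorithm -eq 'Open' } } | Format-Table -AutoSize

# Per-SSID summary: how often and over what time span each network appears.
$events | Where-Object SSID | Group-Object SSID | ForEach-Object {
    [pscustomobject]@{
        SSID = $_.Name; Events = $_.Count
        FirstSeenUtc = $_.Group[0].TimeUtc; LastSeenUtc = $_.Group[-1].TimeUtc
    }
} | Format-Table -AutoSize
```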

MITRE ATT&CK Techniques

T1557, T1040, T1200