WiFi Disconnection

Windows 10

Windows 7

Flynn Weeks

Flynn Weeks

April 21, 2022

Enabled by default

Service: Microsoft Windows Security auditing

Log type: Security

It is a good idea to monitor what network you machine may be connected to at any time. Unusual or public connections can introduce vulnerabilities and potentially start a time line of events.

Event ID 8003 is a successful disconnection to a wireless network.

When a user disconnects from WiFi, a log is made in the Operational log of the WLAN-AutoConfig folder. This folder can be found under the Applications and Services Logs folder, and then the Microsoft and Windows folder, respectively.

To view a Wireless disconnection log in the command line, launch PowerShell as an administrator.
Because this is an application log, there are two commands that are required to view it from the command line. The first command is
<pre><code>
$xml = @'
<QueryList>
<Query Id="0" Path="Microsoft-Windows-WLAN-AutoConfig/Operational">
<Select Path="Microsoft-Windows-WLAN-AutoConfig/Operational">*[System[(EventID=8003)]]</Select>
</Query>
</QueryList>
'@
</pre></code>
After this command is run, the second command to view the log can be run. This command is
<pre><code>Get-WinEvent -FilterXM: $xml | select -first 1 | Format-Table -wrap</code></pre>
The "select -first 1" section of this command returns only the most recent log to save space and can be dropped to view more logs.
However, the "Format-Table -wrap" part of this command is what shows the full log in the command line and should not be dropped.

View Logs
$xml = @'
<QueryList>
    <Query Id="0" Path="Microsoft-Windows-WLAN-AutoConfig/Operational">
        <Select Path="Microsoft-Windows-WLAN-AutoConfig/Operational">*[System[(EventID=8003)]]
 </Select>
 </Query>
</QueryList>
'@
Get-WinEvent -FilterXM: $xml | select -first 1 | Format-Table -wrap 
Check Logging Status
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Disable Logging
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Enable Logging
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Language: Powershell
View Log Pile