NetworkList
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
NetworkList keeps a permanent registry of every network profile the machine has ever connected to, wired and wireless. Each entry stores the network name, the gateway MAC address and connection timestamps. For investigators tracking a mobile endpoint or staged exfiltration, this is the machine's travel log.
Key Name
Profiles\{GUID} — subkey per network profile containing ProfileName, DateCreated and DateLastConnected (FILETIME-encoded)
Trace Type
Connectivity
Hive
SOFTWARE
Cross-reference with Signatures\Unmanaged under the same path for gateway MAC address and SSID fingerprinting.
Last Write Time
Per-profile Last Write Time aligns with the last connection event to that network — useful for confirming when a suspect's device was in a specific location.
User Specific
No
Stored in the machine-wide SOFTWARE hive. Network history reflects the device's connections regardless of which user was logged in.
Forensic Value
- Place a device at a physical location: Matching a network profile to a known router proves physical presence. Cross-reference this with System EventLogs (Event ID 7001/7002) for logon/logoff correlation.
- Detect attacker infrastructure connections: Personal hotspot names or suspect guest networks connected to during an exfiltration window directly implicate specific actors.
- Build a device mobility timeline: Created and LastConnected timestamps reconstruct the movement history of a mobile endpoint.
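The mobility timeline from the last bullet, as an added example (not code from the original page): it decodes DateCreated and DateLastConnected value data already exported from Profiles\{GUID} and orders the events. It decodes by length, because these values are commonly found as 16-byte SYSTEMTIME structures in local time, and it also accepts an 8-byte FILETIME; the function names, profile names and key placeholders are assumptions, and the sample data is constructed.

```python
import struct
from datetime import datetime, timedelta

def decode_profile_time(raw: bytes) -> datetime:
    """Decode a DateCreated / DateLastConnected REG_BINARY value by its length."""
    if len(raw) == 16:
        # SYSTEMTIME: year, month, day-of-week, day, hour, minute, second, ms.
        # These values are the machine's local time, not UTC.
        y, mo, _dow, d, h, mi, s, ms = struct.unpack("<8H", raw)
        return datetime(y, mo, d, h, mi, s, ms * 1000)
    if len(raw) == 8:
        # FILETIME: 100 ns ticks since 1601-01-01 (UTC)
        (ticks,) = struct.unpack("<Q", raw)
        return datetime(1601, 1, 1) + timedelta(microseconds=ticks // 10)
    raise ValueError(f"unexpected timestamp length: {len(raw)} bytes")

def build_timeline(profiles: dict) -> list:
    """Return (time, event, ProfileName, profile key) tuples, oldest first."""
    events = []
    for key, values in profiles.items():
        for field, label in (("DateCreated", "first seen"),
                             ("DateLastConnected", "last connected")):
            raw = values.get(field)
            if raw is not None:
                events.append((decode_profile_time(raw), label,
                               values.get("ProfileName", "?"), key))
    return sorted(events)

def _systemtime(y, mo, dow, d, h, mi, s, ms=0) -> bytes:
    """Pack a SYSTEMTIME; used only to build the constructed sample below."""
    return struct.pack("<8H", y, mo, dow, d, h, mi, s, ms)

# Constructed sample data: names, times and key placeholders are invented.
SAMPLE_PROFILES = {
    "{PROFILE-GUID-1}": {
        "ProfileName": "CorpNet",
        "DateCreated": _systemtime(2023, 1, 1, 9, 8, 30, 0),
        "DateLastConnected": _systemtime(2023, 3, 5, 17, 18, 2, 11),
    },
    "{PROFILE-GUID-2}": {
        "ProfileName": "Example-Hotspot",
        "DateCreated": _systemtime(2023, 3, 3, 15, 22, 41, 7),
        "DateLastConnected": _systemtime(2023, 3, 3, 15, 23, 5, 40),
    },
}

if __name__ == "__main__":
    for when, label, name, key in build_timeline(SAMPLE_PROFILES):
        print(f"{when.isoformat()}  {label:<14}  {name}  {key}")
```

When SYSTEMTIME values are in play, convert them with the examined machine's time zone before lining them up against UTC sources such as event logs.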
For more info, check out these articles: System EventLogs