WMI MSNdis_80211_BSSIList requires a survey

Question

To get the current list of wireless access points programmatically in PowerShell, I'm trying to query this WMI class. WMI Explorer 2.0.0.2 shows that it can be accessed via

$computer = $env:COMPUTERNAME
$namespace = "ROOT\WMI"
$classname = "MSNdis_80211_BSSIList"

Write-Output "====================================="
Write-Output "COMPUTER : $computer "
Write-Output "CLASS    : $classname "
Write-Output "====================================="

Get-WmiObject -Class $classname -ComputerName $computer -Namespace $namespace |
    Select-Object * -ExcludeProperty PSComputerName, Scope, Path, Options, ClassPath, Properties, SystemProperties, Qualifiers, Site, Container |
    Format-List -Property [a-z]*

When I try to enumerate, I get 0 instances. The description of the adjacent MSNdis_80211_BssIdListScan is

Perform a survey to refresh the NDIS 802.11 BSS list

but has no indication of how to perform a survey. This also appears in wmicore.mof:6892 in the Windows 10 SDK, again with no hint as to what a survey is or how it's done.

I am open to the idea of other methods to get detailed BSS properties, but it seems like my options are limited. I'm looking to enumerate beacon information elements (IEs).

Answer 1

The MSNdis wmi classes in general are no longer updated, and are very rarely the best approach. The 80211 subset are in even worse shape — as far as I'm aware, they actually never worked right. (There was a time when every OID in the NDIS driver model was mechanically ported to WMI, regardless of whether this was at all useful. The 80211 classes are one of the worst products of that effort. I found one of them that was just transcribed incorrectly, so it couldn't have possibly ever worked.) Unlike most of the networking WMI classes, the WLAN area has not been ported to CIM: there's a MSFT_NetXxx class for almost everything except WLAN.

The best-maintained programming surface for WLAN is wlanapi. There are a few other front-ends to that (e.g. netsh.exe wlan), but retrieving IEs is a fairly specialized task and I'm not sure you'll find any other front-end has the IE details you're looking for. As others have already commented, your best path to success is likely to p/invoke your way through WlanGetNetworkBssList. Yes, it's not an easy API to p/invoke. I unfortunately don't have any experience using this API from C#, so I can't give you a solid recommendation of some existing library of p/invokes for wlanapi, but I see there are a few libraries bouncing around github, so you can at least find a starting place there.

You may already be aware of this, but for the benefit of other people browsing this page, please temper your expectations of what kind of IE data you can get back from a consumer-grade station. Many WLAN chips are fairly vague about what IEs they get back, and necessarily do a fair amount of fudging of data. For example, the NDIS driver model suggests that WLAN chips should actually merge the IEs that are received from beacons and probe responses (with one or two necessary exceptions for specific IEs that would just be semantically broken if you did this), so you're getting back a jumble of data that was never actually transmitted in any single network frame. Windows doesn't need every management frame to be reproduced with perfect precision, so our tests don't hold manufacturers to a needlessly-high standard here.

Consumer-grade WLAN chips also can't listen on every channel at every time, so they are designed to do a fair amount of caching and extrapolating of data. This all happens internally in the device firmware, so by the time the BSS list gets to the OS, the data is already fairly well cooked.

All this chip-specific magic behavior varies fairly widely among manufacturers, so you'll get noticeably different results when comparing different radios. If you need one good result, be prepared to shop around for a few different chips. If you are building a general-purpose product for widespread use, be prepared to spend the time to make it robust to different manufacturers' quirks.

Answer 2

I've dusted off my old P/Invoke WLAN code and I've written some code to get the BSS data. (this code comes from my internal test project, I've removed all the unneeded code as far as I could see)

<#
    WLAN PInvoke methods.
    https://learn.microsoft.com/en-us/windows/win32/api/_nwifi/
#>

# C# P/Invoke method signatures and structs
$WlanOpenHandleDef = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public class WLAN
{
    [DllImport("Wlanapi.dll")]
    public extern static UInt32 WlanOpenHandle(UInt32 dwClientVersion,IntPtr pReserved, out IntPtr pdwNegotiatedVersion, out IntPtr phClientHandle);

    [DllImport("Wlanapi.dll")]
    public extern static UInt32 WlanCloseHandle(IntPtr phClientHandle, IntPtr pReserved);

    [DllImport("Wlanapi.dll")]
    public extern static UInt32 WlanDisconnect (IntPtr phClientHandle, Guid pInterfaceGuid, IntPtr pReserved);

    [DllImport("Wlanapi.dll")]
    public extern static UInt32 WlanEnumInterfaces(IntPtr phClientHandle, IntPtr pReserved, out IntPtr ppInterfaceList);

    [DllImport("Wlanapi.dll")]
    public extern static UInt32 WlanGetAvailableNetworkList(IntPtr phClientHandle, Guid pInterfaceGuid, UInt32 dwFlags, IntPtr pReserved, out IntPtr ppAvailableNetworkList);

    [DllImport("Wlanapi.dll")]
    public extern static UInt32 WlanScan(IntPtr phClientHandle, Guid pInterfaceGuid, IntPtr pDot11Ssid, IntPtr pIeData, IntPtr pReserved);

    [DllImport("Wlanapi.dll")]
    public extern static UInt32 WlanGetProfileList(IntPtr phClientHandle, Guid pInterfaceGuid, IntPtr pReserved, out IntPtr ppProfileList);

    [DllImport("Wlanapi.dll")]
    public extern static UInt32 WlanGetNetworkBssList(IntPtr phClientHandle, Guid pInterfaceGuid, IntPtr pDot11Ssid, int dot11BssType, bool bSecurityEnabled, IntPtr pReserved, out IntPtr ppWlanBssList);

}

public enum DOT11_BSS_TYPE
{ 
  dot11_BSS_type_infrastructure  = 1,
  dot11_BSS_type_independent     = 2,
  dot11_BSS_type_any             = 3
}


public enum DOT11_AUTH_ALGORITHM : uint
{ 
  DOT11_AUTH_ALGO_80211_OPEN        = 1,
  DOT11_AUTH_ALGO_80211_SHARED_KEY  = 2,
  DOT11_AUTH_ALGO_WPA               = 3,
  DOT11_AUTH_ALGO_WPA_PSK           = 4,
  DOT11_AUTH_ALGO_WPA_NONE          = 5,
  DOT11_AUTH_ALGO_RSNA              = 6,
  DOT11_AUTH_ALGO_RSNA_PSK          = 7,
  DOT11_AUTH_ALGO_IHV_START         = 0x80000000,
  DOT11_AUTH_ALGO_IHV_END           = 0xffffffff
}

public enum DOT11_PHY_TYPE : uint
{ 
  dot11_phy_type_unknown     = 0,
  dot11_phy_type_any         = 0,
  dot11_phy_type_fhss        = 1,
  dot11_phy_type_dsss        = 2,
  dot11_phy_type_irbaseband  = 3,
  dot11_phy_type_ofdm        = 4,
  dot11_phy_type_hrdsss      = 5,
  dot11_phy_type_erp         = 6,
  dot11_phy_type_ht          = 7,
  dot11_phy_type_vht         = 8,
  dot11_phy_type_IHV_start   = 0x80000000,
  dot11_phy_type_IHV_end     = 0xffffffff
}

[StructLayout(LayoutKind.Sequential,CharSet = CharSet.Unicode)]
public struct WLAN_INTERFACE_INFO
{
    public Guid InterfaceGuid;
    [MarshalAs(UnmanagedType.ByValTStr,SizeConst = 256)]
    public string strInterfaceDescription;
    public UInt32 isState;
}

[StructLayout(LayoutKind.Sequential)]
public struct WLAN_INTERFACE_INFO_LIST
{
    public UInt32 dwNumberOfItems;
    public UInt32 dwIndex;
    public IntPtr InterfaceInfo;
}


[StructLayout(LayoutKind.Sequential)]
public struct WLAN_BSS_LIST
{
    public UInt32 dwTotalSize;
    public UInt32 dwNumberOfItems;
    public IntPtr wlanBssEntries;
}


[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
public struct DOT11_SSID
{
    public UInt32 uSSIDLength;
    [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 32)]
    public string ucSSID;
}

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
public struct WLAN_RATE_SET
{
    public UInt64 uRateSetLength;
    [MarshalAs(UnmanagedType.ByValArray,SizeConst = 126)]
    public UInt16[] usRateSet;
}


[StructLayout(LayoutKind.Sequential,CharSet = CharSet.Unicode)]
public struct WLAN_BSS_ENTRY
{
    public DOT11_SSID dot11Ssid;
    public UInt64 uPhyId;
    [MarshalAs(UnmanagedType.ByValArray,SizeConst = 6)]
    public byte[] DOT11_MAC_ADDRESS;
    public DOT11_BSS_TYPE dot11BssType;
    public DOT11_PHY_TYPE dot11BssPhyType;
    public Int64 lRssi;
    public UInt64 uLinkQuality;
    public bool bInRegDomain;
    public UInt16 usBeaconPeriod;
    public UInt64 ullTimestamp; // check length, this is ulonglong in signature
    public UInt64 ullHostTimestamp; // check length, this is ulonglong in signature
    public UInt16 usCapabilityInformation;
    public UInt64 ulChCenterFrequency;
    public WLAN_RATE_SET wlanRateSet;
    public UInt64 ulIeOffset;
    public UInt64 ulIeSize;
}

'@

Add-Type -TypeDefinition $WlanOpenHandleDef

function Get-WirelessInterfaces {
[CmdletBinding()]
param()

begin {
# Create the pointers for the handle.
$NegotiatedVersion = [System.IntPtr]::Zero
$ClientHandle = [System.IntPtr]::Zero
# open a handle
[void][WLAN]::WlanOpenHandle(2,[IntPtr]::Zero, [ref]$NegotiatedVersion,[ref]$ClientHandle)   
}

process {
# ResultList with all the interfaces => we use this at the end to populate with the data
$ResultInterfaceList = [System.Collections.Generic.List[Object]]::new()

# Create the pointer for the return object
$InterfaceInfoListPtr = [System.IntPtr]::Zero
# Enumerate the interfaces
[void][WLAN]::WlanEnumInterfaces($ClientHandle,[System.IntPtr]::Zero,[ref]$InterfaceInfoListPtr)

# Marshal the pointer with the interfacelist to the correct struct
$InterfaceInfoList = [System.Runtime.InteropServices.Marshal]::PtrToStructure($InterfaceInfoListPtr,[type][WLAN_INTERFACE_INFO_LIST])
# Get the size of the WLAN_INTERACE_INFO struct (should be 532 bytes)
$InterfaceInfoStructSize = [System.Runtime.InteropServices.Marshal]::SizeOf([type][WLAN_INTERFACE_INFO])

# now we run a loop where we populate the items in a list by marshalling them.
# we'll have to increment each item with the size + 8.
for ($i = 0; $i -lt $InterfaceInfoList.dwNumberOfItems; $i++) { 
    # we'll have to offset some data on each iteration. We do this by taking the size * index and add 8. So index 0 starts at offset 8 related from the pointer)
    $Buffer = (($InterfaceInfoListPtr.ToInt64() + ($i * $InterfaceInfoStructSize) + 8))
    $InterfaceInformation = [System.Runtime.InteropServices.Marshal]::PtrToStructure($Buffer,[type][WLAN_INTERFACE_INFO])
    $ResultInterfaceList.Add($InterfaceInformation)
    }

    $ResultInterfaceList
}

end {
# close the handle
[void][WLAN]::WlanCloseHandle($ClientHandle,[System.IntPtr]::Zero)
}

}



# Sample function to get all BSS data.. I'm only outputting
# the basic struct data without formatting a nice object
function Get-WirelessBSS {
[CmdletBinding()]
param()
$NegotiatedVersion = [System.IntPtr]::Zero
$ClientHandle = [System.IntPtr]::Zero
$BSSCallResult = [System.IntPtr]::Zero
$Interfaces = Get-WirelessInterfaces

# open a handle
[void][WLAN]::WlanOpenHandle(2,[IntPtr]::Zero, [ref]$NegotiatedVersion,[ref]$ClientHandle) 

# Get the Bsslist
[void][wlan]::WlanGetNetworkBssList($ClientHandle,$Interfaces.InterfaceGuid, [System.IntPtr]::Zero, $null, $false, [System.IntPtr]::Zero, [ref]$BSSCallResult)
# Marshall the result to a struct
$BSSList = [System.Runtime.InteropServices.Marshal]::PtrToStructure($BSSCallResult,[type][WLAN_BSS_LIST])

# list for the results..
$BSSResultList = [System.Collections.Generic.List[Object]]::new()

# Get the size of the WLAN_BSS_ENTRY struct
$WLAN_BSS_StructSize = [System.Runtime.InteropServices.Marshal]::SizeOf([type][WLAN_BSS_ENTRY])

# now we marshall the data from the struct
for ($i = 0; $i -lt $BSSList.dwNumberOfItems; $i++) {
Write-Verbose "Processing entry $($i) out of $($BSSList.dwNumberOfItems)"
    # we'll have to offset some data on each iteration. We do this by taking the size * index and add 8. So index 0 starts at offset 8 related from the pointer)
    $Buffer = (($BSSCallResult.ToInt64() + ($i * $WLAN_BSS_StructSize) + 8))
    $BSSInformation = [System.Runtime.InteropServices.Marshal]::PtrToStructure($Buffer,[type][WLAN_BSS_ENTRY])
    $BSSResultList.Add($BSSInformation)
    }

# return the list
$BSSResultList
}

# get BSS Data
Get-WirelessBSS