Thursday, October 30, 2008

Latest Utilities Changes

Here's a small summary of latest changes in NirSoft utilities:

  • MozillaCacheView and OperaCacheView: New option in 'Copy Selected Files To...': Save the files in the directory structure of the Web site.
  • USBDeview: Added new option - Open In RegEdit.
  • ShellExView: New restriction - ShellExView won't allow you to disable at once more than 15 shell extensions created by Microsoft.
  • PasswordFox: Added support for specifying the master password (in the 'Select Folders' dialog-box or from command-line).
  • SiteShoter: Added new option: 'Take a screenshot of this Web page every...'

Sunday, October 26, 2008

New utilities are coming soon

There are 5 new utilities that are currently cooked in the kitchen of Nirsoft, and are going to get out of the oven very soon.

So here they are, with a small description for each of them:

  • IPInfoOffline: Allows you to view information about IP addresses, without connecting any external server. It uses a compressed IP addresses database that is stored inside the exe file. For each IP address, the following information is displayed: IP block range, Organization (RIPE, ARIN, APNIC, LACNIC or AFRINIC), Assigned Date, Country Name, and Country Code.

  • DNSDataView: This utility is a GUI alternative to the NSLookup tool that comes with Windows operating system. It allows you to easily retrieve the DNS records (MX, NS, A, SOA) of the specified domains. You can use the default DNS server of your Internet connection, or use any other DNS server that you specify.

  • SkypeLogView: This utility reads the log files created by Skype application, and displays the details of incoming/outgoing calls, chat messages, and file transfers made by the specified Skype account.

  • WirelessNetConsole: Console version of WirelessNetView. It dumps all current detected wireless networks information into the standard output. For each wireless network, the following information is displayed: SSID, Signal Quality in %, PHY types, RSSI, MAC Address, Channel Frequency, and more.

  • UserProfilesView: This utility displays the list of all user profiles that you currently have in your system. For each user profile, the following information is displayed: Domain\User Name, Profile Path, Last Load Time, Registry File Size, User SID, and more.

These utilities will probably be ready for the first tasting in the next Saturday (November 1, 2008), and will be served first in this blog, and then later in the entire site, including the utilities and packages sections.

Saturday, October 25, 2008

nirsoft.net in a new server

nirsoft.net is now hosted in a new server. The site will work much faster than before in the peak usage hours, as well as downtimes will be minimal.

Wednesday, October 22, 2008

nirsoft.net was down for several hours

The amount traffic received by nirsoft.net was gradually increased, and that caused the http server to crash due to large amount of requests.
The hosting company removed my site for several hours because the server also hosts a few other sites. I'm now in a process of moving nirsoft.net site to a new server, and that will minimize the site downtime to almost 0%.

Saturday, October 18, 2008

Recover Windows Credentials passwords from external drive.

If you already worked with my password recovery tools, you probably know that most of them can only recover the passwords of the current logged-on user, but they cannot recover the passwords from another user profile or from an external drive.
The reason for this limitation is that most of these tools use some Windows API calls to decrypt the passwords, and these API calls only works for the current logged-on user.

In order to allow my tools to recover the passwords from an external drive,
I used my reverse engineering skills to find out exactly how Windows password decryption works, and wrote the code that do the same thing, but without the restriction of the current logged-on user.

So here's the first tool that uses my new decryption code: Network Password Recovery.
This means that you can now recover the passwords stored inside the Credentials file of Windows XP/Vista/2003/2008 even if you have a dead system that cannot boot anymore.

There is only one restriction: you must know the last log-on password of the user that owned the Credentials file you wish to recover. The SHA hash of the log-on password is used in the process of Credentials file encryption, and without knowing that log-on password, the content of the Credentials file cannot be recovered instantly.

Printing data in NirSoft utilities

Sometimes people ask me "How do I print the data appeared in your tool ?".
Although there is no printing support in my tools, you can easily send the data to a printer by using one of the following options:

  1. Copy & Paste - You can select the data that you wish to print and copy it to the clipboard with Ctrl+C. After that, you can paste it to another application that support printing, like Excel, OpenOffice Spreadsheet, Notepad, and so on.

  2. Print in your Web browser - You can select the data that you wish to print and then save it to html file. After that, you can open the saved html in your Web browser, and then print it.

  3. Save to tab-delimited/comma-delimited file - You can select the data that you wish to print and then save it into a tab-delimited file or comma-delimited file.
    After that, you can open the saved file with any software that can import from tab-delimited/comma-delimited files, and then use that software to print the data.



Wednesday, October 8, 2008

Extract files from IE cache with directory structure

There is a new feature in IECacheView utility that allows you to extract files from the cache of Internet Explorer into the same directory structure of the original Web site.
Just for example, in the following screenshot of IECacheView, you can see the list of cache files downloaded from NirSoft Blog:



If you select all these files, go to "Copy Selected Files To", and then choose the "Save the files in the directory structure of the Web site" option, the folders structure after saving the files from the cache will look like this one:

Windows search puppy goes to sleep

If you work on Windows XP, you probably already familiar with the animated search puppy that show its unessential tricks while you make a search. However, this puppy has a small "feature" that many people don't know about.
If you make a search, and then leave the search window opened without touching it for a long time, the search puppy get tired and goes to sleep....




Good Night !

Sunday, October 5, 2008

Cache viewer for Chrome Web browser

While looking into the cache folder of Google Chrome Web browser, I found out that the file structure inside this folder looks a little familiar.
Similar to the cache of Mozilla/Firefox browsers, it has 3 data files, numbered from 1 to 3, when file number 1 is the smallest file, and the largest file is file number 3. It also has a cache map file, which numbered as '0', and other files with hexadecimal numbers which contains the binary content of some cached files.

Here's an example for the file structure in the cache folder of Chrome:



And here's the cache folder of Firefox:




After looking more deeply into the cache folder of Chrome, I found out that the internal structures of the cache files are a little different from the structures of Firefox, but it still was very easy to figure out how to read these files, and you can see the result in my new ChromeCacheView utility.

Bug in IE8 transition effect

It seems that there is a weird bug in beta 2 release of Internet Explorer 8.
When browsing into the main page of NirSoft Web site, the transition effect stops in the middle of the transition process, and the user may think that the Web browser just hang. However, after resizing the window a little, everything returns back to normal.

Here's an example of how my site may look when browsing it with IE8:

Saturday, October 4, 2008

Current AVG False Positives

Messages like "You have a Virus in your software" are received into my Inbox on daily basis, and a lots of them comes from AVG Antivirus. So I decided to check the current status of AVG false positives, by scanning the utilities folder of my site.
First, I copied the utils folder of my site into a new place (I don't really want that AVG will touch my original site folder...), and then I allowed AVG Antivirus to scan the folder.
After AVG finished the scan, it splited the scan result into 2 categories: Infections and Spyware.
Most of the alerts on my utilities folder appeared under the 'Spyware' section.
I really would want to understand what is going in the minds of AVG guys when they decided to detect my software as Spyware.

Anyway, I used my own SysExporter utility to grab the scan result from AVG and display it as HTML. Luckily, SysExporter is not detected as infection by AVG, otherwise, it wouldn't allow me to run and use it.
So here's the AVG "False Positive" list, the Spyware section:

C:\Utils\asterie.zip Potentially harmful program HackTool.DOI
C:\Utils\asterie.zip:\asterie.exe Potentially harmful program HackTool.DOI
C:\Utils\netpass.zip Potentially harmful program HackTool.FAJ
C:\Utils\netpass.zip:\netpass.exe Potentially harmful program HackTool.FAJ
C:\Utils\netpass_setup.exe Potentially harmful program HackTool.FAJ
C:\Utils\netpass_setup.exe:\netpass.exe Potentially harmful program HackTool.FAJ
C:\Utils\netpass_setup.exe:\ziz1384.tmp:\netpass.exe Potentially harmful program HackTool.FAJ
C:\Utils\pspv.zip Potentially harmful program HackTool.CBX
C:\Utils\pspv.zip:\pspv.exe Potentially harmful program HackTool.CBX
C:\Utils\sniffpass.zip Potentially harmful program HackTool.FMT
C:\Utils\sniffpass.zip:\SniffPass.exe Potentially harmful program HackTool.FMT
C:\Utils\sniffpass_setup.exe Potentially harmful program HackTool.FMT
C:\Utils\sniffpass_setup.exe:\SniffPass.exe Potentially harmful program HackTool.FMT
C:\Utils\sniffpass_setup.exe:\ziz1384.tmp:\SniffPass.exe Potentially harmful program HackTool.FMT
C:\Utils\vncpassview.zip Potentially harmful program HackTool.EEI
C:\Utils\vncpassview.zip:\VNCPassView.exe Potentially harmful program HackTool.EEI



And this one is the Infections section:


C:\Utils\lsasecretsdump.zip Trojan horse Generic10.SZR
C:\Utils\lsasecretsdump.zip:\LSASecretsDump.exe Trojan horse Generic10.SZR


And finally, here's another issue with AVG and other Antivirus software:
When you exit from the Antivirus software, it won't display any Virus/Trojan/Spyware warning, but the service of the Antivirus is still running in the background, and prohibits you from running any file that is detected as infected.
This mean that if you try to run one of my tools that are detected as Spyware/Virus while AVG application is not running, you'll get the following error message:
"Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item".

Most people that get this kind of error, think that there is a bug in my software, and don't know that the Antivirus is the one that cause the problem.

Thursday, October 2, 2008

OpenedFilesView - Hide system files

I added 2 new options to OpenedFilesView that allows you to hide system files when you don't really want to watch them:

  • Hide System Process Files: Hide all files opened by 'System' process.
  • Hide Svchost Files: Hide all files opened by svchost process.
Choosing the above 2 option can decrease the size of opened files list by dozens of items, and allow you to only watch the opened files of non-system applications. These options are available starting from version 1.25 of OpenedFilesView.