New tool that decrypts Windows Vault passwords

September 24th, 2016

VaultPasswordView is a new tool for Windows 10/8/7 that decrypts and displays the passwords and other data stored inside 'Windows Vault'. You can use it to decrypt the Windows Vault data of your currently running system, as well as the Windows Vault data stored on external hard drive.  This tool is useful especially for Windows 8 and Windows 10, because the passwords and other security information of Windows Mail , Internet Explorer 10.0/11.0, and Microsoft Edge Web browser are stored inside Windows vault.

Be aware that in order to decrypt the Windows Vault data you have to know the login password and type it in the 'Vault Decryption Options' window.

VaultPasswordView

VaultPasswordView

You can download the VaultPasswordView from this Web page.

 

New event log utilities for Windows 10/8/7/Vista

September 12th, 2016

FullEventLogView is a new utility for Windows 10/8/7/Vista that displays in a table the details of all events from the event logs of Windows, including the event description. It allows you to view the events of your local computer, events of a remote computer on your network, and events stored in .evtx files. It also allows you to export the events list to text/csv/tab-delimited/html/xml file from the GUI and from command-line. FullEventLogView is a replacement for the old MyEventViewer utility which uses old programming interface and thus it doesn't show all new event log added starting from Windows Vista.

FullEventLogView

FullEventLogView

You can download the new FullEventLogView from this Web page.

 

EventLogChannelsView is a new utility for Windows 10/8/7/Vista that shows the list of all event log channels on your system, including the channel name, event log filename, enabled/disabled status, current number of events in the channel, size of the event log file, and more...  It also allows you to easily make some actions on multiple channels at once: enable/disable channels, set their maximum file size, and clear all events stored in the channels.

EventLogChannelsView

EventLogChannelsView

You can download the new EventLogChannelsView from this Web page.

Recovering previous/old passwords using NirSoft password recovery tools and shadow copies of Windows.

August 24th, 2016

In the last few weeks, I added support for recovering passwords from external hard drive contains the most recent versions of Windows (Windows 10, Windows 8, Windows 7) for some of the NirSoft Password-Recovery tools, including IE PassView, ChromePass, Network Password Recovery, and WirelessKeyView.
Until now there was only support for reading external drive passwords of Windows XP or Windows Vista and I had to do a very intensive reverse engineering in order to upgrade my DPAPI decryption code to work with Windows 7 and newer systems.
In addition to the upgrade of existing tools, there are also a few new utilities in development process that are specifically designed to extract passwords from external hard drive.

The combination of external drive support and the shadow copies of Windows also allows you to recover old passwords from a few weeks ago instead of the current passwords stored on your system.

Here's an example for using the external drive support to recover previous passwords stored in your system:

First... You have to run the  ShadowCopyView utility to check the current shadow copies you have on your system.
If the main window of ShadowCopyView is empty, it means that there are no shadow copies and thus you cannot recover old passwords stored in your system.

In the following sample screenshot, you can see that there is a single shadow copy and its path is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

 

 

Now... Lets say that you accidentally deleted the passwords stored by Internet Explorer and now you want to recover them, so in IE PassView tool you should go to the 'Advanced Options' window (F8) and , choose the 'Load the passwords from the following user profile' option,  and then type the shadow copy path of your user profile.

For example, if your user profile is stored in c:\users\nirsoft64 and the shadow copy path is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 then the correct path that you have to type is  \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\users\nirsoft64 :

 

 

You also have to type the logon password of this user profile, because the logon password is needed to decrypt the passwords.
Assuming that you type the correct user profile path and logon password, IE PassView will decrypt the passwords stored by IE in the date that the shadow copy was created.
You can also use the same technique with the other tools that have external drive support (ChromePass, Network Password Recovery, WirelessKeyView, Dialpass )

Be aware that like any password-recovery tool, these tools trigger warnings and alerts in many Antivirus programs and your Antivirus software, firewall, or even your Web browser may block you from downloading them.

 

 

Find and recover deleted files and previous versions of existing files from Windows shadow copies

July 14th, 2016

PreviousFilesRecovery is a new tool for Windows 10/8/7/Vista that allows you to scan the shadow copies of your local hard drive and find deleted files as well as older versions of existing files. For every file found in a shadow copy, PreviousFilesRecovery displays the following information: filename, folder, the current modified time and size of the file comparing to the modified time and file size inside the shadow copy,  shadow copy name, and the date/time that the shadow copy was created.

If the file you need is found in the shadow copies of Windows, you can easily recover it by copying it into existing folder on your drive.

PreviousFilesRecovery

PreviousFilesRecovery

You can download this new tool from this Web page.

New tool that displays shadow copies on your system

June 27th, 2016

ShadowCopyView is new tool for Windows 10/8/7/Vista that lists the snapshots of your hard drive created by the 'Volume Shadow Copy' service of Windows. Every snapshot contains an older versions of your files and folders from the date that the snapshot was created, you can browse the older version of your files and folders, and optionally copy them into a folder on your disk.
In addition to ShadowCopyView, another tool that searches old and deleted files inside shadow copies will be released soon.

ShadowCopyView

ShadowCopyView

You can download this new tool from this Web page.

New utility to easily start a wifi hotspot on Windows 10/8/7

April 4th, 2016

HostedNetworkStarter is a new utility for Windows 7 and later that allows you to easily create a wifi hotspot with your wireless network adapter, using the Wifi hosted network feature of Windows operating system. With the wifi hotspot created by this tool, you can allow any device with wifi support to access the network and the Internet connection available in your computer.

HostedNetworkStarter

HostedNetworkStarter

 

You can download this new utility from this Web page.

 

 

New utility that displays the details of all Web browser addons/plugins installed in your system

February 29th, 2016

BrowserAddonsView is a new tool for Windows that displays the details of all Web browser addons/plugins installed in your system. BrowserAddonsView can scan and detect the addons of most popular Web browsers: Chrome, Firefox, and Internet Explorer. For Chrome and Firefox, BrowserAddonsView detects and scans all Web browser profiles if there are multiple profiles.

BrowserAddonsView

BrowserAddonsView

You can download this new tool from this Web page.

 

New tool that lists all files opened by other computers on your network

February 6th, 2016

NetworkOpenedFiles is a new tool for Windows that displays the list of all files that are currently opened by other computers on your network. For every opened filename, the following information is displayed: Filename, user name, computer name (On Windows 7/2008 or later), Permissions information (Read/Write/Create), locks count, file owner, file size, file attributes, and more...

NetworkOpenedFiles

NetworkOpenedFiles

 

You can download this new tool from this Web page.

 

New tool that shows the history of connections to wireless networks on your computer

January 9th, 2016

WifiHistoryView is a new tool for Windows 10/8/7/Vista that displays the history of connections to wireless networks on your computer. For every event that the computer connected to a wireless network or disconnected from it, the following information is displayed: The date/time that the event occurred, network name (SSID), profile name, network adapter name, BSSID of the router/Access Point, and more...
WifiHistoryView can read the wifi history information from a running system or from external event log file of another computer.

WifiHistoryView

WifiHistoryView

 

You can download this new tool from this Web page.

 

New utility that displays the details of all MMC snap-ins installed on your system

December 1st, 2015

MMCSnapInsView is a new tool for Windows that displays the details of all MMC snap-ins installed on your system, including name, description, CLSID, dll file, product name, company name, file version, and more...
You can also select multiple MMC snap-ins and then open them in the MMC application.

MMCSnapInsView

MMCSnapInsView

You can download this new tool from this Web page.