Archive for December, 2012

Recently, I have received multiple reports from users of Internet Explorer 10 ( On Windows 8 ) saying that my history/cache utilities fail to work with IE10, and they are right…
As opposed to all previous versions of Internet Explorer that used the same file structure to store the history/cache/cookies information, IE10 uses a completely new file structure. Instead of the old index.dat file, IE10 stores all cache/history information inside a single Jet Blue database (Also known as ESE database or .edb file). This database file is WebCacheV24.dat, and it’s located under C:\Users\[User Profile]\AppData\Local\Microsoft\Windows\WebCache folder

I have already developed the code to read this file in order to update my tools for Internet Explorer 10, but there is still one major problem with this file: While Internet Explorer is opened, and also a few minutes after it’s closed, this file is completely locked, and other software (like my tools) cannot open it. There is one solution to bypass this database locking problem – by copying the database into another location using ‘Volume Shadow Copy’ service and then reading the copy of the database.

Reading the locked database using the ‘Volume Shadow Copy’ method has a few drawbacks:

  1. This process and quite slow and aggressive.
  2. It works only with full admin rights.
  3. On 64-bit systems, only 64-bit application can use this service.
  4. The copied locked database doesn’t contain the latest browsing history. The latest history/cache is written to the database a few minutes after closing the IE10 Web browser, when the file is unlocked.

Generally, I prefer to avoid from using this ‘Volume Shadow Copy’ method and find a better way to read the locked database of IE10. For now, I updated only one tool, BrowsingHistoryView, for reading the browsing history of IE10. There is also an option to read the history when the database file is locked (using Volume Shadow Copy), but it’s active only when running BrowsingHistoryView.exe with /UseVolumeShadowCopy command-line parameter:

BrowsingHistoryView.exe /UseVolumeShadowCopy

If you have a system with Internet Explorer 10, you’re welcomed to try it and see if it’s reasonable to use this ‘Volume Shadow Copy’ method regularly. Remember that you have to execute BrowsingHistoryView as administrator, otherwise, it won’t be able to read the history file while it’s locked.

A few utilities of NirSoft, including CurrPorts, SmartSniff, NetworkTrafficView, and CountryTraceRoute (which has been released just a few weeks ago) now supports the free IP geolocation database of MaxMind, in addition to the support of IP to country database.

The database of MaxMind is larger than the database of, and for some of the IP addresses, city information is also provided.

In order to start using the MaxMind database with the NirSoft utilities specified above, simply go to this Web page, download the GeoLite City database in binary/gzip format (The filename is GeoLiteCity.dat.gz), and then put this file in the same folder where the .exe files of NirSoft utilities are located.
When you run a utility that supports this database, it automatically loads the database and uses it to display the country/city information for every IP address.

CurrPorts with the GeoLite City database

CurrPorts with the GeoLite City database