NirBlog

The new version of WebBrowserPassView utility (v1.40) has the ability to extract the passwords stored by Internet Explorer 10.0
You might think that I added only one feature for this new release, but I actually added 2 features: one for supporting Internet Explorer 10.0 on Windows 8 and the other to support Internet Explorer 10.0 on Windows 7.

That’s because IE10 stores the passwords in completely 2 different ways. On Windows 7, it still stores the passwords like the previous versions of IE, under the following Registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
The passwords under this Registry key are encrypted with the URL string and thus  WebBrowserPassView needs to scan the browsing history of IE to decrypt these passwords. Due to the changes on IE10, WebBrowserPassView failed to read the IE history and thus it also failed to get the passwords. The new version of WebBrowserPassView reads the history of IE10 properly and thus the password decryption process also works properly.

On IE10 under Windows 8 it’s a completely different story: The passwords are now stored inside the ‘Windows Vault’, located in the file system under C:\Users\[User Name]\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
WebBrowserPassView extracts these passwords by using the undocumented Credential Vault Client Library  (vaultcli.dll)

The support for IE10 passwords is also added to the Password Security Scanner tool, and soon it’ll also be added to the IE PassView utility.

A few months ago, I released a new version of BrowsingHistoryView that extracted the history of Internet Explorer 10 from the locked WebCacheV01.dat (or WebCacheV24.dat) database file by using the ‘Volume Shadow Copy’ service.
The previous solution was not very successful, because it required full admin rights, it was very slow, and it also tend to fail on some systems.

The new version of BrowsingHistoryView (v1.30) provides much better solution to read the locked database of IE10. It locates the process that maintains the opened file, duplicates the file handle, and then uses the duplicated handle to copy the content of the locked database to into a temporary file. BrowsingHistoryView reads the history from the created temporary file and then deletes the temporary file.

So far, in all my tests, this method works very smoothly and it doesn’t require to run BrowsingHistoryView as admin.

If you have Internet Explorer 10, you are welcomed to download and test the new version of BrowsingHistoryView from this Web page.

TcpLogView is a new utility that monitors the opened TCP connections on your system, and adds a new log line every time that a TCP connection is opened or closed. For every log line, the following information is displayed: Even Time, Event Type (Open, Close, Listen), Local Address, Remote Address, Remote Host Name, Local Port, Remote Port, Process ID, Process Name, and the country information of the Remote IP (Requires to download IP to country file separately.)

Be aware that TcpLogView creates the TCP log by taking a snapshot of currently open TCP connections, and comparing it to the previous snapshot, so if a TCP connection is opened for a very short time, then TcpLogView will not be able to capture it.

TcpLogView

You can download TcpLogView from this Web page.

NetConnectChoose is a new utility that allows you to easily choose the default Internet connection that will be used by all Internet applications, when you have more than a single Internet connection on the same time. (Each connection on different network adapter)
It also displays extensive information about every active network/Internet connection, including network adapter name, MAC Address, Name Servers, MTU, Interface Speed, current incoming/outgoing data speed, number of received/sent packets, received/sent bytes, and more…

NetConnectChoose

You can download this new utility from this Web page.

JumpListsView is a new utility that displays the information stored by the ‘Jump Lists’ feature of Windows 7 and Windows 8. For every record found in the Jump Lists, the following information is displayed: The filename that the user opened, the date/time of the file opening event, the ID of the application that was used to open the file, the size/time/attributes of the file on the time that the file was opened, and more…

JumpListsView

You can download this new utility from this Web page.

NetworkInterfacesView is a new utility for Windows that displays the list of all network adapters/interfaces installed on your system. It displays network interfaces that are currently active, as well as network interfaces that have been installed previously, and now they are not connected (like USB wireless network adapters).
For every network interface found on your system, the following information is displayed (if it’s stored in the Registry): Device Name, Connection Name, IP Address, Subnet Mask, Default Gateway, DHCP Server, Status, MAC Address and more…
You can select one or more network interface items and then export them to xml/html/csv/tab-delimited file, or copy them into the clipboard and then paste them into Excel or other spreadsheet application.

NetworkInterfacesView

You can download NetworkInterfacesView from this Web page.

ESEDatabaseView is a new utility that reads and displays the data stored inside Extensible Storage Engine (ESE) database (Also known as ‘Jet Blue’ or .edb file). It displays a list of all tables available in the opened database file, allows you to choose the desired table to view, and then when you choose a table, it displays all records found in the selected table. ESEDatabaseView also allows you to easily choose one or more records, and then export them into comma-delimited/tab-delimited/html/xml file, or copy the records to the clipboard (Ctrl+C) and then paste them into Excel or other spreadsheet application.

Be aware that currently ESEDatabaseView is somewhat a Beta version and thus it might fail to read field values with complex data structure.

ESEDatabaseView is available to download from this Web page.

ESEDatabaseView

Recently, I have received multiple reports from users of Internet Explorer 10 ( On Windows 8 ) saying that my history/cache utilities fail to work with IE10, and they are right…
As opposed to all previous versions of Internet Explorer that used the same file structure to store the history/cache/cookies information, IE10 uses a completely new file structure. Instead of the old index.dat file, IE10 stores all cache/history information inside a single Jet Blue database (Also known as ESE database or .edb file). This database file is WebCacheV24.dat, and it’s located under C:\Users\[User Profile]\AppData\Local\Microsoft\Windows\WebCache folder

I have already developed the code to read this file in order to update my tools for Internet Explorer 10, but there is still one major problem with this file: While Internet Explorer is opened, and also a few minutes after it’s closed, this file is completely locked, and other software (like my tools) cannot open it. There is one solution to bypass this database locking problem – by copying the database into another location using ‘Volume Shadow Copy’ service and then reading the copy of the database.

Reading the locked database using the ‘Volume Shadow Copy’ method has a few drawbacks:

1. This process and quite slow and aggressive.
2. It works only with full admin rights.
3. On 64-bit systems, only 64-bit application can use this service.
4. The copied locked database doesn’t contain the latest browsing history. The latest history/cache is written to the database a few minutes after closing the IE10 Web browser, when the file is unlocked.

Generally, I prefer to avoid from using this ‘Volume Shadow Copy’ method and find a better way to read the locked database of IE10. For now, I updated only one tool, BrowsingHistoryView, for reading the browsing history of IE10. There is also an option to read the history when the database file is locked (using Volume Shadow Copy), but it’s active only when running BrowsingHistoryView.exe with /UseVolumeShadowCopy command-line parameter:

BrowsingHistoryView.exe /UseVolumeShadowCopy

If you have a system with Internet Explorer 10, you’re welcomed to try it and see if it’s reasonable to use this ‘Volume Shadow Copy’ method regularly. Remember that you have to execute BrowsingHistoryView as administrator, otherwise, it won’t be able to read the history file while it’s locked.

A few utilities of NirSoft, including CurrPorts, SmartSniff, NetworkTrafficView, and CountryTraceRoute (which has been released just a few weeks ago) now supports the free IP geolocation database of MaxMind, in addition to the support of software77.net IP to country database.

The database of MaxMind is larger than the database of software77.net, and for some of the IP addresses, city information is also provided.

In order to start using the MaxMind database with the NirSoft utilities specified above, simply go to this Web page, download the GeoLite City database in binary/gzip format (The filename is GeoLiteCity.dat.gz), and then put this file in the same folder where the .exe files of NirSoft utilities are located.
When you run a utility that supports this database, it automatically loads the database and uses it to display the country/city information for every IP address.

CurrPorts with the GeoLite City database

LastActivityView is a new utility for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer. The activity displayed by LastActivityView includes: Running .exe file, Opening open/save dialog-box, Opening file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more…

LastActivityView

You can download this new utility from this Web page.