Archive for the ‘NirSoft Tips’ Category

A few words about the cache / history on Internet Explorer 10

Saturday, December 8th, 2012

Recently, I have received multiple reports from users of Internet Explorer 10 (on Windows 8) saying that my history/cache utilities fail to work with IE10, and they are right...
As opposed to all previous versions of Internet Explorer, which used the same file structure to store the history/cache/cookies information, IE10 uses a completely new file structure. Instead of the old index.dat file, IE10 stores all cache/history information inside a single Jet Blue database (also known as an ESE database or .edb file). This database file is WebCacheV24.dat, and it's located under the C:\Users\[User Profile]\AppData\Local\Microsoft\Windows\WebCache folder.

I have already developed the code to read this file in order to update my tools for Internet Explorer 10, but there is still one major problem with this file: While Internet Explorer is open, and also for a few minutes after it's closed, this file is completely locked, and other software (like my tools) cannot open it. There is one solution to bypass this database locking problem - by copying the database into another location using the 'Volume Shadow Copy' service and then reading the copy of the database.

Reading the locked database using the 'Volume Shadow Copy' method has a few drawbacks:

  1. This process is quite slow and aggressive.
  2. It works only with full admin rights.
  3. On 64-bit systems, only a 64-bit application can use this service.
  4. The copied locked database doesn't contain the latest browsing history. The latest history/cache is written to the database a few minutes after closing the IE10 Web browser, when the file is unlocked.

Generally, I prefer to avoid using this 'Volume Shadow Copy' method and find a better way to read the locked database of IE10. For now, I updated only one tool, BrowsingHistoryView, for reading the browsing history of IE10. There is also an option to read the history when the database file is locked (using Volume Shadow Copy), but it's active only when running BrowsingHistoryView.exe with the /UseVolumeShadowCopy command-line parameter:

BrowsingHistoryView.exe /UseVolumeShadowCopy

If you have a system with Internet Explorer 10, you're welcome to try it and see if it's reasonable to use this 'Volume Shadow Copy' method regularly. Remember that you have to execute BrowsingHistoryView as administrator, otherwise it won't be able to read the history file while it's locked.
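
As an added example (not NirSoft's code and not part of the original post), the Python code below reads the header of a copied WebCacheV24.dat and reports the ESE database state, which shows whether the copy came from a database that was not cleanly closed and may therefore lack the most recent records, as drawback 4 describes. The header offsets follow publicly documented ESE layouts and are assumptions here; the sample header is constructed.

```python
import struct

# Offsets follow publicly documented ESE header layouts (assumption, not
# taken from the post): signature at 4, format version at 8, state at 52.
ESE_SIGNATURE = 0x89ABCDEF
HEADER_MIN = 56
DB_STATES = {
    1: "JustCreated",
    2: "DirtyShutdown",   # closed without a flush, or copied while in use
    3: "CleanShutdown",
    4: "BeingConverted",
    5: "ForceDetach",
}


def parse_ese_header(data: bytes) -> dict:
    """Return signature-checked fields from the first bytes of an ESE file."""
    if len(data) < HEADER_MIN:
        raise ValueError("file too short to hold an ESE header")
    _checksum, signature, version, file_type = struct.unpack_from("<4I", data, 0)
    if signature != ESE_SIGNATURE:
        raise ValueError("signature mismatch: not an ESE database")
    (state,) = struct.unpack_from("<I", data, 52)
    return {
        "format_version": hex(version),
        "file_type": "database" if file_type == 0 else "streaming",
        "state": DB_STATES.get(state, f"unknown({state})"),
    }


def copy_may_be_stale(data: bytes) -> bool:
    """True when the copy was not cleanly shut down, so recent writes may be missing."""
    return parse_ese_header(data)["state"] != "CleanShutdown"


def read_header(path: str) -> dict:
    """Parse the header of a copied database file (not the live, locked one)."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(HEADER_MIN))


def build_sample_header(state: int) -> bytes:
    """Constructed test input: a zeroed header with only the parsed fields set."""
    hdr = bytearray(HEADER_MIN)
    struct.pack_into("<4I", hdr, 0, 0, ESE_SIGNATURE, 0x620, 0)
    struct.pack_into("<I", hdr, 52, state)
    return bytes(hdr)


if __name__ == "__main__":
    for st in (2, 3):
        print(parse_ese_header(build_sample_header(st)))
```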

Download RTMP video/audio streams with combination of RTMPDumpHelper and RTMPDump toolkit

Sunday, June 10th, 2012

RTMPDump toolkit is a quite impressive open source project that allows you to download RTMP video/audio streams. However, using this tool under Windows operating system is not very easy.

My new utility, RTMPDumpHelper, is exactly what you need in order to easily download RTMP streams with the RTMPDump toolkit under the Windows operating system. By combining this utility and the proxy server of the RTMPDump toolkit, you can simply open a Web page containing an RTMP video stream in your favorite Web browser, and while watching the video, it'll be saved to your disk automatically as a .flv or .mp4 file.

RTMPDumpHelper and RTMPDump toolkit

You can download my new RTMPDumpHelper utility from this Web page.

The RTMPDump toolkit is available to download from this Web page.

How to Recover a lost password of your Gmail account

Wednesday, June 8th, 2011

If you can't remember the login password of your Gmail account, there is still a chance that you can easily recover your lost password, as long as the password is stored in your computer by the email software or by the Web browser that you use.

There are 2 freeware utilities that can help you to recover your lost Gmail password: Mail PassView to recover the password from popular email clients, like Outlook and Windows Live Mail, and WebBrowserPassView, to recover the password from your Web Browser.

Here's some information about how to use these 2 utilities to recover your lost Gmail password:

  • Mail PassView: If you use a popular email software to receive and send messages on your Gmail account, like Outlook, Outlook Express, Windows Live Mail, or Thunderbird - You can use this utility to recover your Gmail password, assuming that you allowed your email software to save the password.
    In order to use this utility to recover your password, download Mail PassView directly from this link.
    After you download it, open the zip file and run the mailpv.exe executable. Be aware that because this utility can extract passwords from your system, your Antivirus software may display an alert and even block you from running this .exe file.

    After running Mail PassView, the main window displays the details of all email accounts found in your system. In order to find the password of your Gmail account, you should locate the record where the value of the server column is pop.gmail.com or imap.gmail.com

    If you located the correct gmail record, you should see the Gmail password that you need under the Password column, as demonstrated in the following sample screenshot:

    Recover lost Gmail password with Mail PassView

  • WebBrowserPassView: If you use a Web browser (Internet Explorer, Firefox, Opera, or Google Chrome) to log in to your Gmail account, this utility can help you to recover your lost Gmail password, assuming that you chose to remember this password.
    In order to use this utility to recover your password, you can download it directly from this link. After you download it, open the zip file and run the WebBrowserPassView.exe executable. Be aware that because this utility can extract passwords from your system, your Antivirus software may display an alert and even block you from running this .exe file. After running WebBrowserPassView, the main window displays the list of all passwords stored by your Web browsers.
    In order to find the password of your Gmail account, you should locate the record where the URL column is https://www.google.com/accounts/servicelogin

    If you located the correct record, you should see the Gmail password that you need under the password column, as demonstrated in the following sample screenshot:

    Recover lost Gmail password with WebBrowserPassView

How to Recover a lost password of your facebook account

Wednesday, June 8th, 2011

If you can't remember the login password of your facebook account, there is still a chance that you can easily recover your lost password, as long as the password is stored in your computer by the Web browser you use.

You can try to recover your facebook password by using the WebBrowserPassView utility. This utility can recover the password from 4 different Web browsers - Internet Explorer, Firefox, Opera and Google Chrome. You can download this utility directly from this link.

After you download it, open the zip file and run the WebBrowserPassView.exe executable. Be aware that because this utility can extract passwords from your system, your Antivirus software may display an alert and even block you from running this .exe file.

After running WebBrowserPassView, the main window will display all the passwords stored by your Web browser. In order to find your facebook password, you have to locate the record line where the URL is http://www.facebook.com or http://www.facebook.com/login.php
If you located the correct facebook record, the password that you need will be found under the 'Password' column, as you can see in the following sample screenshot:

Recover Facebook Password

If you can't find any record with facebook link, your facebook password is probably not stored by your Web browser. Also, be aware that WebBrowserPassView cannot locate your password if it's protected by a master password, or if it's stored by a Web browser other than Firefox/IE/Opera/Chrome.

How to capture data and passwords of unsecured wireless networks with SniffPass and SmartSniff

Monday, November 8th, 2010

A few months ago, I released a new version of both SmartSniff and SniffPass with support for using them with Microsoft Network Monitor 3.x

In the release details, I also specified that 'Wifi Monitor Mode' button was added for using 'Monitor Mode' under Windows Vista/7/2008, but without giving extensive explanation about how to use this feature. So in this blog post, I'll add more details about this 'Wifi Monitor Mode' and how to use it on SmartSniff and SniffPass.

When a wireless network card enters 'Monitor Mode', it listens to the specific channel that you choose and captures all the packets that are sent by wireless networks in your area on that channel. If the wireless network that sent the packet is unsecured, SmartSniff and SniffPass will be able to show you the packet data.

Before I explain how to use this mode, here are the system requirements for using 'Monitor Mode':

  1. Unfortunately, this mode is only supported on Windows Vista, Windows 7, and Windows Server 2008. Windows XP is not supported.
  2. Both the network card and the device driver must support this mode. I currently don't have a list of network cards that support this mode under Windows. However, if you manage to get your card into monitor mode, it'll be nice if you post your card model as a comment to this Blog post.
    Also, be aware that according to Microsoft, some Wifi drivers may cause a system crash when entering into monitor mode.

Finally, here are the instructions for using 'Wifi Monitor Mode' with SmartSniff and SniffPass:

  1. First, download and install the latest version of Microsoft Network Monitor 3.x if it's not already installed on your system.
  2. Run SmartSniff if you want to capture general TCP data or SniffPass if  you only want to capture passwords. Be aware that SniffPass can only capture passwords that are not encrypted. Most Web sites and services of large companies use SSL to encrypt the passwords, and thus SniffPass cannot capture them.
  3. Go to the 'Capture Options' window (F9), choose  'Network Monitor Driver 3.x' as a capture method, and then click the 'Wifi Monitor Mode' button.
  4. In the opened 'Wifi Scanning Options' window, choose the right wireless card (in most cases you should have only one) and then check the 'Switch to Monitor Mode' option.
  5. You can now select to scan a single channel or to switch between multiple channels every x milliseconds.  After you selected the desired channels, click the Apply button.

    Wifi Scanning Options

  6. The most important thing: Leave this window open!
    When you close this window, the network card will exit from monitor mode and return to its normal state.
  7. In the 'Capture Options' window of SmartSniff/SniffPass, select the right wireless card and then press the 'Ok' button.
  8. Finally, press F5 to start the capture. If you have any active unsecured networks in your area, you'll be able to see the captured data.
  9. After you finish, close the 'Wifi Scanning Options' window, so your wireless card will return to normal.

The information in this article is provided for educational purposes only and for making people aware of the risks of using unsecured wireless networks. It's not intended to be used for any illegal activity.

How to use SmartSniff to view general TCP connections activity

Monday, September 20th, 2010

SmartSniff is a TCP/IP sniffer utility that allows you to capture TCP/IP packets on your network adapter, and view the captured data as a sequence of conversations between clients and servers. By making some changes in the 'Advanced Options' window, you can use SmartSniff as an alternative to the CurrPorts utility, and only view the general TCP connections activity on your network adapter, without capturing the data. SmartSniff shows some information that is not available in the CurrPorts utility, including the number of packets, total transferred data, and current data speed in KB/Sec.

Here's how to configure SmartSniff to only show general TCP connections activity:

  1. Open the 'Advanced Options' window (Ctrl+O).
  2. Select the 'Only Display TCP/IP statistics' option, so SmartSniff won't create a large capture file.
  3. Select the 'Retrieve process information' option, so SmartSniff will display the process of every connection, like CurrPorts utility.
  4. Select the 'Display only active connections' option, so SmartSniff will automatically remove all closed connections from the list.
  5. Click the  'Ok' button in the  'Advanced Options' window. In the main window, Select the 'Hide Lower Pane' option under the Options menu. The lower pane is not needed when you don't capture the TCP data.
  6. Start capture (F5) and watch the  TCP connections activity.

How to configure Windows to create MiniDump files on BSOD

Tuesday, July 27th, 2010

The BlueScreenView utility allows you to view the blue screen crashes that occurred in your system by reading and analyzing the MiniDump files created on every crash by the operating system. The MiniDump files are usually created under C:\WINDOWS\Minidump, unless the path was modified in the system failure settings of Windows.

In most systems, Windows is already configured to create these MiniDump files as the default system failure configuration.

However, if for some reason MiniDump files are not created in your system during a blue screen crash, you should follow the instructions below in order to configure Windows to create them.

For Windows XP:

  1. Right-click on the  'My Computer' icon and choose 'Properties'. Alternatively, you can also go to Control Panel and open the 'System' applet.
  2. In the opened window, click the 'Advanced' tab and then inside the 'Startup And Recovery' frame, click the 'Settings' button.

    System Properties Window

  3. In the opened 'Startup And Recovery' window, there is a 'Write Debugging Information' section. You should set the combo-box in this section to 'Small memory dump', and then click 'ok' to confirm the change.

    Startup And Recovery

For Windows 7:

  1. Go to the Control Panel, choose 'System And Security', and then click 'System', and then click the 'Advanced System Settings' link.
  2. In the opened window, click the 'Advanced' tab and then inside the 'Startup And Recovery' frame, click the 'Settings' button.
  3. In the opened 'Startup And Recovery' window, there is a 'Write Debugging Information' section. You should set the combo-box in this section to 'Small memory dump', and then click 'ok' to confirm the change.

You can also make this MiniDump change in the Registry, by setting the following value:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled"=dword:00000003

However, be aware that this Registry change affects the system only after reboot.

Creating current temperature map with MetarWeather and Google Earth

Wednesday, June 23rd, 2010

The latest release of MetarWeather utility allows you to watch the current  temperature around the world on the maps of Google Earth.

In order to use this feature:

  1. Download the latest METAR reports data file from  METAR Data Access Web site.
  2. Open the downloaded METAR file with MetarWeather (Ctrl+F) and wait until the METAR reports are loaded and displayed in the main window.
  3. Select all (Ctrl+A) the lines and choose the 'Save As' option (Ctrl+S)
  4. In the save dialog-box, choose 'KML File - Temperature for Google Earth' as a file type and save the .kml filename
  5. Finally, from Google Earth, open the created .KML file.

The result should look like the following map:

Google Earth Temperature Map

How to recover lost ADSL password or other ISP password

Monday, June 14th, 2010

If you forgot or lost the password that you use to connect to the Internet (with ADSL, cable, or another ISP account), you still have a chance to recover it, if this password is stored in your Windows operating system or in your router.

Here's a list of 4 methods to recover your ADSL/ISP password:

  1. If you use the Windows operating system to connect to the Internet (with PPTP, L2TP, or PPPoE), you can use the Dialupass utility to recover your ISP password. When you run this utility, it can instantly recover your password, as long as the password is stored by Windows.
  2. If you got an email account from your Internet service provider, and the same password is used for both the email account and the Internet connection, you can try to use the Mail PassView utility to recover your ISP password. If this password is stored by popular email software, like Outlook, Outlook Express, or Windows Live Mail, Mail PassView will be able to recover it.
  3. If you use a router to connect to the Internet, you can try to use the RouterPassView utility to recover the password from the configuration file of your router.
    In order to use this utility, you have to log on to your router, go to the backup/restore section, and choose to back up the router configuration into a file. After that, open the created configuration file with the RouterPassView utility. If the config file of your router is supported, your password will be recovered instantly.
  4. If you use a router to connect to the Internet, you can also try to use the AsterWin IE utility. This utility is quite old and was written many years ago in Visual Basic 6, but it still works with the latest version of Internet Explorer. In order to use this tool to recover the ISP password from your router, you should log on to your router, and then go to the router page that contains the ISP or ADSL logon details. After that, run the AsterWin IE utility and click the 'Show Internet Explorer Passwords' window. This trick will not work for all routers, because some routers deliberately block this recovery option, for security reasons.

How to connect a remote Windows 7/Vista/XP computer with NirSoft utilities

Thursday, October 22nd, 2009

Some NirSoft utilities like ServiWin, ProduKey, USBDeview, MyEventViewer, RegScanner, NirCmd, and DevManView (a new device manager utility that will be released soon) allow you to connect to a remote computer on your network and get the same result as when you use them on the local computer. In order to use this remote computer feature, you must have full administrator access to the remote computer.

Even if you have the admin user name and password of the remote machine that you wish to connect to, you still have to configure it properly in order to get full administrator access.
If you have a network with a domain controller, and you are the administrator of this domain, your life is a little easier, because some of the configuration changes required to get admin access remotely are made by Windows automatically when the computer joins the domain.

Here's a list of security configuration changes that you have to make on the remote machine, in order to get administrator access remotely:

1. Configure your Firewall. Depending on the firewall that you use on the remote computer, you may need to change the firewall configuration in order to be able to connect to the computer.
If you use the Windows firewall, you should go to the 'Allow Programs'/Exceptions section and verify that the 'File And Printer Sharing' option is checked.

Enable 'File And Printer Sharing' in Windows Firewall

If you have another Firewall that filters the traffic by port numbers, you should configure it to accept incoming TCP/UDP packets with ports 135-139.
Warning: On the router that connects you to the Internet, you must verify that it's not configured to forward ports 135-139 from the Internet into your machine. If the router is configured this way, your computer is at high risk of being penetrated by hackers and Trojans.

2. Change network security and sharing mode to classic:  On Windows XP, the default network sharing mode is 'Guest Only', which means that even if you log-on remotely as admin user, you'll only get the access rights of regular user. In order to change this mode, go to the 'Local Security Settings' in Administrative Tools of Control Panel, and under Local Policies->Security Options, find the option of 'Network and security model for local accounts' and change it to classic mode.

Sharing and security model

Alternatively, you can change the following Registry value to get the same effect:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"forceguest"=dword:00000000

3.  Turn off the Remote User Account Control in Windows Vista and Windows 7:
By default, the User Account Control component of Windows 7/Vista doesn't allow you to get administrator access on a remote machine. In order to turn off this restriction, you should set the following Registry value:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001

For more information about this Registry value, read here.

4. Starting the 'Remote Registry' service. Some NirSoft utilities, like ProduKey and USBDeview, get the data from the remote machine by reading it from the Registry database. On Windows 7/Vista, the 'Remote Registry' service is not started automatically by default, so you have to start it in order to allow these utilities to work on the remote machine.
You can start this service by using the Services module in Administrative Tools of Windows or by using the ServiWin utility of NirSoft.

Remote Registry Service

5. Connecting to the remote machine. After making the above changes, you should be able to connect to the remote machine and get full admin rights.
You can connect to the remote machine by typing the path of an admin share in the 'Run' text-box of Windows, for example:
\\192.168.0.11\c$
\\192.168.0.12\admin$
\\MyComp01\admin$

After a few seconds, Windows will ask you to type the user name and password for connecting to the remote machine.

Connect the admin share of remote computer

You can also connect to the machine by using the 'Net Use' command, for example:
net use \\192.168.0.15 "MyPassword" /user:"MyPC\admin"

After connecting to the remote machine, you'll also be able to connect to it with all NirSoft utilities that have the remote computer feature.
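
Steps 2 and 3 above relax restrictions that Windows applies to remote logons with local accounts, so it is useful to know which machines still carry them once the remote work is done. The Python code below is an added example (not NirSoft's code and not part of the original post): it parses the text of a .reg export and reports whether the two values named in this post are set to the relaxed setting. The function names and the two sample exports are constructed for illustration.

```python
import re

# (lower-cased key path, lower-cased value name) -> (relaxed dword, meaning).
# Both values and their data come from steps 2 and 3 of this post.
RELAXED = {
    (r"hkey_local_machine\system\currentcontrolset\control\lsa", "forceguest"):
        (0, "classic sharing model: remote users authenticate as themselves"),
    (r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system",
     "localaccounttokenfilterpolicy"):
        (1, "remote UAC restriction is off for local administrator accounts"),
}

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')


def parse_reg_dwords(text: str) -> dict:
    """Map (key, value name) -> int for every dword value in .reg text.

    Registry paths and names are case-insensitive, so both are lower-cased.
    """
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            key = section.group("key").lower()
            continue
        dword = DWORD.match(line)
        if dword and key is not None:
            values[(key, dword.group("name").lower())] = int(dword.group("hex"), 16)
    return values


def audit(text: str) -> list:
    """Return one finding per relaxed setting; an absent value counts as default."""
    values = parse_reg_dwords(text)
    return [
        f"{name}={relaxed}: {meaning}"
        for (key, name), (relaxed, meaning) in RELAXED.items()
        if values.get((key, name)) == relaxed
    ]


# Constructed sample exports (not taken from a real machine).
SAMPLE_RELAXED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"forceguest"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"LocalAccountTokenFilterPolicy"=dword:00000001
"""

SAMPLE_DEFAULT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"forceguest"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"""

if __name__ == "__main__":
    # Files written by "reg export" are UTF-16; open them with encoding="utf-16".
    for label, sample in (("relaxed", SAMPLE_RELAXED), ("default", SAMPLE_DEFAULT)):
        print(label, audit(sample))
```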