Archive for October, 2008

Here’s a small summary of latest changes in NirSoft utilities:

  • MozillaCacheView and OperaCacheView: New option in ‘Copy Selected Files To…’: Save the files in the directory structure of the Web site.
  • USBDeview: Added new option – Open In RegEdit.
  • ShellExView: New restriction – ShellExView won’t allow you to disable at once more than 15 shell extensions created by Microsoft.
  • PasswordFox: Added support for specifying the master password (in the ‘Select Folders’ dialog-box or from command-line).
  • SiteShoter: Added new option: ‘Take a screenshot of this Web page every…’

There are 5 new utilities that are currently cooked in the kitchen of Nirsoft, and are going to get out of the oven very soon.

So here they are, with a small description for each of them:

  • IPInfoOffline: Allows you to view information about IP addresses, without connecting any external server. It uses a compressed IP addresses database that is stored inside the exe file. For each IP address, the following information is displayed: IP block range, Organization (RIPE, ARIN, APNIC, LACNIC or AFRINIC), Assigned Date, Country Name, and Country Code.
  • DNSDataView: This utility is a GUI alternative to the NSLookup tool that comes with Windows operating system. It allows you to easily retrieve the DNS records (MX, NS, A, SOA) of the specified domains. You can use the default DNS server of your Internet connection, or use any other DNS server that you specify.
  • SkypeLogView: This utility reads the log files created by Skype application, and displays the details of incoming/outgoing calls, chat messages, and file transfers made by the specified Skype account.
  • WirelessNetConsole: Console version of WirelessNetView. It dumps all current detected wireless networks information into the standard output. For each wireless network, the following information is displayed: SSID, Signal Quality in %, PHY types, RSSI, MAC Address, Channel Frequency, and more.
  • UserProfilesView: This utility displays the list of all user profiles that you currently have in your system. For each user profile, the following information is displayed: Domain\User Name, Profile Path, Last Load Time, Registry File Size, User SID, and more.

These utilities will probably be ready for the first tasting in the next Saturday (November 1, 2008), and will be served first in this blog, and then later in the entire site, including the utilities and packages sections. is now hosted in a new server. The site will work much faster than before in the peak usage hours, as well as downtimes will be minimal.

The amount traffic received by was gradually increased, and that caused the http server to crash due to large amount of requests.
The hosting company removed my site for several hours because the server also hosts a few other sites. I’m now in a process of moving site to a new server, and that will minimize the site downtime to almost 0%.

If you already worked with my password recovery tools, you probably know that most of them can only recover the passwords of the current logged-on user, but they cannot recover the passwords from another user profile or from an external drive.
The reason for this limitation is that most of these tools use some Windows API calls to decrypt the passwords, and these API calls only works for the current logged-on user.

In order to allow my tools to recover the passwords from an external drive,
I used my reverse engineering skills to find out exactly how Windows password decryption works, and wrote the code that do the same thing, but without the restriction of the current logged-on user.

So here’s the first tool that uses my new decryption code: Network Password Recovery.
This means that you can now recover the passwords stored inside the Credentials file of Windows XP/Vista/2003/2008 even if you have a dead system that cannot boot anymore.

There is only one restriction: you must know the last log-on password of the user that owned the Credentials file you wish to recover. The SHA hash of the log-on password is used in the process of Credentials file encryption, and without knowing that log-on password, the content of the Credentials file cannot be recovered instantly.

Sometimes people ask me “How do I print the data appeared in your tool ?”.
Although there is no printing support in my tools, you can easily send the data to a printer by using one of the following options:

  1. Copy & Paste – You can select the data that you wish to print and copy it to the clipboard with Ctrl+C. After that, you can paste it to another application that support printing, like Excel, OpenOffice Spreadsheet, Notepad, and so on.
  2. Print in your Web browser – You can select the data that you wish to print and then save it to html file. After that, you can open the saved html in your Web browser, and then print it.
  3. Save to tab-delimited/comma-delimited file – You can select the data that you wish to print and then save it into a tab-delimited file or comma-delimited file.
    After that, you can open the saved file with any software that can import from tab-delimited/comma-delimited files, and then use that software to print the data.

There is a new feature in IECacheView utility that allows you to extract files from the cache of Internet Explorer into the same directory structure of the original Web site.
Just for example, in the following screenshot of IECacheView, you can see the list of cache files downloaded from NirSoft Blog:

If you select all these files, go to “Copy Selected Files To”, and then choose the “Save the files in the directory structure of the Web site” option, the folders structure after saving the files from the cache will look like this one:

If you work on Windows XP, you probably already familiar with the animated search puppy that show its unessential tricks while you make a search. However, this puppy has a small “feature” that many people don’t know about.
If you make a search, and then leave the search window opened without touching it for a long time, the search puppy get tired and goes to sleep….

Good Night !

While looking into the cache folder of Google Chrome Web browser, I found out that the file structure inside this folder looks a little familiar.
Similar to the cache of Mozilla/Firefox browsers, it has 3 data files, numbered from 1 to 3, when file number 1 is the smallest file, and the largest file is file number 3. It also has a cache map file, which numbered as ‘0’, and other files with hexadecimal numbers which contains the binary content of some cached files.

Here’s an example for the file structure in the cache folder of Chrome:

And here’s the cache folder of Firefox:

After looking more deeply into the cache folder of Chrome, I found out that the internal structures of the cache files are a little different from the structures of Firefox, but it still was very easy to figure out how to read these files, and you can see the result in my new ChromeCacheView utility.

It seems that there is a weird bug in beta 2 release of Internet Explorer 8.
When browsing into the main page of NirSoft Web site, the transition effect stops in the middle of the transition process, and the user may think that the Web browser just hang. However, after resizing the window a little, everything returns back to normal.

Here’s an example of how my site may look when browsing it with IE8: