Recently, I have received multiple reports from users of Internet Explorer 10 (on Windows 8) saying that my history/cache utilities fail to work with IE10, and they are right…
As opposed to all previous versions of Internet Explorer, which used the same file structure to store the history/cache/cookies information, IE10 uses a completely new file structure. Instead of the old index.dat file, IE10 stores all cache/history information inside a single Jet Blue database (also known as an ESE database or .edb file). This database file is WebCacheV24.dat, and it's located in the C:\Users\[User Profile]\AppData\Local\Microsoft\Windows\WebCache folder.

I have already developed the code to read this file in order to update my tools for Internet Explorer 10, but there is still one major problem with this file: while Internet Explorer is open, and also for a few minutes after it's closed, this file is completely locked, and other software (like my tools) cannot open it. There is one solution to bypass this database locking problem: copying the database to another location using the 'Volume Shadow Copy' service and then reading the copy of the database.

Reading the locked database using the ‘Volume Shadow Copy’ method has a few drawbacks:

  1. This process is quite slow and aggressive.
  2. It works only with full admin rights.
  3. On 64-bit systems, only a 64-bit application can use this service.
  4. The copied locked database doesn't contain the latest browsing history. The latest history/cache is written to the database a few minutes after closing the IE10 Web browser, when the file is unlocked.

Generally, I prefer to avoid using this 'Volume Shadow Copy' method and find a better way to read the locked database of IE10. For now, I updated only one tool, BrowsingHistoryView, for reading the browsing history of IE10. There is also an option to read the history when the database file is locked (using Volume Shadow Copy), but it's active only when running BrowsingHistoryView.exe with the /UseVolumeShadowCopy command-line parameter:

BrowsingHistoryView.exe /UseVolumeShadowCopy

If you have a system with Internet Explorer 10, you're welcome to try it and see if it's reasonable to use this 'Volume Shadow Copy' method regularly. Remember that you have to execute BrowsingHistoryView as administrator; otherwise, it won't be able to read the history file while it's locked.
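The 'Volume Shadow Copy' workaround described above, written out as an added PowerShell example (this is not BrowsingHistoryView's code or any NirSoft code). It creates a snapshot of the C: volume through the Win32_ShadowCopy WMI class, exposes the snapshot as a directory link, copies the WebCache folder out of it, and then removes the snapshot. The profile name, output folder and link path are placeholders; as the post notes, the script must run from an elevated 64-bit PowerShell session on a 64-bit system.

```powershell
# Added example (not NirSoft code): copy the locked IE10 WebCache folder out of
# a Volume Shadow Copy snapshot so it can be parsed offline.
# Assumptions: elevated 64-bit PowerShell; the profile name and paths below are
# placeholders to be replaced with real values.
param(
    [string]$ProfileName = 'SomeUser',                  # placeholder profile name
    [string]$OutDir      = 'C:\Temp\WebCacheSnapshot'   # placeholder output folder
)
$ErrorActionPreference = 'Stop'

# The service needs full admin rights (drawback 2 in the post), so fail early.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

$volume   = 'C:\'
$relative = "Users\$ProfileName\AppData\Local\Microsoft\Windows\WebCache"
$linkPath = 'C:\WebCacheShadow'   # temporary directory link to the snapshot (placeholder)

# 1. Create a persistent, client-accessible shadow copy of the volume.
$result = (Get-WmiObject -List Win32_ShadowCopy).Create($volume, 'ClientAccessible')
if ($result.ReturnValue -ne 0) { throw "Shadow copy creation failed, return value $($result.ReturnValue)" }
$shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }

try {
    # 2. Expose the snapshot through a directory symbolic link. DeviceObject is
    #    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; mklink needs the trailing backslash.
    cmd /c mklink /d $linkPath "$($shadow.DeviceObject)\" | Out-Null

    # 3. Copy the whole WebCache folder, not only WebCacheV24.dat: ESE writes
    #    transactions to the .log files beside the database before flushing
    #    them into the .dat, so the folder holds more state than the .dat alone.
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    Copy-Item -Path (Join-Path $linkPath $relative) -Destination $OutDir -Recurse -Force
    Get-ChildItem -Path $OutDir -Recurse -File | Select-Object Name, Length, LastWriteTime
}
finally {
    # 4. Remove the link and the snapshot so no stale copy of the user's
    #    history lingers on the disk.
    if (Test-Path -LiteralPath $linkPath) { cmd /c rmdir $linkPath | Out-Null }
    $shadow.Delete() | Out-Null
}
```

Because the snapshot is taken while IE holds the database open, the copy is in a dirty-shutdown state and, as drawback 4 says, still lacks whatever IE has not flushed yet; an ESE-aware parser (or ESE's own recovery tooling run on the copied folder) is needed to read it consistently.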

A few NirSoft utilities, including CurrPorts, SmartSniff, NetworkTrafficView, and CountryTraceRoute (which was released just a few weeks ago), now support the free IP geolocation database of MaxMind, in addition to the software77.net IP-to-country database.

The database of MaxMind is larger than the database of software77.net, and for some of the IP addresses, city information is also provided.

In order to start using the MaxMind database with the NirSoft utilities specified above, simply go to this Web page, download the GeoLite City database in binary/gzip format (the filename is GeoLiteCity.dat.gz), and then put this file in the same folder where the .exe files of the NirSoft utilities are located.
When you run a utility that supports this database, it automatically loads the database and uses it to display the country/city information for every IP address.

CurrPorts with the GeoLite City database

LastActivityView is a new utility for the Windows operating system that collects information from various sources on a running system and displays a log of actions made by the user and events that occurred on this computer. The activity displayed by LastActivityView includes: running an .exe file, opening an open/save dialog box, opening a file/folder from Explorer or other software, software installation, system shutdown/startup, application or system crash, network connection/disconnection, and more…

LastActivityView

You can download this new utility from this Web page.

A few years ago, I wrote a blog post about the false positive problems that I have with many of my tools, and I received many responses from users and developers who experience the same problem.
Today the false positive issues still exist, but it seems that people are more aware of the false positive problem, because I get fewer complaints about virus alerts in my software than I got in the past.

Some of my tools have 2 different builds: one for 32-bit systems and one for 64-bit systems.
WirelessKeyView is one of these tools that is available in 2 builds, 32-bit and 64-bit. Both the 32-bit and 64-bit builds of WirelessKeyView are compiled from exactly the same code with the same compiler options, and naturally they also perform exactly the same actions. The only reason for creating the 64-bit build is that WirelessKeyView injects code into a system process in order to get the wireless keys, and a 32-bit process cannot execute code inside a 64-bit process.

When sending the latest 32-bit version of WirelessKeyView to the VirusTotal Web site, it shows false positive alerts from 16 different antivirus programs:

VirusTotal WirelessKeyView 32-bit

Many people think that the VirusTotal Web site can be used to find out whether software is good or bad. Google probably thinks that too, because just recently they purchased VirusTotal. But the above sample proves that it's not correct. WirelessKeyView is completely legitimate software for getting the wireless keys stored on your own system and for moving your wireless keys from one computer to another. As opposed to many other "freeware" distributors, my software doesn't send any personal information, doesn't install any unwanted toolbar/spyware/malware, and doesn't make any changes to the Registry, so there is no good reason to warn and scare the user who downloads my software.

If the 32-bit version of WirelessKeyView triggers 16 virus alerts, you may expect that the 64-bit build of WirelessKeyView, which is compiled from exactly the same code, will also trigger exactly the same 16 virus alerts.
So here's the surprise… The number of virus alerts for WirelessKeyView 64-bit is zero!! Yes, there isn't even a single virus alert!

VirusTotal WirelessKeyView 64-bit

So what is the explanation for the difference between the alerts of the 32-bit and 64-bit versions?
Well… This question should be sent to the antivirus companies… But I have a theory:
Looking at the download statistics from the last month (September 2012), the 32-bit version of WirelessKeyView (wirelesskeyview.zip) has been downloaded 313,458 times,
while the 64-bit version (wirelesskeyview-x64.zip) has been downloaded only 50,799 times.
So maybe the 32-bit version of WirelessKeyView gets false alerts simply because it's much more popular than the 64-bit version?

When a download is more popular, there is a higher chance that somebody will use it for a bad purpose and the antivirus company will get a report about that. For example: a person allows his good friend to access his computer, but his friend uses it to run WirelessKeyView 32-bit and gets access to some wireless networks that he shouldn't have access to. When this person discovers that his wireless keys have been stolen by his "friend", he sends a complaint to the antivirus company with a sample of WirelessKeyView. The next day, the people at the antivirus company decide to set an alert for WirelessKeyView in order to prevent future wireless key stealing. But now many people who want to download WirelessKeyView 32-bit for a good purpose, like recovering their own wireless key or moving it to another computer, get a warning from their antivirus software or from the VirusTotal Web site, without understanding the reason for this alert.
On the other hand… if somebody tries to use WirelessKeyView 64-bit for a bad purpose, the antivirus won't show any alert, simply because the 64-bit version is less popular and nobody complained that it has been used to steal wireless keys.

Just a guess…

Recently I purchased a digital signature, and both the 32-bit and 64-bit builds of WirelessKeyView are signed with it. Some people told me that signing the .exe files will decrease the false positive alerts. So does it really help? Maybe a little. I checked an older version of WirelessKeyView (32-bit), and VirusTotal shows 23 alerts:
https://www.virustotal.com/file/bb9bb534858fb79cb58b4a5411edd59c1b8b3390eb11635294f606f9950c595c/analysis/1349885723/

So 16 alerts is a little better than 23 alerts, but it’s still too much.

Finally, here are 2 small articles related to false positive issues posted on other Web sites:

False Positives by some random antivirus vendor

The Funny World of Virus Scanners

WinsockServicesView is a new utility that displays the details of all Winsock service providers installed on your system. For every Winsock service, the following information is displayed: Display Name, Status (Enabled/Disabled), DLL Type (32-bit or 64-bit), DLL Filename, DLL Description/Version, and Created/Modified Time.
WinsockServicesView also allows you to easily disable/enable a Winsock service provider.

WinsockServicesView

For more information about this new utility, click here.

WifiInfoView is a new utility for Windows 7/Vista/2008/8 that scans the wireless networks in your area and displays extensive information about them, including: Network Name (SSID), MAC Address, PHY Type (802.11g or 802.11n), RSSI, Signal Quality, Frequency, Channel Number, Maximum Speed, Company Name, Router Model and Router Name (only for routers that provide this information), and more…

When you select a wireless network in the upper pane of this tool, the lower pane displays the Wi-Fi information elements received from this device, in hexadecimal format.

WifiInfoView

WifiInfoView also has a summary mode, which displays a summary of all detected wireless networks, grouped by channel number, the company that manufactured the router, PHY type, or the maximum speed.
For example, in the screenshot below, you can see that there are 25 wireless networks that use channel 6, 10 wireless networks that use channel 10, and so on…

Wi-Fi Channels Summary
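The hexadecimal information elements shown in the lower pane, and the per-channel summary mode described above, both come down to decoding the 802.11 information-element TLVs from a beacon or probe response. The following added PowerShell example (not WifiInfoView's code) decodes a few of the fields the post lists, SSID, channel, maximum speed, an 802.11g/802.11n PHY hint and the router manufacturer/model from the WPS element, and then groups the results by channel the way the summary mode does. The beacon bodies are constructed sample data, and the WPS attribute decoding is limited to the manufacturer, model and device-name attributes.

```powershell
# Added example (not WifiInfoView's code): decode 802.11 information elements
# (1-byte ID, 1-byte length, value) and summarise the networks by channel.
# Sample beacons below are constructed, not captured from real networks.
function Parse-InformationElements {
    param([byte[]]$Bytes)
    $r = [ordered]@{ SSID = $null; Channel = $null; MaxSpeedMbps = 0; PhyType = '802.11g'
                     Manufacturer = $null; Model = $null; DeviceName = $null; VendorOUIs = @() }
    $i = 0
    while ($i + 2 -le $Bytes.Length) {
        $id  = [int]$Bytes[$i]
        $len = [int]$Bytes[$i + 1]
        # A length running past the buffer means a malformed frame; refuse it rather than over-read.
        if ($i + 2 + $len -gt $Bytes.Length) { throw "Truncated IE (id $id) at offset $i" }
        $val = New-Object byte[] $len
        [Array]::Copy($Bytes, $i + 2, $val, 0, $len)
        switch ($id) {
            0   { $r.SSID = [Text.Encoding]::UTF8.GetString($val) }                 # SSID
            { $_ -eq 1 -or $_ -eq 50 } {                                             # (Extended) Supported Rates
                foreach ($b in $val) {                                              # units of 500 kbit/s; bit 7 marks a basic rate
                    $mbps = ($b -band 0x7F) / 2
                    if ($mbps -gt $r.MaxSpeedMbps) { $r.MaxSpeedMbps = $mbps }
                }
            }
            3   { $r.Channel = [int]$val[0] }                                       # DS Parameter Set: current channel
            45  { $r.PhyType = '802.11n' }                                          # HT Capabilities present => 802.11n
            221 {                                                                    # Vendor Specific: 3-byte OUI + type
                if ($val.Length -lt 4) { break }
                $oui = '{0:X2}-{1:X2}-{2:X2}' -f $val[0], $val[1], $val[2]
                $r.VendorOUIs += $oui
                if ($oui -eq '00-50-F2' -and $val[3] -eq 4) {                       # Microsoft OUI, type 4 = WPS
                    $j = 4
                    while ($j + 4 -le $val.Length) {                                # WPS attributes: 16-bit type, 16-bit length, big-endian
                        $type = [int]$val[$j] * 256 + [int]$val[$j + 1]
                        $alen = [int]$val[$j + 2] * 256 + [int]$val[$j + 3]
                        if ($j + 4 + $alen -gt $val.Length) { break }
                        $text = [Text.Encoding]::UTF8.GetString($val, $j + 4, $alen)
                        switch ($type) {
                            0x1021 { $r.Manufacturer = $text }                      # Manufacturer
                            0x1023 { $r.Model = $text }                             # Model Name
                            0x1011 { $r.DeviceName = $text }                        # Device Name
                        }
                        $j += 4 + $alen
                    }
                }
            }
        }
        $i += 2 + $len
    }
    return [pscustomobject]$r
}

# Build a constructed beacon body: SSID, supported rates up to 54 Mbps, channel,
# optional HT Capabilities element, and a WPS vendor element with maker/model.
function New-SampleBeacon {
    param([string]$Ssid, [byte]$Channel, [bool]$HT, [string]$Maker, [string]$Model)
    $asc = [Text.Encoding]::ASCII
    $wps = @(0x00, 0x50, 0xF2, 0x04)
    foreach ($pair in @(@(0x1021, $Maker), @(0x1023, $Model))) {
        $t = $asc.GetBytes($pair[1])
        $wps += @([byte][math]::Floor($pair[0] / 256), [byte]($pair[0] % 256), 0x00, [byte]$t.Length) + $t
    }
    $ssidBytes = $asc.GetBytes($Ssid)
    $ies = @(0x00, $ssidBytes.Length) + $ssidBytes
    $ies += @(0x01, 0x08, 0x82, 0x84, 0x8B, 0x96, 0x24, 0x30, 0x48, 0x6C)   # 1, 2, 5.5, 11 (basic), 18, 24, 36, 54 Mbps
    $ies += @(0x03, 0x01, $Channel)
    if ($HT) { $ies += @(0x2D, 26) + (New-Object byte[] 26) }               # HT Capabilities, body zeroed for the sample
    $ies += @(0xDD, $wps.Length) + $wps
    return [byte[]]$ies
}

$samples = @(
    @{ Ssid = 'HomeAP';   Channel = 6;  HT = $true;  Maker = 'Acme'; Model = 'AP-10' },
    @{ Ssid = 'CafeWifi'; Channel = 11; HT = $false; Maker = 'Acme'; Model = 'AP-5'  },
    @{ Ssid = 'Guest';    Channel = 6;  HT = $true;  Maker = 'Bolt'; Model = 'R1'    }
)
$networks = foreach ($s in $samples) { Parse-InformationElements -Bytes (New-SampleBeacon @s) }

$networks | Format-Table SSID, Channel, PhyType, MaxSpeedMbps, Manufacturer, Model -AutoSize
# Summary mode: how many networks share each channel.
$networks | Group-Object -Property Channel |
    Select-Object @{ n = 'Channel'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

The parser stops on a truncated element instead of reading past the end of the buffer, which matters when the bytes come from a scan of arbitrary nearby devices rather than from a well-behaved router. The 802.11n hint is the presence of the HT Capabilities element (ID 45); the same approach extends to other elements the post does not cover.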

You can download this new tool from the bottom of this Web page.

BrowsingHistoryView is a new utility that reads the history data of 4 different Web browsers (Internet Explorer, Mozilla Firefox, Google Chrome, and Safari) and displays the browsing history of all these Web browsers in one table.
The browsing history table includes the following information: Visited URL, Title, Visit Time, Visit Count, Web Browser and User Profile. BrowsingHistoryView allows you to view the browsing history of all user profiles on a running system, as well as to get the browsing history from an external hard drive.
You can also export the browsing history to a csv/tab-delimited/html/xml file from the user interface, or from the command line, without displaying any user interface.

You can download this new utility from this Web page.

BrowsingHistoryView

MultiMonitorTool is a new tool that allows you to perform some actions related to working with multiple monitors. With MultiMonitorTool, you can disable/enable monitors, set the primary monitor, save and load the configuration of all monitors, and move windows from one monitor to another. You can do these actions from the user interface or from the command line, without displaying a user interface. MultiMonitorTool also provides a preview window, which allows you to view a preview of every monitor on your system.

MultiMonitorTool

You can download this new tool from this Web page.

FolderChangesView is a new tool that monitors the folder or disk drive that you choose and lists every filename that is modified, created, or deleted while the folder is being monitored.
You can use FolderChangesView with any local disk drive or with a remote network share, as long as you have read permission for the selected folder.

FolderChangesView works on any version of Windows, starting from Windows 2000 and up to Windows 8, and both 32-bit and 64-bit systems are supported.
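Folder monitoring of the kind FolderChangesView performs rests on directory change notifications; the following added PowerShell example (not FolderChangesView's code) uses the .NET FileSystemWatcher, which wraps that mechanism, to write a timestamped log of create/modify/delete/rename events for a folder tree. The watched folder and log file paths are placeholders, and the folder must exist and be readable (a UNC share path works too).

```powershell
# Added example (not FolderChangesView's code): log file-system changes under a
# folder with System.IO.FileSystemWatcher. Paths below are placeholders.
$watchPath = 'C:\Temp\Watched'       # placeholder: folder (or UNC share) to monitor
$logFile   = 'C:\Temp\changes.log'   # placeholder: where events are appended

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $watchPath
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, DirectoryName, LastWrite, Size'
# Bursts of changes (an installer, a build) can overflow the notification buffer
# and silently drop events; use the maximum size and log the Error event, which
# is how an overflow is reported, so gaps in the log are visible.
$watcher.InternalBufferSize = 64KB

$onChange = {
    $e = $Event.SourceEventArgs
    # Note: a single write usually raises more than one 'Changed' event.
    $line = '{0:yyyy-MM-dd HH:mm:ss.fff}  {1,-8}  {2}' -f $Event.TimeGenerated, $e.ChangeType, $e.FullPath
    if ($e.ChangeType -eq 'Renamed') { $line += "  (was $($e.OldFullPath))" }
    Add-Content -Path $Event.MessageData -Value $line
}
$onError = {
    $msg = $Event.SourceEventArgs.GetException().Message
    $line = '{0:yyyy-MM-dd HH:mm:ss.fff}  ERROR     events may have been lost: {1}' -f $Event.TimeGenerated, $msg
    Add-Content -Path $Event.MessageData -Value $line
}

$subscriptions = foreach ($name in 'Created', 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name -Action $onChange -MessageData $logFile
}
$subscriptions += Register-ObjectEvent -InputObject $watcher -EventName Error -Action $onError -MessageData $logFile
$watcher.EnableRaisingEvents = $true

Write-Host "Monitoring $watchPath (log: $logFile). Press Ctrl+C to stop."
try {
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    # Stop delivering events and release the handle on the watched folder.
    $watcher.EnableRaisingEvents = $false
    $subscriptions | ForEach-Object { Unregister-Event -SourceIdentifier $_.Name }
    $watcher.Dispose()
}
```

The handlers run in the PowerShell event queue of the session, so the script has to stay alive (the sleep loop) for them to fire; the log records the change type and full path, and renames carry the old path as well, which is enough to reconstruct what an installer or a suspicious process touched.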

FolderChangesView

You can download this new utility from this Web page.

The RTMPDump toolkit is quite an impressive open source project that allows you to download RTMP video/audio streams. However, using this tool under the Windows operating system is not very easy.

My new utility, RTMPDumpHelper, is exactly what you need in order to easily download RTMP streams with the RTMPDump toolkit under the Windows operating system. By combining this utility with the proxy server of the RTMPDump toolkit, you can simply open a Web page containing an RTMP video stream in your favorite Web browser, and while you watch the video, it'll be saved to your disk automatically as an .flv or .mp4 file.

RTMPDumpHelper and RTMPDump toolkit

You can download my new RTMPDumpHelper utility from this Web page.

The RTMPDump toolkit is available to download from this Web page.