NirBlog

Dialupass is one of the oldest utilities in my sites (7+ years !), so I decided to completely rewrite it, instead of continuing the development of the old one. The new version contains all the current NirSoft standards, including the ability to translate to other languages.
There is also one useful new feature: You can now extract the dialup passwords from an external instance of Windows 2000/XP/2003 (In Advanced Options).

Dialupass 3 is not officially released yet, but you can download a Beta version from here.

The new version of LsaSecretsView allows you to extract the LSA secrets from an external instance of Windows operating system. This feature can be useful if you have a dead system that cannot boot anymore.
You can use this feature from the user-interface, by using the ‘Advanced Options’ in the File
menu, or from command-line, by using the /external parameter.
This feature was also added to LSASecretsDump, which is the console version of LsaSecretsView.

Be aware the currently this feature works for Windows 2000/XP/2003, but not for Windows Vista.

A new section added to nirsoft.net: Major IP Addresses Blocks By Country.
In this section, you can select your country (or any other country in the world) and view all
major IP address blocks assigned for the selected country. For countries in Europe and in the
middle-east, the company name/Internet provider that own the IP block is also displayed.
You can also sort the list by IP address, block size, assign date, or by owner name.

Many people ask me about the location in the Registry or file system that applications store the passwords. So I prepared a list of password storage locations for popular applications.
Be aware that even if you know the location of the saved password, it doesn’t mean that you can move it from one computer to another. many applications store the passwords in a way that prevent you from moving them to another computer or user profile.

• Internet Explorer 4.00 – 6.00: The passwords are stored in a secret location in the Registry known as the “Protected Storage”.
  The base key of the Protected Storage is located under the following key:
  “HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider”.
  You can browse the above key in the Registry Editor (RegEdit), but you won’t be able to watch the passwords, because they are encrypted.
  Also, this key cannot easily moved from one computer to another, like you do with regular Registry keys.

  IE PassView and Protected Storage PassView utilities allow you to recover these passwords.

• Internet Explorer 7.00 – 8.00: The new versions of Internet Explorer stores the passwords in 2 different locations.
  AutoComplete passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.
  HTTP Authentication passwords are stored in the Credentials file under Documents and Settings\Application Data\Microsoft\Credentials , together with login passwords of LAN computers and other passwords.

  IE PassView can be used to recover these passwords.

• Firefox: The passwords are stored in one of the following filenames: signons.txt, signons2.txt, and signons3.txt (depends on Firefox version)
  These password files are located inside the profile folder of Firefox, in [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name]
  Also, key3.db, located in the same folder, is used for encryption/decription of the passwords.
• Google Chrome Web browser: The passwords are stored in [Windows Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data
  (This filename is SQLite database which contains encrypted passwords and other stuff)
• Opera: The passwords are stored in wand.dat filename, located under [Windows Profile]\Application Data\Opera\Opera\profile
• Outlook Express (All Versions): The POP3/SMTP/IMAP passwords Outlook Express are also stored in the Protected Storage, like the passwords of old versions of Internet Explorer.

  Both Mail PassView and Protected Storage PassView utilities can recover these passwords.

• Outlook 98/2000: Old versions of Outlook stored the POP3/SMTP/IMAP passwords in the Protected Storage, like the passwords of old versions of Internet Explorer.

  Both Mail PassView and Protected Storage PassView utilities can recover these passwords.

• Outlook 2002-2008: All new versions of Outlook store the passwords in the same Registry key of the account settings.
  The accounts are stored in the Registry under HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\[Profile Name]\9375CFF0413111d3B88A00104B2A6676\[Account Index]
  If you use Outlook to connect an account on Exchange server, the password is stored in the Credentials file, together with login passwords of LAN computers.

  Mail PassView can be used to recover lost passwords of Outlook 2002-2008.

• Windows Live Mail: All account settings, including the encrypted passwords, are stored in [Windows Profile]\Local Settings\Application Data\Microsoft\Windows Live Mail\[Account Name]
  The account filename is an xml file with .oeaccount extension.

  Mail PassView can be used to recover lost passwords of Windows Live Mail.

• ThunderBird: The password file is located under [Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name]
  You should search a filename with .s extension.
• Google Talk: All account settings, including the encrypted passwords, are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name]
• Google Desktop: Email passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\[Account Name]
• MSN/Windows Messenger version 6.x and below: The passwords are stored in one of the following locations:
  1. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
  2. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MessengerService
  3. In the Credentials file, with entry named as “Passport.Net\\*”. (Only when the OS is XP or more)
• MSN Messenger version 7.x: The passwords are stored under HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name]
• Windows Live Messenger version 8.x/9.x: The passwords are stored in the Credentials file, with entry name begins with “WindowsLive:name=”.

  These passwords can be recovered by both Network Password Recovery and MessenPass utilities.

• Yahoo Messenger 6.x: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager
  (“EOptions string” value)
• Yahoo Messenger 7.5 or later: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager – “ETS” value.
  The value stored in “ETS” value cannot be recovered back to the original password.
• AIM Pro: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\AIM\AIMPRO\[Account Name]
• AIM 6.x: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
• ICQ Lite 4.x/5.x/2003: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners\[ICQ Number]
  (MainLocation value)
• ICQ 6.x: The password hash is stored in [Windows Profile]\Application Data\ICQ\[User Name]\Owner.mdb (Access Database)
  (The password hash cannot be recovered back to the original password)
• Digsby: The main password of Digsby is stored in [Windows Profile]\Application Data\Digsby\digsby.dat
  All other passwords are stored in Digsby servers.
• PaltalkScene: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Paltalk\[Account Name].

The new version of IE PassView (v1.15) allows you to extract lost passwords stored by Internet Explorer 7.0 from an external drive. This feature can be useful if you have a dead system that cannot boot anymore, and you want to recover your passwords from there.
In order to use this feature, you must know the last log-on password that you used for the user profile that store the passwords.

The new version of Volumouse now allows you to choose any color for the the On-Screen Indicator, as well as you can choose to display a percent label.

Here’s a sample screenshot:

As promised a week ago, here’s the 5 new utilities added to NirSoft Web site:

IPInfoOffline, DNSDataView, SkypeLogView, WirelessNetConsole, and UserProfilesView.
These utilities will also be added very soon to the utilities section and to the ‘NirSoft Panel’ page.

Here’s a small summary of latest changes in NirSoft utilities:

• MozillaCacheView and OperaCacheView: New option in ‘Copy Selected Files To…’: Save the files in the directory structure of the Web site.
• USBDeview: Added new option – Open In RegEdit.
• ShellExView: New restriction – ShellExView won’t allow you to disable at once more than 15 shell extensions created by Microsoft.
• PasswordFox: Added support for specifying the master password (in the ‘Select Folders’ dialog-box or from command-line).
• SiteShoter: Added new option: ‘Take a screenshot of this Web page every…’

There are 5 new utilities that are currently cooked in the kitchen of Nirsoft, and are going to get out of the oven very soon.

So here they are, with a small description for each of them:

• IPInfoOffline: Allows you to view information about IP addresses, without connecting any external server. It uses a compressed IP addresses database that is stored inside the exe file. For each IP address, the following information is displayed: IP block range, Organization (RIPE, ARIN, APNIC, LACNIC or AFRINIC), Assigned Date, Country Name, and Country Code.
• DNSDataView: This utility is a GUI alternative to the NSLookup tool that comes with Windows operating system. It allows you to easily retrieve the DNS records (MX, NS, A, SOA) of the specified domains. You can use the default DNS server of your Internet connection, or use any other DNS server that you specify.
• SkypeLogView: This utility reads the log files created by Skype application, and displays the details of incoming/outgoing calls, chat messages, and file transfers made by the specified Skype account.
• WirelessNetConsole: Console version of WirelessNetView. It dumps all current detected wireless networks information into the standard output. For each wireless network, the following information is displayed: SSID, Signal Quality in %, PHY types, RSSI, MAC Address, Channel Frequency, and more.
• UserProfilesView: This utility displays the list of all user profiles that you currently have in your system. For each user profile, the following information is displayed: Domain\User Name, Profile Path, Last Load Time, Registry File Size, User SID, and more.

These utilities will probably be ready for the first tasting in the next Saturday (November 1, 2008), and will be served first in this blog, and then later in the entire site, including the utilities and packages sections.

nirsoft.net is now hosted in a new server. The site will work much faster than before in the peak usage hours, as well as downtimes will be minimal.