NirBlog

Notice:  The latest version of NirLauncher package is now available at http://launcher.nirsoft.net/

Many people ask me to add ‘Auto Update’ feature that will automatically update the latest version of all NirSoft utilities and the NirLauncher itself.  So I’ll eventually add this feature in one way or another, but the first step is to create an official download page of NirLauncher package that will be updated with the latest utilities every week or every 2 weeks. I hope that the official download page will be available in the incoming weeks.

For now, there is a new Beta download of NirLauncher package, with the following changes:

• Fixed the missing icons problem in Windows 7/x64.
• Added packages menu to choose a package.  A package can also be selected from accelerator keys (Ctrl+1 for the first package, Ctrl+2 for the second package, and so on…)
• Added status bar information.
• Fixed the crash problems that occurred in some utilities on Windows 7/Vista, when running  NirLauncher as administrator.  This problem occurred only because the executable of NirLauncher contains the word ‘launch’. You can read more about this problem in this post.
  Here’s a small summary of the problem and the way that I solved it:
  • When any executable contains the word ‘launch’ (in my case, NirLauncher.exe), Windows Vista/7 automatically shim the application, which means that apphelp.dll and AcLayers.DLL are loaded into the process and replace the pointers to Windows API functions inside the export table.
  • When  NirLauncher run a utility, the utility is also shimmed, probably because child applications automatically get the same treatment like the parent application. However, if the utility requires elevation (To run as admin) while NirLauncher was executed without admin rights, the launched utility is not shimmed.
  • Some of NirSoft utilities –  ‘Network  Password Recovery’, LSASecretsView, and LSASecretsDump use some code injection technique in order to extract the system data. These utilities use the API function addresses returned  by GetProcAddress function to execute the desired code in a system process. But… when an application is shimmed,  GetProcAddress function returns the addresses of the shim layer instead of the real kernel addresses. These wrong addresses caused the system process to crash immediately and restart the system after a minute.
  • The easiest solution for this problem is to change the executable name of NirLauncher to something else, but this kind of solution is really ridiculous. Also, I cannot assure that Windows won’t shim my application from any other reason.
  • I also tried to add into the executable of NirLauncher and the other utilities a manifest which contains compatibility information. This manifest is a small XML which says to Windows OS: “This application is compatible with Windows Vista and Windows 7, so don’t shim it”.
    Unfortunately, this solution simply didn’t work.
  • The problem was finally solved by making changes in the problematic utilities (NetPass,  LSASecretsView, and LSASecretsDump), so these utilities will work properly even when they are shimmed.  When these utilities detect that they are shimmed, LdrGetProcedureAddress (in ntdll.dll) function is used to get the real address of GetProcAddress function inside the Windows kernel, and in this way, my utilities  bypass the shim layer and get the real kernel addresses.

Update (December 1st, 2009):  Fixed also the Shim issue in MessenPass and WirelessKeyView.

Download the third Beta of NirLauncher package with more than 100 utilities

Zip File Information:  (to verify that the downloaded file is Ok)

MD5: c181e7e46d4acde6f6c9b12309eb85b8
SHA1: 580fcb82d057c8a3cef752124802026886956172
File Size: 6,908,394
Number of files in the Zip: 247

When I released the first Beta of NirLauncher package, I warned you to avoid from running NirLauncher as Administrator on Windows Vista/7, because if you do so, launching a few of my utilities, like Network Password Recovery and   LSASecretsView,  may cause a crash in lsass.exe and then an automatic system restart.

After running some tests and researching  this problem, I found out a workaround, but a very weird one.  This problem can be solved simply by changing the .exe name from NirLauncher.exe to another name that doesn’t contain the word “Launch”.
Yes, you probably think that I’m crazy,  but until now I tested this issue in 3 different systems (one with Windows 7 and 2 with Windows Vista), and in all 3 of them changing the .exe name really solved the crashes problem.

If you still don’t believe it, you are welcomed to test it on your own Windows Vista/7 machine and see if you get the same results, but… Be careful and be aware that this test may crash the lsass.exe process and then restart your system.

Here’s the instructions for testing this weird issue:

1. Download the last build of NirLauncher package from here.
2. Extract the package into any folder you like. You must extract the package with folder names, so all files under NirSoft folder will be extracted into NirSoft subfolder.
3. Right-click on NirLauncher.exe and choose ‘Run As Administrator’.
4. Go to the ‘Password Recovery utilities’  tab, and run the ‘Network Password Recovery’ or ‘LSASecretsView’ utility.
   

   NirLauncher

5. Wait a few seconds, and then you should get the following crash message: “Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now.” If you don’t get this crash message, try to run the other utility.
   

   Windows Crash

6. Wait a minute until the system restart. After the system reboot, Go to the folder of NirLauncher, and then rename NirLauncher.exe to NirBauncher.exe and NirLauncher.cfg to NirBauncher.cfg  (B instead of L)
   You can also rename it to any other name, as long as the name doesn’t contain the word ‘Launch’. Also, the name of the .exe file must be identical to the .cfg file, because NirLauncher reads the .cfg file according to the .exe name.
   

   Rename NirLauncher.exe to NirBauncher.exe

7. Now, right-click on NirBauncher.exe and choose ‘Run As Administrator’.
8. From NirLauncher interface, run the same utility that previously caused the system crash.  The utility should run properly without any crash. At least that what’s happen in the systems that I tested until now.

To ensure that this weird problem is not caused by something bad that I did inside NirLauncher, I also created a small program in c++ that only executes my ‘Netword Password Recovery’  utility (netpass.exe) with CreateProcess API and then exit. The tests with this small .exe still bring the same results: When the .exe file contains the word ‘Launch’, system crash is occurred, and when the .exe file doesn’t contain the word ‘Launch’, everything works fine.

The systems that I used to test this problem don’t have any installation of Antivirus, Firewall, or any other software that might affect the operating system behavior. So I guess that there is some code inside Windows kernel which says, “If the .exe contains the word ‘launch’, execute it in a different way than all other executable files.”

However, I can’t find any reasonable explanation for adding this .exe filename condition into Windows operating system. If you have any idea or information about this weird bug, you are welcomed to add your comment.

Update (November 28th):  Thanks for Dan about the writing the Shim comment. The problem is really the caused by Application Compatibility Engine. From some reason, when the .exe file contains the word ‘launch’, the Application Compatibility Engine consider the application as not compatible with Windows Vista/7, and thus the application is “shimmed”, which means that apphelp.dll and AcLayers.DLL are loaded and replace some API calls of Windows in order to resolve compatibility issues.  In my case, this  Compatibility Engine doesn’t solve compatibility problems… it actually creates the problem.

According to some Blog posts and documentations, embedding a Manifest inside the .exe that contains application compatibility information should disable the shimming and solve this problem, but… I tried it and unfortunately it doesn’t work.  However, because I already know which component cause the problem, I’ll eventually find a way to bypass it.

Many users of  SearchMyFiles utility complained that it’s hard to work with this utility, because after getting the search result, it doesn’t allow to do some basic operations on the search result, like deleting files, cut and paste, rename, and so on.
So the new version of SearchMyFiles now allow you to do these basic operations, similarly to the search result of Windows search. Be aware that the context menu of SearchMyFiles still doesn’t provide all options of Windows Explorer context menu, but I gradually improve it in future versions.

Here’s the list of all changes in the new version of SearchMyFiles utility:

• Added ‘Reset To Default’ button that allows you to easily reset the ‘Search Options’ dialog-box.
• Added ‘Open File On Double-Click’ option. When this option is checked, double-clicking a file will open it with the default program, like double-click in Explorer.
• Added new actions that you can make on the selected files of the search result: Explorer Cut, Delete, Move To Recycle Bin, and Rename.
• In the search option of file times, added ‘Today’ and ‘Since Last Reboot’.
• Added most-recently-used (MRU) list in combo-boxes of the search dialog-box. SearchMyFiles automatically remembers the last 10 strings that you used for every field, and allows you to easily select them from the Combo-Box. If you don’t want that your last search strings will be saved in the .cfg file (from privacy reasons), you can select the “Don’t Save MRU Lists” option in the Options menu.
• Fixed the ‘Subfolders Wildcard’ issue according to users request. Just for example: In previous version, if you tried to search in c:\ with abc*.* as subfolders wildcard, and you had a folder in c:\hello\bbbbb\abc123, SearchMyFiles utility didn’t search in this folder even when abc123 folder matched the folder name, and that’s because the folder below, bbbbb, wasn’t match the subfolders wildcard. Starting from this version, SearchMyFiles scan all subfolders, even if they don’t match the wildcard, but the actual file search is only made for subfolders that match the subfolders wildcard.

The new version of SearchMyFiles is available to download from here.

• ShellExView:
  • On x64 systems, ShellExView now always shows the shell extensions for x64 applications, even on the 32-bit version of ShellExView. If you want to get the shell extensions list for 32-bit applications, use ShellExView with /wow64 command-line option.
  • Added /remote command-line option, which allows you to view/enable/disable shell extensions in a remote computer on your network.
• MozillaCacheView and ChromeCacheView:
  • Fixed a bug that caused these programs to fail with copy of files from the cache when the filename contained invalid file characters (?, :, *, |, and others).
• WirelessKeyView:
  • Added ‘Use code injection method’ option in the Advanced Options window, as a workaround for using this utility on Windows 7.
• USBDeview:
  • Fixed bug: USBDeview displayed wrong drive letters when the serial number or ParentId Prefix contained only one character.
  • Added a separated version for x64 systems, in order to allow you to disable/enable items on x64 systems.
• MyUninstaller:
  • Added support for x64 installations.
• OpenedFilesView:
  • /filefilter command-line option now allows you to specify a filename without a path. For example, if you run OpenedFilesView with ‘/filefilter index.dat’, all opened index.dat filenames will be displayed.
• HashMyFiles:
  • Added ‘Delete Selected Files’ option, which allows you to easily delete duplicated files.
• FileTypesMan:
  • Fixed issue: When UserChoice is selected, FileTypesMan now displays the right file type properties loaded from the UserChoice application key.
  • Fixed issue: When UserChoice is selected, the ‘Open File Type In RegEdit’ option now opens the right UserChoice application key.

Notice:  The latest version of NirLauncher package is now available at http://launcher.nirsoft.net/

4 weeks after the first Beta release of NirLauncher utilities package, a new release is now available to download. If it’s the first time that you read about this package, it’s recommended that you also read the release notes of the first NirLauncher release, here.

The following changes were made in this release:

• Fixed bug: NirLauncher failed to execute console application when the path contained spaces.
• NirLauncher.exe is now on the root folder, while the NirSoft utilities are under NirSoft folder. Be aware that you must extract the package with the same folder names in the zip file. Otherwise, it won’t work.
• Added autorun.inf in the root folder that allows you to automatically open NirLauncher when you plug the USB flash drive. (Doesn’t work on Windows 7, because Microsoft removed this feature)
• Added ‘All Utilities’ tab that show all utilities in one list.
• sysinternals2.nlp is now available with full URLs, thanks to the great work of Yair from the comment in the first Beta post. Also, added ‘All Sysinternals Tools’ tab.
• Add Next/Previous Package buttons.
• Added option to add a tray Icon (Disabled by default).
• The new utility, DevManView, added to the package.

Download the second Beta of NirLauncher package with more than 100 utilities

Zip File Information:  (to verify that the downloaded file is Ok)

MD5: a617cfa78c138c340ec99de6f5d63903
SHA1: fa0a8fab272289edeede32d190b4c0862216b0cb
File Size: 6,812,717
Number of files in the Zip: 246

DevManView is a new utility that displays the list of all devices in your system, and allows you to disable/uninstall an obsolete device that is not needed anymore.
As opposed to the Device Manager module of Windows, which displays the devices list in a tree and requires you to open the properties window in order to get more information about the device,  DevManView displays the devices list in a flat table with all major device properties.

In addition to retrieving the devices list of your local computer, DevManView also allows you to get the devices list of remote computer on your network and from the Registry file of external instance of Windows.

DevManView

For more information about DevManView utility, click here.

Some of NirSoft utilities like ServiWin, ProduKey, USBDeview, MyEventViewer, RegScanner,  NirCmd, and DevManView (a new device manager utility that will be released soon) allows you to connect a remote computer on your network and get the same result as you use it in the local computer.  In order to use this remote computer feature, you must have full administrator access to the remote computer.

Even if you have the admin user name and password of the remote machine that you wish to connect, you still have to configure it properly in order to get full  administrator access.
If you have a network with a domain controller, and you are the administrator of this domain, your life is a little easier, because some of configuration changes required to get admin access remotely are made by Windows automatically when the computer joins the domain.

Here’s a list of security configuration changes that you have to do in the remote machine, in order to get the administrator access remotely:

1.  Configure your Firewall. Depending on  the firewall that you use on the remote computer, you may need to change the firewall configuration in order to be able to connect the computer.
If you use the Windows firewall,you should go to ‘Allow Programs’/Exceptions section and verify that the ‘File And Printer Sharing’ option is checked.’

Enable 'File And Printer Sharing' in Windows Firewall

If you have another Firewall that filter the traffic by port numbers, you should configure it to accept incoming TCP/UDP packets with ports 135-139.
Warning: On your router that connect you to the Internet, you must verify that it’s not configure to forward ports 135-139 from the Internet into your machine. If the router is configured this way, your computer is in high risk of being penetrated by hackers and Trojans.

2. Change network security and sharing mode to classic:  On Windows XP, the default network sharing mode is ‘Guest Only’, which means that even if you log-on remotely as admin user, you’ll only get the access rights of regular user. In order to change this mode, go to the ‘Local Security Settings’ in Administrative Tools of Control Panel, and under Local Policies->Security Options, find the option of ‘Network and security model for local accounts’ and change it to classic mode.

Sharing and security model

Alternatively, you can change the following Registry value to get the same effect:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
“forceguest”=dword:00000000

3.  Turn off the Remote User Account Control in Windows Vista and Windows 7:
By default, the User Account Control component of Windows 7/Vista doesn’t allow to get administrator access on a remote machine. In order to turn off this restriction, you should set the following Registry value:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
“LocalAccountTokenFilterPolicy”=dword:00000001

For more information about this Registry value, read here.

4. Starting the ‘Remote Registry’ service. Some of NirSoft utilities, like ProduKey and USBDeview, get the data from the remote machine by reading it from the Registry database.  On Windows 7/Vista, the ‘Remote Registry’ service is not started automatically by default,  so you have to start it in order allow these utilities to work on the remote machine.
You can start this service by using the Services module in Administrative Tools of Windows or by using the ServiWin utility of NirSoft.

Remote Registry Service

5. Connecting the remote machine. After making the above changes, you should be able to connect the remote machine and get full admin rights.
You can connect the remote machine by typing a path of admin share in the ‘Run’ text-box of Windows, for example:
\\192.168.0.11\c$
\\192.168.0.12\admin$
\\MyComp01\admin$

After a few seconds, Windows will ask you to type the user name and password for connecting the remote machine.

Connect the admin share of remote computer

You can also connect the machine by using the ‘Net Use’ command, for example:
net use \\192.168.0.15 “MyPassword” /user:”MyPC\admin”

After connecting the remote machine, you’ll also be able to connect it with all NirSoft utilities that have the remote computer feature.

Due to severe network issue on the data center that my server is located, all NirSoft Web sites were down for more than an hour.  NirSoft is now back online again and everything is Ok.

Just a week ago, I released the first Beta of NirLauncher package to download from this Blog.  For the beginning, I deliberately released this package quietly only in my Blog, and added some download restrictions, because this package is relatively large, and I wanted to make sure that my server won’t be overloaded by large amount of users that download this package in the same time.  even with this “quiet” release and these download restrictions, I still got a large peak of users that downloaded the Beta release of NirLauncher.

A day after I released this package, it was published in lifehacker and other well-known Web sites, which caused a large visitors peak that I had never seen before. At some point, my server load was pretty high, due to large amount of users that downloaded this package concurrently.

The users pick that I got after the NirLauncher release can be easily seen in the site statistics of Google Analitics.  On October 5th, the number of unique visitors reached to nearly 50,000,  which is around 40% more than a usual day.

NirLauncher release in Google Analitics.

On alexa Web site, you can also see the visitors peak after NirLauncher release, but the visitors peak is not sharp as in Google Analitics, because there are other peaks appeared during september, from unknown reason. Obviously, Google Analitics is more accurate than Alexa, because Alexa only counts the visitors with Alexa toolbar, while Google Analitics counts all visitors with JavaScript enabled Web browser.

NirLauncher release in Alexa

Another impressive result from NirLauncher release is the number of remarks in the release post (currently 55), which is quite nice relatively to my inactive Blog.  Be aware that I haven’t had time yet to read all yours remarks deeply, but I’ll certainly consider them in further NirLauncher releases.

Notice:  The latest version of NirLauncher package is now available at http://launcher.nirsoft.net/

As I promised a few weeks ago, the Beta version of NirLauncher, with a package of more than 100 utilities of NirSoft, is available to download.

NirLauncher Screenshot

Before you go to the download link, it’s important that you read the following guidelines:

• For now, the download link of this utilities package is a little restrictive. I only allow to download it 5 times per day for each IP address. So please don’t download this package with any ‘download accelerator’ software that open multiple connections. If you do so, the download might be failed and your IP address will be blocked from downloading this file for a few hours.
  Also, the download link won’t work if you put it on  other Web sites.
  I’ll try to gradually reduce these restrictions as long as it won’t eat my server resources.
• Antivirus False Positives – This package contains more than 100 utilities, and if you have any Antivirus on your computer, there is a very high chance that it’ll falsely detect one or more of these utilities as Virus/Trojan/Spyware/Malware or anything else.
  It’s also possible that your Antivirus will simply delete some of the utilities or prevent you from running them without displaying any alert.
  In any case, please don’t flood my email address with messages like “You have virus in your utilities package”   or “After I extract your files, some of them are deleted” or “I double-click xyz utility and nothing happens”.  All complaints about false virus alerts, utilities that cannot be executed, and disappearing files should be sent to the Antivirus companies that cause these troubles.
  You are also welcomed to read my Blog post from a few months ago: Antivirus companies cause a big headache to small developers.
• You might find out that some of my utilities in this package are missing. For now, to avoid from including very old utilities, my scripts that build the NirLauncher package automatically take only utilities that have been updated in the last 1000 days.  Some of my very old utilities might still save the settings into the Registry, and I don’t want to include them in NirLauncher package, because this package should be fully portable.
  Later, I’ll gradually check my old utilities and some of them will be possibly upgraded to be included in future releases of NirLauncher package.
• Currently, the software groups (categories) in NirLauncher are not the best choice, I simply took them with automatic scripts from my main utilities page. I hope that I’ll create better software groups in future versions.
• Start using NirLauncher:  In order to start using NirLauncher, simply create a new folder in your USB flash drive or in any other drive, and then extract all files of the package into the new folder.
  You should not extract the files into the root directory of your USB flash drive, because the package contains too much files.
  After you extracted the package, simply run the NirLauncher.exe executable.
• After running NirLauncher, here’s some tips for using it:
  • You can use F7 and F8 keys to move to the next and previous software group.
  • When you select a single item, the ‘Description’ and ‘Web Page URL’  become a link that you can click. Clicking the ‘Description’ opens the help file,  and clicking the ‘Web Page URL’ opens the right utility Web page. If you are not pleased from this feature, you can disable it from Options->Advanced Options (set all click options to none)
  • If you want to view a longer description of each utility that you select, check the ‘Show Description Text’ under the options menu. However, be aware that these description texts were taken from the pad files of my utilities, and they are not always updated to the latest features of each utility.
  • If you want to run a utility with command-line parameters, change the current directory, and so on, the ‘Advanced Run’ is the right option that you need.
  • There is also a generic ‘Advanced Run’ window that affects all utilities that you execute with the standard ‘run’ option: Options -> Default Run Settings. For example, if you open the ‘Default Run Settings’ window and select the ‘Run in full screen mode’ option, all console application that you run will be opened in full screen.
  • If you use the x64 version of Windows, and you click on a utility that have a separated x64 version, NirLauncher automatically run the x64 executable of the utility. The x64 executable filenames  in the package are in UtilityName-x64.exe format.
• Warning for Windows 7/Vista users: For now, do not run NirLauncher.exe with ‘Run As Administrator’ option.  It seems that using this option cause my ‘Network Password Recovery’ utility and a few others to crash lsass.exe process if you run them from NirLauncher that was executed with ‘Run As Administrator’ option. The reason for this problem is still unknown, and more research is required to fix it.
  If you want to force a specific utility to run with admin permissions, simply use the ‘Run As Administrator’ option (Ctrl+M) inside NirLauncher.

Here’s a few optional tips for more advanced users. If you don’t need them, you can skip to the download link in the bottom of the post.

• The package contains a file named ‘nirsoft.nlp’ (NLP = NirLauncher Package) . This file contains the list of all software groups and utilities that are displayed in NirLauncher.  It’s a very simple text file, like .ini file of Windows, that you can easily view and edit with any text editor. So, although the current version of  NirLauncher doesn’t support editing, you can change the software groups and utilities list displayed in NirLauncher by editing this file.
• When editing the .nlp file, it’s recommended that any file that you specify will be in relative path. For example: if you want to add an executable file located in a subfolder named ‘MyPackage’ under the main launcher folder, you should specify it as ‘MyPackage\myfile.exe’ instead of ‘i:\nirsoft\MyPackage\myfile.exe’.
• The ‘help’ value in .nlp file specifies that help file (.hlp or .chm). However, if the help filename has the same name of the executable (like cports.exe and cports.chm), NirLauncher will detect it automatically.
• The ‘AppName’  value specifies the application name, while the ‘ShortDesc’ value specifies a short description.  If you don’t specify these values, NirLauncher will take them from the version resource of the .exe file.
• The ‘LongDesc’ value is the text that appeared in the yellow description box of ‘Show Description Text’ option.
• NirLauncher also allows you to add additional software packages. Just for example, here’s how to add Sysinternals Suite into NirLauncher:
  1. Go to Sysinternals Suite Web page, and download the latest zip file.
  2. Extract the zip package of Sysinternals into a new folder located in the same drive of NirLauncher.
  3. Download the sysinternals.nlp that I created for Sysinternals Suite, and save it into the same folder with all Sysinternals files.
  4. Drag this sysinternals.nlp into the main window of NirLauncher. You can also use the “Add Software Package” from the Launcher menu.
  5. If you did it right, you should now see the Sysinternals package in the main window of NirLauncher. You can switch between the packages by using F3 and F4 keys.
  6. You may notice that full description text and Web Page URL are empty. This is because they are not filled in the sysinternals.nlp that I created.
     However, the ‘Open Web Page’  option (Ctrl+W) will still work properly for most of the SysInternals utilities even without the URL information, thanks to the “I’m feeling lucky” feature of Google. When there is no URL, I simply send the utility name to Google, and the first page in the search result is automatically opened.

Finally, here’s the download link:

Download NirLauncher package with more than 100 utilities

Zip File Information:  (to verify that the downloaded file is Ok)
MD5: b18f2706b2737128a9f7fd01648f5e38
SHA1: 353bd70b747dc73f58daec120df25a23330d0545
Size: 6,685,806 bytes
Number of files in the Zip: 241