NirBlog

There are many users that already have a computer with processor that supports the  x64 architecture and some of them probably consider to move into the new world of 64-bit and install the x64 version of Windows.
if you’re one of these users, you should read the following tips before doing any step:

1. First, let’s start with the good part:  The x64 version of Windows have an emulation known as “WOW64” which allows you to install, run and use almost every existing 32-bit application that you currently use in your 32-bit version of Windows.  I said the word ‘almost’ because there are some exceptions that will be explained in the next clauses.
2. Device Drivers:  As opposed to applications, 32-bit drivers cannot be used under x64 version of Windows. This means that must have the appropriate 64-bit driver for every hardware product that you want to use.  For standard hardware products like simple mouse and keyboard, you don’t have to worry,  because Windows x64 already packed with the right drivers.  But if you use some uncommon hardware devices, you should check if the manufacturer of these devices provide x64 drivers for these devices.
3. There are some applications that load and use one or more drivers that are needed for their functionality.  Just for example: Process Explorer and some other tools of SysInternals load their own driver that is used to extract information from Windows Kernel.
   These kind of tools won’t work under x64 system, unless the software developer  provide the software with the appropriate 64-bit driver. In the case of  SysInternals tools, there is no problem, because these tools are shipped with both 32-bit and x64 drivers, and the right driver is loaded according to the version of Windows.
   However, there are some software developers that only provide a driver for 32-bit, and thus their software won’t work under x64.
4. Starting from x64 version of Windows Vista, Microsoft added a security feature that many people don’t know about:  Every driver that is loaded into Windows Kernel must be digitally signed. Signing a driver can only be done by a commercial entity and requires also to pay hundred of $ per year for the Commercial Software Publisher Certificate.
   Microsoft added this feature in order to prevent from malware/Viruses/Trojans creators from loading and running malicious code inside the Windows kernel. Unfortunately, they also blocked many legitimate small developers from porting their driver based application into 64-bit.
   One example is my own OpenedFilesView utility. This utility uses a small device driver for extracting information about the opened file handles stored in the Windows kernel. (There is no any other way to get this information)
   Due to above Kernel changes in Vista x64, I cannot port this utility into Windows x64.  I already had some users that moved  from 32-bit to x64 system and disappointed after they found out that they would not  be able to use my  OpenedFilesView utility in their new x64 system.
   In theory, I can open a real company with office, phone, and address, purchase a Commercial Software Publisher Certificate, do the entire process of signing my driver, and then sell the x64 version of OpenedFilesView for $10-$15. However, I don’t think that the sells of this software will cover the costs of maintaining a company and Certificate payments.
5. There are  some applications that inject a dll file into other programs  (Windows Hooks) in order to interact with their user interface or to grab some information from them. For example, My Volumouse utility change the mouse wheel behavior when the focus is on other applications, and thus it inject a special dll for every application that interact with the mouse wheel.
   When you run this kind of application on x64 system, it’ll probably work well with other 32-bit application, but it won’t be able to interact with other x64 applications, unless the software developer added a support for x64 systems.
6. Windows Registry on x64 version of Windows is a little confusing: Some of the Registry keys are common for both 32-bit and x64 applications, while some Registry keys have 2 separated instances – one for  32-bit applications and one of 64-bit applications. The separated keys for 32-bit applications are stored under HKEY_LOCAL_MACHINE\Software\Wow6432Node and HKEY_CURRENT_USER\Software\Wow6432Node.
7. On x64 system, every memory address,  file handle, window handle, and other kernel objects, consume 8 bytes in memory (64-bit = 8 bytes), while on 32-bit systems, only 4 bytes are used. This means doing the same work on x64 might consume much more memory than on 32-bit system, even when in many cases, the usage of 8 bytes is not really necessary.
8. Many applications vendors still don’t provide a separated 64-bit version of their application, and instruct their x64 users to use their 32-bit application. Even if the 32-bit application works perfectly on x64 system, it’s still running on WOW64 emulation, and this means that the application might  be a little slower than on a real 32-bit system.
   However, if the application vendor provide a separated version for x64, running the x64 version of x64 system might give you better performances than using the 32-bit application on 32-bit system.

In some circumstances, you may want to extract the original system files (.dll files, .exe files, and others) that are shipped with the DVD of Windows 7 and Windows Vista.
Whether you need these files because they are missing in your system, or whether these file were replaced by other versions that caused problems, and you want to get back the original Windows files, here’s a simple method to extract these system files from Windows 7/Vista DVD:

1. Download and install the latest version of  7-Zip File Manager.
2. Browse into the sources folder of the Windows DVD. For example, if your DVD drive is d:, you should type in the folder path of 7-Zip utility ‘d:\sources’
   

   Sources Folder in Windows DVD

3. Locate a file named ‘install.wim’ and double-click it. You can easily find it by clicking the size column header to sort the files list by size, because it’s the largest file on this folder.
   Alternatively, you can simply type ‘d:\sources\install.wim\’ in the path text-box, and jump directly to the content of install.wim.
4. Wait 5 – 10 seconds (or a little more) until 7-Zip utility read the content of install.wim
   
5. After 7-Zip utility opens the file, you’ll get a few numbered folders. Each numeric subfolder represents a different version of Windows (Starter, Home Basic, and so on).
   In most cases, you can simply browser into any of these folders, because most of system files are identical for all versions.
   However, if you want to be more strict, and extract the files from the folder that represent your current Windows version, you can first extract and read the ‘1.xml’ file, which contains the list of versions stored in these folders.
   To make your life easier, here’s the folder versions list in the DVD of Windows 7 RC:
   1 – Windows 7 Starter
   2 – Windows 7 Home Basic
   3 – Windows 7 Home Premium
   4 – Windows 7 Professional
   5 – Windows 7 Ultimate

   This means that if you want, for example, to browse into the files list of

   Windows 7 Professional, you should double-click the ‘4’ folder.
   

   

   install.wim in 7-zip

6. After entering into the one of the numeric folders, you’ll get a list of base system folders like ‘Program Files’ and Windows. You should now go to the right system folder which contains the files you need. For example, if the files that you’re looking for are usually stored c:\windows\system32, you should browse into Windows\System32 subfolder
   

   System32 folder inside install.wim

7. Select the files that you want to extract, and then click the ‘extract’ button. 7-Zip utility will ask you to type the destination folder to copy the files. After you choose or type the desired destination folder, click the ‘Ok’ button, and the files you need will be extracted to the selected folder.
   

Finally, if you are an expert user that want to do the same thing from command-line, here’s a small example that shows you how to do it:

“C:\Program Files\7-Zip\7z.exe” e d:\sources\install.wim -oc:\temp 2\windows\system32\shell32.dll

In the above example, shell32.dll is extracted from the installation files of Windows 7 Home Basic (Folder 2) into c:\temp folder, assuming that d:\ contains the Windows 7 DVD and 7-Zip utility is installed on C:\Program Files\7-Zip.

If you constantly work with NirSoft utilities, you probably already know that most of these utilities allows you to save the data into text, csv, html, or xml file from command-line, without displaying any user interface.

However, until now there was one drawback in this feature: The data was always saved in the original order, without any sorting.
So I finally started to add the command-line sorting feature into my utilities. I already added this sorting feature to the following 7 utilities, and I’ll gradually add it also to the others:  IECacheView, MozillaCacheView, CurrPorts, LiveContactsView, MyLastSearch, SearchMyFiles, and OpenedFilesView.

Here’s a few points about using this sorting feature:

• For every utility that this feature is added, the data that you save from command-line will be sorted according to the last sorting that you chose from the user interface, by clicking the column header. If from some reason you still want to save the data without any sorting, like in the previous versions, you can still do that by using /nosort option, for example:
  IECacheView.exe /shtml c:\temp\iec.html /nosort
• If you want to sort the saved data by another column, you can use the /sort command-line option. This option can accept a number as column index (0 for the first column, 1 for the second one, and so on) or the field name as appeared in the column header.
• For example, if you want to sort by the first column (in the current columns order):
  IECacheView.exe /shtml c:\temp\iec.html /sort 0
• If you want to sort in descending order, you should add ‘~’ character as prefix.  For example, to sort the third column in descending order:
  IECacheView.exe /shtml c:\temp\iec.html /sort ~2
• You can also sort by more than one column, simply by specifying multiple /sort parameters. For example: to sort by the second column, and then by the first column in descending order:
  IECacheView.exe /shtml c:\temp\iec.html /sort 1 /sort ~0
• If you choose the specify the sorting column by its name, you must put it in quotes if the caption contains one or more space characters. For example, to sort by Content Type in IECacheView:
  IECacheView.exe /shtml c:\temp\iec.html /sort “Content Type”
• If you want to sort in descending order, the ‘~’ prefix must be inside the quotes, for example:
  IECacheView.exe /shtml c:\temp\iec.html /sort “~Content Type”
• You don’t have the type the exact column name. Even if you write a partial name of the column, my utilities will locate the right column. For example, if you want to sort by the ‘Last Modified’ column, you can specify only ‘Modified’ as column name:
  IECacheView.exe /shtml c:\temp\iec.html /sort “Modified”

Notice: In all examples  specified above, I used IECacheView utility to demonstrate the command-line sorting feature.  However, you can use this feature in the same manner for all utilities that I add the sorting option.

The new version of BlueScreenView (v1.10)  provides a few command-line options that allows you to choose the desired MiniDump folder and to save the MiniDump crashes list into  text/html/xml/csv file, without displaying any user interface.

Here’s the list of all changes in version 1.10:

• Added accelerator keys for allowing you to toggle between modes more easily.
• Added command-line options for saving the crash dumps list to text/csv/html/xml file.
• Added command-line option for opening BlueScreenView with the desired MiniDump folder.
• Fixed focus problems when opening the ‘Advanced Options’ window.
• Added ‘default’ button to the ‘Advanced Options’ window.

• Added ‘processor’ column – 32-bit or x64.

This new version of BlueScreenView is available in this page.

I created a new Web site which provides general information about file extensions and which software can open or use them: http://extension.nirsoft.net.
Currently, this Web site is based on extension information sent from my FileTypesMan utility by me and by some other users. It’s possible that in the future, I’ll also  enable the visitors  of extension.nirsoft.net Web site to add their own extension description and remarks.

extension.nirsoft.net Web site

I also added a new option for both FileTypesMan utility and ShellMenuView utilities that allows you to easily open your Web browser in the right file extension page.

If you want to help this extension database to grow, you are welcomed to  add extension information stored in your own computer into http://extension.nirsoft.net Web site, by using the ‘Send Report To extension.nirsoft.net’ option.  Full instructions about how to do it are available in the main page of extension.nirsoft.net Web site.

Also, be aware that this ‘Send Report’ option only send general information about the extension and which program opens it on your computer. It doesn’t send any personal or private information that might reveal your identity.

In the last 2 months, I reported about a nasty phishing scam known as ‘msn-blocked.com’ that ask the users to type their MSN user name/password and then use their log-in details to connect the server of MSN/Live Messenger and send a fake invite messages to all the contacts of the user.
This Web site also send the users to msnpass.info Web site, which is used to sell my freeware MessenPass utility by using the payment system of Allopass. You can read more about this scam, in the previous posts of my Internet Scams section.

MsnPass.Info Scam In English

Until now, msn-blocked Web site was in french language, and targeted only  users that speaks french.
But now the owner of this nasty scam decided to go international and created new versions of msn-blocked and msnpass.info Web sites in multiple languages, including English. The user that browse into these Web sites automatically get the right language according to the  language settings of the Web browser and there is also a flags toolbar to select the right language.
This means that Internet users of many countries that were not affected by this scam until now, including all Live Messenger users in United State, are now vulnerable to this scam.

Msn-Blocked.com in English

Since I discovered this scam, around 2 months ago,  I tried to contact any company/ organization that can help to stop this scam right away, including well- known companies like Microsoft and GoDaddy.  Unfortunately, it seems that these companies don’t care that their services are used for Messenger spamming and phishing scams.

Here’s a partial list of companies that received my complaint about msn-blocked scam and didn’t do anything to stop it:

1. GoDaddy:  GoDaddy is the domain registrar of all domains used for this scam, including msnpass.info, msn-blocked.com, msn-block.info,  msnblocks.com, msnapps.net, and possibly a few others.The Web site of GoDaddy says that “We do not allow our customers to send mass unsolicited e-mails, or spam” and they even provide a special spam report form to report about spammers. They also have an option in their form to report about IM Spam, which is exactly what msn-blocked Web site does.
   So I sent my entire report about msn-blocked.com to GoDaddy, even twice, but so far, there is no any response from them.
2. Domains by Proxy:  This company provide a ‘privacy protection’ service that hides the real details of the user that Registers  a domain. It’s a very good and useful service, as long as it’s used by legitimated Web site owners, but unfortunately, this service is also used by scam owners like msn-blocked.com that want to hide their identity.
   Like GoDaddy, this company also says that they don’t allow to their customers to send spam and they also provide a form to fill a complaint about a spammer.
   I also send them my full report about msn-blocked.com scam, and exactly like GoDaddy, they simply don’t answer.
3. Microsoft Live Messenger Team:  The entire scam of msn-blocked.com Web site is based on connecting the MSN/Live Messenger servers and flooding the contacts of the user with fake messages.  The team of Live Messenger servers can easily block the IP addresses of msn-blocked Web site and bring down this scam right away.
   I reported about this scam to the team of Live Messenger, by using their feedback form and as a comment in their Blog. I also know that I’m not the only one that reported them about the msn-blocked scam.Unfortunately, like the other companies, the team of Live Messenger don’t bother themselves to do anything with this issue, even when they can easily shut down the scam by making a few changes in their Firewall.

   Maybe now, when this scam also targets English speakers, and will probably start to spread in United States very quickly, Microsoft will understand that they have to do something about it.

4. Allopass: As I already reported in my previous posts, the owner of this scam sell my MessenPass software in msnpass.info Web site, by using the SMS payment system of Allopass.
   As opposed to other companies, Allopass answered the messages I sent them about this scam, but unfortunately, they refused to stop working with the scam owner, saying that they cannot legally close the account and other excuses. Allopass also enjoys their part in the scam, because for each SMS code used by msnpass.info Web site, the revenue is shared between the scam owner, Allopass, and the phone company.
5. EURO-WEB Servers renting: EURO-WEB is the hosting company that currently hosts the servers of msn-blocked scam. I sent a full report about the scam to the abuse email of this company, but their is no any response from them.

I hope that one of the above companies will finally decide to take action against msn-blocked Web site before it start spreading in United States and many other countries that were not affected by this scam until now.

There is only one good side  in this story:  Both Firefox and Internet Explorer blocks some of the Web addresses of msn-blocked Web site thanks to the phishing reports made by users. However,  this Web site blocking only slows down the spreading of scam, but it doesn’t really prevent it. The scam owner also constantly replace the domain name and host name to avoid the blocking by the Web browser.

WirelessNetView, a utility that show all wireless networks currently detected by your wireless adapter, now provide a ‘Very High’ update rate.

This feature can be useful if you move with your laptop from one location to another (by foot or with a vehicle) and you want to locate any wireless network in your path.  It can also be useful if you have a wireless adapter plugged to a USB cable and you want to put it in a location with the best signal quality.

WirelessNetView now also allows you to save the current detected networks list into text/html/xml/csv file, by using the right command-line options, and without displaying any user interface.

The new version of WirelessNetView is available here.

The new version of BlueScreenView, version 1.05, now also support the MiniDump Files created by x64 version of Windows.
The executable file of BlueScreenView is still created as 32-bit application, but it can read and analyze the crash MiniDump Files of both both 32-bit and x64 systems.

Many people ask me if there is any package with all NirSoft utilities and a launcher application to easily find and run the desired utility.
So now there is something in development:
NirLauncher (The name might be changed later) is a utility that will be packed with dozens of NirSoft utilities and will display them in the main window, separated by different categories, like ‘Password Recovery Tools’, ‘Network Tools’, ‘Web Browser Tools’, and so on.

It’ll allow you to easy run a utility, run the utility with command-line parameters, open the help file, browser into the Web page of the utility, and so on.
It’s also possible that NirLauncher will allow other developers to provide their utilities as additional package for NirLauncher.

I hope that the first Beta of NirSoft Launcher will be available to download in the incoming weeks.
For now, you can enjoy the first screenshots of NirLauncher:

WinFontsView is a new utility that enumerates all fonts installed on your system, and displays them in one simple table.
For each font, WinFontsView draws 5 samples of the font in different sizes, in order to allow you to easily find and choose the desired font that you need. WinFontsView also allows you to view the fonts as Bold, as Italic or with underline, as well as it allows you to export the fonts list into html file.

For more infromation about WinFontsView, click here.

WinFontsView Screenshot