I just tested a few of my utilities on Windows 7 Beta.

The test included IE PassView, IECacheView, Network Password Recovery, SysExporter, RegScanner, Dialupass, CurrPorts, DriverView, LSASecretsView, and more.
It seems that all tested utilities work fine under Windows 7, as you can see in the following screenshot:

SiteShoter:

  • Added new options: ‘Save Config’ and ‘Load Config’
  • Added new command-line option: /LoadConfig – Start SiteShoter with the specified config file.
  • Added new command-line option: /RunConfig – Take a screenshot according to the specified config file, without displaying any UI.

ResourcesExtract:

  • Added new options: ‘Save Config’ and ‘Load Config’
  • Added new command-line option: /LoadConfig – Start ResourcesExtract with the specified config file.
  • Added new command-line option: /RunConfig – Extract resources according to the specified config file, without user interface.

RegDllView:

  • Added new option: ‘Create .Reg File For Deleting Entries’ – Allows you to create a .reg file that will remove all entries of the selected registered files when you run it. This option can be useful if you want to clean the same registered files on multiple machines.
  • Added more accelerator keys.
  • Fixed the focus problem after using the unregister/delete options.

Dialupass:

  • Dialupass was completely rewritten, and the new version contains all the current NirSoft standards, including the ability to translate to other languages.
  • Added support for recovering dialup passwords from an external instance of Windows 2000/XP/2003. This feature can be useful if you have a dead operating system that cannot boot anymore.
  • Added support for setting the dialup user/password from the command line (/setpass).

NirCmd:

  • New commands: waitprocess, setprocesspriority, qboxtop, qboxcomtop.
  • New action in clipboard command: copyimage (Copy image file to the clipboard)

OpenedFilesView:

  • New option: Bring process to front.
  • Added more accelerator keys.

Since I started to collect general statistics about Web browser usage of nirsoft.net, 4 years ago, there has been a gradual increase in usage of Firefox, while the usage of Internet Explorer has gradually decreased.
According to statistics of the last month (December 2008), 29.2% of nirsoft.net visitors use Firefox as their Web browser, while 55.8% of visitors use Internet Explorer.

For more nirsoft.net statistics, click here.

Virus for Christmas?

December 23rd, 2008

In the last few weeks, some virus distributors have been trying to exploit the holiday season in order to spread viruses more easily. The viruses are attached to email messages that offer coupons or special offers for Christmas.
The first 2 ‘Christmas Virus Messages’ already appeared at the beginning of December, and these emails identified themselves as originating from Coca Cola and Mcdonalds.
Now there are 3 new messages which identify themselves as originating from Symantec, British Airways and Jack Daniel’s.

As my email address is pretty popular, I received dozens of these emails together with other junk, as you can see in the following screenshot:

All these emails instruct the user to open the attached file, which contains a virus that probably continues to send these emails to more and more people.

Here are the details of all 5 Christmas Virus Messages:

  • Symantec

    Subject: Christmas Product Extention
    From: “noreply@symantec.com”
    Attachment: product-extention.zip

    Message Body:
    This holiday season Synamtec is rewarding our valued customers by extending your products protection period by six months.
    Follow the instrustions in the attachment to receive your extra protection and have a wonderful Christmas!
    Offer valid until midnight 31st January 2008.

  • British Airways

    Subject: Holiday Savings
    From: “noreply@britishairways.com”
    Attachment: britishairways-coupon.zip

    Message Body:
    British Airways is offering fantastic deals this festive season. Check your attached coupon and book online today for an amazing holiday!

  • Jack Daniel’s

    Subject: Limited Edition Merchandise
    From: “noreply@jackdaniels.com”
    Attachment: jackdaniels-coupon.zip

    Message Body:
    Have yourself a Merry Christmas with Jack Daniel’s.
    Print the coupon and head for your local outlet
    for limited edition merchandise.

  • Coca Cola

    Subject: Coca Cola is proud to announce our new Christmas Promotion
    From: “noreply@coca-cola.com”
    Attachment: promotion.zip

    Message Body:
    Coca Cola is proud to announce our new Christmas Promotion.

    December, 2008

    Play our fantastic new online game for your chance to WIN a trip to the Bahamas and get all Coca Cola drinks for free in the rest of your life. See the attachment for details.

  • Mcdonalds

    Subject: Mcdonalds wishes you Merry Christmas!
    From: “giveaway@mcdonalds.com”
    Attachment: coupon.zip

    Message Body:
    McDonald’s is proud to present our latest discount menu.

    Simply print the coupon from this Email and head to your local McDonald’s for FREE giveaways and AWESOME savings.

When you run an operating system inside Virtual PC, the current date/time is automatically taken from the host operating system.
This feature is useful in most cases, but sometimes you may want to run the guest operating system with a specific date and time, instead of the current date/time.
You can do that simply by changing the date/time of your computer, but this change will also affect the other programs running on the same machine.

To change only the date/time of the guest operating system, you can use one of the following methods:

  1. Manually change the .vmc file:

    The .vmc files contain the configuration of each virtual machine and are usually located under [User Profile]\My Documents\My Virtual Machines\[Virtual Machine Name]

    You have to make 2 changes in the right .vmc file:

    A. Disable the time synchronization:

    Under the following mouse configuration:
    <mouse>
    <allow type="boolean">true</allow>
    </mouse>

    Add this:
    <components>
    <host_time_sync>
    <enabled type="boolean">false</enabled>
    </host_time_sync>
    </components>

    B. Set the desired date/time:

    You have to find the time_bytes value inside the .vmc file, which looks like this one:

    <time_bytes type="bytes">27003200110001201008</time_bytes>

    After finding it, set the desired date/time value according to the following specification:
    Digits 1 – 2 contain the seconds value.
    Digits 5 – 6 contain the minutes value.
    Digits 9 – 10 contain the hours value.
    Digits 15 – 16 contain the day value.
    Digits 17 – 18 contain the month value.
    Digits 19 – 20 contain the year value.

    In the above example, the date/time value is 11:32:27, 20/10/2008

    After making the above 2 changes, save the .vmc file, and the guest operating system will start with the date/time that you set in the time_bytes value.

  2. By using the RunAsDate utility:

    In order to use this method, download and run the RunAsDate utility, choose the desired date/time, and select the path of the Virtual PC application (it should be something like C:\Program Files\Microsoft Virtual PC\Virtual PC.exe), and then click the ‘Run’ button to start running the Virtual PC application. If Virtual PC is already running on your computer, you should close it before starting the new one.

    When you run the Virtual PC application through the RunAsDate utility, all the guest operating systems that you run from it will automatically use the date/time that you set with the RunAsDate utility, instead of the real date/time of your computer.
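
The time_bytes layout and the two .vmc changes from method 1, as an added Python example that is not part of the original post: it decodes a time_bytes value, writes a new date/time into it, and applies both changes to the text of a .vmc file. The function names and the sample fragment are constructed for illustration, and the two-digit year is assumed to count from 2000.

```python
import re
from datetime import datetime

# 0-based offsets of the two-digit fields the post documents (digits 1-2, 5-6, ...).
FIELDS = {"second": 0, "minute": 4, "hour": 8, "day": 14, "month": 16, "year": 18}
SYNC_OFF = ('<components><host_time_sync><enabled type="boolean">false</enabled>'
            "</host_time_sync></components>")
# Constructed sample built from the fragments quoted in the post (not a full .vmc).
SAMPLE_VMC = ('<mouse><allow type="boolean">true</allow></mouse>'
              '<time_bytes type="bytes">27003200110001201008</time_bytes>')

def _check(value):
    if not re.fullmatch(r"[0-9]{20}", value):
        raise ValueError("time_bytes must be exactly 20 decimal digits")

def decode_time_bytes(value):
    """Return the date/time stored in a 20-digit time_bytes string."""
    _check(value)
    f = {name: int(value[i:i + 2]) for name, i in FIELDS.items()}
    # Assumption: the two-digit year counts from 2000 (08 means 2008 in the post).
    return datetime(2000 + f["year"], f["month"], f["day"],
                    f["hour"], f["minute"], f["second"])

def encode_time_bytes(template, when):
    """Write `when` into `template`; digits the post does not document stay as-is."""
    _check(template)
    if not 2000 <= when.year <= 2099:
        raise ValueError("year does not fit in two digits")
    parts = {"second": when.second, "minute": when.minute, "hour": when.hour,
             "day": when.day, "month": when.month, "year": when.year - 2000}
    digits = list(template)
    for name, i in FIELDS.items():
        digits[i:i + 2] = f"{parts[name]:02d}"
    return "".join(digits)

def patch_vmc(xml_text, when):
    """Apply changes A and B from method 1 to the text of a .vmc file."""
    m = re.search(r"<time_bytes[^>]*>([0-9]{20})</time_bytes>", xml_text)
    if m is None:
        raise ValueError("no 20-digit time_bytes element found")
    xml_text = (xml_text[:m.start(1)] + encode_time_bytes(m.group(1), when)
                + xml_text[m.end(1):])
    if "<host_time_sync>" in xml_text:
        return xml_text  # already configured: check <enabled> by hand
    if "</mouse>" not in xml_text:
        raise ValueError("no </mouse> element to anchor the sync setting")
    return xml_text.replace("</mouse>", "</mouse>" + SYNC_OFF, 1)
```

Work on a copy of the .vmc file while the virtual machine is shut down, and read and write it in the encoding the file already uses.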

If you successfully used one of the above methods, you should have a running guest operating system with the date/time that you chose, while the computer’s date/time continues to run normally.

The new version of WirelessKeyView now allows you to recover your wireless network keys from an external instance of the Windows XP operating system (Vista is not supported yet). This feature can be useful if you have a dead system that cannot boot anymore.
You can use this feature from the user interface, by using the ‘Advanced Options’ in the File menu, or from the command line, by using the /external parameter.

Dialupass is one of the oldest utilities on my sites (7+ years!), so I decided to completely rewrite it, instead of continuing the development of the old one. The new version contains all the current NirSoft standards, including the ability to translate to other languages.
There is also one useful new feature: You can now extract the dialup passwords from an external instance of Windows 2000/XP/2003 (In Advanced Options).

Dialupass 3 is not officially released yet, but you can download a Beta version from here.

The new version of LsaSecretsView allows you to extract the LSA secrets from an external instance of the Windows operating system. This feature can be useful if you have a dead system that cannot boot anymore.
You can use this feature from the user interface, by using the ‘Advanced Options’ in the File menu, or from the command line, by using the /external parameter.
This feature was also added to LSASecretsDump, which is the console version of LsaSecretsView.

Be aware that currently this feature works for Windows 2000/XP/2003, but not for Windows Vista.

A new section was added to nirsoft.net: Major IP Addresses Blocks By Country.
In this section, you can select your country (or any other country in the world) and view all major IP address blocks assigned to the selected country. For countries in Europe and in the Middle East, the company name/Internet provider that owns the IP block is also displayed.
You can also sort the list by IP address, block size, assign date, or by owner name.

Saved Password Locations

November 24th, 2008

Many people ask me about the location in the Registry or file system where applications store their passwords. So I prepared a list of password storage locations for popular applications.
Be aware that even if you know the location of the saved password, it doesn’t mean that you can move it from one computer to another. Many applications store the passwords in a way that prevents you from moving them to another computer or user profile.

  • Internet Explorer 4.00 – 6.00: The passwords are stored in a secret location in the Registry known as the “Protected Storage”.
    The base key of the Protected Storage is located under the following key:
    “HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider”.
    You can browse the above key in the Registry Editor (RegEdit), but you won’t be able to view the passwords, because they are encrypted.
    Also, this key cannot easily be moved from one computer to another, like you do with regular Registry keys.

    IE PassView and Protected Storage PassView utilities allow you to recover these passwords.

  • Internet Explorer 7.00 – 8.00: The new versions of Internet Explorer store the passwords in 2 different locations.
    AutoComplete passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.
    HTTP Authentication passwords are stored in the Credentials file under Documents and Settings\Application Data\Microsoft\Credentials, together with login passwords of LAN computers and other passwords.

    IE PassView can be used to recover these passwords.

  • Firefox: The passwords are stored in one of the following filenames: signons.txt, signons2.txt, and signons3.txt (depends on Firefox version)
    These password files are located inside the profile folder of Firefox, in [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name]
    Also, key3.db, located in the same folder, is used for encryption/decryption of the passwords.
  • Google Chrome Web browser: The passwords are stored in [Windows Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data
    (This file is an SQLite database which contains encrypted passwords and other stuff)
  • Opera: The passwords are stored in the wand.dat file, located under [Windows Profile]\Application Data\Opera\Opera\profile
  • Outlook Express (All Versions): The POP3/SMTP/IMAP passwords of Outlook Express are also stored in the Protected Storage, like the passwords of old versions of Internet Explorer.

    Both Mail PassView and Protected Storage PassView utilities can recover these passwords.

  • Outlook 98/2000: Old versions of Outlook stored the POP3/SMTP/IMAP passwords in the Protected Storage, like the passwords of old versions of Internet Explorer.

    Both Mail PassView and Protected Storage PassView utilities can recover these passwords.

  • Outlook 2002-2008: All new versions of Outlook store the passwords in the same Registry key of the account settings.
    The accounts are stored in the Registry under HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\[Profile Name]\9375CFF0413111d3B88A00104B2A6676\[Account Index]
    If you use Outlook to connect to an account on an Exchange server, the password is stored in the Credentials file, together with login passwords of LAN computers.

    Mail PassView can be used to recover lost passwords of Outlook 2002-2008.

  • Windows Live Mail: All account settings, including the encrypted passwords, are stored in [Windows Profile]\Local Settings\Application Data\Microsoft\Windows Live Mail\[Account Name]
    The account filename is an xml file with .oeaccount extension.

    Mail PassView can be used to recover lost passwords of Windows Live Mail.

  • ThunderBird: The password file is located under [Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name]
    You should search for a file with the .s extension.
  • Google Talk: All account settings, including the encrypted passwords, are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name]
  • Google Desktop: Email passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\[Account Name]
  • MSN/Windows Messenger version 6.x and below: The passwords are stored in one of the following locations:
    1. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
    2. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MessengerService
    3. In the Credentials file, with an entry named “Passport.Net\\*”. (Only when the OS is XP or later)
  • MSN Messenger version 7.x: The passwords are stored under HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name]
  • Windows Live Messenger version 8.x/9.x: The passwords are stored in the Credentials file, with an entry name that begins with “WindowsLive:name=”.

    These passwords can be recovered by both Network Password Recovery and MessenPass utilities.

  • Yahoo Messenger 6.x: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager
    (“EOptions string” value)
  • Yahoo Messenger 7.5 or later: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager – “ETS” value.
    The value stored in “ETS” cannot be recovered back to the original password.
  • AIM Pro: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\AIM\AIMPRO\[Account Name]
  • AIM 6.x: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
  • ICQ Lite 4.x/5.x/2003: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners\[ICQ Number]
    (MainLocation value)
  • ICQ 6.x: The password hash is stored in [Windows Profile]\Application Data\ICQ\[User Name]\Owner.mdb (Access Database)
    (The password hash cannot be recovered back to the original password)
  • Digsby: The main password of Digsby is stored in [Windows Profile]\Application Data\Digsby\digsby.dat
    All other passwords are stored in Digsby servers.
  • PaltalkScene: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Paltalk\[Account Name].