NirBlog

The amount traffic received by nirsoft.net was gradually increased, and that caused the http server to crash due to large amount of requests.
The hosting company removed my site for several hours because the server also hosts a few other sites. I’m now in a process of moving nirsoft.net site to a new server, and that will minimize the site downtime to almost 0%.

If you already worked with my password recovery tools, you probably know that most of them can only recover the passwords of the current logged-on user, but they cannot recover the passwords from another user profile or from an external drive.
The reason for this limitation is that most of these tools use some Windows API calls to decrypt the passwords, and these API calls only works for the current logged-on user.

In order to allow my tools to recover the passwords from an external drive,
I used my reverse engineering skills to find out exactly how Windows password decryption works, and wrote the code that do the same thing, but without the restriction of the current logged-on user.

So here’s the first tool that uses my new decryption code: Network Password Recovery.
This means that you can now recover the passwords stored inside the Credentials file of Windows XP/Vista/2003/2008 even if you have a dead system that cannot boot anymore.

There is only one restriction: you must know the last log-on password of the user that owned the Credentials file you wish to recover. The SHA hash of the log-on password is used in the process of Credentials file encryption, and without knowing that log-on password, the content of the Credentials file cannot be recovered instantly.

Sometimes people ask me “How do I print the data appeared in your tool ?”.
Although there is no printing support in my tools, you can easily send the data to a printer by using one of the following options:

1. Copy & Paste – You can select the data that you wish to print and copy it to the clipboard with Ctrl+C. After that, you can paste it to another application that support printing, like Excel, OpenOffice Spreadsheet, Notepad, and so on.
2. Print in your Web browser – You can select the data that you wish to print and then save it to html file. After that, you can open the saved html in your Web browser, and then print it.
3. Save to tab-delimited/comma-delimited file – You can select the data that you wish to print and then save it into a tab-delimited file or comma-delimited file.
   After that, you can open the saved file with any software that can import from tab-delimited/comma-delimited files, and then use that software to print the data.

There is a new feature in IECacheView utility that allows you to extract files from the cache of Internet Explorer into the same directory structure of the original Web site.
Just for example, in the following screenshot of IECacheView, you can see the list of cache files downloaded from NirSoft Blog:

If you select all these files, go to “Copy Selected Files To”, and then choose the “Save the files in the directory structure of the Web site” option, the folders structure after saving the files from the cache will look like this one:

If you work on Windows XP, you probably already familiar with the animated search puppy that show its unessential tricks while you make a search. However, this puppy has a small “feature” that many people don’t know about.
If you make a search, and then leave the search window opened without touching it for a long time, the search puppy get tired and goes to sleep….

Good Night !

While looking into the cache folder of Google Chrome Web browser, I found out that the file structure inside this folder looks a little familiar.
Similar to the cache of Mozilla/Firefox browsers, it has 3 data files, numbered from 1 to 3, when file number 1 is the smallest file, and the largest file is file number 3. It also has a cache map file, which numbered as ‘0’, and other files with hexadecimal numbers which contains the binary content of some cached files.

Here’s an example for the file structure in the cache folder of Chrome:

And here’s the cache folder of Firefox:

After looking more deeply into the cache folder of Chrome, I found out that the internal structures of the cache files are a little different from the structures of Firefox, but it still was very easy to figure out how to read these files, and you can see the result in my new ChromeCacheView utility.

It seems that there is a weird bug in beta 2 release of Internet Explorer 8.
When browsing into the main page of NirSoft Web site, the transition effect stops in the middle of the transition process, and the user may think that the Web browser just hang. However, after resizing the window a little, everything returns back to normal.

Here’s an example of how my site may look when browsing it with IE8:

Messages like “You have a Virus in your software” are received into my Inbox on daily basis, and a lots of them comes from AVG Antivirus. So I decided to check the current status of AVG false positives, by scanning the utilities folder of my site.
First, I copied the utils folder of my site into a new place (I don’t really want that AVG will touch my original site folder…), and then I allowed AVG Antivirus to scan the folder.
After AVG finished the scan, it splited the scan result into 2 categories: Infections and Spyware.
Most of the alerts on my utilities folder appeared under the ‘Spyware’ section.
I really would want to understand what is going in the minds of AVG guys when they decided to detect my software as Spyware.

Anyway, I used my own SysExporter utility to grab the scan result from AVG and display it as HTML. Luckily, SysExporter is not detected as infection by AVG, otherwise, it wouldn’t allow me to run and use it.
So here’s the AVG “False Positive” list, the Spyware section:

And this one is the Infections section:

And finally, here’s another issue with AVG and other Antivirus software:
When you exit from the Antivirus software, it won’t display any Virus/Trojan/Spyware warning, but the service of the Antivirus is still running in the background, and prohibits you from running any file that is detected as infected.
This mean that if you try to run one of my tools that are detected as Spyware/Virus while AVG application is not running, you’ll get the following error message:
“Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item”.

Most people that get this kind of error, think that there is a bug in my software, and don’t know that the Antivirus is the one that cause the problem.

I added 2 new options to OpenedFilesView that allows you to hide system files when you don’t really want to watch them:

• Hide System Process Files: Hide all files opened by ‘System’ process.
• Hide Svchost Files: Hide all files opened by svchost process.

Choosing the above 2 option can decrease the size of opened files list by dozens of items, and allow you to only watch the opened files of non-system applications. These options are available starting from version 1.25 of OpenedFilesView.

While watching a video in Microsoft Web site, I accidently discovered that my WebVideoCap tool cannot capture the video.
I don’t remember that I received any complaint about this problem, but this is somewhat make sense – because Microsoft is probably one of very few Web sites that uses Silverlight to play a video.
After looking into it with a sniffer, I found out that Silverlight streams are very similar to MMS that WebVideoCap already supports, so with a very small change in the code, I managed to make it work.
In the bottom line, starting from version 1.33, WebVideoCap can also capture the Silverlight videos in Microsoft Web site.