EncryptedRegView is a new tool for Windows that scans the Registry of your current running system or the Registry of external hard drive you choose and searches for data encrypted with DPAPI (Data Protection API). When it finds encrypted data in the Registry, it tries to decrypt it and displays the decrypted data in the main window of EncryptedRegView. With this tool, you may find passwords and other secret data stored in the Registry by Microsoft products as well as by 3-party products.

EncryptedRegView

EncryptedRegView

You can download this new tool from this Web page.

CredentialsFileView is a new utility for Windows that decrypts and displays the passwords and other data stored inside Credentials files of Windows. You can use it to decrypt the Credentials data of your currently running system, as well as the Credentials data stored on external hard drive. Inside the Credentials files of Windows you may find the following information: Login passwords of remote computers on your LAN, Passwords of mail accounts on exchange server (stored by Microsoft Outlook), Remote Desktop 6 user\password information,  Windows Live session information, and more…

CredentialsFileView

CredentialsFileView

 

You can download the CredentialsFileView utility from this Web page.

 

VaultPasswordView is a new tool for Windows 10/8/7 that decrypts and displays the passwords and other data stored inside ‘Windows Vault’. You can use it to decrypt the Windows Vault data of your currently running system, as well as the Windows Vault data stored on external hard drive.  This tool is useful especially for Windows 8 and Windows 10, because the passwords and other security information of Windows Mail , Internet Explorer 10.0/11.0, and Microsoft Edge Web browser are stored inside Windows vault.

Be aware that in order to decrypt the Windows Vault data you have to know the login password and type it in the ‘Vault Decryption Options’ window.

VaultPasswordView

VaultPasswordView

You can download the VaultPasswordView from this Web page.

 

FullEventLogView is a new utility for Windows 10/8/7/Vista that displays in a table the details of all events from the event logs of Windows, including the event description. It allows you to view the events of your local computer, events of a remote computer on your network, and events stored in .evtx files. It also allows you to export the events list to text/csv/tab-delimited/html/xml file from the GUI and from command-line. FullEventLogView is a replacement for the old MyEventViewer utility which uses old programming interface and thus it doesn’t show all new event log added starting from Windows Vista.

FullEventLogView

FullEventLogView

You can download the new FullEventLogView from this Web page.

 

EventLogChannelsView is a new utility for Windows 10/8/7/Vista that shows the list of all event log channels on your system, including the channel name, event log filename, enabled/disabled status, current number of events in the channel, size of the event log file, and more…  It also allows you to easily make some actions on multiple channels at once: enable/disable channels, set their maximum file size, and clear all events stored in the channels.

EventLogChannelsView

EventLogChannelsView

You can download the new EventLogChannelsView from this Web page.

In the last few weeks, I added support for recovering passwords from external hard drive contains the most recent versions of Windows (Windows 10, Windows 8, Windows 7) for some of the NirSoft Password-Recovery tools, including IE PassView, ChromePass, Network Password Recovery, and WirelessKeyView.
Until now there was only support for reading external drive passwords of Windows XP or Windows Vista and I had to do a very intensive reverse engineering in order to upgrade my DPAPI decryption code to work with Windows 7 and newer systems.
In addition to the upgrade of existing tools, there are also a few new utilities in development process that are specifically designed to extract passwords from external hard drive.

The combination of external drive support and the shadow copies of Windows also allows you to recover old passwords from a few weeks ago instead of the current passwords stored on your system.

Here’s an example for using the external drive support to recover previous passwords stored in your system:

First… You have to run the  ShadowCopyView utility to check the current shadow copies you have on your system.
If the main window of ShadowCopyView is empty, it means that there are no shadow copies and thus you cannot recover old passwords stored in your system.

In the following sample screenshot, you can see that there is a single shadow copy and its path is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

 

 

Now… Lets say that you accidentally deleted the passwords stored by Internet Explorer and now you want to recover them, so in IE PassView tool you should go to the ‘Advanced Options’ window (F8) and , choose the ‘Load the passwords from the following user profile’ option,  and then type the shadow copy path of your user profile.

For example, if your user profile is stored in c:\users\nirsoft64 and the shadow copy path is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 then the correct path that you have to type is  \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\users\nirsoft64 :

 

 

You also have to type the logon password of this user profile, because the logon password is needed to decrypt the passwords.
Assuming that you type the correct user profile path and logon password, IE PassView will decrypt the passwords stored by IE in the date that the shadow copy was created.
You can also use the same technique with the other tools that have external drive support (ChromePass, Network Password Recovery, WirelessKeyView, Dialpass )

Be aware that like any password-recovery tool, these tools trigger warnings and alerts in many Antivirus programs and your Antivirus software, firewall, or even your Web browser may block you from downloading them.

 

 

PreviousFilesRecovery is a new tool for Windows 10/8/7/Vista that allows you to scan the shadow copies of your local hard drive and find deleted files as well as older versions of existing files. For every file found in a shadow copy, PreviousFilesRecovery displays the following information: filename, folder, the current modified time and size of the file comparing to the modified time and file size inside the shadow copy,  shadow copy name, and the date/time that the shadow copy was created.

If the file you need is found in the shadow copies of Windows, you can easily recover it by copying it into existing folder on your drive.

PreviousFilesRecovery

PreviousFilesRecovery

You can download this new tool from this Web page.

ShadowCopyView is new tool for Windows 10/8/7/Vista that lists the snapshots of your hard drive created by the ‘Volume Shadow Copy’ service of Windows. Every snapshot contains an older versions of your files and folders from the date that the snapshot was created, you can browse the older version of your files and folders, and optionally copy them into a folder on your disk.
In addition to ShadowCopyView, another tool that searches old and deleted files inside shadow copies will be released soon.

ShadowCopyView

ShadowCopyView

You can download this new tool from this Web page.

HostedNetworkStarter is a new utility for Windows 7 and later that allows you to easily create a wifi hotspot with your wireless network adapter, using the Wifi hosted network feature of Windows operating system. With the wifi hotspot created by this tool, you can allow any device with wifi support to access the network and the Internet connection available in your computer.

HostedNetworkStarter

HostedNetworkStarter

 

You can download this new utility from this Web page.

 

 

BrowserAddonsView is a new tool for Windows that displays the details of all Web browser addons/plugins installed in your system. BrowserAddonsView can scan and detect the addons of most popular Web browsers: Chrome, Firefox, and Internet Explorer. For Chrome and Firefox, BrowserAddonsView detects and scans all Web browser profiles if there are multiple profiles.

BrowserAddonsView

BrowserAddonsView

You can download this new tool from this Web page.

 

NetworkOpenedFiles is a new tool for Windows that displays the list of all files that are currently opened by other computers on your network. For every opened filename, the following information is displayed: Filename, user name, computer name (On Windows 7/2008 or later), Permissions information (Read/Write/Create), locks count, file owner, file size, file attributes, and more…

NetworkOpenedFiles

NetworkOpenedFiles

 

You can download this new tool from this Web page.