Sunday, January 21, 2007

NirSoft's been Cooking!

Last night while I was working on my magnum-post on rootkit detectors, I decided to multi-task and run all four of my favorite anti-malware scanners (sequentially) in the background with full system scans.

  1. Spybot Search & Destroy - took about 15 minutes and found a handful of cookies. Removed.

  2. LavaSoft Ad-Aware SE Personal - took about 30 minutes and found some more cookies. Removed.

  3. AVG Anti-Spyware 7.5 - took about an hour and found quite a few cookies under the multiple profiles on our desktop system, along with a potentially risky app. (It was safe and I think it was related to a Windows system key locator application.) Removed cookies and ignored file.

  4. A-Squared Free - took significantly over an hour's time and found a few remaining cookies under the multiple profiles on our desktop system. It also identified quite a large number of potentially risky applications. (These were related to the TVNC remote control software I have, my Nokia cell-phone dialing application, and, like AVG-AS, the pspv.exe file.) Removed cookies and ignored files.

The identification of some of my tools as "Riskware" was to be expected, since any of those files could potentially have been put on my system to be used by a hacker to take control or steal critical information. I'm glad they alerted me.

So besides being highly impressed with the scanning abilities of AVG Anti-Spyware and A-Squared Free, what does this have to do with NirSoft? Everything!

See, I thought I remembered what that pspv.exe file was (Protected Storage PassView), but I just wanted to be sure and did a quick Google search. That landed me back over on NirSoft's webpage.

And I found quite a bundle of interesting new applications!

Internet Explorer Stored Passwords Viewer

NirSoft is the showcase of developer Nir Sofer. He releases very light and tiny, but dead-useful (to a system administrator) utilities as freeware. Lots of amazing stuff here!

The pspv.exe file in question on my system is Protected Storage PassView. It is used to display all the passwords and AutoComplete strings stored in your Windows system's Protected Storage. I like to use it occasionally to see what potentially vulnerable information is present in Internet Explorer, Outlook Express, and MSN Explorer.

But I was surprised to learn that Internet Explorer 7 isn't supported. Turns out IE7 doesn't use Protected Storage to save passwords any longer. (More information on IE7 password storage methods and locations here.)

Bummer? Nope!

NirSoft now has IE7 covered as well: IE PassView. Just run it and see what it finds if you are running IE7!

Product Key Finder

ProduKey - "...a small utility that displays the ProductID and the CD-Key of MS-Office, Windows, Exchange Server, and SQL Server installed on your computer. You can view this information for your current running operating system, or for another operating system/computer - by using command-line options. This utility can be useful if you lost the product key of your Windows/Office, and you want to reinstall it on your computer." I find this one invaluable for confirming product key information before reinstalling a system...just in case the user (or me!) miscopied or lost their key before I nuke and rebuild it.

Outlook PST Password utility

PstPassword - Outlook PST Password Recovery - "This utility can recover the PST passwords of Outlook 97, Outlook 2000, Outlook XP, and Outlook 2003. You don't have to install MS-Outlook in order to use this utility. You only need the original PST file that you locked with a password." Often I encounter a user who has cleverly locked their PST file down...then forgets it! Normally we would just

Nir Sofer also has an interesting article explaining just how a bug in Outlook allows him to use an "alternate" password for the PST file, even when it doesn't match the user's original one.

Additional NirSoft Utilities I find Useful

  • CurrPorts: TCP/IP Connections Viewer - Lists currently opened TCP and UDP ports on system.

  • AdapterWatch - Reports a range of useful information about the system's network adapter.

  • IPNetInfo - Get the dirt on the owner of an IP address.

  • IECookiesView - Independently manage the cookies of IE6 and earlier versions on your PC.

  • WinUpdatesList - List and export information on the Windows Updates installed on a system.

  • ShellExView - Shows and manages shell extensions installed on the computer.

  • SysExporter - Copy data from standard list-views, list boxes, and combo boxes and export it.

  • RegScanner (Registry Scanner) - Fast registry search/find scanner tool.

  • Access PassView v1.12 - Recover the password of an mdb file created with Microsoft Access 95/97/2000/XP.

  • WinLister v1.12 - Find detailed information on every window open on your system. Great for tracking down the source of malware-generated windows.

  • ShortcutsMan v1.01 - List details about all shortcuts that you have on your desktop and under your start menu. Find broken links and deal with them.

  • WinMessControl v1.00 - Disable/enable 'Windows Messenger' application under Windows XP.

  • OpenedFilesView v1.02 - Want a list of all opened files on your system? This will do it.

  • USBDeview v1.02 - Tiny utility that lists all USB devices that are now, or previously were, connected to your PC.

  • CurrProcess v1.11 - Find out what processes are running on your system. Lots of options and exporting of information found.

  • ServiWin v1.30 - List and generate a report on installed drivers and services running on your PC.

  • FileDate Changer v1.1 - Change the dates associated with a file. Bulk processing supported.

  • ExeInfo v1.01 - Get info from within EXE, DLL, OCX and other files.

Related Non-NirSoft utilities for License Key auditing and Password Recovery

Happy Tooling!
--Claus
