15 freeware tools from the NirSoft package for endpoint or network monitoring

NirSoft provides a unique collection of freeware utilities. Many utilities are available, and some of them can aid at different steps of endpoint or network monitoring. In this blog post, we discuss 15 tools that work only on different versions of Windows operating systems. For each tool, we also list the information it can extract, which gives valuable insight into any endpoint or the network as a whole.

  • CurrPorts:

Lists all currently opened TCP/IP and UDP ports on the computer. It runs live. For every connection, it lists the following information:

Process Name, Process ID, Protocol (TCP or UDP), Local Port, Local Port Name (if any), Local Address (IP), Remote Port, Remote Port Name, Remote Address, Remote Host Name, Network Status, Sent Bytes, Received Bytes, Sent Packets, Received Packets, Executable File Path, Product Name, Executable Version, Company, Process Created On, User Name, Process Running Time, Window Title.

  • IPNetInfo:

IPNetInfo lists all available information about an IP address. For each IP address, it gives the following information:

Owner name, IP range (Start IP and end IP), Network Name, CIDR, Contact Name, Address (City, State, Country), Postal code, Email address, Abuse Email, Abuse Contact, Phone number, Fax, Source of the data, Host Name.

  • WhoIsThisDomain:

This domain registration lookup utility gives information about the registered domain. It gives the following information:

Domain expiration date, Creation date, Last Update date, Registered to, Private Registration, Email Address, Phone Number, Country, Registrar URL.

  • ProcessActivityView:

This tool lists all files and folders a particular process tries to access. For each accessed file, it displays the following information:

Filename (full path), extension, file, open count, close count, read count, write count, read bytes, write bytes.

  • RegFromApp:

Monitors the registry changes made by a selected application. Creates a standard RegEdit registration file (.reg) that contains all the registry changes made by the application.

  • CredentialFileView:

Decrypts and displays the passwords and other credential data stored inside the credentials file of Windows. In Windows, the following credential information is stored:

  1. Login Passwords of remote computers on your LAN.
  2. A password for email accounts.
  3. A password for the Windows Messenger account.
  4. Internet Explorer passwords.

This tool helps provide the following information from the Windows credential files: File Name, File Path, File size, Create date, Modified time, Entry Name, User Name, and Password.

  • DataProtectionDecryptor:

Decrypts passwords and other information encrypted by the Windows DPAPI (Data Protection API). It decrypts the following data:

  1. Passwords of Outlook accounts.
  2. Credential files of Windows.
  3. Wireless Network Keys.
  4. Passwords of Internet Explorer and the Chrome web browser.
  5. Encrypted cookies in Chrome Web Browser.

  • FullEventLogView:

This tool displays a table of all events from the event logs of Windows. The table shows the following information: Event Time, Record ID, Event ID, Level, Channel, Provider, Event Description, Thread ID, Process ID, and Computer User. This is a great tool for administrators or users of a system to look for critical events in any endpoint. It enables an administrator to view the events of any local computer, events of a remote computer on your network, and events stored in .evtx files.

  • FastResolver:

This tool resolves multiple host names into IP addresses and vice versa. For the local network, it provides the IP address, hostname, original name, MAC address and company name for each IP address or hostname. There is also scope for specifying IP address ranges that users might want to scan.

  • NetResView:

Displays all the network resources (computers, disk shares and printer shares) on the local network. It provides Resource Name, Resource Type, Domain, IP Address, Local Path, OS Name, OS version, MAC address, and MAC address company.

  • DownTester:

It tests the download speed of a file from that file's URL. It shows the URL, Local ISP name of that URL, Speed (Bytes), Speed (Bits), Downloaded (it does not download the whole file), Start Time, and Download Duration.

  • NetworkLatencyView:

This tool works only for Windows systems and computes the latency of every new TCP connection from any particular computer system. It shows Source Address, Destination Address, Source Host Name, Destination Host Name, Average Latency, First Latency, Last Latency, Failed Count, and Destination country.

  • LastActivityView:

This tool works for Windows operating systems and displays actions made by a user on the computer or events generated by the computer system. The information collected by this tool includes running a .exe file, opening a dialogue box, opening a file/folder from File Explorer or other software, system shutdown/start, and application or system crash. The table displays Action time, Action description, File name, Full path of the file, More Information (application company name, application name, version etc.), file extension, data source (from where the activity information was found), etc.

  • MyLastSearch:

This tool scans web browsers’ cache and history files and finds all search queries made with popular search engines (Google, Yahoo etc.) and popular social media sites (Twitter, Facebook etc.). It displays Search Text, Search Engine, Search Type, Search Time, Web browser name, and URL in a table.

  • WebBrowserPassView:

It is a password recovery tool that reveals passwords stored by web browsers (Internet Explorer, Mozilla Firefox, Google Chrome, Safari and Opera). It provides the website URL, Web Browser Name, User Name, Password, Password strength, User Name Field, Password Field, Create time, Modified Time, and Filename (Data Source Path).
