IE HistoryView

The laptop I was working on powered off without warning while I was researching a problem with software I wanted to use on a web server. I had a lot of tabs open in Internet Explorer (IE) 7 to webpages with information on the software. I hadn't stored the URLs for many of those webpages elsewhere, so wanted to recover the list of those visited URLs. Often I find that, if I reopen IE after an IE or system crash, the history list doesn't show many recently viewed pages.

So I decided to try the free IE HistoryView software from NirSoft. I've used other software from the same developer, Nir Sofer, and found it useful and easy to use.

No installation process is needed for the software. Simply extract the 3 files contained within the zip file. Place them wherever you want on the system, e.g. \Program Files\IEHistoryView. The zip file contains iehv.exe, iehv.chm, and a readme.txt file. The .chm file is a help file for the software.

When started, IE History View shows a list of URLs visited using the Internet Explorer browser.

IE HistoryView main window

If you right-click on a URL, you will see a menu of options. If you select "Open Link", you can open the selected webpage in your default web browser. You can also choose "Copy URL" to copy the URL to the Windows clipboard.

IE HistoryView Open Link

If you select "Properties", you can see further informaton regarding that URL within the IE history index file.

IE HistoryView URL Properties

By default, when you start IE HistoryView, it will use the Internet Explorer history index file for the account under which you are logged in. But you can also view information within the history index file for other accounts on the system by clicking on File and then Select User Profile. You can then select other accounts on the system, if you have the proper privileges, e.g. you are logged into an account with administrator access.

If you want to view the history information of another computer on a network, connect to the desired network drive, and from the File menu, choose Select History Folder, and select the history folder in the remote drive.

There is even the option to show all recent Google searches by clicking on File and selecting Show All Google Searches.

IE HistoryView Google 
Searches

Viewing Older History Information

In some circumstances, Internet Explorer saves some older history information in subfolders located under the main history folder. You can view the history information stored in these subfolders by using the Select History Subfolder option in the File menu.

IE HistoryView History 
Subfolder

About The History Folder

The location of the history folder varies from one version of Windows to another. On Windows 98, the history folder is located under your Windows directory. For example, if Windows 98 is installed under c:\win98, the history folder is c:\win98\history. On Windows 2000/XP, the History folder is located inside the "Local Settings" folder of your user profile. For example, C:\Documents and Settings\Administrator\Local Settings\History. The "Local Settings" folder is hidden by default, so you won't see this folder unless your system is configured to display hidden files and folders (see Display Hidden Files and Folders and Operating System Files for information on how to display such folders on a Windows XP system). In most systems, IEHistoryView automatically identifies your current History folder and uses it as default. However, you can always select History folder from another location by using the Select History Folder option under the File menu.

Be aware that when you watch the History folder from within the Windows environment, it doesn't show you the real files inside this folder, but instead it displays the history shell extension that provides limited information about the sites you visited.

Command-Line Options

Syntax: iehv [/Action] ["Destination File"] {-Source Type} {"Source"}

[/Action] can be one of the following options:

/stext Saves the URLs list into a text file specified in ["Destination File"] parameter.
/stab Saves the URLs list into tab-delimited text file specified in ["Destination File"] parameter.
/shtml Saves the URLs list into HTML file specified in ["Destination File"] parameter.
/sverhtml Saves the URLs list into vertical HTML file file specified in ["Destination File"] parameter.
/stabular Saves the URLs list into tabular text file specified in ["Destination File"] parameter.
/sxml Saves the URLs list into xml file specified in ["Destination File"] parameter.

The {-Source Type} parameter is optional. If you don't specify it, the URLs will be loaded from the default History folder on your system.
This parameter may contain one of the following values:

-folder Loads the URLs list from the folder specified in {"Source"} parameter.
-user Loads the URLs list of the user specified in {"Source"} parameter.

Examples:
iehv -folder "c:\Documents and Settings\Administrator\Local Settings\History"
iehv /shtml "c:\temp\urls.html"
iehv /stext "c:\temp\urls.txt" -user admin2
iehv /stext "c:\temp\urls1.txt" -folder "c:\windows\history"

Translating to other languages

IEHistoryView allows you to easily translate all menus, dialog-boxes, and other strings to other languages.
In order to do that, follow the instructions below:
  1. Run IEHistoryView with /savelangfile parameter:
    iehv.exe /savelangfile
    A file named iehv_lng.ini will be created in the folder of IEHistoryView utility.
  2. Open the created language file in Notepad or in any other text editor.
  3. Translate all menus, dialog-boxes, and string entries to the desired language.
  4. After you finish the translation, Run IEHistoryView, and all translated strings will be loaded from the language file.
    If you want to run IEHistoryView without the translation, simply rename the language file, or move it to another folder.

Security Analysis

As I normally do for software that I download, I submitted the downloaded file, iehv.zip to VirusTotal for analysis. The VirusTotal report is available here. VirusTotal is a free online malware scanning site which allows you to upload files for analysis by multiple malware detection programs. VirusTotal scanned the file with 39 malware detection programs. It reported that two, eSafe and Sophos reported the file as potentially unsafe. eSafe identified the file as being associated with Win32.Banker while Sophos identified it as NirSoft.

I find eSafe reports a lot of false positives, so I generally discount any eSafe findings unless I find other antimalware products identifying files as malware. So I checked on why Sophos might be labelling the file as potentially unsafe. Sophos' webpage related to the designation is at NirSoft - Hacking Tool. Sophos labels the NirSoft software as a Potentially Unwanted Application (PUA), which it describes as "an application that is not inherently malicious, but is generally considered unsuitable for most business networks. Potentially unwanted applications include adware, dialers, remote administration tools and hacking tools." It assigns a type of Hacking Tool to the software. So in essence, Sophos is indicating that one wouldn't normally expect to find this software on a user's system, but that you shouldn't regard it as dangerous if you installed it purposefully. I.e., this should only concern you if the presence of the software on the system came as a surprise to you. One should remember that the original meaning of the word "Hacker" was a complimentary term indicating someone was knowledgeable about computer systems or was enthusiastic in the pursuit of knowledge about such systems. In this case Nir Sofer is providing a tool that gives one insight into software, specifically Internet Explorer, on the system.

I also submitted the file for analysis to Jotti's Malware Scan site. That site scanned the file with 19 antivirus programs, all of which reported that they found nothing of concern in the file (see Jotti report).

I also submitted the file for analysis to VirSCAN.org, another free multi-engine virus scanner. That site scanned the file with 37 antivirus programs. None detected any malware in the file (see VirSCAN report), even though VirSCAN.org also checks uploads with Sophos antivirus software.

File Name: iehv.zip
File Size: 44526 byte
File Type: Zip archive data, at least v2.0 to extract
MD5: 7e1297c4bc4fc8d972b65396f27e3216
SHA1: c68963f40cee9cdff48ce0d05b66ce0080c843c4
Scanner results: All Scanners reported not find malware!
Time: 2009/02/28 12:29:09 (EST)

I also submitted the executable program, iehv.exe (MD5: b2d5574738cb4e772a1b849695c19a2a), which is contained within the zip file to ThreatExpert for analysis. I didn't see anything of concern in the ThreatExpert report. That report indicates that the program creates the following registry keys when run:

HKEY_CURRENT_USER\Software\NirSoft
HKEY_CURRENT_USER\Software\NirSoft\IEHistoryView

It doesn't create any other files on the system nor does it start any other processes.

The VirusTotal report for the iehv.exe program is available here.

Sunbelt Malware Research Labs is another service that analyzes file activity when a program is run. Their CWSandbox info report for iehv.exe is available here. That report also indicates that the only registry key created by the program is HKEY_CURRENT_USER\Software\NirSoft\IEHistoryView and that the only file it observed iehv.exe opening when run was C:\Documents and Settings\Sanbox\Local Settings\History\History.IE5\index.dat, i.e. the index.dat file for Internet Explorer for the user account under which the program was run.

So I feel confident that the eSafe identification of iehv.zip as containing Win32.Banker malware is yet another false positive from eSafe. I couldn't find any information on the eSafe site about Win32.Banker. Other sites with information on Win32.Banker are as follows:

Win32.Banker
avast! - antivirus protection

Win32/Banker
Microsoft Malware Protection Center

Interestingly, 2-viruses.com, a site that provides information on how to remove fake antmalware programs, states at How to remove Trojan-Spy.Win32.Banker.aiw ? in regards to Trojan-Spy.Win32.Banker.aiw that such fake antimalware software often report Trojan-Spy.Win32.Banker.aiw.

Trojan-Spy.Win32.Banker.aiw is not a real trojan but it indicates serious problems. This threat is reported by fake security tools. Do not trust programs that supposedly detect Trojan-Spy.Win32.Banker.aiw trojan and offer removing it for a certain price. This trojan can not be deleted because it simply doesn't exist.

Though, perhaps, eSafe doesn't fall in the same category as those rogue antimalware programs, I don't give much credence to eSafe identification of files as containing malware without some corroborating evidence from other antimalware software, since whenever I submit files to VirusTotal, I find eSafe frequently identifies files as suspicious, though no other antimalware program does and I can't find any evidence that the designation is other than a false positive.

Download Sites

NirSoft
MoonPoint Support

References:

  1. IE HistoryView: Freeware Internet Explorer History Viewer
    By: Nir Sofer
    NirSoft
  2. What is a False Positive?
    CGISecurity - Website and Application News
  3. NirSoft - Hacking Tool - Sophos security analysis
    Sophos Plc
  4. Potentially unwanted application (PUA)
    Sophos Plc
  5. Hacking tool
    Sophos Plc