Tools #2 – Nirsoft Utilities

Ode to Nirsoft

Nirsoft.net houses a collection of free, portable utilities that I have found indispensable over time.  Much like the SysInternals Suite, I fall back on them when I come across a good problem—chances are one of the small but powerful utilities can help me find answers.   They are also really useful in forensics-type work.

Two great features of most of the apps are that they can be run from the command line and can export results to csv/txt.  Below is a list of the ones I have found most beneficial:

PingInfoView is a small utility that allows you to easily ping multiple host names and IP addresses, and watch the result in one table. It automatically pings all hosts every number of seconds that you specify, and displays the number of successful and failed pings, as well as the average ping time. You can also save the ping results to a text/html/xml file, or copy them to the clipboard.

Elevates one of the simplest commands—ping—into a tool I’m hard-pressed to criticize in any way.  You can run multiple ping commands against multiple hosts with a user-defined interval, then have statistics and logging to review for later if needed.  I have this program (along with many other Nirsoft goodies) loaded into our RMM toolbox via self-extracting .zip so it can be deployed on any endpoint I’m connected to.

LastActivityView is a tool for the Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events that occurred on this computer. The activity displayed by LastActivityView includes: running an .exe file, opening an open/save dialog box, opening a file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more…

LAV shows you at a granular level actions that are being taken on a computer.  While not on the same playing field as an EDR program, all shown events are useful for making a timeline to show what is happening while a user is on a computer.

BrowsingHistoryView is a utility that reads the history data of different Web browsers (Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Opera) and displays the browsing history of all these Web browsers in one table. The browsing history table includes the following information: Visited URL, Title, Visit Time, Visit Count, Web browser and User Profile. BrowsingHistoryView allows you to watch the browsing history of all user profiles in a running system, as well as to get the browsing history from external hard drive.
You can also export the browsing history into csv/tab-delimited/html/xml file from the user interface, or from command-line, without displaying any user interface.

As an admin, I honestly, truly, do not care what a user is doing on the web.  It is a waste of time and resources to monitor browser usage as long as the job is getting done and the business is not affected.  What some might call a management problem vs. an IT problem.  That being said, when it does impact the business or security, there are times where I need to know.  Paired with a GPO to disable deletion of history, this tool has been very helpful in multiple situations.

CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it.
In addition, CurrPorts allows you to close unwanted TCP connections, kill the process that opened the ports, and save the TCP/UDP ports information to an HTML file, XML file, or tab-delimited text file.  CurrPorts also automatically marks in pink suspicious TCP/UDP ports owned by unidentified applications (applications without version information and icons).

Think of netstat on steroids, and this is what you’d get.  It shows you, in a clean UI, who is talking to what, and how.  An oft-used feature is the export to log function—it can provide a timeline of port status on a PC over time, with a range of refresh intervals starting at just 1 second.  Here is my custom log line which gives me a file I can easily manipulate in Excel:

				
%Process_ID.8%, %Process_Name.20%, %Protocol.5%, %Local_Address.25%, %Local_Port.5%, %Remote_Address.35%, %Remote_Port.5%, %State.10%, %User_Name.15%, %Remote_Host_Name.30%
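For triage outside Excel, the same log can be parsed in a few lines. This is an added example, not part of the original post or of CurrPorts itself: it assumes each logged line holds the ten comma-separated values in the order of the custom log line above, and it lists which processes talked to addresses outside the internal ranges. The sample lines, process names and addresses are constructed.

```python
import ipaddress
from collections import defaultdict

# Column order of the custom log line above; the ".N" suffixes only pad values.
FIELDS = ["pid", "process", "protocol", "local_addr", "local_port",
          "remote_addr", "remote_port", "state", "user", "remote_host"]

# Ranges treated as internal: RFC 1918, loopback, link-local, unspecified.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/32", "::1/128", "fe80::/10", "fc00::/7", "::/128")]

def parse_line(line):
    """Return a dict for one log line, or None if it is not ten fields."""
    parts = [p.strip() for p in line.rstrip("\r\n").split(",")]
    if len(parts) != len(FIELDS):
        return None
    row = dict(zip(FIELDS, parts))
    # Assumption: text before the first value (e.g. a timestamp) is a prefix.
    head = row["pid"].split()
    if not head or not head[-1].isdigit():
        return None
    row["prefix"], row["pid"] = " ".join(head[:-1]), int(head[-1])
    return row

def is_external(addr):
    """True when addr parses as an IP outside the INTERNAL ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # empty or non-IP value
        return False
    return not any(ip in net for net in INTERNAL)

def external_peers(lines):
    """Map (process, pid) -> sorted list of external 'addr:port' peers."""
    peers = defaultdict(set)
    for row in filter(None, map(parse_line, lines)):
        if is_external(row["remote_addr"]):
            peers[(row["process"], row["pid"])].add(
                f'{row["remote_addr"]}:{row["remote_port"]}')
    return {key: sorted(val) for key, val in peers.items()}

# Constructed sample lines (documentation addresses, not real captures).
SAMPLE = [
    "    4312, chrome.exe  , TCP  , 192.168.1.20 , 50211, 203.0.113.10 , 443  , Established, jdoe  , edge.example.net",
    "    4312, chrome.exe  , TCP  , 192.168.1.20 , 50212, 198.51.100.7 , 443  , Established, jdoe  , ",
    "     988, svchost.exe , TCP  , 0.0.0.0      , 135  , 0.0.0.0      , 0    , Listening  , SYSTEM, ",
    "    7020, updater.exe , TCP  , 192.168.1.20 , 50300, 192.168.1.5  , 445  , Established, jdoe  , fileserver",
]
```

Calling `external_peers(open(path))` on a real log file works the same way, since the function only needs an iterable of lines.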

WifiInfoView scans the wireless networks in your area and displays extensive information about them, including: Network Name (SSID), MAC Address, PHY Type (802.11g or 802.11n), RSSI, Signal Quality, Frequency, Channel Number, Maximum Speed, Company Name, Router Model and Router Name (only for routers that provide this information), and more…

A much-improved interface compared to what you get with Windows.  Shows you every single AP your machine can see, along with tons of data.  In my admin duties, very handy when playing “Find that particular AP” or troubleshooting someone’s home network—it is quite surprising how much is in the air, especially in condos/apartments.

FullEventLogView is a simple tool for Windows 11/10/8/7/Vista that displays in a table the details of all events from the event logs of Windows, including the event description. It allows you to view the events of your local computer, events of a remote computer on your network, and events stored in .evtx files. It also allows you to export the events list to text/csv/tab-delimited/html/xml file from the GUI and from command-line.

Combines all event log entries/providers into one list.  It helps you see exactly what was happening on a machine for a specific period—a full timeline without having to switch between sources.  You also have the ability to filter and drill down to show a specific subset of events.