Updated 2014-09-20 15:37:11 by APN

News edit

APN 2014/09/20: V3.2.2 released.

See [1] for details, downloads and source.

See [2] for a detailed list of changes since previous releases.

What is WiTS? edit

Windows Inspection Tool Set slices a running Windows system multiple ways, providing cross-linked, filtered views of Windows components.

  • View properties of processes, network connections, users, services and more in customizable tables
  • Navigate between objects via richly cross-linked views
  • Filter displayed items with flexible user defined filters
  • Focus on changing data with enhanced change display modes
  • Customize displayed information and layouts to focus on areas of interest.
  • Track and monitor resources and system activity such as process startup, network connections, logins and more with optional recording to disk
  • Filter and search for Windows events through an integrated view of Windows event logs
  • Quickly access functions via the taskbar and hotkeys

Currently supported object types include:

  • Operating system and hardware
  • Processes
  • Services
  • Users
  • Groups
  • Logon sessions
  • Drives and volumes
  • Local and remote shares
  • Network interfaces
  • Network connections
  • Loaded modules
  • Kernel drivers
  • Windows event log

WiTS is built using (amongst other packages) Tcl/Tk 8.6, tktreectrl, TWAPI, Snit, and tklib.

Project links edit

Home page - http://windowstoolset.sourceforge.net

Project page - http://sourceforge.net/projects/windowstoolset

Mercurial repository - http://sourceforge.net/p/windowstoolset/code

Screen shot edit

General discussion edit

escargo 27 Feb 2007 - I put the wits.exe (along with the directories it came in) in my SanDisk Cruzer Micro 4.GB USB Flash memory device. I double-clicked on wits.exe and it errored out. Then I selected it again, but right clicked on it and picked "Run as Administrator." Then it worked. I haven't tested everything, but what I have tried has worked. It looks just like a native Windows Aero application.

HE 27 Feb 2007 - Why is wits distributed as msi-installer file (1.1.1) or as setup.exe(2.0 beta)? The version 1.1.1 contains an Starpack. This can used without any other installation (Works for me on XP, w2000, w2k-server). APN Both versions contain a wits.exe that can be used standalone. As to why an installer is used, it's because I want it to be as close to a conventional Windows app as possible - create shortcuts in the Start menu, show up in the Add/Remove programs, leave nothing behind on disk or in the registry when uninstalled etc. In the longer run, I also hope to add other utilities so it will not be a single executable. HE Perhaps it is possible additional to provide the starkit/starpack? MHo I see absolutely no reason for using windows installer (msi) technology in this case. To understand the misterious msi, one have to study thousands of documents over three months. In old MSDOS days, copy *.* was the prefered way, perhaps editing a little clear-text config here and there afterwords. What about an alternative installation archive (.ZIP or so) with .exe and .kit inside? APN Sorry I don't plan on doing this. I guess I just don't see it as that big a deal to install. Eventually I want this to be on the standard freeware sites (non-Tcl) so I would like it to follow the standard practice most packages use. Those who want just wits.exe to carry around can just copy it and uninstall. If one of you does take the trouble of creating a zip or whatever, please remember to include the full nuvola.zip image archive as well since it is under LGPL. For a future release, I plan on U3-enabled distribution - that I'll probably make just a simple exe.

LV It might be useful if HE would discuss why they care about how the code is distributed? I've not tried this tool, because in general, on my xp system, I cannot get permission to run the various normal MSDOS installers. I can, however, make use of starpack applications. So for me, in general, I prefer starpacks. As I said, I've not tried the installers for this app, so I don't know whether or not it would work. I don't care to raise the security alerts. I do note, however, that the Vista report above talks about not being able to run the application except as administrator. That definitely means I won't be able to use it...

2007-12-27 Ro: Great work, Ashok. Been using it this morning and enjoy it. Will keep it in my toolbox, especially useful to me is the netstat-like functionality and the process information. Overall a nice use of twapi. Another feature I like is the network shares list.

I second the request to get rid of MSI; you should distribute it as a single .exe. I know a lot of the freeware guys like that too. Lean and mean and all that jazz.

You can copy other utility exe's you want to bundle to a temp folder from the starpack if you wanted a single exe.

The Network Connections window could be less cpu intensive. I've got a lot of connections listed there; it could stand to be faster. APN In 3.0, displays of large number of objects should be MUCH faster as WiTS now uses tktreectrl instead of tablelist.

Thanks for a useful tool. Also, the look is very native; I can tell you spent a lot of time on that, and it shows.

MHo 2014-06-20: Unfortunally, the wits installer is blamed by Symantec protection software as containing some trojan horse. I'm not able to download and install it anymore on my win7 pc. Just for your information. Symantec info as follows:
 Risikoname: Trojan.ADH.SMH
Dateiname : setup-wits-3.1.12(64 bit).exe

Discovered:  September 4, 2013Updated:  September 5, 2013 3:39:44 PMType:  TrojanSystems Affected:  Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

Trojan.ADH.SFC is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers. 

Antivirus Protection Dates
Initial Rapid Release version September 4, 2013 revision 025
Latest Rapid Release version September 4, 2013 revision 025
Initial Daily Certified version September 5, 2013 revision 002
Latest Daily Certified version September 5, 2013 revision 002
Initial Weekly Certified release date September 11, 2013

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy

Damage Level: Low

Distribution Level: Low

Discovered:  September 4, 2013Updated:  September 5, 2013 3:39:44 PMType:  TrojanSystems Affected:  Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

Symantec¿s antivirus products contain an highly sensitive detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers. 

If one or more files on your computer have been classified as having a Trojan.ADH.SFC threat, this indicates that the files have suspicious characteristics and therefore might contain a new or unknown threat. However, given the sensitive nature of this detection technology, it may occasionally identify non-malicious, legitimate software programs that also share these behavioral characteristics. Therefore, it is recommended that users manually check all files detected as Trojan.ADH.SFC by Symantec antivirus products for potential misidentification, and submit any suspect files to Symantec Security Response for further analysis. For instructions on how to do this, read Submit Virus Samples. 

In rare cases where a legitimate file has been misidentified and subsequently quarantined, your computer may behave abnormally or you may find that one or more applications no longer function as expected. In such rare situations, you should open the Quarantine in your Symantec antivirus product. From here, you may review the list of all files detected as Trojan.ADH.SFC and, if you identify a potential misidentification, restore the file from quarantine and allow it to run normally.

As I'm always in a hurry and the program is not life-essential for us, I don't know if (and how) I could manage it to send the program for further analyses to Symantec, and I event don't know if I'm allowed to do this...

APNThanks for the report. I tried contacting Symantec through https://submit.symantec.com/false_positive/ but they need to know whether the detection occurred during download, installation, using the app or a scan. Could you please let me know ?

MHo: Symantec says the source is "real time scan" - it happened immediately when trying to save the file from browser to disk, as symantec intercepts the disk IO.

APN: Surprisingly fast response from Symantec:
Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

        1A9DC667957F1D881C2754AF5850B03A - setup_wits_3.1.1264_bit.exe

The updated detection(s) will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at http://securityresponse.symantec.com/avcenter/defs.download.html

MHo Great! I will test it in a while and report further.

MHo 2014/09/18: Again, Symantec isolated the 64bit-Installer (latest version)...:
S y m a n t e c  E n d p o i n t   P r o t e c t i o n 
Auf Ihrem Rechner ist ein Sicherheitsproblem.
Bitte wenden Sie sich an Ihren Benutzerservice mit dieser Meldung.
Scan-Typ: Auto-Protect Scan
Ereignis: Risiko gefunden!
Sicherheitsrisiko erkannt: Trojan.ADH.SMH
Datei: D:\home\Hoffmann\Downloads\setup-wits-3.1.17(64 bit).exe
Speicherort: ....
Computer: ....
Benutzer: ....
Durchgeführte Aktion: Analyse der Nebeneffekte ausstehend : Zugriff verweigert
Gefunden am: Donnerstag, 18. September 2014  15:32:19

APN Submitted to Symantec again, and got the same response as above that they have fixed the issue. Hope I don't have to do this every time I release!