SSL certificate on

Hey folks,

sorry about the negligence on my part. This is just to let everyone know that I’m aware of it.

I already sent the CSR to StartSSL, so this will hopefully be resolved later today.

// Oliver


This should be fixed now.

  • SHA256 fingerprint:
  • SHA1 fingerprint:
Posted in Announcement | Leave a comment


Only recently I learned of a fork of WinDirStat on Github named altWinDirStat. You folks may want to check it out.

I hope in mid to long term we can join forces rather than having the code bases diverge.

// Oliver

Posted in Uncategorized | 2 Comments

Please vote

Hi folks,

please vote on the Bitbucket issue tracker for issues and features. If I see a trend there, I’ll probably prioritize according to it.

// Oliver

Posted in Feedback | 4 Comments

New independent file download mirror

Triple IT from the Netherlands kindly offered to provide another download mirror at no cost.

Triple IT logo
(click to go to their website)

It’s now linked from our download page. Thanks to Triple IT for the offer and implementation.

// Oliver

Posted in Project news | 1 Comment

No PAD file … and none to come

After getting another request to create and offer a PAD file, I looked into the process again. There’s an online generator software at this address. I was using that to enter my data. When I was done filling in the stuff that was relevant to a FLOSS program like WinDirStat, I ended up getting a list of error messages.

Here’s the start of the list:

Screenshot snippet

So I need to give my postal address? No thanks. Post box? Yeah, who pays for that?

This is geared towards shareware and freeware programs, no doubt. But what took my breath away was this error message:

Invalid data formatting. According to the PAD specification, this field should have the following format: “^http://.{2,120}Z“. You can find the full PAD specification here:

I have to give a non-HTTPS site, because shareware is so 1990s and the PAD format is as well?

Conclusion: there’s no PAD file for WinDirStat and there won’t be. Sorry, folks.

// Oliver

Posted in Uncategorized | 2 Comments

Being all social now …

@windirstat πŸ˜‰

Posted in Project news | 1 Comment

For anyone who uses premake4 and needs an up-to-date binary

A code-signed binary can be found here.

The SHA1 hashes are:

  • 38bc42b59e1251e2b8b06dc6919ad556a9b5d625 *premake4.exe
  • 7ec69a3489a01d2f83d861febfe9b296939ca9fa *premake4.exe
  • f98c6cb0d55d6a3fd15c174cc48be2c5a525c8ec *premake4.exe

Hope it helps someone.

// Oliver

PS: yes, this was mainly built for use in the WDS repo and therefore is located in the windirstat/premake-stable project realm.

Posted in Uncategorized | Leave a comment

Re: WinDirStat detected as trojan … rightly so

Submitted the trojanized file to a number of AVs and they are catching up as can be witnessed on VirusTotal.

Hope not too many unsuspecting users fell for this. Whatever the source of the file may be.

// Oliver

Posted in Project news | 8 Comments

WinDirStat detected as trojan … rightly so

Well, actually it isn’t the genuine WinDirStat but a trojanized version posing as WinDirStat and it’s masquerading under the disguise of the good Unicode version of windirstat.exe which is contained in the installer. So it’s named that as well.

Now, the report I got from a WinDirStat user from Sweden (thanks again!) was that MalwareBytes had detected WDS once again. I assumed false positive and it turned out that it was at least for the particular file that the Swedish user had (SHA1: 26e14a532e1e050eb20755a0b7a5fea99dd80588)1 – which was the genuine file from the genuine version 1.1.2 installer. That is the installer with the following two cryptographic hashes2:

  • MD5: 3abf1c149873e25d4e266225fbf37cbf
  • SHA1: 6fa92dd2ca691c11dfbfc0a239e34369897a7fab

We’ve had this before, but this time it was a slightly different case.

I contacted Doug from MalwareBytes. We had been in touch some time before. So I got a contact for the malware research at MalwareBytes and was able to inquire about the file. It turned out that the file aforementioned Swedish user had inquired about wasn’t under detection, but another file with the MD5 hash a84aad50293bf5c49fc465797b5afdad. Now I didn’t have that file in my release archive so I asked for the file3 and was then able to look at the actual trojanized file. And what struck me was that all external traits shown by this file matched closely the Unicode build from the 1.1.2 installer. The size matched, the timestamp in the PE header matched, just some things like the sections and a whole lot of code or data had been changed in the middle of the file.

So I loaded the genuine file into IDA Pro and the entry point looked like this:

.text:004471B4 _wWinMain@16    proc near
.text:004471B4 hInstance       = dword ptr  4
.text:004471B4 hPrevInstance   = dword ptr  8
.text:004471B4 lpCmdLine       = dword ptr  0Ch
.text:004471B4 nShowCmd        = dword ptr  10h
.text:004471B4                 jmp     _wWinMain@16_0
.text:004471B4 _wWinMain@16    endp

and when I did the same on the trojanized file it looked like this:

.text:004471B4 _wWinMain@16    proc far
.text:004471B4                 enter   0FFFFA5D1h, 7Fh
.text:004471B8                 xchg    eax, ebp
.text:004471B9 loc_4471B9:
.text:004471B9                 or      al, 19h
.text:004471BB                 inc     ecx
.text:004471BC                 retf    0BECAh
.text:004471BC _wWinMain@16    endp ; sp-analysis failed

Holy moly, Batman! Someone actually trojanized WinDirStat and it looks like EPO4 just from a brief look.

Again, this file is named windirstat.exe and to the naked eye it looks like the Unicode build from the 1.1.2 installer, but in actuality this is a trojanized version of the genuine file. Now I don’t have the time to investigate into what exactly this thing is doing, but it bears all the hallmarks of malware and therefore from my perspective that file isn’t a false positive.


If you download files. check that their hashes match what is expected. Future releases of WDS will be signed with an Authenticode certificate, so it will also make it harder to trojanize WinDirStat.

I checked last night and at least the downloads from and DownloadBestSoft were genuine. No danger there. Still: you are encouraged to double or triple check! And keep in mind that MD5 is broken, so never ever rely on MD5 alone.

// Oliver

Recap: the clean files are:


  • 3abf1c149873e25d4e266225fbf37cbf *windirstat1_1_2_setup.exe
  • 3f3dd4476249ae664e3365e5bb651601 *release/windirstat.exe
  • 24cd9a82fcfc658dd3ae7ba25c958ffb *urelease/windirstat.exe


  • 6fa92dd2ca691c11dfbfc0a239e34369897a7fab *windirstat1_1_2_setup.exe
  • 752e1687d58de3bef927d9ad24c0ed3da3754e17 *release/windirstat.exe
  • 26e14a532e1e050eb20755a0b7a5fea99dd80588 *urelease/windirstat.exe
  1. that false positive has been fixed meanwhile. []
  2. keep in mind that MD5 has been broken, so you should never rely on it alone anyway. It is possible to forge binaries that match the MD5 hash of another binary as recent government-sanctioned malware has shown. []
  3. Usually you won’t get a file that is deemed malicious from any anti-malware company, but since I work in the AV industry as well and had contact with Doug before, I had the credentials. []
  4. Entry Point Obfuscation []
Posted in Project news | 1 Comment

Youtube channel for WinDirStat

I created a Youtube user and channel for WinDirStat. If you want to contribute a video clip, let me know. If you have a channel yourself that is dedicated to WinDirStat, let me know as well.

// Oliver

Posted in Project news | Leave a comment

Reddit: /r/WinDirStat

Find it here. The link is also in the link list in the sidebar.

// Oliver

Posted in Feedback | Leave a comment

Would you like a forum and/or a Wiki?

Hey folks,

being users of WinDirStat and perhaps having contacted me through the contact form or other means, would you like to see a Wiki and or forum for WinDirStat instead of merely the trackers and the mailing list (which is virtually dead, except for the very frequent spammers, which you wouldn’t get to see because the whole list is moderated).

A forum may offer a more lively discussion among users and may be a little more exposed than the mailing list is. This way I’d also spend less time supporting users because you folks could – by merit – become “community” moderators and help newbies or in general help other users. Last but not least this might be one way to share cleanup (and soon other scripted) actions. For the latter a Wiki may be more suitable or even just in addition. The forum AFAIK isn’t tied to the accounts if we run it on, but the Wiki would, I think. I only remember faintly from Enchanted Keyfinder.

Whatcha think? Let me know in the comments. Thanks and get well into the year 2013.

// Oliver

Posted in Feedback | 6 Comments

Began signing the commits I make to the source repo

I have started to sign the commits to the source repository using GnuPG and will expect the same from future contributors to the project (although OpenSSL with X509 certificates will also be accepted, of course).

It provides a level of trust and the possibility of additional integrity-checking for the source code. Starting with revision 300 on the master repository (on this takes effect.

The extension will be used for the purpose. It can be cloned from here.

Additionally I am keeping a clone on Bitbucket, for “backup purposes” πŸ˜‰

// Oliver

Posted in Project news | Tagged , | 13 Comments now also via SSL

The website is now also available via SSL. This also means that you will be able to use the contact page via SSL.

// Oliver

Posted in Project news | Tagged | 3 Comments

Cleanup actions, who uses them right now?

Hi folks,

who of you uses the cleanup actions or even created their own? How complex are they? How difficult would it be for you if they got replaced? I suppose I would provide some rather trivial migration path, but I’m curious. Surprise me … :mrgreen:

// Oliver

Posted in Feedback | 30 Comments

To build WDS from the repo …

… you’ll have to have a 7.x SDK registered for any Visual Studio version before 2010. Currently I build with Visual Studio 2005, but solutions exist also for 2008 and 2010.

The reason for this new limitation is that I implemented the progress inside the Windows 7 taskbar buttons.

Side-note: preliminary elevation support exists and I will try to finish that up over the weekend. Thanks to Chris. Once that stands, the next step is to work on limiting the memory use.

More to follow soon,

// Oliver πŸ˜‰

PS: I used the 2D-icon set for now. It looks quite good also and since it’s not a release version it doesn’t matter too much. Oh, and the icon is partially responsible for why there were issues with VS 2005, too. If you have problems with the icon set in VS 2005, try copying the rc.exe and rcdll.dll from the SDK bin folder into C:\Program Files\Microsoft Visual Studio 8\VC\bin (or wherever you installed your VS 2005).

Posted in Alpha, Pre-release, Project news | 9 Comments

WinDirStat icons

Hi folks,

tuqueque sent me the logo project just recently. So tonight I sat down to play a bit with what we got. Since I’m not quite so brilliant with graphics, I had to rely on a little help from IconWorkshop to get this done. The (3D) result, to me, looks pretty convincing for Vista/7 style … however, even the 2D version looks quite nice.

Behold (oh, and click for full resolution) :mrgreen:
2D icons
3D icons

Which version(s) would you prefer? Should I go for another color instead (see previous post)? Do you think that the 3D-effect should not be shown at some of the resolutions where it now exists or be shown at resolutions that are now flat?

For those who want to test it on their desktop or in some folder, please download the 2D-version and/or the 3D-version by right-clicking the links in this sentence and then using the “Save As” functionality of your web browser. Yes, just opening it in the browser may not yield the desired result πŸ˜‰

Thanks for your input,

// Oliver

PS: Please note that I went for the gray one intentionally at 16 colors. It simply looks better than any dithered and scaled down version of the colored logo …
PPS: The stuff is all in the repository.


Changed as requested by Lozzy
3D icons
Download version
More variants
icon variant 0101
icon variant 0202
icon variant 0303
icon variant 0404
icon variant 0505
icon variant 0606
icon variant 0707
icon variant 0808
icon variant 0909
icon variant 1010
icon variant 1111
Posted in Feedback | 27 Comments

Another logo proposal

Hi folks,

here is another logo proposal from Venezuela. Frankly, I find it more original than the logo suggested by Storm!. In a strange way it condenses the meaning of what WinDirStat does into a symbol. However, I found there were some demeaning comments about Storm! who also put his time and work into creating his logo. Perhaps you folks could consider that all of this is done in our spare time and in all these years there was only one patch sent to us from outside the team. So please: keep it real πŸ˜‰

Anyhow, here are the logos and icons as suggested by tuqueque (click for full resolution):

Black and white, plus icons - first proposal

About box as image, plus icons - second proposal

The logos scale neatly as they are in a vector-format.

Please comment. It seems it was put under Creative Commons Attribution, but since there exist variants of that license, I’m going to check back. Until then, for your consideration.

Logo design by Robin “tuqueque” MarΓ­n

// Oliver

PS: Given that the MFT parser I’ve been working on requires admin privileges, I was considering to use the different icon colors as indicator as to what mode it is running in (e.g. with admin privileges or not). I’ll have to test it in Vista and 7 to check the feasibility, though.
PPS: Yes, I heard you. I am working on an alpha release that will have some of the new functionality (and a x64 version) so people who have been yearning for updates will have something to check out and provide us with feedbacks. Sorry for the long silence.

Posted in Feedback, Project news | 13 Comments

Splash screen and logo

Hi everyone,

Storm! has joined the team and provided us with a new logo and splash screen. Have a look. And please comment:

Splash screen and logo

// Oliver

Posted in Feedback | 14 Comments

New project member

Please welcome our new project member Juan (aka neglox) πŸ˜‰

// Oliver

Posted in Project news, Uncategorized | 2 Comments