Migration off of Bitbucket done

The new (temporary) home for the repositories and historical downloads is over on OSDN for now.

I’m planning on hosting the authoritative repositories myself in the future and I am contemplating mirrors (albeit without the ability to accept pull requests) on the usual Git hosting platforms1. I need to automate more and get some things in order for this to happen, the whole sunsetting of Mercurial support on Bitbucket has indeed drained a lot of resources on my part already.

Basically I want all of these other platforms to be more or less satellites to the stuff in the upstream project. And automate populating them. So from where I stand now, interaction with users and other developers will likely not happen on those platforms, but may happen on OSDN or SF.net.

Once that’s done I’ll see to it that I get a first 64-bit enabled beta or release build out of the door, ASAP.

// Oliver

  1. GitHub, GitLab, SF.net and possibly including Bitbucket also []
Posted in Announcement, Pre-release, Project news | 16 Comments

Migration in progress

As I have already hinted before, the migration off of Bitbucket is now in progress. So don’t be alarmed if you find some repositories disappearing and what not.

I have taken copies of all relevant items and I’ll be happy to provide a copy to everyone interested in one.

// Oliver

PS: yes, issues will also be migrated, but I am not sure as of yet how I’ll get those back into whatever I will be using in the future. Similarly the Wiki poses an issue as well, but I am contemplating the use of Sphinx to generate a static set of pages from those contents.

Posted in Announcement | Tagged , | 2 Comments

Project repositories will move to self-hosted

Given the bad news from Bitbucket, the WinDirStat project will move to a self-hosted solution until the end of 2019. At least that’s the plan.

We thank Bitbucket for their services.

Once the self-hosting will be available, I will let everyone know on r/WinDirStat, Twitter, and here. Furthermore I will make sure that there will be independently hosted alternatives1.

With best regards,


PS: a transition to Git will definitely not happen. This does, however, not preclude any means of interoperability.

  1. OSDN comes to mind, but also SourceForge []
Posted in Announcement, Project news | Tagged , | 10 Comments

Happy new year – new video featuring WinDirStat

Hey folks,

a happy new year to the lot of you and check out this video featuring WinDirStat.

// Oliver

Posted in Feedback | 4 Comments

This looks fishy

Check out sourceforge.net/p/windirstatfree/1. What is this? The preparations by SF.net to take over the project on their platform or some third party registering it for some unknown reason?

Either way, please do not trust downloads that may be provided there in the future.

Thanks for reading,

// Oliver

  1. intentionally not linked []
Posted in Uncategorized | 12 Comments

SSL certificate on windirstat.info

Hey folks,

sorry about the negligence on my part. This is just to let everyone know that I’m aware of it.

I already sent the CSR to StartSSL, so this will hopefully be resolved later today.

// Oliver


This should be fixed now.

  • SHA256 fingerprint:
  • SHA1 fingerprint:
Posted in Announcement | 2 Comments


Only recently I learned of a fork of WinDirStat on Github named altWinDirStat. You folks may want to check it out.

I hope in mid to long term we can join forces rather than having the code bases diverge.

// Oliver

Posted in Uncategorized | 5 Comments

Please vote

Hi folks,

please vote on the Bitbucket issue tracker for issues and features. If I see a trend there, I’ll probably prioritize according to it.

// Oliver

Posted in Feedback | 4 Comments

New independent file download mirror

Triple IT from the Netherlands kindly offered to provide another download mirror at no cost.

Triple IT logo
(click to go to their website)

It’s now linked from our download page. Thanks to Triple IT for the offer and implementation.

// Oliver

Posted in Project news | 1 Comment

No PAD file … and none to come

After getting another request to create and offer a PAD file, I looked into the process again. There’s an online generator software at this address. I was using that to enter my data. When I was done filling in the stuff that was relevant to a FLOSS program like WinDirStat, I ended up getting a list of error messages.

Here’s the start of the list:

Screenshot snippet

So I need to give my postal address? No thanks. Post box? Yeah, who pays for that?

This is geared towards shareware and freeware programs, no doubt. But what took my breath away was this error message:

Invalid data formatting. According to the PAD specification, this field should have the following format: “^http://.{2,120}Z“. You can find the full PAD specification here: www.padspec.org

I have to give a non-HTTPS site, because shareware is so 1990s and the PAD format is as well?

Conclusion: there’s no PAD file for WinDirStat and there won’t be. Sorry, folks.

// Oliver

Posted in Uncategorized | 2 Comments

Being all social now …

@windirstat 😉

Posted in Project news | 1 Comment

For anyone who uses premake4 and needs an up-to-date binary

A code-signed binary can be found here.

You can pick any of the .exe files there, they should be code-signed. If not, let me know. I also include detached PGP signatures (the .asc files) and the latest build will always be available under the name premake4.exe.

Hope it helps someone.

// Oliver

PS: yes, this was mainly built for use in the WDS repo and therefore is located in the windirstat/premake-stable project realm.
PPS: previously I had given the SHA1 hash here for the build from rev 800. Since I am updating this every now and then, please check that the file is code-signed or check that the PGP signature is valid. Thanks.

Posted in Uncategorized | Leave a comment

Re: WinDirStat detected as trojan ? rightly so

Submitted the trojanized file to a number of AVs and they are catching up as can be witnessed on VirusTotal.

Hope not too many unsuspecting users fell for this. Whatever the source of the file may be.

// Oliver

Posted in Project news | 8 Comments

WinDirStat detected as trojan … rightly so

Well, actually it isn’t the genuine WinDirStat but a trojanized version posing as WinDirStat and it’s masquerading under the disguise of the good Unicode version of windirstat.exe which is contained in the installer. So it’s named that as well.

Now, the report I got from a WinDirStat user from Sweden (thanks again!) was that MalwareBytes had detected WDS once again. I assumed false positive and it turned out that it was at least for the particular file that the Swedish user had (SHA1: 26e14a532e1e050eb20755a0b7a5fea99dd80588)1 – which was the genuine file from the genuine version 1.1.2 installer. That is the installer with the following two cryptographic hashes2:

  • MD5: 3abf1c149873e25d4e266225fbf37cbf
  • SHA1: 6fa92dd2ca691c11dfbfc0a239e34369897a7fab

We’ve had this before, but this time it was a slightly different case.

I contacted Doug from MalwareBytes. We had been in touch some time before. So I got a contact for the malware research at MalwareBytes and was able to inquire about the file. It turned out that the file aforementioned Swedish user had inquired about wasn’t under detection, but another file with the MD5 hash a84aad50293bf5c49fc465797b5afdad. Now I didn’t have that file in my release archive so I asked for the file3 and was then able to look at the actual trojanized file. And what struck me was that all external traits shown by this file matched closely the Unicode build from the 1.1.2 installer. The size matched, the timestamp in the PE header matched, just some things like the sections and a whole lot of code or data had been changed in the middle of the file.

So I loaded the genuine file into IDA Pro and the entry point looked like this:

.text:004471B4 _wWinMain@16    proc near
.text:004471B4 hInstance       = dword ptr  4
.text:004471B4 hPrevInstance   = dword ptr  8
.text:004471B4 lpCmdLine       = dword ptr  0Ch
.text:004471B4 nShowCmd        = dword ptr  10h
.text:004471B4                 jmp     _wWinMain@16_0
.text:004471B4 _wWinMain@16    endp

and when I did the same on the trojanized file it looked like this:

.text:004471B4 _wWinMain@16    proc far
.text:004471B4                 enter   0FFFFA5D1h, 7Fh
.text:004471B8                 xchg    eax, ebp
.text:004471B9 loc_4471B9:
.text:004471B9                 or      al, 19h
.text:004471BB                 inc     ecx
.text:004471BC                 retf    0BECAh
.text:004471BC _wWinMain@16    endp ; sp-analysis failed

Holy moly, Batman! Someone actually trojanized WinDirStat and it looks like EPO4 just from a brief look.

Again, this file is named windirstat.exe and to the naked eye it looks like the Unicode build from the 1.1.2 installer, but in actuality this is a trojanized version of the genuine file. Now I don’t have the time to investigate into what exactly this thing is doing, but it bears all the hallmarks of malware and therefore from my perspective that file isn’t a false positive.


If you download files. check that their hashes match what is expected. Future releases of WDS will be signed with an Authenticode certificate, so it will also make it harder to trojanize WinDirStat.

I checked last night and at least the downloads from SourceForge.net and DownloadBestSoft were genuine. No danger there. Still: you are encouraged to double or triple check! And keep in mind that MD5 is broken, so never ever rely on MD5 alone.

// Oliver

Recap: the clean files are:


  • 3abf1c149873e25d4e266225fbf37cbf *windirstat1_1_2_setup.exe
  • 3f3dd4476249ae664e3365e5bb651601 *release/windirstat.exe
  • 24cd9a82fcfc658dd3ae7ba25c958ffb *urelease/windirstat.exe


  • 6fa92dd2ca691c11dfbfc0a239e34369897a7fab *windirstat1_1_2_setup.exe
  • 752e1687d58de3bef927d9ad24c0ed3da3754e17 *release/windirstat.exe
  • 26e14a532e1e050eb20755a0b7a5fea99dd80588 *urelease/windirstat.exe
  1. that false positive has been fixed meanwhile. []
  2. keep in mind that MD5 has been broken, so you should never rely on it alone anyway. It is possible to forge binaries that match the MD5 hash of another binary as recent government-sanctioned malware has shown. []
  3. Usually you won’t get a file that is deemed malicious from any anti-malware company, but since I work in the AV industry as well and had contact with Doug before, I had the credentials. []
  4. Entry Point Obfuscation []
Posted in Project news | 1 Comment

Reddit: /r/WinDirStat

Find it here. The link is also in the link list in the sidebar.

// Oliver

Posted in Feedback | 2 Comments