Scott Hanselman

The Mysterious Case of the Rogue Roaming Browser History - Removing OneView Internet Login

May 16, '15 Comments [11] Posted in Tools
Sponsored By

I like a good mystery and I hope you do, too. I'll give you two versions. First, the TL;DR version so you can just fix it, and later second, the maddening technical details.

See how it flashes OneView Internet Login in the title for a moment?

TL;DR - Why does my Internet Explorer say OneView Internet Login?

If you go googling for "OneView Internet Login" google will suggest things like "...remove." You'll find Yahoo Answers where folks are thinking they have a toolbar installed or a virus because when they launch Internet Explorer they see a flash of OneView Internet Login in the title bar.

To remove it, go to the Star in Internet Explorer's toolbar and click History, then By Site. Find "One View Internet Login," right click and delete that history record.

Note here in this screenshot that the site is http://google.com but the Title is OneView Internet Login. Delete that.

NOTE: If your home page is not google, then find your IE home page by Site, and delete the entry with the wrong title. Or, go nuclear and clear all history.

Delete it from your history

CSI: My Computer - Why does OneView Internet Login show up on all my computers? What is it and why won't it go away?

A year ago or so I stayed at a Hyatt Hotel. Hotels like the Hyatt often use "Captive Portals" when getting you on their internet. A captive portal "captures" your browser's traffic so no matter what site you asked for you'll get their login screen. So you get on their wi-fi, you type googlebing and they redirect you to GlobalSuite.net or whatever to sign up. Only then does your traffic go through.

If you visit a hotel like this and hit it with IE for the first time with a fresh cache (nothing in your history or you've recently cleared your history) the Title that gets saved in the browser database will be the URL of the site you asked for but the title of the Hotel's Captive Portal. Weird? Just wait.

I noticed that my laptop would flash OneView Internet in the title (see the animated gif above) when opening my home page for the first time. Every once in a while I'd go looking for it, search the registry, do a hard-drive-wide grep or findstr but then I'd give up.

Later, though, my desktop at home started showing OneView Internet Login in the title bar on startup. To be clear, that's my desktop computer that hasn't left my house.

Roaming, my friends. All browsers roam things now. They roam passwords, history, bunches of stuff. This record, this cache, this tab, this something was getting roamed to all 5 of my machines. Now every time I open a browser on any machine I own I get a little gentle reminder of how hotel wi-fi sucks and how the GlobalSuite OneView Internet Login Captive Portal is sending a 301 or lousy headers or something dumb. Next time I stay there I'll do a Fiddler trace and prove it. Until then I wanted to find out where this was being stored on my hard drive.

Where is IE History stored? It's stored in a database using a technique called Extensible Storage Engine or ESE. In fact, Windows has shipped this database tech for over 13 years. You can even use it in your apps as a free and fast local database, but no one knows it exists. Over at NirSoft there are a host of wonderful utilities (they are saints, truly, give them money) and one of them is the ESEDatabaseView.

Run ESEDatabaseView and go File | Open IE10 Locked Database (even though you may be using IE11) and you'll be into the depths.

NirSoft's ESEDatabaseView

In a tabled called Container one I found a bunch of history entries:

The offending Entry

There's my first tab, my home page, but I didn't find "OneView Internet Login" or even the word OneView. I searched the while database, every table.

I was stuck here for a while.

Then I noticed way off to the right (like I literally had to scroll off to the right) there was  column called ResponseHeaders with a bunch of HEX.

20 01 00 00 1C 01 00 00 31 53 50 53 A1 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46
11 00 00 00 17 00 00 00 00 13 00 00 00 00 00 00 00 41 00 00 00 10 00 00 00 00 1F 00
00 00 17 00 00 00 4F 00 6E 00 65 00 56 00 69 00 65 00 77 00 20 00 49 00 6E 00 74 00
65 00 72 00 6E 00 65 00 74 00 20 00 4C 00 6F 00 67 00 69 00 6E 00 00 00 00 00 15 00
00 00 18 00 00 00 00 40 00 00 00 40 E8 3E C4 96 8E D0 01 11 00 00 00 0D 00 00 00 00
13 00 00 00 00 00 00 00 11 00 00 00 09 00 00 00 00 13 00 00 00 00 00 00 00 11 00 00
00 22 00 00 00 00 13 00 00 00 00 00 00 00 11 00 00 00 06 00 00 00 00 13 00 00 00 0A
00 00 00 55 00 00 00 15 00 00 00 00 1F 00 00 00 22 00 00 00 68 00 74 00 74 00 70 00
3A 00 2F 00 2F 00 77 00 77 00 77 00 2E 00 67 00 6F 00 6F 00 67 00 6C 00 65 00 2E 00
63 00 6F 00 6D 00 2F 00 66 00 61 00 76 00 69 00 63 00 6F 00 6E 00 2E 00 69 00 63 00
6F 00 00 00 00 00 00 00 00 00 00 00 DC 00 00 00 D8 00 00 00 31 53 50 53 A1 14 02 00
00 00 00 00 C0 00 00 00 00 00 00 46 11 00 00 00 20 00 00 00 00 03 00 00 00 00 00 00
00 11 00 00 00 14 00 00 00 00 03 00 00 00 01 00 00 00 15 00 00 00 28 00 00 00 00 40
00 00 00 70 0D 51 33 D8 6C D0 01 11 00 00 00 21 00 00 00 00 13 00 00 00 00 00 00 00
3D 00 00 00 1D 00 00 00 00 42 00 00 00 1E 00 00 00 70 00 72 00 6F 00 70 00 34 00 32
00 39 00 34 00 39 00 36 00 37 00 32 00 39 00 35 00 00 00 00 00 08 00 00 00 EB 03 00
00 00 00 00 00 15 00 00 00 1E 00 00 00 00 40 00 00 00 3C DC B8 DF 12 6D D0 01 11 00
00 00 1C 00 00 00 00 03 00 00 00 00 00 00 00 11 00 00 00 27 00 00 00 00 13 00 00 00
01 00 00 00 00 00 00 00 00 00 00 00           

First thing I noticed (I assume you do also) is all the zeros. They are mostly not used as if this is UTF16. But I really look for HEX that I know. That means CR, LF, and Space, so 0D, 0A, and 20.

See that there?

4F 00 6E 00 65 00 56 00 69 00 65 00 77 00 20 00 49 00 6E 00 74 00 65 00 72 00 6E 00
65 00 74 00 20 00 4C 00 6F 00 67 00 69 00 6E 00 00 00 00 00 15 00 00 00 18

That's One View Internet Login. I converted from Hex to ASCII/UTF16. There's lots of online Hex to String Convertors where you can just paste this into a text box. I can also put the string above into a PowerShell string and convert it like this:

$HEXDATA.Split(“ “) | FOREACH {WRITE-HOST –object ( [CHAR][BYTE]([CONVERT]::toint16($_,16))) –nonewline }

There it is, OneView Internet Login. The title of the portal was cached along with the original URL (google.com) and the location to the favicon. When IE hits the page it shows what it has and then corrects it as soon as it gets the current title.

image

What's not clear to me is why this never expired. This title sat around for a year, at least. Maybe an IE engineer will read this and answer in the comments. If they do I will update the post with their answer.

The Good News is that if you delete the history record manually as seen at the very top of this post, that delete will roam and automatically fix this issue on all your machines (to be clear, all those that are logged in with the same Microsoft Account and roaming your browser data.

Remember, Dear Reader, the Internet (and your computer and its operating system) is not a black box. Look inside.


Sponsor: Big thanks to the folks over at Grape City for sponsoring the feed this week. GrapeCity provides amazing development tools to enhance and extend application functionality. Whether it is .NET, HTML5/JavaScript, Reporting or Spreadsheets, they’ve got you covered. Download your free trial of ComponentOne Studio, ActiveReports, Spread and Wijmo.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb
Saturday, 16 May 2015 10:44:45 UTC
well, that's why my current MVC solution always starts (F5 from VS) with the header of the error page, although the initial page is displayed shortly after. And this page even appears on my tablet as one of my "most visited" pages.

I should avoid programming bugs, though.
Marc
Saturday, 16 May 2015 14:03:42 UTC
The real http://google.com returns a redirect to https://google.com -- the cached rogue title for http://google.com never gets updated.

If you use Google as your home page, use the HTTPS one. However, hotel wi-fi won't be able to intercept your initial access to a protected page to show you their login portal.
pitz
Saturday, 16 May 2015 16:43:36 UTC
Love these Mark Russinovich style mystery-solving posts! Thanks for sharing, Scott!

I did one myself a while back about why Start > Run > pbrush runs Paint, even though pbrush.exe doesn't actually exist anywhere: http://blog.jonschneider.com/2007/06/mystery-of-phantom-pbrushexe-file.html
Saturday, 16 May 2015 21:53:14 UTC
Google Desktop is a discontinued computer program with desktop search capabilities, created by Google for Linux, Apple Mac OS X, and Microsoft Windows systems. It allowed text searches of a user's email messages, computer files, music, photos, chats, Web pages viewed, and the ability to display "Google Gadgets" on the user's desktop in a Sidebar.
But to day google have chorme webbrowser with apps and gmail with talk and camera.
Monday, 18 May 2015 00:21:39 UTC
Hi Scott I started 'looking inside' when I had to get a new computer to ostensibly replace my old 478 pin which was so slow, and I was told it was to old to upgrade. Well I did it anyway 12 months later; it's still slow but it has some games I like to play which will not run on later OS's. With the intention of giving it to a friend, I did a clean install of XP and then found the manual. It opened the door to a brave new world, or perhaps a Pandora's box. I now have 4 Pcs, a laptop, a new notebook and a tablet (used as an eReader). There is a wealth of great info if you look deep enough.
You know what I notice, the lack of female participation in these discussions. Why is that. I'm 74, if I can do it, what is wrong with them. Next I want to learn coding, when I get the time. I am at present upgrading 5 hdds to win 10 and love it.
Love your website. I use Firefox because it so easy to save web pages, access my history and delete it immediately when using banking sites.
Keep up the good work and I shall check regularly now I have your site bookmarked.
Monday, 18 May 2015 08:21:17 UTC
It's not just browser data that get's roamed: At home I have a win8 tablet that's of course connected to my wifi.
Then I installed a new work laptop at the office and brought it home. It automaticaly connected to my (password protected) wifi, I didn't have to enter any credentials.
Hans Kesting
Monday, 18 May 2015 16:03:22 UTC
I used to have a somewhat similar issue at work.

Our intranet is on contoso.net and a GPO sets our IE homepage there. Our public facing contoso.net has a 301 Moved Permanently pointing to contoso.com. IE9+ is the only browser that follows the allowed behavior of "I never need to ever look at this again, cause it moved permanently."

So any time I worked from home, I couldn't access the intranet home page without clearing the Content.IE5 folder in temp internet files.
Neyah
Monday, 18 May 2015 16:52:00 UTC
Hans - If you press Windows + W and type "roaming" you can control what's roamed/synced.
Monday, 18 May 2015 17:22:42 UTC
I suspect Scott intended to type [ Windows + R and type "roaming" ] in the previous comment...
Chris
Tuesday, 19 May 2015 11:56:55 UTC
@Chris, I think Scott really did mean Windows + W. It brings up a search sidebar (on Windows 8 at least) for settings. Searching there for "roaming" brings up the various roaming settings. Here's a screenshot.
Tuesday, 02 June 2015 18:21:20 UTC
Hi, Scott its a great article.Threre are lot of mysteries in the web but need to find it day by day.
Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.