Find broken links on web sites
Wikipedia article about Xenu's Link Sleuth
Link Sleuth (TM) checks Web sites for broken links.
Link verification is done on "normal" links, images, frames, plug-ins,
backgrounds, local image maps, style sheets, scripts and java applets.
It displays a continously updated list of URLs which you can sort by different
criteria. A report can be produced at any time.
- Simple, no-frills user-interface
- Can re-check broken links (useful for temporary network errors)
- Simple report format, can also be e-mailed
- Executable file smaller than 1MB
- Supports SSL websites ("https:// ")
- Partial testing of ftp, gopher and mail URLs
- Detects and reports redirected URLs
- Site Map
System requirements: Microsoft Windows 95/98/ME/NT/2000/XP/Vista/7, WININET.DLL
required (included with Internet Explorer). No, it won't work on Windows 3.11, not
even with Win32s. No, I won't make a Java, MacOS, Linux, Knoppix, Ubuntu, Beos, Palm,
C64, SAP, AmigaOS, Blackberry, Symbian, iPhone or Android version.
Don't even ask! (However I have been told that it runs
faultlessly under Fedora 13, Red Hat 8, Ubuntu and OS X via wine or WineBottler,
and under Crossover on a Mac :-))
To have peace of mind, I recommend that you are using an up-to-date anti-virus software on your computer (so do I!).
Ok, I have read all that, I want
to download! (current version: 1.3.8 from September 4th, 2010)
Join the Update
Announcements mailing list at Yahoo Groups! To subscribe, send an empty
e-mail to email@example.com.
Unzip it and install it wherever you want. To
check a site, click the toolbar icon on the left and enter a WWW address.
If the address finishes with a directory name, don't forget to put a /
at the end or you will possibly get the whole parent directory spidered.
You can also click the "browse" button to check
a local HTML file. If you do not already use IE for browsing and are sitting
behind a company firewall, don't forget to configure
your proxy before you start. If you are using a personal firewall
(like ZoneAlarm or Outpost) you must enable Microsoft Internet Explorer
by starting it, entering a URL and then "allowing" the application (you
may also have to enable Xenu - see example for Norton Intenet
Security). To find out what the software can do, simply try out the
menu choices, the toolbar and the right mouse key. Or read this
third-party manual, a bigger
third-party manual with many pictures,
a third-party report (How
I check over 6,000 links every seven to ten days), a blog post by a SEO guy, or
und noch eine,
guide en français,
descripción en español,
Beskrivelse på dansk,
opis w języku polskim,
opis na Srpsko-Hrvatskom jeziku.
Good luck! If you find the software useful, please
Test everything. Hold on to the
(1 Thessalonians 5:21)
You can also join the user
group by sending an e-mail to firstname.lastname@example.org.
If you like to use a button for Xenu's Link Sleuth on your web page,
link to this page with these buttons:
If you like to use a banner for Xenu's Link Sleuth on your web page,
link to this page with this banner:
The address of this web page is http://home.snafu.de/tilman/xenulink.html
Frequently Asked Questions (FAQ)
1. Who is Xenu?
2. Is Xenu's Link Sleuth (TM) better than Incontext WebAnalyzer?
Incontext WebAnalyzer is no longer available since February 2002 and hadn't been updated for years, so this is more a historical note.
The answer to the question: Yes and No. Xenu's Link Sleuth (TM) does not have
the graphic capabilities of Incontext WebAnalyzer 2.0 ("Wavefront view"). But here
are some of the advantages of Xenu's Link Sleuth (TM):
Check your website both with
this product and with another product (Linkbot, LinkScan, LinkAlarm, Web Link Validator, Screaming Frog and InSpyder offer
trial versions, LinkExaminer is free and seems to be pretty good for SEO oriented tasks),
and decide what you need and what you
are willing to pay. If you do find something better in a different tool, tell me, even if it hurts :-)
It is free
Better error reports (not just "network error")
"Save" works also while the software is busy
The "broken links view" shows only broken links; In WebAnalyzer you'd have
to press the button again and again as the window fills with crap.
While Xenu does not offer an "update" facility (which doesn't work anyway),
it has a "recheck broken links" function that works fine.
It is small, written by one person experienced in Windows software development
since 1993 and who works as a professional software developer since 1983.
This means that bugs will be corrected quickly. This is a matter of honour.
The report can be viewed easily, even when you have long URLs.
Uses much less disk space for intermediate files, executable file much
- Loading of saved files much faster (WebAnalyzer loses time by displaying
the extra graphics)
- Supports SSL websites ("https:// ")
- Partial testing of ftp and gopher sites
- Search for local orphan files
Special handling of redirected URLs
Partial randomization of checking order, means less concurrent requests on a single
3. Is Xenu better than a web-based service?
There's a free WWW based service called "LinkTiger" which looks pretty nice, although it isn't free, except for a 100 links (As of October 2010). Their web page is very nicely designed and made me think about whether (in general, not related to LinkTiger or Xenu) such a solution is better or not.
strucr.com (as of June 2013) is also interesting (One of the founders invited me into a restaurant). Strucr.com focuses on "the big picture" with websites. Not so much just finding broken links (it does not check external links), but find URLs that could be a problem for SEO, or find certain common HTML problems. Their target are big, really big websites (several millions of urls), where the web team has lost the understanding about what is going on. They have a free subscription for not-so-big websites (see pricing).
Server solution advantages:
Server solution disadvantages:
- No need to install anything
- Independent of user OS
- No use of client bandwith
- Might be able to do more URLs, because servers will usually not keep all URLs in memory
- Features can be updated without the user having to update his own system
Client solution advantages:
- Dependent of server bandwidth
- Cannot always be free, due to costs for hosting
- Passwords must be uploaded to server
- Cannot check intranets or local sites on HDD
- Security risk if server gets hacked
- Some server solutions insist on uploading an authorization file; might be difficult for companies with long decision delays
- Legal risk if service is used to analyse competition
Client solution disadvantages:
- Can run a check at any time
- Passwords can be kept locally
- Can check intranets or local sites on http://localhost or HDD (before they get uploaded!)
- Tailored versions can be made
- Would still be usable if I suddenly get hit by a safe
- Check can be done without asking
Any more ideas pro or contra one of the two solutions?
Contact me. (If you want to report a bug, click here).
- Security risk if software developer moves over to the dark side
- Client bandwith is used
- Dependent of having a computer that can run downloaded software
- Dependent of having the correct OS (unless the client is written in Java)
- Dependent of the RAM amount
4. Can I support the author?
Don't send me your money - I still have my day job and survived the 2008 financial crisis :-)
If you feel that my work is useful to you (maybe it helped with your job, maybe you were able to impress your boss?), please donate money to causes I support, or send me gifts.
- Germans can make a tax deductible donation to the Dialog
Zentrum Berlin e.V., Konto-Nr. 1551390051, Bank für Kirche und
Diakonie BLZ 35060190.
- Visit the Xenu bookstore.
- Send me a T-Shirt of your city, university, employer in XL size. Take into consideration that I'll be wearing your T-Shirt at work. USPS "airmail letter post" is fast, reliable and unexpensive.
- You can also send me objects that are cultural icons, i.e. a product that your country is famous for.
- You can also send me packaged food (no meat or fish, this is likely forbidden by customs). If you are in Belgium, send beer. If you're not sure, ask.
- Mention the product and my name in your blog.
- Support the project of Emmy award winner Mark Bunker and fund a feature documentary on Scientology
- Send me a "thank you" letter on company paper, if you work for a well-known company. Make sure that you are authorized to send such a letter. This is my street address:
- You can donate a symbolic, microscopic amount through Flattr.com (I don't collect it, instead I use the money to flattr the blogs I like):
If you're on facebook, you can also click "like" here and here to increase the statistic near my name or near the product :-)
Other things I need help with: if you're an english native speaking person
who understands german and knows the lingo of recipes, please check the third-party
translation of this
recipe of a Xenu cake by
Ilse Hruby (you might try it, too! It tastes great!)
5. Why does Xenu's Link Sleuth (TM) report http://www.site.com/../page/index.html
The key is the "../" part. It means
you have e.g. a top level page that links to a page in a directory above,
which doesn't exist. It is true that Mozilla will not have any problems
with such a page; but I am less tolerant.
6. How can I configure a proxy?
You can configure a proxy in the control application of Windows. Double-Click
on the "internet" symbol, then click on the "card" of the dialog box that
is named "Connection". You may need a proxy if you are sitting "behind
a firewall". This is usually so in big corporate networks.
One user with Windows 2000 always had a timeout, he solved it by checking
"Use HTTP 1.1" and also "Use HTTP 1.1 through proxy connections"
in the "Advanced" tab of the Internet Options in the control panel. However,
this may not work for everyone, because some web servers do not support
7. Why does Xenu's Link Sleuth(TM) report a URL with
a space in it?
Either because you do have a space in the URL, or because you have a carriage
return / newline in it. Although Mozilla tolerates this, I do not.
8. I use Mozilla 3.0 Gold and can't get rid of file:
URLs for images. What can I do?
Re-edit the page, double-click on the picture, remove file:
from the picture location and take care to uncheck "copy image to document's
location" in the "properties" dialog box (at the bottom left) before you
save and exit the dialog box.
9. What is the maximum number of URLs that can be checked?
There is no fixed number, but it seems to be above one million. The problem is that Windows XP applications have a size of 2GB max.
A 64 bit beta version is available which may or may not allow more URLs. Just unpack the ZIP file and move the XENU.EXE and ZLIBWAPI.DLL files at the place where have the XENU.EXE file currently (rename the old XENU.EXE file first to save it). The new one is based on Microsoft Visual Studio 2010. The 64 bit EXE file is about 10 times as big as the 32 bit version that is based on the good old Visual Studio 1998. Microsoft has confirmed the problem.
10. Can the software check my site locally?
Since september 1998 (1.0n), you can do so without a local web server (your
address would then be http://127.0.0.1).
Use the "Browse" button in the "New" dialog box.
The results will not always be the same as a "remote" check:
A user of IE 4.0 reported that when not online, the software checks every
"remote" URL like a local file. This is a problem of the newer version
of the WININET.DLL; the version with IE 3.0 reports "no connection" or
"no such host" instead, which is more logical.
Sometimes you'll get "error 3". It happens because the WININET.DLL is unable
to handle directories, i.e. links that end with "/". You can avoid this
by linking to the actual "main file", usually
index.html or default.html.
That your browser can handle local directories and display them nicely,
is because he does additional work, which I do not.
Mixups of higher/lower case characters in links won't be found, since Windows
does not make a difference. But UNIX does!
The main reason that you still need to make occasional "remote" checks
is because you might have forgotten to upload your files to your WWW server.
11. Does it work on Windows NT 3.51?
One user said it worked fine after he copied a version of WININET.DLL from
a Windows 95 system standing nearby, and put it into the directory where
Xenu's Link Sleuth(TM) was installed.
12. How is it so damn fast?
Because it uses a (possibly
patented, see patents here
technique known as preemptive multithreading. It means that the
link checking software retrieves several web pages at the same time; the
competition uses the same technique. The maximum count of threads is initially
set to 30, but you can configure it to any number between 1 and 100. A
number that is too high might result in failed connections or in timeouts,
which means you will have to recheck the broken links. At the time I had
a dial-up connection, I got good results with 70. Now I have a DSL connection,
and I have to set the number to 1-5. I suspect that my DSL provider has
installed a brake somewhere to prevent "commercial" customers from using
the unexpensive "private" service.
13. Can I have the source code?
14. Can I buy the source code?
Sure, make me "an offer I can't refuse".
15. Just for fun, I checked Tilman's web site, and found many broken links.
I check my own web site every week on friday. Nevertheless there are always
Links that I know to be broken: I keep them like that to remind me to find
these people some day. The web page itself has a notice that the link is
Temporary unreachable hosts: these are temporary routing errors.
Really broken links: I will usually correct the link or remove it within
the next few days.
16. How do I correct broken links?
Repairing broken links (i.e. getting the correct ones) is a difficult task
that takes time, but with experience, you'll get it done faster and faster.
if you have the e-mail address of the site owner (because you know him),
try an e-mail. Sometimes the address still works, even if the web site
find the home page of the site you link to, to see if the site has a "sorry
we moved" message. If you linked to http://www.host.com/user/page888.html
and this is broken, look at http://www.host.com/user/ to see if
there is a message, or to see if the site has been reorganized. Some sites
reorganize their user pages differently, e.g. http://www.host.com/homepages/users/page888.html.
Sometimes the web switches changes between the two methods. Other sites
are owned by the user himself, e.g. www.user.com, so the home
page is the root page. If the site exists but you cannot find your page,
send an e-mail to the owner.
use search engines to find the site or the name of the site owner (if you
know). To find where the site is, use web search engines (like Google
or the Internet Archive) and usenet
search engines (like Google Groups).
You find the site you searched for
You find a site that links to the site you searched for
You find the site in the Google Cache or the Internet Archive (simply enter
the URL in the search box!), and can use the contents to search for the
name of the owner
You find a site that links to the site you searched for, but is also broken.
E-mail the site owner, and tell him that the link is broken. Bookmark the
site and revisit it in a week, to see if the other person has found it.
If not, you have nevertheless succeeded in making the other person feel
as bad as you, which brings some relief :-)
You find the new e-mail address of the user. Either e-mail him, or try
to construct the URL yourself (email@example.com leads to http://www.host.com/user/)
post a message in a newsgroup that deals with the topic. Hopefully the
site owner or one of his friends reads the messages there.
if you are still unsuccessful, either delete your link to the site or repeat
your attempts after a month (some sites might reappear in a search engine
after some time). Sometimes it happens that a host is reorganizing its
hard disk, and all user pages get back within a few days.
17. What about ftp and gopher sites?
Starting with version 1.0k I have implemented a new ftp checking method
that is 100% reliable. Sadly, this method does
not work with proxies. The previous method I used (and still use for
gopher) was unreliable, as it did not detect certain errors.
The method for checking gopher sites is still unreliable. When an ftp
or gopher site is accessed through a proxy, this proxy builds up a web
page. Sadly, it doesn't always bring up the information whether the URL
exists or not. When you access a gopher site without a proxy, it brings
an error message, but not an error code. This seems to be a bug
of the OpenURL() function of WININET.DLL.
The output lists ftp and gopher sites as links, which allows you to
make a manual check of these sites.
18. Why can't I launch URLs?
Starting with version 1.0g (Christmas 1997), URLs are launched with DDE
("dynamic data exchange", a windows method of communication between applications),
to open many browser windows but to prevent the opening of several Netscape
applications. This is done with the help of the Registry, by searching
for HKEY_CLASSES_ROOT\http\shell\open. This has the path for the
browser, the DDE application name (e.g. "Netscape", "IExplore"), the DDE
topic (usually "WWW_OpenURL"), and a template for the DDE item
(usually "%1"). If you cannot launch a URL, do not panic - export
and e-mail me the segment of your registry (start REGEDIT.EXE, and search
for "http"). Additionally, send me the file XENULOG.TXT which you will find in your %TEMP% directory.
The cause is usually that you have not installed your browser properly
(maybe you just transferred the files from another computer). Solution:
update or reinstall your browser.
Starting with version 1.1b, I have stopped displaying an error message
when the registry is incomplete, because there were too many complaints.
Instead, the browser will simply be launched with the page. This has the
disadvantage that the page won't be displayed in an extra window of the
current active browser application.
One user with Microsoft Vista 64 (UAC disabled) was unable to launch URLs
(message box: "Unable to open browser for 'URL': error 5: Access is denied").
The cause was COMODO Firewall Pro 188.8.131.528. Without the firewall, it worked fine.
Please remember that "Personal Firewalls"
are mostly snake-oil. Set up an external firewall box instead - this is
usually included in your router.
18a. Why does the browser not open a new window?
This is a problem with Microsoft Internet Explorer. Open your registry
and search for HKEY_CLASSES_ROOT\http\shell\open\ddeexec. If the
key value is "%1",,-1,0,,,, then change it to "%1",,0,0,,,,
(i.e. you change the -1 to 0).
18b. Why does Link Sleuth freeze when launching the report?
If Link Sleuth freezes when launching the report, but not when double-clicking
on a URL, the reason might be the site map. A site map can be HUGE if
the site goes very "deep" (high level, see the "level" column in the Link
Sleuth window). A very "deep" site can happen if you have a forum.
Solution: disable the site map in the options dialog, or exclude the
"deep" parts of your website (e.g. a forum) in the initial dialog box.
Version 1.3 has an abort dialog.
18c. Why does Link Sleuth freeze when launching the report or a URL?
I do not know why this happens, but I have experienced this myself with
Windows ME (but not with Windows XP), and have received similar reports
from users. The problem goes away by rebooting Windows, but comes back
later. You can also get rid of the problem by making a change in the XENU.INI
file below the line with [Options], enter this:
The only disadvantage is that it will not open a new window in the
19. What about cookies?
By default, cookies are disabled, and Xenu rejects all cookies.
If you need cookies because
then you can enable the cookies in the advanced options dialog.
you have used Internet Explorer to authenticate yourself before starting
to prevent the server from delivering URLs with a session ID
(This has been available since Version 1.2g)
You should not use this option if you have links that delete
data, e.g. a database or a shop - you are risking data loss!!!
20. Why are some links reported as "broken" by Xenu, that can be displayed
within my browser?
Some servers read the "User Agent", i.e. the name of the software that
tries to access a website. Some websites allow only browsers, some even only Microsoft Internet Explorer, and refuse everything else. Some may even specifically
refuse Xenu because of past misuse. Andi has a list
of websites that deny access to Xenu.
Tom Boutell has an extended
explanation of how wikipedia denies access.
A user-configurable "User Agent"
would be the solution, but this would make abuse possible.
21. Why can't I connect to "secure" (https) sites ?
If you have set your proxy correctly, try to connect
with IE. If this doesn't work, read
this usenet post for help. If this still doesn't work and you use Windows
NT 4.0, install the latest
NT service packs (up to SP5).
22. Any known problems with Windows 95?
Some people have reported crashes. These problems were usually solved by
installing IE 3.0 (or higher) or the following service packs:
One guy had problems with the WININET.DLL (v. 4.70.1300) installed with
OEM Windows 95 (v. 95 4.00.950 C). Changing to version 4.70.1335 solved
A simpler solution is to go to http://windowsupdate.microsoft.com
and install whatever they tell you (you need to have IE 4.0 or higher on
23. Any known problems with Windows 2000?
Although I received many reports that it runs fine, one user reported a
problem and a solution:
Windows 2000 automatically sets a configuration option to use HTTP 1.1
for connecting to web sites. Many, many web sites do not use that version
but continue to use HTTP 1.0, so the automatic setting may prevent connections.
This is the reason why Xenu would not run for me. When I disabled that
setting, Xenu performed properly.
To disable that setting: Control Panel -> Internet Options -> Advanced
(tab) -> HTTP 1.1 settings (list heading) -> Use HTTP 1.1 (checkbox: uncheck
24. Can I configure the timeout?
Enter the number of seconds in the [Options] segment in XENU.INI,
e.g. as timeout=120. The default value is 60. Note that this isn't
"perfect". Microsoft Windows has a bug
so that the timeout can't be set the way it should. I am using a workaround
advice from Microsoft. However I have observed that it doesn't work
if the timeout "hits" while trying to find out if a host name exists.
Alternatively, try this:
Start the Registry Editor (REGEDIT.EXE)
Go to HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion
Select New > DWORD from the Edit menu
Call it ReceiveTimeout with a value of <number of seconds> * 1000
(The "hidden" default is 300000, i.e. five minutes, which is too long)
Restart your system
Some users have complained that if one URL hits a timeout or a failed connection, all URLs from that host also do. Starting with version 1.2h, this behaviour can be disabled by unchecking "fail all URLs with same failed host" in the advanced options dialog. (The default behaviour is "checked")
web pages dynamic; they might depend on the mouse type, the screen size,
My solution, which was first announced
in the user group, requires a change in the XENU.INI file. You need
a basic understanding of regular expressions (regexp). You must put your
regexp in the INI file, like this:
In the example above, the substring within the first (....) must contain
the valid URL.
Frank Visser suggested
an improved regexp:
Frank Visser has also written a better
description on his site.
the regexp wouldn't work.
26. What about passwords entered in a FORM?
The software is not able to enter passwords in a FORM. I just don't see
a way to acomplish this easily. I assume it is possible if one combines
a set of variable names, values, and a web page that would accept them
with a http POST command. But some alternatives might work:
I came up with a new solution for this problem, please give me feedback if it works or if it doesn't. It was first presented in the user group in April 2009.
- Log in with Internet Explorer, start Xenu, then enable cookies in the advanced options dialog (read the details), then start the check
- If the server accepts authentication with GET (might work with the Tomcat server), try sending such a URL. However, you might still have to activate cookies.
Submitting a FORM was never a technical problem for me; I have tested this years ago already, but without any user interface. My mistake was to look for a general way to catch FORMs in HTML pages, instead of just
using the login FORM url as a start. I found a somewhat practicable solution at a competing site (WLV).
A test version of Xenu (this may not be the most current version) with login FORMs can be found
The initial dialogbox has a new checkbox for POST and a POST query string. Note that the query string won't be stored in the INI file.
Imagine you'd want to check the (imaginary) password protected website
https://www.host.com. Look at the HTML for the FORM:
<FORM METHOD="POST" ACTION="https://www.host.com/scripts/login.php">
<INPUT TYPE="text" NAME="User">
<INPUT TYPE="password" NAME="Password">
<INPUT TYPE="submit" NAME="Submit" VALUE="Login">
Thus, the start URL would be https://www.host.com/scripts/login.php
and if the username is "Xenu", and the password is "Secret", the POST
query string would be
(The POST query string gets tricky if there are spaces or special
characters in the parameters. It must be
- You must add https://www.host.com to the inclusion list. If you don't,
only URLs beginning with https://www.host.com/scripts/ will be checked;
- Don't let Xenu hit the logout link! To avoid this, add the logout URL to
the exclusion list:
- If your server doesn't do proper URL-rewriting when sessions are disabled, then you must enable cookies in the advanced options dialog;
- Don't let Xenu hit any URLs that delete or change something!
27. How about a WAP version?
Xenu does check .wml files since February 2001.
28. What about these error codes?
I identify only a subset of all possible error codes in the "Status" column.
If you get an unknown error code in the Xenu application window, you can
scroll to the right for an explanation text.
29. Why do I get broken links with filelist.xml, editdata.mso
Because Microsoft creates these broken links :-( Don't bother with them,
or read Knowledge Base article Q219694: Saving
Office HTML File to a FrontPage Web Results in a Broken Hyperlink.
Or try this tool: Office
2000 HTML Filter 2.0
You can also get rid of the problem by excluding them in the advanced options dialog.
Xenu will exclude URLs that end with /filelist.xml, /editdata.mso
and /oledata.mso. (This feature has been available since Version
30. Why do I get "file not found" on remote checks?
There may be several causes for this:
Your Internet Explorer isn't working properly, or is in offline mode, or
is blocked by your firewall. Enter the URL you want to check into IE and
see if it works.
One user got it working by starting Internet Explorer first, and then starting
Xenu. I believe that the cause is a broken setup of Windows, or of Internet
Your temporary directory is full: enter %TEMP% (not "c:\temp" !) into the
Windows Explorer, check if there are many TGH*.* files, and delete them.
31. Can I make a foreign language version?
No, please don't. There's no guarantee that any of the message texts will
be kept in the next version. The other problem is that I didn't write the
software in a way to be language-independent. I could have done it - but
I think most people on the web do understand english.
32. Why isn't Xenu detecting missing URLs?
A web server should return HTTP error 404 for non-existant URLs. Some servers
are poorly configured: some redirect to an existing URL with an error message
(bad!), others do show an error page, but the server doesn't return the
404 error (very bad!).
One user had the problem that his Microsoft IIS server didn't return
the 404 error. He found help on this
page, and then sent me his solution, which only works in .ASP under
<% Response.Status = "404 Not Found"
On Error Resume Next 'important in an error page to prevent another error
strTarget = Request.ServerVariables("QUERY_STRING")
strReferer = Request.ServerVariables("HTTP_REFERER") %>
<HTML><BODY>The page doesn't exist, sorry dude!<BR></BODY></HTML>
The Apache web server has a different (and better) method of doing the
same thing using native HTML code for the webpage. You simply set the correct
config items in the http.conf file on your box.
Another user with Apache attributed the unwanted redirection to this line in the .htaccess file:
ErrorDocument 404 http://www.host.com/404.html
and he solved it by making this change:
ErrorDocument 404 /404.html
Now he gets a correct 404 error code which includes a tailored error page and no redirection. He read about it here.
33. Running Xenu with Norton Internet Security
A user had trouble to use Xenu with Norton Internet Security 7, and got
error 12007 (no such host). After he added Xenu, it worked. This is what
added Xenu by opening Norton Internet Security by double clicking the Norton
In right side panel, "Personal Firewall", Click CONFIGURE
In the Personal Firewall pop-up, Click PROGRAMS
In PROGRAM CONTROLS MENU
Settings for - "Home (Active)"
click "Turn on Automatic Program Control" box
Under "Manual Program Controls"
Scroll to "Xenu.exe"
Click Xenu once to Highlight it
in the pop-up:
Click Ok again
34. Why timeouts?
This is difficult to answer. The cause might be network overload; it might help to set a lower amount of threads, or to fine-tune the DoS detection of your firewall.
Check your firewall logs to see whether it detected a "SYN flood" DoS attack by you. SYN is the first data packet that is sent to a host when starting a connection. Theoretically, Xenu might send up to 100 SYN packets that are not immediately answered, so a firewall (that counts "unanswered" SYN packets) might think something "evil" is going on. My firewall box once claimed to have detected a SYN flood when I opened many newspaper articles in background browser windows.
35. Any Spyware, Adware, Malware?
This software exists since 1997 and never had any type of malware. It does not "phone home" or return any statistics to me. There are random "ads" in the HTML report for causes I support; however I don't get paid for this. Any passwords that you enter in the software (e.g. for orphan search) are not "remembered" after you close Xenu, nor are they passed to me.
Some debug output is stored in the file XENULOG.TXT which you will find in your %TEMP% directory. That file does not contain any passwords and it is used for support (I will sometimes ask you to attach it to an e-mail to me), primarly for problems with the launch of URLs in your browser (especially the report). The file is human-readable, so feel free to have a look. The file is not sent to me by Xenu, it just remains there and you can delete it if you wish.
Here's a green review by McAfee Siteadvisor about Xenu's Link Sleuth. Note that until before July 11 2008, Yahoo Search (which uses input from McAfee SiteAdvisor) was redflagging every URL of the whole snafu.de domain, including my user site (this seems to have been corrected now). McAfee SiteAdvisor has redflagged the snafu.de domain, but not the user pages. This was related to three downloads (CuteFTP, GoZilla and Nok2Phone) on the customer support ftp site of snafu.de, who has been my ISP for over a decade. These downloads have been removed since then and both Yahoo and McAfee have been notified. On July 30 2008, I noticed that the snafu.de domain has been greenflagged.
As of 22.8.2009, I was told by a user that Trend Micro Internet Security was redflagging this web page as "Dangerous", because Xenu is a "generic trojan". Such false positives are not an isolated problem, other people have had the same complaint. On August 27 I talked on the phone with a very friendly human from Trend Micro. He explained to me that his software wrongly considers mine to be "another antivirus software" because "it searches" (sure it does!), and that he installed the software on a test machine and understand it is harmless. He promised to "contact the lab". But after that, I was asked to make another support message on another web page, and nothing happened after that, but I haven't had complaints from any more Trend Micro users since then.
As of 30.10.2009, a McAfee Antivirus product claimed that my product is a "Trojan - Artemis". (McAfee describes this problem: "Artemis" & Other Possibly False Detections) After several complaints, it seemed that the problem had been solved with version 5836 (tested 18.12.2009).
As of 21.6.2010, McAfee did it again with the new version 1.3.7, and later with 1.3.8. Despite contacting them, there was no reaction. After finding a different contact page for false alarms, McAfee contacted me the next day (on 14.10.2010) and told me that the false Artemis detection had been removed.
On 21.11.2010, a user of Avira Webguard told me that my download URL was blocked. I found out that it was not blocked by the free antivurus product. After a complaint, it was unblocked two days later.
To put any such "alerts" into the correct perspective, upload any Xenu.exe file to www.virustotal.com, which will check the file against 30 antivirus products.
I'm not the only one "suffering" from this type of libel. Read this blog post by nirsoft.net Antivirus companies cause a big headache to small developers, or this blog by Bill Pytlovany McAfee Continues to Harm WinPatrol Users. This SARVAM blog entry shows that many AV products consider windows system files to be malware when packed.
If you have any more questions about security, don't hesitate to contact me. If you want to report a bug, click here.
36. How about wildcards in the inclusion and exclusion lists?
This is available but not in the general version. Download it here, however, this may not always be the latest version. Just enter something with a "*" instead of an URL, e.g. "*print*" to exclude an "easy print" version of a web page. Note that only "*" is supported; "?" is not, nor are "regular expressions" (because an average user won't understand the concept). Also, don't forget the "*" at the beginning and the end of the URL, unless you want the expression to be a prefix or a suffix.
37. What about CSS?
Styles and CSS files has been supported since version 1.3.8.
Attention: Similar to HTML URLs, the CSS URLs must be "internal" to the root URL, or be added to the inclusion list in the initial dialogbox. For example, if your root URL is http://www.host.com/stuff/ and your CSS URL is http://www.host.com/css/standard.css, then it won't work - you should then add http://www.host.com/css to the inclusion list.
38. Running Xenu with Norton Security Scan
One user complained that the software was using up all windows handles (32000) on Windows 7 32 bit,
and after that he kept getting "no connection". The same happened with browser access.
The user told me that it was a new PC. I warned him that new PCs often have some stuff pre-installed.
The cause was Norton Security Scan. After deinstalling it, Xenu ran smoothly with 300-600 handles. Apparently,
this product isn't just a scanner, but also a "live watcher", and the product doesn't free its resources properly.
39. Why are there changing Session-IDs?
Xenu has cookies disabled by default. Thus, if the web server tracks sessions, this would have to be done through the URL. If the session ID constantly changes, then it means your application or your server software is buggy. A properly programmed server does URL rewriting automatically when needed.
To prevent having a new session generated for each new URL, all internal links must be generated dynamically.
In Java servlets, this is done with HttpServletResponse.encodeURL(), which will either change the URL or leave it as it is, depending on wether cookies are enabled or not.
In JSP, you should use the JSP Standard Tag Library (JSTL):
<a href="<c:url value='fun.jsp'/>">Click here for fun</a>
of course you can still do it the hard way, with a scriptlet:
<a href="<%=response.encodeURL("fun.jsp")%>">Click here for fun</a>
In JSF, you should use the HTML tag library:
<h:outputLink title="fun title" value="fun.jsf">Click here for fun</h:outputLink>
<h:link value="Click here for fun" title="fun title" outcome="fun.jsf" />
If you use .php, you should use the SID constant. The manual explains how.
40. Problems in Israel
There is a problem with hebrew websites that happens only on computers with hebrew windows, if the character ת (tav - looks somewhat like PI) is used in URLs. This should be converted to %D7%AA, but is converted into %D7%D7 instead, and only in Israel and not "here" (in Germany).
A fix will be in version 1.3.9. If you can't wait, use the current beta. Thanks, Yosi!
41. Using an external authentication server
If you are using an external authentication server (e.g. "Sun Access Manager"), make sure that when successful, it doesn't redirect to an URL that has already been checked by Xenu (and is the one that redirected to the authentication server URL in the first place!).
Alternatively, use the authentication URL (e.g. http://auth.host.com/blah/blahRedirect_WL.jsp?goto=http%3A%2F%2Fwww.host.com%2F.wlforward) as the root URL, and include the "real" root URL (here: http://www.host.com) in the initial dialog box.
42. Running Xenu against the Tomcat server can cause it to hang
I experienced this myself - the cause was a deadlock in log4j. Log4j is usually great, but deadlocks can happen "by design", see this long running ticket and this blog post. The proof that log4j was the cause is that it didn't happen when logging was set to OFF.
One cause were two JSF Beans that were not serializable. Another was an error message by tomcat about an aborted GET access on /Context/faces/javax.faces.resource/jsf.js?ln=javax.faces". The later cause has been removed in 1.3.9.
43. Why does my page not have any outgoing links?
The following reasons have been observed:
- The URL is considered external. Note that http://www.host.com is external to http://host.com and vice-versa.
- A page is delivered to Xenu differently than to a browser. That, too, can be investigated with Fiddler.
- A page is in 16 bit Unicode (utf-16, which has 2 bytes per character). Xenu does not support this. It is highly unusual, but not illegal. In firefox, you can click on a page with the right mouse key and choose "view page info". If it mentions utf-16, use NOTEPAD to save your page to a different charset (ansi or utf-8). Your page will also have about half the size than before.
The software works pretty well, but here the list of things that shouldn't
If you find another bug, e-mail
me a description, please include the URL you are checking, and if
possible try to save your work in a .XEN file and attach it. Also check
to make sure that your system has all the updates. If you want to e-mail
a suggestion, click here. You can also join the user
group by sending an e-mail to firstname.lastname@example.org.
the thread count is sometimes incorrect if the maximum is changed while
the thread count is sometimes incorrect at the end of the session
The </A> closing tag must not have spaces or newlines inside
leftover TGH*.* files in the %TEMP% directory
weird effects when INI file >64K (happens on Windows XP, but works fine on Windows 7 64 bit)
Future feature List
Things I will do in the future (maybe when hell freezes over!):
loading of images (geocities
Solution for leftover TGH*.* files in temp directory
Command-line parameters (actually, this has already been done, for a client
who agreed to pay my development time to two people I support. If you need
something similar, e-mail me, the price is a $300 donation to be sent to
a person I support)
Names of last checked URLs in also file menu
Automatic saving every minute
A correctly working "Update" feature that rechecks changed sites (tricky,
so I will never do it)
Ideas from Chris:
What about identifying how many steps it takes to reach a particular page
from the home page and how much kb had to be downloaded before one could
[TH: useful e.g. to which steps a user must take to reach the page
of a particular product]
suggestions: e-mail me also if there is something of the above you'd
like to have, and persuade me to do it. If you want to report a bug,
The Story of Xenu's Link Sleuth(TM)
(for fellow software developers)
In April and May 1997 my employer assigned me on an out-of-town job, because
another department needed a guy with MFC experience. So from monday to
friday I was away, and on the evenings I was bored to death. Every week-end
I was back home, and I usually checked my web site for broken links with
Sadly the software had a lot of bugs, and their support was ignoring my
e-mails, and I was mad as hell, as I had spent quite a lot of money on
a product that wasn't worth it. My job was also the first contact with
VC++ 4.2 (previously I had only worked with VC++ 1.5, because our customers
have a lot of 16bit systems), which had some easy-to-use Internet access
classes. I had already experience with WINSOCK programming, but these classes
would spare me a lot of time evaluating HTTP result headers and other annoying
stuff. On an evening after an excellent italian food with a good chianti
I took some hotel letter paper and wrote down a concept for checking links.
A month later I took some time to install the development software on my
computer and started working, with the help of that hotel-room concept.
The work was done on some evenings, but mostly on week-ends, when I had
My philosophy on software development has always been "smaller,
simpler, cheaper", long before the NASA realized this (in May 2002 I was
told that the actual NASA philosophy was Faster, Better, Cheaper
- oops!) Because of that, I need no fancy (but totally useless) graphics
like in WebAnalyzer. Just results. And they'd better be 100% correct or
I'd have to kill myself :-)
application is written in Visual C++, and uses the MFC classes as much
as possible: CDocument, CView, CListView, CObArray, CMapStringToOb, CArchive,
CInternetSession, CHttpFile, etc, etc. That saved me a lot of time!
Original icons in EXE file: Martin Hunt and Paul Campbell; Icon on web page: Erik
Plummer; Idea to use banners in report: Marc Cross; Xenu logo button: Fred
C.; second Xenu logo button: Charles A.
Upsdell; Volcano animated cursor: Juan C. Pradas-Bergnes; Idea & help with SMTP integration: Mark Findlay;
class: P.J. Naughter; Xenu artwork: William C. Chenoweth; WinHelp version of documentation: Andrew Schoenhofer; Regular Expressions:
Spencer and Guy Gascoigne; Install and deinstall:
Setup NSIS with help from Andrey Aleksanyants; help with Xenu banner: Bruno
Zacke; wildcards: Jack Handy; sort icons for list columns: Thomas Holte; new Xenu icon in May 2008: Dominic Raths of Hitflip.de;
Idea and code for GraphViz: Kevin Niehage; Current HTML Help (CHM) version of documentation: Andrey Aleksanyants;
.jar listing: Arcangelo Bruna;
Resize Dialog: Torben B. Haagh; Help with "the Hebrew problem": Yosi; Internationalising Domain Name conversion: Gisle Vanem and Adam M. Costello;
duplicate content detection: RSA Data Security, Inc. MD5 Message-Digest Algorithm;
gzip content decompression: zlib
Links for further reading
Xenu, Xenu's Link Sleuth and Link Sleuth are trademarks used
by Tilman Hausherr for software products and services. These products are
not associated in any way with services licensed by RTC, CoST, BPI, CSI,
Home | $cientology
| Magic | Mozilla
| Tilman | Deutsch
tilman at snafu dot de