Notepad.exe Will Snitch On You (full coding project) 

John Hammond


Published: 29 Aug 2024

Comments: 445
@cold_fruit 5 months ago
mans took nearly a full hour to say "notepad.exe has on-disk retention of the scratch buffer" 💀
@Carl-md8pc 5 months ago
Thanks. Thought he was going to say Microsoft looks at the data to give recommendations. Can now spend the hour back to gtd in Emacs on a non ms os.
@sillymesilly 5 months ago
Yeh that’s why didn’t subscribe and stopped at 1:08 too much air and sound coming out of his mouth
@Eckster 5 months ago
My goodness, how is this a whole hour, I suppose the way he repeated and demonstrated the same thing like 4 times in the first minute should tell me
@neilpatrickhairless 5 months ago
To be fair, a good chunk of the population has to have things explained and demonstrated to them multiple times because... well... take a wild guess
@LKN117 5 months ago
@@neilpatrickhairless Implying people are not intelligent because they aren't power users is a very arrogant view to have.
@tk429 6 months ago
Notepad ++ had done that for literally a decade.
@reanimationxp 5 months ago
as does sublime, but generally those tools aren't going to be installed by someone who isn't already a power user
@nordgaren2358 5 months ago
Not to mention, it's just another place for people to look for sensitive information, and another place that has to be monitored for suspicious activity, potentially.
@core36 5 months ago
@@reanimationxp even good old editor is mostly used by power users. normies buy word
@DoRullings 5 months ago
... and the Notepad++ cache files are just .txt files.
@electrified0 4 months ago
It's not particularly interesting or surprising that a program that auto-saves has locally cached files that can recover the contents of unsaved files. Anyone with direct access to your filesystem could simply re-open notepad.exe and see exactly the data that you extracted there. What would be a lot more interesting to explore is whether and when deleting or closing without saving one of these unsaved files leaves easily recoverable artifacts. For example, if you type something into notepad, close the tab and hit don't save, does it delete the file? Does deleting the contents delete the contents of the file? If so, when?
@Sparks621 6 months ago
010 Editor and its FOSS counterpart, ImHex both have an insanely useful feature called Patterns (or Templates) that make it a lot easier to reverse engineer binary structures by defining them in a C-like struct syntax. It also helps with visualizing or color-coding the specific byte ranges. I'd love you to make a dedicated video about pattern-based hex editors because it's genuinely one of the most useful things for figuring out the layout of a binary format.
@toxyl3915 6 months ago
that would be nice, I used that a long time ago in HexWorkshop, makes things so much easier. also, ImHex looks interesting :)
@nordgaren2358 6 months ago
Yea. I wanted to make a template for this, and I actually suggested it, but it takes some time to learn the template script. I have written a few myself, but tbh IDK how I would write the template for this format. It would be a good video, though. Learning bt templates or ImHex patterns.
@UnrealSecurity 6 months ago
I used 010 editor for a while and it is very good but its pattern language felt unnatural and inconsistent. I switched to ImHex shortly after and I absolutely love it now. I still have to use FlexHex if I need to compare two binary files (deletions & insertions) because other hex editors are way too slow.
@Sparks621 6 months ago
@@UnrealSecurity My only problem with imhex is that it's still pretty buggy. Scrolling the hex view is a pain, the pattern breakpoints don't always work and sometimes the whole program crashes. Other than that it's pretty good.
@UnrealSecurity 6 months ago
@@Sparks621 I have had it crash on me a few times. I'm curious though; what do you mean scrolling the hex view is a pain?
@vilianasdev 6 months ago
Doing some looking I found the structure seems so far as the magic two bytes, then a delimiter, a boolean if the file is saved or not. If it IS saved then it has the length of the following path as a singular byte, proceeded with the path itself in, I'm assuming, UTF-16. Next is the length of the content in variable amount of bytes. HERE is the kicker, the next 48 bytes are a Keccak-384 hash of the content which seems to start with bytes 0x05, 0x01 then 46 bytes of the rest of hash. Next I don't know but seems to be more bytes until a 4 byte chunk at the end with the length again. Then the content ended with a null byte then four final bytes that I also can't track down. Hope this helps with that hash issue tho!
@nordgaren2358 5 months ago
The 0x05 0x01 are the encoding and the carriage type. :) Also that length at the start is a varint. After the 44 byte metadata structure (which is the structure that you described as the 46 bytes) there's more var ints, which represent the cursor position. They are the same if there is no selection, otherwise it's the selection start and end in chars. Then a delimiter that seems to be the number 1 as a 32 bit int, and then another varint for the length of the content. IDK what else is after that.
@gm133t 6 months ago
All you need to do to disable this behavior is go to notepad settings and under "When Notepad starts" --> "Open a new window" instead of the default "open content from the previous session". No more bin files this way.... :)
@jakelancaster5889 6 months ago
Yeah I haven't used windows in a minute but last I did, notepad didn't even do that so hopefully there's a disable feature option too lol
@daviddelaney363 5 months ago
Sort of true...but if you shut down your system without closing notepad it retains the text that was displayed and will open it next time.
@dannymitchell6131 5 months ago
@@daviddelaney363 You can change that too.
@dinnerchief 24 days ago
when you are a 60 yo grandma, you'd have no idea about that AND it would be more convenient to just get what you need without digging into file system or forgetting to save everytime
@harald4game 5 months ago
39:02 Tip: It's using variable length encoding, High bit cleared denotes last byte. 0xE8 0x02 is (0x80+0x68) (2) where 2 becomes 0x100 (left shift 7 bits) + 0x68 = 0x168 which is 360 in decimal which is the file length. @0x86 it's the text length, The pair @0x7e and @0x80 could be the selection/cursor pos. Selection is empty both values equal. Cursor at the end, values = text length.
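The variable-length integer decoding described in the comment above (identified further down the thread as ULEB128), written out as an added example that is not part of any comment or of the video's code. The field order in the constructed sample (two cursor varints, the 32-bit value 1, a length varint, then UTF-16LE text) follows what commenters report and is an assumption, not a documented format; all function and class names are hypothetical.

```python
import struct


class TabStateParseError(ValueError):
    """Raised on truncated or implausible input (hypothetical name)."""


def read_uleb128(buf, offset=0, max_bytes=5):
    """Decode one ULEB128 varint from buf starting at offset.

    Every byte carries 7 payload bits, least-significant group first.
    A set high bit (0x80) means another byte follows; a clear high bit
    marks the last byte. Returns (value, next_offset). max_bytes bounds
    the loop so a corrupt file cannot produce an unbounded length.
    """
    value = 0
    for i in range(max_bytes):
        pos = offset + i
        if pos >= len(buf):
            raise TabStateParseError(f"truncated varint at offset {offset}")
        byte = buf[pos]
        value |= (byte & 0x7F) << (7 * i)
        if not (byte & 0x80):
            return value, pos + 1
    raise TabStateParseError(f"varint at offset {offset} exceeds {max_bytes} bytes")


def encode_uleb128(value):
    """Inverse of read_uleb128; used here only to build the sample buffer."""
    if value < 0:
        raise ValueError("ULEB128 encodes unsigned integers only")
    out = bytearray()
    while True:
        group = value & 0x7F
        value >>= 7
        if value:
            out.append(group | 0x80)   # more groups follow
        else:
            out.append(group)          # last group: high bit clear
            return bytes(out)


def parse_text_section(buf, offset=0):
    """Parse the cursor/length/text fields as commenters describe them.

    Assumed layout: selection start (varint), selection end (varint),
    the value 1 as a little-endian 32-bit integer, text length in
    characters (varint), then that many UTF-16LE code units.
    """
    sel_start, offset = read_uleb128(buf, offset)
    sel_end, offset = read_uleb128(buf, offset)
    if offset + 4 > len(buf):
        raise TabStateParseError("truncated 32-bit delimiter")
    (delimiter,) = struct.unpack_from("<I", buf, offset)
    offset += 4
    if delimiter != 1:
        raise TabStateParseError(f"unexpected delimiter value {delimiter}")
    n_chars, offset = read_uleb128(buf, offset)
    end = offset + 2 * n_chars         # UTF-16LE: two bytes per code unit
    if end > len(buf):
        raise TabStateParseError("declared text length exceeds buffer")
    text = buf[offset:end].decode("utf-16-le")
    return {"selection": (sel_start, sel_end), "text": text, "end_offset": end}


# Constructed sample, not bytes from a real file: 360 characters of text
# with the cursor at the end, so every varint encodes as E8 02.
SAMPLE_TEXT = "scratch note line\n" * 20
SAMPLE = (
    encode_uleb128(len(SAMPLE_TEXT))       # selection start
    + encode_uleb128(len(SAMPLE_TEXT))     # selection end (same: no selection)
    + struct.pack("<I", 1)                 # delimiter
    + encode_uleb128(len(SAMPLE_TEXT))     # text length in characters
    + SAMPLE_TEXT.encode("utf-16-le")
)

if __name__ == "__main__":
    print(read_uleb128(bytes([0xE8, 0x02])))
    section = parse_text_section(SAMPLE)
    print(section["selection"], len(section["text"]))
```

Reading the length as a single byte instead of a varint is what truncates longer buffers: any text of 128 characters or more needs at least two length bytes.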
@seanvinsick5271 6 months ago
Your videos always get me with this. You present something I'm familiar with and think I know about, so I assume I already know what you're going to find. You present it as a beginner level understanding further lowering my guard, and then you hit me stuff I don't know.
@DD-pp4ke 29 days ago
Wax on wax off danielson
@nickadams2361 6 months ago
This feature caused my notepad to be in a corrupted state where it was trying to run a formatting operation on dozens of open unsaved files. Took a minute to get the app functional again, I had to go and delete all the cached shit windows was doing in these folders
@mikemhz 2 days ago
I restored the whole original notepad.exe when that happened to me
@Sandman74blue 5 months ago
Notepad also remembers what you highlighted. Just highlight some text, close and reopen notepad... It's still there.
@nordgaren2358 5 months ago
Yea, it's part of the tabstate file format
@codemonkey6173 6 months ago
Love the shoutout to 010! As a fellow Canadian I'm happy to see them get the love they deserve!
@ribcatcher 6 months ago
Heads up, I only watched the video up to 43:00 before deciding to try a bit of stuff myself, so if you had some revelations in the last 10 minutes I haven't seen them (as of this comment). To be honest, reading this a second time, I don't think the info here is that helpful, but it should help someone working on this get a head start. Take everything here with a tub of salt - I'm a uni student and have 0.00 years of professional experience.

Steps:
1. Create a new file and save it.
2. Load up the saved file in notepad and edit it
3. DO NOT SAVE the edits and close notepad. Reopen notepad to verify that the edits were cached (They were). Then close notepad
4. Open the file in a second editor and add some text. Save the file.
5. Reopen the file in notepad and navigate to the tab with the unsaved data. Notepad notices that the file on disks has edits newer than the cached edits in notepad.

Therefore:
- Notepad (probably) saves the hash of the file on disk + time of last edit as well as the hash of the cached edits and their timestamps. That could be the garbled data before and after the
- I believe that the garbled data in between the delimiters and the data after the end of contents must be some form of hashes + timestamp. Perhaps the timestamp of the edits + the timestamp of the last edits and the hash + timestamp of the file on disk.

I was curious about the 0.bin and .1.bin files, since they are considerably smaller but still follow the same format somewhat (see point 7), I decided to focus a bit on those. I decided to do some tests

Second test:
1. Create a file
2. Open it in notepad and see the cache. One file with a UUID is made.
3. Close the file, we see .0.bin and .1.bin pop into existence.
4. We also see that .1.bin is empty (Zero bytes).
5. Reopen the file in notepad. This usually makes a second (newer) tab. Close that tab so that the original tab is in view.
6. Now close the file without making any edits in the tab.
7. .1.bin is populated! Moreover, we see the same pattern (01 00 00 00) in the .1.bin file - followed by some garbled data.
8. Now repeat steps 5 through 7.
9. We see that the end of .1.bin has changed.
10. If I repeat 5-7 a second time, we see that .1.bin doesn't change, but .0.bin does?

Concluding, it seems notepad stores session data alternatively, once in .0.bin and once in .1.bin. The initial session populates .0.bin, the next populates .1.bin, and back and forth. Also, if you notice, notepad preserves cursor position between sessions, I assume that too, must be stored somewhere in those files or the main one. They're clearly a complete "Tab state" that has all the necessary info to recreate a notepad tab, including where the cursor was, etc. I got kinda fatigued at this point as it was getting late, but I hope whoever reads this gets a bit of a head start! Edit: I made some more observations and put them all in a github issue
@luketurner314 6 months ago
It makes sense to alternate files when saving session data (second test, step 10). If, instead, it were to overwrite a single file, if a power failure event happens during the process, that entire session would become corrupt and will be lost; if it was a new unsaved file, all that data would also be gone
@capcapt23 11 days ago
well this was my 1st video I've seen of yours. So many will chime in with, of course it does this. But how you got to the end was simply fun and very well thought through. It made me stop and go full screen so I could follow along better. Simply fantastic.
@59de44955ebd 3 months ago
For the record (for those not aware), this "snitching" issue is only about the new multi-tab UWP notepad, but all windows versions including Win 11 still come with the classic single-tab notepad.exe (C:\Windows\notepad.exe) based on good old edit control, so just use this one instead and you are safe.
@Americas_Last_Patriots 11 days ago
I was just about to ask....the same thing....So windows 10 and earlier is the regular notepad.exe? I just noticed on Win11 it auto saves on notepad. And doesn't seem to do that on Win10.
@zangin 22 days ago
I love knowing somebody else’s brain works similar to mine! Great deep dive. I like knowing I’m not the only one who would spend time to figure out what it’s doing, and it’s satisfying when you figure it out, and then can extrapolate on the ramifications. I bet there is so much more that is tracked and not documented.
@MyCodingDiary 6 months ago
I've never commented on a video before, but I had to for this one. It's that good!
@ChatterontheWire 6 months ago
reminds me of stuff I had to do with satori back in the day to parse different network packets that weren't well defined back in the day. Lots of trial and error, cutting, looking, displaying, changing! Always interesting to see what John is up to these days!
@xCheddarB0b42x 6 months ago
Well, this escalated quickly to writing a bespoke parser on-the-fly. hahaha this content is S-tier dude
@sammyfromsydney 5 months ago
This drives me insane. Programmers and security staff insist on changes that make the user experience much more difficult in the name of security, then they do something like this which is bound to cause bigger security issues than anything they resolved with their user unfriendly changes. Notepad history and cache should at least be opt in, with a warning not to type passwords into it in the clear.
@CD-vb9fi 5 months ago
lol... it's NEVER about security. No matter how much they claim it is... it just is not. I have been in IT for years now... Security is a "throw away word" to justify some whacky shit... with the end result being insecure.
@anthonylosego 5 days ago
@@CD-vb9fi Some places take security seriously and don't back down just because it is hard. I've seen some bad concepts in security over the years such as "security through obscurity" and relying only upon file permissions, etc. However lately, I have seen more 3 factor authentication processes. Which is pretty good for the time being. SSL, POST, and Federation services are pretty key as well.
@CD-vb9fi 5 days ago
@@anthonylosego No, I have never seen any place take security seriously. It's not that they "back down". They "fundamentally" have no idea what security is. Sure... give me 20 factor auth... it's worthless let me explain why. Did you remember the RSA "paid to be less secure by NSA" from the past? Or how about "golden keys"? How about "password complexity rules"? How about "password life cycles"? How about those dreaded "checklists"? The ones where you have to "do something" just to check off that little box even though the thing you are "locking down" is already "disabled"? Humans "fundamentally" shoot themselves in the foot. You bring in your Triple factor and all that means is that one of your 'factors' becomes the target... and wham. Still compromised because THEY didn't take it seriously. All Eggs in one basket? Perfect! We love that! Just ask everyone using Crowdstrike. We humans... out of fear create the very weapons that are used to stab us in the back. Now... none of you have control over your hardware because the mfg backed in their own controls and backdoors... guess who can control your hardware? Hackers... and they control it on a level that once they have access... you don't even have the tools necessary to kick them back out!
@ThisIsJustADrillBit 6 months ago
Lol that lil screen connect moment feels... Curiously timed 😊❤
@raydall3734 5 months ago
I use nano in a command line interface on a linux machine. I don't sweat such infiltration.
@notaras1985 4 months ago
For what? Saving passwords?
@pen1208 5 months ago
I write articles and research data for a living. I found this happy added feature out by accident when I updated to windows 11 over a year ago. This has been a feature ever since 11 release. I personally LOVE it. For the exact reason you listed. I am a coder "hobbyist" and I oftentimes work frantically and quick when diving into "rabbit holes" when doing research. This feature has saved my butt more than once with its "autosave" feature when writing. My method when writing is just let thoughts roll out. I ignore misspells and proper punctuation then when I am done spilling my brain on the screen, I go back later and go through it and make sense of everything I wrote. I love just popping notepad open when doing reporting on coding. I can just spill it out with snippets of code in my head along with what I write, knowing if my computer crashes for what I am doing at the same time on any one of my 3 other screens, it will be saved with every edit I do at any time. Super helpful. LOL
@BitWise501 5 months ago
Did something similar. I enjoy decoding and parsing data structures without documentation.
@nordgaren2358 5 months ago
Same, actually! I do a lot of game RE, so this was right up my alley :)
@tiger12506 6 months ago
Yeah, the second I saw that update news, I dropped Notepad like it's hot. I always used to use it to just have a quick scratch place for ephemeral data, copy/paste, edit, etc. And now, it leaks that data. Gross.
@AntiAtheismIsUnstoppable 5 months ago
Maybe the problem is more that it's opt-out. This is the typical dilemma when adding features to an APP, you can make it opt-out in which case you can be sure that the users will experience it, or you can make it opt-in and do these small tutorials when the APP starts the first time with small screens telling what is new and which everyone skips. But yes, it doesn't seem as helpful in notepad as in an actual editor. I also disabled it.
@ai-spacedestructor 13 days ago
im not experienced by any means in working with binary data but i feel like the starting bit after "NP" and before the file contents begins, especially the segment always present regardless if the full filepath metadata is present or not will probably help figuring most of the struggle in the video out once you're capable of interpreting it correctly. after all it must be important to both scenarios if its always present.
@charlesmayberry2825 6 months ago
I could see programming out pattern matching for certain things, as someone that enjoys red teaming I see a lot of "this is terrifying what can probably happen here" I'd be looking at other things like I can't alter code in another program or the OS will see it as misbehaving and close my program, but what I could do in theory is get pointers to the buffers, if I want to do some weird low level code stuff. I am hesitant to go full nerd with how and what I could think to try, but this could be a scary tool.
@dakoderii4221 5 months ago
They should use the tech in voting systems instead of what is used in modern computers. This is especially important for financial transactions. Why are we using obsolete tech that can be hacked when we have unhackable tech sitting in the voting machines? There has to be a way to incorporate that tech. Voting machines are so secure that they cannot be hacked, even when connected to an unsecured wifi network. That's highly impressive but no one wants to further explore this wonderful advancement of technology. Doesn't make any sense.
@MyCodingDiary 6 months ago
Your videos always make my day. Keep shining!
@Lampe2020 5 months ago
12:45 Thanks for warning :) I don't have Slack, but whenever I hear a Discord notification sound while watching a video I wind the video back a few seconds several times to be sure it really didn't come from Discord. Same would be with Skype, but I rarely hear Skype sounds in videos.
@nekomata_mottsii 1 month ago
38:03 We might see a 10 there because of the Windows formatting of new lines. Windows uses two characters to signal a new line "CRLF" (Carriage Return and Line Feed), and Windows saves that into the File, that's also why windows .txt files with line feeds might appear different on other OSs, bc that Windows is the only OS (as far as I am aware) that uses CRLF for a new line, other OSs usually just use LF (line feed) for new lines. All that is probably encoded somewhere in the data you've skipped, even when it changes every single save.
@thomasetavard2031 5 months ago
I believe the extra data while you have notepad open is the Undo/Redo data.
@skilz8098 19 days ago
Yeah, it could be a link or pointer to Windows Clipboard functionality within the Windows API.
@MrAlbinopapa 16 days ago
Me personally, I use Notepad++, a text editor with several features including the one discussed here. I like the save without saving feature because I don't always want to permanently save things, just jot it down and have it accessible without having to look up some filename. Such as taking notes when I'm on a call, a story idea, some bits of code or project ideas.
@SaintMatthieuSimard 5 months ago
Basically, the people who now own microsoft don't have people's best interests at heart. Let's go reactOS
@MrAlbinopapa 16 days ago
They may be spying, but I actually enjoy the feature, though I use Notepad++ which does the same.
@majohime 6 months ago
I think you should try VSCode with Jupyter Notebook extension for such videos. Sublime Text may be nice for recording but working with individual code blocks that can be run separately feels much more nice for developing that kind of small programs. Like you wouldn't need to open separate python shell to check path bytes instead all that inside separate Jupyter code block and you wouldn't be slowed by thinking about whole program logic but rather work on individual small problem at a time.
@1over137 19 days ago
It looks like it's the unsaved editor state. Maybe even the undo buffer. When you changed the file, but did not save it, the cache contained "binary garbage". When you save it, it became 'rendered' text. It's possible the garbage is just a C type struct or union of editor actions, within which you might find the keystroke or input character streams.
@MindCaged 5 months ago
Brings back memories of when I dissected game save files trying to figure out what all the bits of data did and where all the values are stored. It's ironic that a lot of modern game files have better security than this, either because they encrypt the contents or compress it which is almost the same effect if you don't know the compression algorithm.
@rikschaaf 21 days ago
I think that before closing notepad, the weird garbled data of the edits you made are just that: edits. It probably has some sort of encoding to track edits (adding characters, deleting characters, etc), for undo purposes. Closing the editor probably triggers a flush that only prints out the result of the edits and removes the edit log itself.
@alt666 5 months ago
so thats why all my skyrim mod ini's were still open in tabs after i saved and closed the notepad
@frankhaugen 4 days ago
It's the most basic implementation possible of a persisted tab. I bet they store as binary just so the windows search will not look at the contents
@0AThijs 20 days ago
I actually disabled this, I hate it so much, I love tabs but having it open two hundred tabs each launch even if I wanted to just open a single file is so annoying.
@m4rt_ 5 months ago
another YouTuber who has made some interesting videos about figuring out the format for binary formats is MattKC and the videos he has made on Lego Island, and the video he made on recovering a corrupted save file for a game he was playing.
@jacobsteel1142 5 months ago
I hate Notepad right now given that closing notepad tabs is not something that fits in my workflow. I mainly use Notepad++ but given it has that same feature, it wasn't always the right choice (I probably have about 40 different unsaved text files open in N++). So I used to use both and now I'm just annoyed whenever the default notepad pops up. Mainly because even if I open a txt file in it, it won't display that txt I just clicked on, it will just show the last thing it had open meaning I then have to tab over to the thing I just opened
@realtorjames2586 5 days ago
I ditched win 11 and went back to Linux over things like this, and then onedrive taking over my pc and re-installing itself after I finally got rid of it.
@petergerdes1094 4 days ago
How is this any more of a security risk than the fact almost all modern OSes support swapping VM to disk and I don't think windows encrypts it by default. And even if it does encrypt it anyone who has admin or physical access should be able to recover it anyway.
@hexstudios 5 months ago
Don't sell yourself short John, we all just watched a mastermind at work here! Fantastic video.
@Rivinwin 1 month ago
When I worked selling cell phones we had to run credit checks so we handled SSNs, dob, etc. We used Microsoft's Sticky Notes program to handle it sometimes, and it caches data in the same way. We once accidentally deleted a sticky note that would lead to us losing a sale, so I went in and extracted the strings in this way. It never occurred to me that it was an attack surface because a key logger was more of a threat.
@angrybirds2472 3 months ago
recursively about the 420 ism, but tbh for those of us who are just getting into this kinda thing, this really puts in perspective and insight a lot about certain qualities of binary and hex and how it relates to registry keys and how it all works together, and so im more intrigued because i still am kinda noob but this way of attack made me understand the fundamental underlyings of things a lot differently and probably easier to digest for my braincells....
@THEGOOD360 20 days ago
The problem is you're using Windows 11
@asapmig 2 days ago
Windows 11 = legal spyware
@russellstyles5381 14 days ago
Short answer - you can turn this off. Click on the little gear icon in notepad, click on "when notepad starts".
@wardrich 9 days ago
8:42 wtf is it with Windows posts always being like "C:\users\[your user name]\..." What if you don't even have your user profiles on C? Why does almost nobody use environmental variables for this stuff?! %userprofile% or %appdata% or %locappadata% makes way more sense.
@whtiequillBj 5 months ago
do 0.bin or 1.bin have data in ADS (Alternate Data Streams)?
@generovinsky 5 months ago
There is a closing event for programs in windows, when the x is pressed or the program is exited through normal means, that probably triggers writing whatever is in the textbox window to a file..
@luke-gamedevlearning 5 months ago
This is like our Internet browsers remembering our tabs. Nothing new here.
@mathboy8188 5 months ago
I've loved Notepad for decades... just simple text, no formatting, no "functionality", no "intelligence", no nothing. There are so many situations where that's incredibly useful. So of course Microsoft decided it was time to go F it up. When I switch to Windows 11 (unless I go Linux... debating at the moment), I'll need to find a new Notepad to be what Notepad used to be.
@aadishm4793 6 months ago
Awesome & quality content
@kevinwilson7213 5 months ago
Any time THEY try to "help the user", yikes!! Thanks for the explanation John. Also, loving the fact that you "Nerd-sniped" yourself live!! (Better than accidentally Rick-rolling yourself :)
@jackfr0st486 5 months ago
I wonder how this will work if I were to open a file from removable media. Like I close the notepad after file is opened and then remove that device.
@TheD3adlysin 5 months ago
I suspect your magic numbers before the text value are likely Character count, rows, columns
@nordgaren2358 5 months ago
It's a varint. It encodes the number into 7 bits and uses the sign bit to indicate that there is another 7 bits after that need to be accounted for, basically.
@Rundik 26 days ago
Is it clickbait? It doesn't really send the data you type to Microsoft, does it?
@anthonylosego 5 days ago
I think he meant that your data is not gone once you close Notepad. And more importantly, it's just sitting in a file that a hacker could, in theory, look up your buffered data and grab it for their own use. If this known location for the bin files did not exist, a hacker would have to search all files everywhere to find it. However, now they have a way to seek out this information quickly. Especially since people tend to jot down important information in their notepad as a quick buffer. Personally, I think one would do better to use OneNote or some other note taking tool.
@artosbear 5 days ago
I mean it's plaintext. We would have to dig into what gets sent when windows calls home to see if that's getting sent but I think windows at least takes snippets of things you type in general and that goes back a ways before 11. If you use GBoard keyboard on Android Google retains *every single thing you say in a plain audio file* remotely. You have to ask them to delete it. So it wouldn't be hard for MS to just be acting like a keylogger. Not aware at this time of to what extent they're doing or not doing that just talking about how easy it would be
@yodxxx1 17 days ago
Why are there so many features in Win11 that are just incredible data leak risks?
@quicktastic 5 months ago
People probably complained that the old notepad lost everything if there was a power outage or some other fault causing the computer to shut down so they added the ability for it to 'remember' what you were doing. Should be optional though.
@BringIt2023 1 month ago
This is one of those videos you could watch 50 times and learn from it everytime.
@K5RTO 6 months ago
enjoyed this. love your long form stuff.
@bazzmond 7 days ago
This changed notepad behavior caused me to lose an important note. It kept opening extra tabs with the same name, I thought it was a bug and was trying to get it back to normal and I accidentally deleted my note. So annoying... grr
@charlesturner897 11 days ago
This just in! Autosaved files are saved to disk!
@japhethjay4880 5 months ago
Love your new video format keep it up😊
@nickadams2361 6 months ago
I was like bro who is slacking me on the weekend
@wolf2179 4 months ago
It probably should be noted this is the notepad app and not the native notepad everyone is familiar with. Windows apps work differently than the traditional software that most are accustomed to with windows and they are not the same.
@jakestilgard4145 5 days ago
That's why it's better to use the older version of Notepad (it's still there).
@0oNoiseo0 6 months ago
Loved this one John!
@andysmith4634 5 months ago
here is the better solution for me to display the text with line breaks:

    original_file_contents = original_file_contents.decode('utf-16')
    # use the splitlines method for correct handling of Carriage Return (CR) and Line Feed (LF):
    # CR LF characters (often abbreviated as "\r\n") are used for line endings, while Unix-based
    # systems only use the Line Feed (LF) character ("\n").
    lines = original_file_contents.splitlines()
    for line in lines:
        print(line)

otherwise part of the text will be missing after conversion to utf-16
@nordgaren2358 5 months ago
The buffer text in the tabstate files all have unix type line feeds. The tabstate converts all text to unix type carriage returns and utf16le, no matter the source file's encoding or carriage return type.
@nordgaren2358 5 months ago
part of the text is probably missing because you are not reading the var int. it's uleb128
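The point made in the reply above, as an added example that is not from the video or from any commenter: a length stored as ULEB128 takes more than one byte once it reaches 128, so a reader that treats the first byte as the whole length recovers the wrong amount of text from the wrong offset. The record layout used here (a ULEB128 count of UTF-16 code units followed by UTF-16LE text) and all sample data are constructed for illustration; the real tabstate layout is not given on this page.

```python
def encode_uleb128(n: int) -> bytes:
    """Encode a non-negative int as unsigned LEB128 (7 data bits per byte, low group first)."""
    if n < 0:
        raise ValueError("ULEB128 is unsigned")
    out = bytearray()
    while True:
        group, n = n & 0x7F, n >> 7
        out.append(group | (0x80 if n else 0))  # high bit set means more bytes follow
        if not n:
            return bytes(out)


def read_uleb128(buf: bytes, pos: int = 0) -> tuple[int, int]:
    """Decode one ULEB128 value at buf[pos]; return (value, offset of the next byte)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated ULEB128")
        if shift > 63:
            raise ValueError("ULEB128 longer than 64 bits")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:  # high bit clear marks the last byte
            return value, pos
        shift += 7


def read_text(buf: bytes, pos: int = 0) -> tuple[str, int]:
    """Read [ULEB128 code-unit count][UTF-16LE text] (assumed layout); return (text, next offset)."""
    count, pos = read_uleb128(buf, pos)
    end = pos + 2 * count  # two bytes per UTF-16 code unit
    if end > len(buf):
        raise ValueError("length prefix runs past the end of the buffer")
    return buf[pos:end].decode("utf-16-le"), end


def naive_read_text(buf: bytes, pos: int = 0) -> str:
    """The failure mode: treat the first byte alone as the length."""
    count = buf[pos]
    return buf[pos + 1:pos + 1 + 2 * count].decode("utf-16-le", errors="replace")


# Constructed sample: 25 lines of 12 characters each = 300 code units, so the
# length prefix needs two bytes (0xAC 0x02).
SAMPLE_TEXT = "".join(f"note row {i:02d}\n" for i in range(25))
SAMPLE_RECORD = encode_uleb128(len(SAMPLE_TEXT)) + SAMPLE_TEXT.encode("utf-16-le")

if __name__ == "__main__":
    text, end = read_text(SAMPLE_RECORD)
    print(len(text.splitlines()), "lines recovered,", end, "bytes consumed")
    print("naive reader returns", len(naive_read_text(SAMPLE_RECORD)), "misaligned code units")
```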
@PTEC3D 5 months ago
Notepad++ has the same behaviour, any files open when you close the editor will persist somewhere and be restored on opening the app again.
@lordryan5353 1 month ago
@beneater did an amazing job talking through some of their projects that included a hash
@boulderbash19700209 5 months ago
I found that _feature_ when I edited a batch file. I wondered why it was that the batch file didn't run my new commands, and instead was running the old version of it. And when I opened the batch file, there it was, the old version of it. After several times opening, editing, saving, and closing it, I became aware that notepad has tabs and within those tabs are several versions of that batch file, courtesy of me opening and closing it several times. I closed them all and searched in the notepad settings to turn off that feature before editing the batch file once again. Very troublesome feature.
@OhNotThat 5 months ago
Misleading. Microsoft doesn't actually get notepad to phone home with all your data, therefore it's not "snitching" on you. It's just on disk data retention. notepad++ also does this. Unlike Microsoft Windows 11 Notepad I'm sure Notepad++ lets you toggle an option for this though.
@JimJi 5 months ago
Hold on, let me check my slack really quick... oh wait...
@DePhoegonIsle 6 months ago
Honestly, I think a cool thing about it would be able to pull data from it without using notepad. Sorta like saving the tabs to their own file on a system close or signout, or even pull it from a non bootable user space. Frankly, I can't tell you how many times a forced reboot just screwed me over with my notepad scribbles of the moment. I think this is an awesome feature.
@andydelle4509 5 months ago
Well geez! I guess I need to reconsider my Notepad password list!
@smackyay 27 days ago
I have a gazillion tabs open with notes or pastes. Basically I don't want to close anyone down cos it is a hassle now lol
@danlowe 5 months ago
A quick windows key+R and the word notepad would at least save the word every time you go back to run it. Watching you type it in search every time is painful
@danlowe 5 months ago
Very technical stuff though. I subbed.
@AndysAutismLifeStory 12 days ago
He has autism maybe. The repetitive play, the lining things up, the speech issues with big words, and the way he can't connect with other kids his age, and the way he is being held and squeezed to help his senses. My parents did the same with me as a kid. Except my mom read and had routine and had teach me skills and communication with me by teaching the skills I need to interact with others. The thing is my parents did that to me. And my dad was aggressive like this and not patient with me or mom. But the issue is my language and developmental delays. This is the issue. My dad and mom hugged me and held me with spending time with me and my brother. Screaming can make his ears hurt causes him behavior issues like I went through. This is another thing he has autism. I need help with understanding what to expect and when. That way I don't go doing that if it is clear to me. I also need help with redirect me to doing something else to skip the task and idea. This makes me repeating things and ask and ask for what I was thinking and the tasks. I had learning disabilities and had issues with changes and tics and stim and hygiene and diapers and social skills and not understanding what I see around me and hear what is around me too hard for me to pan and organizing my response to what is happening. I didn't talk to age 5.
@ThickpropheT 9 days ago
What's the benefit of rewriting this in rust?
@ffeliziani 2 days ago
Can't you decompile notepad with ghidra or something and see how it works from there?
@passion_proh-jects 5 months ago
Watching your coding artwork unfold onscreen is... depressingly good... That said, Notepad++
@AgentM124 6 months ago
The buffer might just contain the info for undo/redo when you don't close it. But as soon as you close it, it discards the undo redo history? Or is that handled outside of the file.
@nordgaren2358 6 months ago
No redo in notepad, unfortunately
@AgentM124 6 months ago
@@nordgaren2358 lol what a joke
@pilotstiles 3 months ago
The more I find out about MS and what they are doing the more I am enjoying my transition into Linux.
@jmm1233 5 months ago
there is a feature in neovim that basically does the same as this
@nurtasin 6 months ago
Maybe just reverse engineer notepad.exe
@nordgaren2358 6 months ago
Have you ever looked inside Microsoft compiled executables?
@PWNAGE703 6 months ago
@@nordgaren2358 no but it sounds very interesting
@threeMetreJim 1 month ago
@@nordgaren2358 I did for an old 32 bit version of notepad. Not a great deal happens. It didn't take long to trace every instruction in a debugger up until the message handling loop. Most is opening the window, setting the title and the menus up to that point. You could find the point where clicking the close button happens pretty quickly, then go from there. You will need to get an x64 instruction reference and windows api documentation too. It is quite interesting though.
@Fifty1stState. 5 months ago
I've installed Win11Pro 23H2 and that option looks like it's gone from NotePad.exe.
@pepeshopping 5 months ago
You mean, just like you can recover old notepad unsaved notes!? Oh my!
@ChipsChallenge95 19 days ago
Another MS product, VSCode can replace notepad completely, it’s too bad that it takes third party plugins to do so, and it’s slower. Branching and merging text documents using DevOps techniques is too powerful to ignore, even for casual notes
@TheTubejunky 25 days ago
clipboard deletes anything within the hr but notepad saves everything without saves>? yeah fk Microsoft and their governmental mindset!
@_mrcrypt 6 months ago
Pretty cool! Lots of places to tuck stuff 😜 Thanks a BUNCH, man! 🍷 (well, I guess those places were always there, but… meh 🤷‍♂️)
@gamerworld-fl4mt 24 days ago
I hate notepad because one time I wondered what would happen if I ran gta 5 in notepad and it saved so every time I open notepad it crashes and now I use visual studio code for my text editor
@Fifty1stState. 5 months ago
If you close a tab in NotePad.exe it will remove the .bin file from that folder. If you delete all those .bin files in that folder and open NotePad.exe, it opens with just one blank new tab. I'm going to have that folder's contents deleted periodically!
@Fifty1stState. 5 months ago
In Notepad, the right Settings wheel, there's an option "When Notepad starts", click on "Open a new window" and it won't populate that system folder so when you open notepad it only opens a blank document.
@haukechristiansen5385 5 months ago
Congrats. Notepad has a feature Notepad++ had for ages. Only problematic if Windows shares these files with others.
@treahblade 5 months ago
Yeah Microsoft has some kinda love affair with inventing new binary storage medium for basic data for "reasons". They could have simply just stored the temp data as simple text data but instead packed it all into a damn binary file. They did this same silly shit when they update notes.
@Major_Berg 6 months ago
Is it keeping track of the change tree for undo and redo resulting in scenarios where deleting data does not notably change things until the editor is closed?
@DePhoegonIsle 6 months ago
Looks like it.. . because ya know edit history is a thing like undo/redo are things in notepad.
@waldolemmer 6 months ago
Vim can do this too, and Neovim does it by default. I think VSCode does it too, and Sublime probably too. I believe browsers also cache entered form data and only delete it once you submit it or navigate away. I bet the photo app creates a low-res thumbnail file for every picture you open.
@DePhoegonIsle 6 months ago
It's almost like any modern application does this caching in case of interruptions
@tiger12506 6 months ago
It's easy to see how this could be a very bad "feature" for security. It's common for support people managing machines to open config files and such in Notepad. At any point in the future, someone could open Notepad and see what was written there.
@DePhoegonIsle 6 months ago
I mean, these same users make a sticky note into a security issue as well. I'm not saying there isn't a possibility of an issue, but I am saying that if you're running system critical configuration or highly sensitive details... maybe ensuring the file is closed properly & won't reopen in the same editor might be the smart play.
@Chris-bk9zl 3 months ago
Is there a way to completely kick Microsoft out of your computer to take full ownership of every update or any change and to stop any spying?