mans took nearly a full hour to say "notepad.exe has on-disk retention of the scratch buffer" 💀

Notepad ++ had done that for literally a decade.

010 Editor and it's FOSS counterpart, ImHex both have an insanely useful feature called Patterns (or Templates) that make it a lot easier to reverse engineer binary structures by defining them in a C-like struct syntax. It also helps with visualizing or color-coding the specific byte ranges. I'd love you to make a dedicated video about pattern-based hex editors because it's genuinely one of the most useful things for figuring out the layout of a binary format.

All you need to do to disable this behavior is go to notepad settings and under "When Notepad starts" --> "Open a new window" instead of the default "open content from the previous session". No more bin files this way.... :)

Doing some looking I found the structure seems so far as the magic two bytes, then a delimiter, a boolean if the file is saved or not. If it IS saved then it has the length of the following path as a singular byte, proceeded with the path itself in, I'm assuming, UTF-16. Next is the length of the content in variable amount of bytes. HERE is the kicker, the next 48 bytes are a Keccak-384 hash of the content which seems to start with bytes 0x05, 0x01 then 46 bytes of the rest of hash. Next I don't know but seems to be more bytes until a 4 byte chunk at the end with the length again. Then the content ended with a null byte then four final bytes that I also can't track down. Hope this helps with that hash issue tho!

Your videos always get me with this. You present something I'm familiar with and think I know about, so I assume I already know what you're going to find. You present it as a beginner level understanding further lowering my guard, and then you hit me stuff I don't know.

This feature caused my notepad to be in a corrupted state where it was trying to run a formatting operation on dozens of open unsaved files. Took a minute to get the app functional again, I had to go and delete all the cached shit windows was doing in these folders

This drives me insane. Programmers and security staff insist on changes that make the user experience much more difficult in the name of security, then they do something like this which is bound to cause bigger security issues than anything they resolved with their user unfriendly changes. Notepad history and cache should at least be opt in, with a warning not to type passwords into it in the clear.

reminds me of stuff I had to do with satori back in the day to parse different network packets that weren't well defined back in the day. Lots of trial and error, cutting, looking, displaying, changing! Always interseting to see what John is up to these days!

Lol that lil screen connect moment feels... Curiously timed 😊❤

Love the shoutout to 010! As a fellow Canadian I'm happy to see them get the love they deserve!

I write articles and research data for a living. I found this happy added feature out by accident when I updated to windows 11 over a year ago. This has been a feature ever since 11 release. I personally LOVE it. For the exact reason you listed. I am a coder "hobbiest" and I oftentimes work frantically and quick when diving into "rabbit holes" when doing research. This feature has saved my but more than once with its "autosave" feature when writing. My method when writing is just let thoughts roll out. I ignore misspells and proper punctuation then when I am done spilling my brain on the screen, I go back later and go through it and make sense of everything I wrote. I love just popping notepad open when doing reporting on coding. I can just spill it out with snippets of code in my head along with what I write, knowing of my computer crashes for what I am doing at the the same time on any one of my 3 other screens, it will be saved with every edit I do at any time. Super helpful. LOL

Your videos always make my day. Keep shining!

I've never commented on a video before, but I had to for this one. It's that good!

enjoyed this. love your long form stuff.

Love your new video format keep it up😊

Loved this one John!

Well, this escalated quickly to writing a bespoke parser on-the-fly. hahaha this content is S-tier dude

12:45 Thanks for warning :) I don't have Slack, but whenever I hear a Discord notification sound while watching a video I wind the video back a few seconds several times to be sure it really didn't come from Discord. Same would be with Skype, but I rarely hear Skype sounds in videos.

Did something similar. I enjoy decoding and parsing data structures without documentation.

Heads up, I only watched the video up to 43:00 before deciding to try a bit of stuff myself, so if you had some revelations in the last 10 minutes I haven't seen them (as of this comment) To be honest, Reading this a second time, I don't think the info here is that helpful, but it should help someone working on this get a head start. Take everything here with a tub of salt - I'm a uni student and have 0.00 years of professional experience. Steps: 1. Create a new file and save it. 2. Load up the saved file in notepad and edit it 3. DO NOT SAVE the edits and close notepad. Reopen notepad to verify that the edits were cached (They were). Then close notepad 4. Open the file in a second editor and add some text. Save the file. 5. Reopen the file in notepad and navigate to the tab with the unsaved data. Notepad notices that the file on disks has edits newer than the cached edits in notepad. Therefore: - Notepad (probably) saves the hash of the file on disk + time of last edit as well as the hash of the cached edits and their timestamps. That could be the garbled data before and after the - I believe that the garbled data in between the delimiters and the data after the end of contents must be some form of hashes + timestamp. Perhaps the timestamp of the edits + the timestamp of the last edits and the hash + timestamp of the file on disk. I was curious about the 0.bin and .1.bin files, since they are considerably smaller but still follow the same format somewhat (see point 7), I decided to focus a bit on those. I decided to do some tests Second test: 1. Create a file 2. Open it in notepad and see the cache. One file with a UUID is made. 3. Close the file, we see .0.bin and .1.bin pop into existence. 4. We also see that .1.bin is empty (Zero bytes). 5. Reopen the file in notepad. This usually makes a second (newer) tab. Close that tab so that the original tab is in view. 6. Now close the file without making any edits in the tab. 7. .1.bin is populated! Moreover, we see the same pattern (01 00 00 00) in the .1.bin file - followed by some garbled data. 8. Now repeat steps 5 through 7. 9. We see that the end of .1.bin has changed. 10. If I repeat 5-7 a second time, we see that .1.bin doesn't change, but .0.bin does? Concluding, it seems notepad stores session data alternatively, once in .0.bin and once in .1.bin. The initial session populates .0.bin, the next populates .1.bin, and back and forth. Also, if you notice, notepad preserves cursor position between sessions, I assume that too, must be stored somewhere in those files or the main one. They're clearly a complete "Tab state" that has all the necessary info to recreate a notepad tab, including where the cursor was, etc. I got kinda fatigued at this point at it was getting late, but I hope whoever reads this gets a bit of a head start! Edit: I made some more observations and put them all in a github issue

I could see programming out pattern matching for certain things, as someone that enjoys red teaming I see a lot of "this is terrifying what can probably happen here" I'd be looking at other things like I can't alter code in another program or the OS will see it as misbehaving and close my program, but what I could do in theory is get pointers to the buffers, if I want to do some weird low level code stuff. I am hesitant to go full nerd with how and what I could think to try, but this could be a scary tool.

39:02 Tip: Its using variable length encoding, High bit cleared denotes last byte. 0xE8 0x02 is (0x80+0x68) (2) where 2 becomes 0x100 (left shift 7 bits) + 0x68 = 0x168 which is 360 in decimal which is the file length. @0x86 it's the text length, The pair @0x7e and @0x80 could be the selection/cursor pos. Selection is empty both values equal. Cursor at the end, values = text length.

Brings back memories of when I dissected game save files trying to figure out what all the bits of data did and where all the values are stored. It's ironic that a lot of modern game files have better security than this, either because they encrypt the contents or compress it which is almost the same effect if you don't know the compression algorithm.

I believe the extra data while you have notepad open is the Undo/Redo data.

keep up the amazing work

Hey man great vid! I've literally been searching for over a week to see if unsaved notepad data is stored anywhere as I have some valuable info i lost after a crash. Tried data recovery tools and none of my files are present but I had initially created them in my notepad. For a non coder, how does one run the git code locally to try decipher these bin files cos I just get gibberish when opening in the hex editor, no legible data is shown and if it does its a word or two.

thank you much for this

I find this video profoundly heartwarming and authentic. Notably, the gradual dishevelment of the hair as the video progresses is a genuine reflection of the immersive experience often encountered during programming. I truly appreciate the content presented.

Awesome & quality content

Notepad is a tool essential, i work and save with it for fun. i am curious about this even more. thank you john..

Pretty cool! Lots of places to tuck stuff 😜 Thanks a BUNCH, man! 🍷 (well, I guess those places were always there, but… meh 🤷‍♂️)

Thank you so much!!

Yeah, the second I saw that update news, I dropped Notepad like it's hot. I always used to use it to just have a quick scratch place for ephemeral data, copy/paste, edit, etc. And now, it leaks that data. Gross.

I think you should try VSCode with Jupyter Notebook extension for such videos. Sublime Text may be nice for recording but working with individual code blocks that can be run separately feels much more nice for developing that kind of small programs. Like you wouldn't need to open separate python shell to check path bytes instead all that inside separate Jupyter code block and you wouldn't be slowed by thinking about whole program logic but rather work on individual small problem at a time.

There is a closing event for programs in windows, when the x is pressed or the program is exited through normal means, that probably triggers writing whatever is in the textbox window to a file..

i have learned so much from your videos

that nonsense text might be captured keystrokes. This is keylogging.

Don't sell yourself short John, we all just watched a mastermind at work here! Fantastic video.

The best thing about Windows is that hard drives can be erased in preparation for installing Linux.

I run Linuxmint and I use an app called notes that does this same thing I never thought of it as a security vulnerability though thanks for pointing this out I will take a long hard think about this issue. .

Basically, the people who now owns microsoft don't have people's best interests at heart. Let's go reactOS

another KZfaqr who has made some interesting videos about figuring out the format for binary formats is MattKC and the videos he has made on Lego Island, and the video he made on recovering a corrupted save file for a game he was playing.

do 0.bin or 1.bin have data in ADS (Alternate Data Streams)?

here is the better solution for me to display the text with line breaks: original_file_contents = original_file_contents.decode('utf-16') # use splitlines methode for correct format of Carriage Return (CR) and Line Feed (LF) # characters (often abbreviated as " ") are used for line endings, while Unix-based # systems only use the Line Feed (LF) character (" "). lines = original_file_contents.splitlines() for line in lines: print(line) otherwise part of the text will be missing after conversion to utf-16

Notepad also remembers what you highlighted. Just highlight some text, close and reopen notepad... It's still there.

I wonder how this will work if I were to open a file from removable media. Like I close the notepad after file is opened and then remove that device.

so thats why all my skyrim mod ini's were still open in tabs after i saved and closed the notepad

I suspect your magic numbers before the text value are likely Character count, rows, columns

Well geez! I guess I need to reconsider my Notepad password list!

It's easy to see how this could be a very bad "feature" for security. It's common for support people managing machines to open config files and such in Notepad. At any point in the future, someone could open Notepad and see what was written there.

Is it keeping track of the change tree for undo and redo resulting in scenarios where deleting data does not notably change things until the editor is closed?

You mean, just like you can recover old notepad unsaved notes!? Oh my!

Honestly, I think a cool thing about it would be able to pull data from it without using notepad. Sorta like saving the tabs to their own file on a system close or signout, or even pull it from a non bootable user space. Frankly, I can't tell you how many times a forced reboot just screwed me over with my notepad scribbles of the moment. I think this is an awesome feature.

I found that _feature_ when I edited a batch file. I wondered why was it that the batch file didn't run my new commands, and instead running the old version of it. And when I open the batch file, there it is, the old version of it. After several times opening, editing, saving, and closing it, I become aware that notepad has tabs and within those tabs are several versions of that batch file, courtesy of me opening and closing it several times. I closed them all and searched in notepad setting to turn off that feature before edit the batch file once again. Very troublesome feature.

Notepad++ has the same behaviour, any files open when you close the editor will persist somewhere and be restored on opening the app again.

John!! Please!! Can you explain what the "some nonsense" is you mention in your vid?? I'm literally dying to know because it shows up in my parsing of my own homebrew janky code I play with. But its there for a reason so it has to represent something, right??? (Extra question mark for effect)

I use nano in a command line interface on a linux machine. I don't sweat such infiltration.

Vim can do this too, and Neovim does it by default. I think VSCode does it too, and Sublime probably too. I believe browsers also cache entered form data and only delete it once you submit it or navigate away. I bet the photo app creates a low-res thumbnail file for every picture you open.

I almost wonder if that random mess of garbled bytes when notepad is open is notepad tracking the keystrokes in a buffer as you type, and then the main window close function parses that into text.

Ya I used to like a lot of stuff before Microsoft changed it. WIll have to get a diff simple editor.

I've loved Notepad for decades... just simple text, no formatting, no "functionality", no "intelligence", no nothing. There are so many situations where that's incredibly useful. So of course Microsoft decided it was time to go F it up. When I switch to Windows 11 (unless I go Linux... debating at the moment), I'll need to find a new Notepad to be what Notepad used to be.

Mate, what are doing with Connectwise ScreenConnect?

People probably complained that the old notepad lost everything if there was a power outage or some other fault causing the computer to shut down so they added the ability for it to 'remember' what you were doing. Should be optional though.

I finally switched to Windows 11 and was wondering what the hell was going on with that.

I was like bro who is slacking me on the weekend

Congrats. Notepad has a feature, Notepad++ had for ages. Only problematic if Windows shares this files with others.

I hate Notepad right now given that closing notepad tabs is not something that fits in my workflow. I mainly use Notepad++ but given it has that same feature, it wasn't always the right choice (I probably have about 40 different unsaved text files open in N++. So I used to use both and now Im just annoyed whenever the default notepad pops up. Mainly because even if I open a txt file in it, it won't display that txt I just clicked on, it will just show the last thing it had open meaning I then have to tab over to the thing I just opened

It probably should be noted this is the notepad app and not the native notepad everyone is familiar with. Windows apps work differently then the traditional software that most are accustomed with windows and they are not the same.

Win10 notepad recently got this cache feature as well but doesn't have tabs. I had windows update reboot and windows reopened unsaved notepads I had open. With previous reboots, notepad lost all that info in the open unsaved files. I guess it must be pulling from windows state but i haven't looked...

You can use a hex editor. It will show you the hexadecimal numbers on the left side and the text equivalent on the right. Incidentally, this isn't new since Windows tends to cache out memory to disk and if have a good disk editor and a kernel debugger, you can pull that information from the disk cache. That's why if someone gets a hold of your machine, it's generally game over unless you encrypt at the boot level the entire disk.

The buffer might just contain the info for undo/redo when you don't close it. But as soon as you close it, it discards the undo redo history? Or is that handled outside of the file.

Something similar with some modern day phones which no longer have removable batteries? Whether turned off or restarted...closed apps re-open where they left off b4 closed when device powered on again. Really annoying & yucky. No like it at all...phooey! Thx for vid! Possibly similar activity as notepad, possibly? Logo double shows on power down(longer on, more likely it will double play logo on shutdown...instead of just once when no quirky anomalies). Same mobile update w/same date from last year keeps getting pushed as needed download despite already updating a few times. Camera app opens at boot & randomly opens..screen blacks out for 1sec randomly, often opening camera app. Something seems...not right 🤔 Factory reset or default restore doesn't change observed behaviour for almost 2yrs now.

Watching your coding artwork unfold onscreen is... depressingly good... That said, Notepad++

I used to use notepad to store private things temporarily this ruined the only usecase I had for it.

there is a feature in neovim that basically does the same as this

I don’t own a pc anymore but would be interesting to see the tabstate on a password protected file?

is this similar to notepad++ ? files open as tabs in notepad++ persist when it is closed and then re-opened..

Think note pad have some issues for my use. Like I can't get it to view in dark mode only in bright mode... thinking about finding a alternative

Great. Another thing that'll be added to infostealer malware

This behavior is also in Notepad++, for years…and BBEdit

subl will reopen with the contents of a deleted file if subl is open when the file was deleted, then subl is closed and reopened.

im just confused if they have access to your computers why wouldn't they just load the files directly. OR is the issue just the fact the files are in the appdata folder? The saved version seems easier just to say hey what's the file name, read contents of the file. done if the original file is deleted does the bin get deleted?

I think in general the average person is way too concerned about security and not concerned enough about their internet browsing habits. Remove your anti-virus software and install an adblocker on all the browsers you use instead.

It's not particularly interesting or surprising that a program that auto-saves has locally cached files that can recover the contents of unsaved files. Anyone with direct access to your filesystem could simply re-open notepad.exe and see exactly the data that you extracted there. What would be a lot more interesting to explore is whether and when deleting or closing without saving one of these unsaved files leaves easily recoverable artifacts. For example, if you type something into notepad, close the tab and hit don't save, does it delete the file? Does deleting the contents delete the contents of the file? If so, when?

You should be the voice actor for Michael Bay film trailers.

Make sure to update to the latest Bleeding Edge first..

This is like our Internet browsers remembering our tabs. Nothing new here.

Can you post your python code somewhere please? Would love to play with it.

Can this be useful for accidentally closed notepad files? (obviously failing to save them / I mean closing the tab which notifies you that if you dont save itll be lost). I didn't know... I followed and did your AD signup... *By submitting this form, you acknowledge and agree that you are an active security professional currently affiliated with an organization. Note: I am not really unless you consider my hobby as an organization...*

My server logs are full of what I see at 22 minutes and 10 seconds on this video.

does NPP do this differently?

Python is so fun to screw around with ngl

my immediate thought on seeing the data that changes every save even when you dont make changes was "timestamp" but that does not appear to be the case. Decoding it as a string doesn't give anything resembling a date and decoding it as a number doesn't either. It's either wildly to low or to high to be a unix timestamp, and doesn't work as a straight date either. Hmmmm.

Admins: Hey MS this is not okay ;( also ... Notepad++ or VSC is installed on every laptop within the corperation

I saw if length of path to original file is greater than 128 (hex 80) it needs to decode with utf-16-be (big endian)

Now do this for Apple Notes or Goggle Keep!

Wow, this takes me way back to msdos hexdump scripts!

I uninstalled the new notepad. Old notepad is still there but I dont know how to make it available for Open With.

I've installed Win11Pro 23H2 and that option looks like it's gone from NotePad.exe.