Notepad ++ had done that for literally a decade.

mans took nearly a full hour to say "notepad.exe has on-disk retention of the scratch buffer" 💀

010 Editor and it's FOSS counterpart, ImHex both have an insanely useful feature called Patterns (or Templates) that make it a lot easier to reverse engineer binary structures by defining them in a C-like struct syntax. It also helps with visualizing or color-coding the specific byte ranges. I'd love you to make a dedicated video about pattern-based hex editors because it's genuinely one of the most useful things for figuring out the layout of a binary format.

All you need to do to disable this behavior is go to notepad settings and under "When Notepad starts" --> "Open a new window" instead of the default "open content from the previous session". No more bin files this way.... :)

Doing some looking I found the structure seems so far as the magic two bytes, then a delimiter, a boolean if the file is saved or not. If it IS saved then it has the length of the following path as a singular byte, proceeded with the path itself in, I'm assuming, UTF-16. Next is the length of the content in variable amount of bytes. HERE is the kicker, the next 48 bytes are a Keccak-384 hash of the content which seems to start with bytes 0x05, 0x01 then 46 bytes of the rest of hash. Next I don't know but seems to be more bytes until a 4 byte chunk at the end with the length again. Then the content ended with a null byte then four final bytes that I also can't track down. Hope this helps with that hash issue tho!

Your videos always get me with this. You present something I'm familiar with and think I know about, so I assume I already know what you're going to find. You present it as a beginner level understanding further lowering my guard, and then you hit me stuff I don't know.

This feature caused my notepad to be in a corrupted state where it was trying to run a formatting operation on dozens of open unsaved files. Took a minute to get the app functional again, I had to go and delete all the cached shit windows was doing in these folders

Love the shoutout to 010! As a fellow Canadian I'm happy to see them get the love they deserve!

Lol that lil screen connect moment feels... Curiously timed 😊❤

reminds me of stuff I had to do with satori back in the day to parse different network packets that weren't well defined back in the day. Lots of trial and error, cutting, looking, displaying, changing! Always interseting to see what John is up to these days!

I've never commented on a video before, but I had to for this one. It's that good!

I write articles and research data for a living. I found this happy added feature out by accident when I updated to windows 11 over a year ago. This has been a feature ever since 11 release. I personally LOVE it. For the exact reason you listed. I am a coder "hobbiest" and I oftentimes work frantically and quick when diving into "rabbit holes" when doing research. This feature has saved my but more than once with its "autosave" feature when writing. My method when writing is just let thoughts roll out. I ignore misspells and proper punctuation then when I am done spilling my brain on the screen, I go back later and go through it and make sense of everything I wrote. I love just popping notepad open when doing reporting on coding. I can just spill it out with snippets of code in my head along with what I write, knowing of my computer crashes for what I am doing at the the same time on any one of my 3 other screens, it will be saved with every edit I do at any time. Super helpful. LOL

enjoyed this. love your long form stuff.

Your videos always make my day. Keep shining!

Loved this one John!

Love your new video format keep it up😊

This drives me insane. Programmers and security staff insist on changes that make the user experience much more difficult in the name of security, then they do something like this which is bound to cause bigger security issues than anything they resolved with their user unfriendly changes. Notepad history and cache should at least be opt in, with a warning not to type passwords into it in the clear.

Well, this escalated quickly to writing a bespoke parser on-the-fly. hahaha this content is S-tier dude

12:45 Thanks for warning :) I don't have Slack, but whenever I hear a Discord notification sound while watching a video I wind the video back a few seconds several times to be sure it really didn't come from Discord. Same would be with Skype, but I rarely hear Skype sounds in videos.

Did something similar. I enjoy decoding and parsing data structures without documentation.

Awesome & quality content

keep up the amazing work

I believe the extra data while you have notepad open is the Undo/Redo data.

I could see programming out pattern matching for certain things, as someone that enjoys red teaming I see a lot of "this is terrifying what can probably happen here" I'd be looking at other things like I can't alter code in another program or the OS will see it as misbehaving and close my program, but what I could do in theory is get pointers to the buffers, if I want to do some weird low level code stuff. I am hesitant to go full nerd with how and what I could think to try, but this could be a scary tool.

Pretty cool! Lots of places to tuck stuff 😜 Thanks a BUNCH, man! 🍷 (well, I guess those places were always there, but… meh 🤷‍♂️)

Brings back memories of when I dissected game save files trying to figure out what all the bits of data did and where all the values are stored. It's ironic that a lot of modern game files have better security than this, either because they encrypt the contents or compress it which is almost the same effect if you don't know the compression algorithm.

39:02 Tip: Its using variable length encoding, High bit cleared denotes last byte. 0xE8 0x02 is (0x80+0x68) (2) where 2 becomes 0x100 (left shift 7 bits) + 0x68 = 0x168 which is 360 in decimal which is the file length. @0x86 it's the text length, The pair @0x7e and @0x80 could be the selection/cursor pos. Selection is empty both values equal. Cursor at the end, values = text length.

thank you much for this

that nonsense text might be captured keystrokes. This is keylogging.

Don't sell yourself short John, we all just watched a mastermind at work here! Fantastic video.

Well geez! I guess I need to reconsider my Notepad password list!

i have learned so much from your videos

Hey man great vid! I've literally been searching for over a week to see if unsaved notepad data is stored anywhere as I have some valuable info i lost after a crash. Tried data recovery tools and none of my files are present but I had initially created them in my notepad. For a non coder, how does one run the git code locally to try decipher these bin files cos I just get gibberish when opening in the hex editor, no legible data is shown and if it does its a word or two.

The best thing about Windows is that hard drives can be erased in preparation for installing Linux.

Notepad also remembers what you highlighted. Just highlight some text, close and reopen notepad... It's still there.

Thank you so much!!

Notepad is a tool essential, i work and save with it for fun. i am curious about this even more. thank you john..

so thats why all my skyrim mod ini's were still open in tabs after i saved and closed the notepad

Heads up, I only watched the video up to 43:00 before deciding to try a bit of stuff myself, so if you had some revelations in the last 10 minutes I haven't seen them (as of this comment) To be honest, Reading this a second time, I don't think the info here is that helpful, but it should help someone working on this get a head start. Take everything here with a tub of salt - I'm a uni student and have 0.00 years of professional experience. Steps: 1. Create a new file and save it. 2. Load up the saved file in notepad and edit it 3. DO NOT SAVE the edits and close notepad. Reopen notepad to verify that the edits were cached (They were). Then close notepad 4. Open the file in a second editor and add some text. Save the file. 5. Reopen the file in notepad and navigate to the tab with the unsaved data. Notepad notices that the file on disks has edits newer than the cached edits in notepad. Therefore: - Notepad (probably) saves the hash of the file on disk + time of last edit as well as the hash of the cached edits and their timestamps. That could be the garbled data before and after the - I believe that the garbled data in between the delimiters and the data after the end of contents must be some form of hashes + timestamp. Perhaps the timestamp of the edits + the timestamp of the last edits and the hash + timestamp of the file on disk. I was curious about the 0.bin and .1.bin files, since they are considerably smaller but still follow the same format somewhat (see point 7), I decided to focus a bit on those. I decided to do some tests Second test: 1. Create a file 2. Open it in notepad and see the cache. One file with a UUID is made. 3. Close the file, we see .0.bin and .1.bin pop into existence. 4. We also see that .1.bin is empty (Zero bytes). 5. Reopen the file in notepad. This usually makes a second (newer) tab. Close that tab so that the original tab is in view. 6. Now close the file without making any edits in the tab. 7. .1.bin is populated! Moreover, we see the same pattern (01 00 00 00) in the .1.bin file - followed by some garbled data. 8. Now repeat steps 5 through 7. 9. We see that the end of .1.bin has changed. 10. If I repeat 5-7 a second time, we see that .1.bin doesn't change, but .0.bin does? Concluding, it seems notepad stores session data alternatively, once in .0.bin and once in .1.bin. The initial session populates .0.bin, the next populates .1.bin, and back and forth. Also, if you notice, notepad preserves cursor position between sessions, I assume that too, must be stored somewhere in those files or the main one. They're clearly a complete "Tab state" that has all the necessary info to recreate a notepad tab, including where the cursor was, etc. I got kinda fatigued at this point at it was getting late, but I hope whoever reads this gets a bit of a head start! Edit: I made some more observations and put them all in a github issue

I find this video profoundly heartwarming and authentic. Notably, the gradual dishevelment of the hair as the video progresses is a genuine reflection of the immersive experience often encountered during programming. I truly appreciate the content presented.

do 0.bin or 1.bin have data in ADS (Alternate Data Streams)?

There is a closing event for programs in windows, when the x is pressed or the program is exited through normal means, that probably triggers writing whatever is in the textbox window to a file..

Basically, the people who now owns microsoft don't have people's best interests at heart. Let's go reactOS

You mean, just like you can recover old notepad unsaved notes!? Oh my!

I run Linuxmint and I use an app called notes that does this same thing I never thought of it as a security vulnerability though thanks for pointing this out I will take a long hard think about this issue. .

I was like bro who is slacking me on the weekend

Yeah, the second I saw that update news, I dropped Notepad like it's hot. I always used to use it to just have a quick scratch place for ephemeral data, copy/paste, edit, etc. And now, it leaks that data. Gross.

I think you should try VSCode with Jupyter Notebook extension for such videos. Sublime Text may be nice for recording but working with individual code blocks that can be run separately feels much more nice for developing that kind of small programs. Like you wouldn't need to open separate python shell to check path bytes instead all that inside separate Jupyter code block and you wouldn't be slowed by thinking about whole program logic but rather work on individual small problem at a time.

I found that _feature_ when I edited a batch file. I wondered why was it that the batch file didn't run my new commands, and instead running the old version of it. And when I open the batch file, there it is, the old version of it. After several times opening, editing, saving, and closing it, I become aware that notepad has tabs and within those tabs are several versions of that batch file, courtesy of me opening and closing it several times. I closed them all and searched in notepad setting to turn off that feature before edit the batch file once again. Very troublesome feature.

I wonder how this will work if I were to open a file from removable media. Like I close the notepad after file is opened and then remove that device.

I haven’t watched the full video just yet but I am curious what happens if you make the file hidden if saved is it still holding tabs? Is it easily found still?

another KZbinr who has made some interesting videos about figuring out the format for binary formats is MattKC and the videos he has made on Lego Island, and the video he made on recovering a corrupted save file for a game he was playing.

Watching your coding artwork unfold onscreen is... depressingly good... That said, Notepad++

I suspect your magic numbers before the text value are likely Character count, rows, columns

For the record (for those not aware), this "snitching" issue is only about the new multi-tab UWP notepad, but all windows versions including Win 11 still come with the classic single-tab notepad.exe (C:\Windows otepad.exe) based on good old edit control, so just use this one instead and you are safe.

Is it keeping track of the change tree for undo and redo resulting in scenarios where deleting data does not notably change things until the editor is closed?

The more I find out about MS and what they are doing the more I am enjoying my transition into Linux.

You should be the voice actor for Michael Bay film trailers.

John!! Please!! Can you explain what the "some nonsense" is you mention in your vid?? I'm literally dying to know because it shows up in my parsing of my own homebrew janky code I play with. But its there for a reason so it has to represent something, right??? (Extra question mark for effect)

Great. Another thing that'll be added to infostealer malware

Think note pad have some issues for my use. Like I can't get it to view in dark mode only in bright mode... thinking about finding a alternative

Notepad++ has the same behaviour, any files open when you close the editor will persist somewhere and be restored on opening the app again.

I use nano in a command line interface on a linux machine. I don't sweat such infiltration.

Mate, what are doing with Connectwise ScreenConnect?

Win10 notepad recently got this cache feature as well but doesn't have tabs. I had windows update reboot and windows reopened unsaved notepads I had open. With previous reboots, notepad lost all that info in the open unsaved files. I guess it must be pulling from windows state but i haven't looked...

I finally switched to Windows 11 and was wondering what the hell was going on with that.

This behavior is also in Notepad++, for years…and BBEdit

here is the better solution for me to display the text with line breaks: original_file_contents = original_file_contents.decode('utf-16') # use splitlines methode for correct format of Carriage Return (CR) and Line Feed (LF) # characters (often abbreviated as " ") are used for line endings, while Unix-based # systems only use the Line Feed (LF) character (" "). lines = original_file_contents.splitlines() for line in lines: print(line) otherwise part of the text will be missing after conversion to utf-16

Any time THEY try to "help the user", yikes!! Thanks for the explanation John. Also, loving the fact that you "Nerd-sniped" yourself live!! (Better than accidentally Rick-rolling yourself :)

Ya I used to like a lot of stuff before Microsoft changed it. WIll have to get a diff simple editor.

I almost wonder if that random mess of garbled bytes when notepad is open is notepad tracking the keystrokes in a buffer as you type, and then the main window close function parses that into text.

Hold on, let me check my slack really quick... oh wait...

there is a feature in neovim that basically does the same as this

I don’t own a pc anymore but would be interesting to see the tabstate on a password protected file?

I hate Notepad right now given that closing notepad tabs is not something that fits in my workflow. I mainly use Notepad++ but given it has that same feature, it wasn't always the right choice (I probably have about 40 different unsaved text files open in N++. So I used to use both and now Im just annoyed whenever the default notepad pops up. Mainly because even if I open a txt file in it, it won't display that txt I just clicked on, it will just show the last thing it had open meaning I then have to tab over to the thing I just opened

im just confused if they have access to your computers why wouldn't they just load the files directly. OR is the issue just the fact the files are in the appdata folder? The saved version seems easier just to say hey what's the file name, read contents of the file. done if the original file is deleted does the bin get deleted?

is this similar to notepad++ ? files open as tabs in notepad++ persist when it is closed and then re-opened..

"It's a feature not a bug dammit" - William Henry Gates III

The buffer might just contain the info for undo/redo when you don't close it. But as soon as you close it, it discards the undo redo history? Or is that handled outside of the file.

Wow, this takes me way back to msdos hexdump scripts!

I uninstalled the new notepad. Old notepad is still there but I dont know how to make it available for Open With.

Now do this for Apple Notes or Goggle Keep!

It's easy to see how this could be a very bad "feature" for security. It's common for support people managing machines to open config files and such in Notepad. At any point in the future, someone could open Notepad and see what was written there.

People probably complained that the old notepad lost everything if there was a power outage or some other fault causing the computer to shut down so they added the ability for it to 'remember' what you were doing. Should be optional though.

Can this be useful for accidentally closed notepad files? (obviously failing to save them / I mean closing the tab which notifies you that if you dont save itll be lost). I didn't know... I followed and did your AD signup... *By submitting this form, you acknowledge and agree that you are an active security professional currently affiliated with an organization. Note: I am not really unless you consider my hobby as an organization...*

I used to use notepad to store private things temporarily this ruined the only usecase I had for it.

does NPP do this differently?

Python is so fun to screw around with ngl

Can you post your python code somewhere please? Would love to play with it.

My server logs are full of what I see at 22 minutes and 10 seconds on this video.

Honestly, I think a cool thing about it would be able to pull data from it without using notepad. Sorta like saving the tabs to their own file on a system close or signout, or even pull it from a non bootable user space. Frankly, I can't tell you how many times a forced reboot just screwed me over with my notepad scribbles of the moment. I think this is an awesome feature.

Something similar with some modern day phones which no longer have removable batteries? Whether turned off or restarted...closed apps re-open where they left off b4 closed when device powered on again. Really annoying & yucky. No like it at all...phooey! Thx for vid! Possibly similar activity as notepad, possibly? Logo double shows on power down(longer on, more likely it will double play logo on shutdown...instead of just once when no quirky anomalies). Same mobile update w/same date from last year keeps getting pushed as needed download despite already updating a few times. Camera app opens at boot & randomly opens..screen blacks out for 1sec randomly, often opening camera app. Something seems...not right 🤔 Factory reset or default restore doesn't change observed behaviour for almost 2yrs now.

subl will reopen with the contents of a deleted file if subl is open when the file was deleted, then subl is closed and reopened.

Vim can do this too, and Neovim does it by default. I think VSCode does it too, and Sublime probably too. I believe browsers also cache entered form data and only delete it once you submit it or navigate away. I bet the photo app creates a low-res thumbnail file for every picture you open.

I've installed Win11Pro 23H2 and that option looks like it's gone from NotePad.exe.

This is like our Internet browsers remembering our tabs. Nothing new here.

I saw if length of path to original file is greater than 128 (hex 80) it needs to decode with utf-16-be (big endian)

Maybe just reverse engineer notepad.exe

Congrats. Notepad has a feature, Notepad++ had for ages. Only problematic if Windows shares this files with others.

Make sure to update to the latest Bleeding Edge first..