dissect.target.plugins.apps.editor.windowsnotepad

Module Contents

Classes

WindowsNotepadTab

Windows notepad tab content parser.

WindowsNotepadPlugin

Windows notepad tab content plugin.

Attributes

dissect.target.plugins.apps.editor.windowsnotepad.windowstab_def = Multiline-String
"""
struct file_header {
    char        magic[2]; // NP
    uleb128     updateNumber; // increases on every settings update when fileType=9,
                              // doesn't seem to change on fileType 0 or 1
    uleb128     fileType; // 0 if unsaved, 1 if saved, 9 if contains settings?
}

struct tab_header_saved {
    uleb128     filePathLength;
    wchar       filePath[filePathLength];
    uleb128     fileSize; // likely similar to fixedSizeBlockLength
    uleb128     encoding;
    uleb128     carriageReturnType;
    uleb128     timestamp; // Windows Filetime format (not unix timestamp)
    char        sha256[32];
    char        unk0;
    char        unk1;
    uleb128     fixedSizeBlockLength;
    uleb128     fixedSizeBlockLengthDuplicate;
    uint8       wordWrap; // 1 if wordwrap enabled, 0 if disabled
    uint8       rightToLeft;
    uint8       showUnicode;
    uint8       optionsVersion;
};

struct tab_header_unsaved {
    char        unk0;
    uleb128     fixedSizeBlockLength; // will always be 00 when unsaved because size is not yet known
    uleb128     fixedSizeBlockLengthDuplicate; // will always be 00 when unsaved because size is not yet known
    uint8       wordWrap; // 1 if wordwrap enabled, 0 if disabled
    uint8       rightToLeft;
    uint8       showUnicode;
    uint8       optionsVersion;
};

struct tab_header_crc32_stub {
    char        unk1;
    char        unk2;
    char        crc32[4];
};

struct fixed_size_data_block {
    uleb128     nAdded;
    wchar       data[nAdded];
    uint8       hasRemainingVariableDataBlocks; // indicates whether after this single-data block more data will follow
    char        crc32[4];
};

struct variable_size_data_block {
    uleb128     offset;
    uleb128     nDeleted;
    uleb128     nAdded;
    wchar       data[nAdded];
    char        crc32[4];
};

struct options_v1 {
    uleb128     unk;
};

struct options_v2 {
    uleb128     unk1; // likely autocorrect or spellcheck
    uleb128     unk2; // likely autocorrect or spellcheck
};
"""
dissect.target.plugins.apps.editor.windowsnotepad.GENERIC_TAB_CONTENTS_RECORD_FIELDS = [('string', 'content'), ('path', 'path'), ('string', 'deleted_content')]
dissect.target.plugins.apps.editor.windowsnotepad.WindowsNotepadUnsavedTabRecord
dissect.target.plugins.apps.editor.windowsnotepad.WindowsNotepadSavedTabRecord
dissect.target.plugins.apps.editor.windowsnotepad.c_windowstab
class dissect.target.plugins.apps.editor.windowsnotepad.WindowsNotepadTab(file: dissect.target.helpers.fsutil.TargetPath)

Windows notepad tab content parser.

file
is_saved = None
content = None
deleted_content = None
__repr__() str
class dissect.target.plugins.apps.editor.windowsnotepad.WindowsNotepadPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugins.apps.editor.editor.EditorPlugin

Windows notepad tab content plugin.

__namespace__ = 'windowsnotepad'

Defines the plugin namespace.

GLOB = 'AppData/Local/Packages/Microsoft.WindowsNotepad_*/LocalState/TabState/*.bin'
users_tabs: set[dissect.target.helpers.fsutil.TargetPath, dissect.target.helpers.record.UnixUserRecord | dissect.target.helpers.record.WindowsUserRecord]
check_compatible() None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

history() Iterator[WindowsNotepadSavedTabRecord | WindowsNotepadUnsavedTabRecord]

Return the contents of Windows 11 Notepad tabs, and their deleted content if available.

The Windows Notepad application for Windows 11 is now able to restore both saved and unsaved tabs when you re-open the application.

Resources:

Yields WindowsNotepadSavedTabRecord or WindowsNotepadUnsavedTabRecord records:

ts              (datetime): The modification time of the tab.
content         (string):   The content of the tab.
path            (path):     The path to the tab file.
deleted_content (string):   The deleted content of the tab, if available.
digest          (digest):   A digest of the tab content.
saved_path      (path):     The path where the tab was saved.
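
How the `variable_size_data_block` records in `windowstab_def` can yield both `content` and `deleted_content`, as an added example that is not dissect's own code: each block is replayed as an edit that removes `nDeleted` characters at `offset` and inserts `nAdded` new ones. Assumptions: the replay semantics are inferred from the field names, `wchar` is a 2-byte UTF-16LE unit, the CRC32 bytes are consumed but not verified, and the sample bytes are constructed.

```python
import io

def read_uleb128(fh) -> int:
    """Decode one unsigned LEB128 integer: 7 data bits per byte, low group first."""
    value = shift = 0
    while True:
        byte = fh.read(1)
        if not byte:
            raise EOFError("truncated uleb128")
        value |= (byte[0] & 0x7F) << shift
        if not byte[0] & 0x80:  # high bit clear marks the last byte
            return value
        shift += 7

def replay_variable_blocks(data: bytes, base: str = "") -> tuple[str, str]:
    """Apply consecutive variable_size_data_block records to `base`.

    Returns (content, deleted_content). Text is kept as UTF-16LE bytes so that
    offsets count 2-byte wchar units (assumption), not Python code points.
    """
    fh = io.BytesIO(data)
    text, deleted = bytearray(base.encode("utf-16-le")), bytearray()
    while fh.tell() < len(data):
        offset, n_deleted, n_added = (read_uleb128(fh) for _ in range(3))
        added = fh.read(n_added * 2)  # wchar data[nAdded]
        crc = fh.read(4)              # char crc32[4]: consumed, not verified here
        if len(added) != n_added * 2 or len(crc) != 4:
            raise EOFError("truncated variable_size_data_block")
        start, end = offset * 2, (offset + n_deleted) * 2
        if end > len(text):
            raise ValueError("block edits past the end of the current content")
        deleted += text[start:end]    # keep what the edit removed
        text[start:end] = added       # then splice in the new characters
    return (text.decode("utf-16-le", "replace"),
            deleted.decode("utf-16-le", "replace"))

# Constructed sample (not from a real TabState file): type "password",
# delete it, then type "ok". CRC fields are zero placeholders.
NO_CRC = b"\x00" * 4
SAMPLE = (
    b"\x00\x00\x08" + "password".encode("utf-16-le") + NO_CRC
    + b"\x00\x08\x00" + NO_CRC
    + b"\x00\x00\x02" + "ok".encode("utf-16-le") + NO_CRC
)

if __name__ == "__main__":
    print(replay_variable_blocks(SAMPLE))
```

For an examiner, the point is that text removed from a tab before the application was closed can still be recovered from the block sequence, which is what the `deleted_content` field exposes.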