Some notes on Windows 11 Notepad

The new Windows 11 version of Notepad accepts a few command-line options that I have not seen documented anywhere (or only partially documented).

  • /A – forces Notepad to read the input file as ANSI
  • /W – forces Notepad to read the input file as WIDE (UTF-16LE)
  • /.SETUP – tells Notepad it was launched by the Installer; AFAICT running Notepad with this option literally DoSes it
  • /.SETUP <filename> – same as above except we try to open the file <filename> — still DoS though
  • RestartByRestartManager:<GUID> – mentioned by @nas_bench here – used to restore some of the AutoSaved documents; the information is saved under HKCU\Software\Microsoft\Notepad\Autosave\GUID in the form of three comma-separated values, f.ex.:

so analyzing this key and its children may have some DFIR value, potentially.

The first value is a code page (0,1=ANSI; 2,3=Unicode LE/BE; 4,5=UTF8 with or w/o BOM; 6=Chinese), the second is probably a document path, and the third is a working directory. These all need to be confirmed as I am making quick&dirty assumptions here.
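The following PowerShell script is an added example, not code from the original post, for pulling these Autosave entries into a table during triage. It assumes (unconfirmed, like the post's own notes) that each GUID subkey holds REG_SZ values shaped as "<codepage>,<document path>,<working directory>", and it reuses the post's tentative code-page mapping; a few constructed sample rows are included so the parser can be checked without the key being present.

```powershell
# Added example (not from the original post). Assumed layout, not confirmed:
# every GUID subkey of HKCU\Software\Microsoft\Notepad\Autosave holds string
# values of the form "<codepage>,<document path>,<working directory>".
# The code-page names below are the post's own tentative mapping.
$CodePageNames = @{
    0 = 'ANSI'
    1 = 'ANSI'
    2 = 'Unicode LE'
    3 = 'Unicode BE'
    4 = 'UTF-8 (with/without BOM; which is which is unconfirmed)'
    5 = 'UTF-8 (with/without BOM; which is which is unconfirmed)'
    6 = 'Chinese'
}

function ConvertFrom-NotepadAutosaveValue {
    param(
        [Parameter(Mandatory)] [string] $Guid,
        [AllowEmptyString()] [string] $ValueName = '',
        [AllowEmptyString()] [string] $RawValue = ''
    )
    # Split into at most three fields: a comma inside the third field (working
    # directory) then survives. A comma inside the document path cannot be
    # disambiguated by a plain split, so treat the parsed paths as hints only.
    $parts = $RawValue -split ',', 3
    $cp = 0
    $ok = ($parts.Count -eq 3) -and [int]::TryParse($parts[0], [ref] $cp)
    $encoding = 'unparsed'   # rows that do not fit the layout stay visible for manual review
    if ($ok) {
        $encoding = if ($CodePageNames.ContainsKey($cp)) { $CodePageNames[$cp] } else { "unknown code page $cp" }
    }
    [pscustomobject]@{
        Guid         = $Guid
        ValueName    = $ValueName
        CodePage     = if ($ok) { $cp } else { $null }
        Encoding     = $encoding
        DocumentPath = if ($ok) { $parts[1] } else { $null }
        WorkingDir   = if ($ok) { $parts[2] } else { $null }
        Raw          = $RawValue
    }
}

function Get-NotepadAutosaveEntries {
    param([string] $Root = 'HKCU:\Software\Microsoft\Notepad\Autosave')
    if (-not (Test-Path -Path $Root)) { return }
    foreach ($key in Get-ChildItem -Path $Root) {
        foreach ($name in $key.GetValueNames()) {
            $raw = $key.GetValue($name)
            if ($raw -is [string]) {
                ConvertFrom-NotepadAutosaveValue -Guid $key.PSChildName -ValueName $name -RawValue $raw
            }
        }
    }
}

# Constructed sample rows (not real artifacts): a normal entry, an entry whose
# working directory contains a comma, and a row that does not fit the layout.
$sample = @(
    '4,C:\Users\alice\Documents\notes.txt,C:\Users\alice\Documents'
    '2,D:\share\todo.txt,D:\share\a, b'
    'not-a-number'
)
$sample | ForEach-Object {
    ConvertFrom-NotepadAutosaveValue -Guid 'CONSTRUCTED-GUID' -ValueName 'Sample' -RawValue $_
} | Format-Table -AutoSize

# Live data from the current user's hive (empty output if the key is absent):
Get-NotepadAutosaveEntries | Format-Table -AutoSize
```

The parser deliberately keeps rows it cannot split cleanly (Encoding = 'unparsed') rather than dropping them, since an odd-looking value is exactly what an examiner wants to look at by hand.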

Launching c:\windows\notepad.exe under xdbg makes the old-fashioned Notepad window appear, with a banner encouraging the user to launch the new version of Notepad (Microsoft app):

This behavior is a bit unexpected, and I am wondering whether it could somehow be abused.

The Launch button executes the so-called Centennial version of Notepad located here:

%LOCALAPPDATA%\Microsoft\WindowsApps\Microsoft.WindowsNotepad_8wekyb3d8bbwe\notepad.exe

In some circumstances a file named probe.autosave may be created by the new Notepad.

The info about currently opened tabs seems to be stored in this folder:

C:\Users\<USER>\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState

and there (already) is a library for parsing these.

Launching notepad.exe leads to the Windows App version being executed, because of these new Registry settings:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0
AppExecutionAliasRedirect = 1
AppExecutionAliasRedirectPackages = *
FilterFullPath = C:\Windows\System32\notepad.exe

Changing the value of AppExecutionAliasRedirect from 1 to 0 will bring the old Notepad back. And lo and behold, there is a ‘legitimate’ way to disable the new Notepad too – the Advanced App Settings allow us to disable the so-called Windows Apps aliases:

Once you disable the Notepad alias, the old Notepad will return. And if you want to stop that annoying banner from showing up in the old Notepad, you can add the following Registry entry:

HKCU\Software\Microsoft\Notepad
ShowStoreBanner (dword) = 0
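For a quick read-only check of which Notepad a plain "notepad.exe" launch is going to reach on a given machine, here is an added PowerShell example (not from the original post). It reads the IFEO values, the ShowStoreBanner value and the Centennial alias path listed above; the ExpectedTarget verdict is my own heuristic (redirect flag set and the alias stub present), not something the post states, so treat it as a hint to be confirmed by actually launching Notepad.

```powershell
# Added example (not from the original post). Reports the Notepad redirect
# state from the registry values and paths the post lists. Nothing is changed.
function Get-NotepadRedirectState {
    $ifeo   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0'
    $npKey  = 'HKCU:\Software\Microsoft\Notepad'
    $pkgExe = Join-Path $env:LOCALAPPDATA 'Microsoft\WindowsApps\Microsoft.WindowsNotepad_8wekyb3d8bbwe\notepad.exe'

    $redirect = $null; $packages = $null; $filter = $null
    if (Test-Path -Path $ifeo) {
        $p        = Get-ItemProperty -Path $ifeo
        $redirect = $p.AppExecutionAliasRedirect
        $packages = $p.AppExecutionAliasRedirectPackages
        $filter   = $p.FilterFullPath
    }

    $banner = $null
    if (Test-Path -Path $npKey) { $banner = (Get-ItemProperty -Path $npKey).ShowStoreBanner }

    $aliasPresent = Test-Path -Path $pkgExe
    # Heuristic (assumption, not from the post): redirect flag on AND the
    # per-user alias stub present => the Store (Centennial) Notepad is expected.
    $target = if ($redirect -eq 1 -and $aliasPresent) {
        'Store (Centennial) Notepad via WindowsApps alias'
    } else {
        'classic C:\Windows\System32\notepad.exe'
    }

    [pscustomobject]@{
        AliasRedirect     = $redirect
        RedirectPackages  = $packages
        FilterFullPath    = $filter
        AliasStubPresent  = $aliasPresent
        AliasStubPath     = $pkgExe
        ResolvedOnPath    = (Get-Command -Name notepad.exe -ErrorAction SilentlyContinue).Source
        ExpectedTarget    = $target
        ShowStoreBanner   = $banner
        BannerSuppressed  = ($banner -eq 0)
    }
}

Get-NotepadRedirectState | Format-List
```

ResolvedOnPath is a useful cross-check: %LOCALAPPDATA%\Microsoft\WindowsApps is normally on the user's PATH, so whether Get-Command resolves notepad.exe to the alias stub or to System32 tells you what the shell itself would start.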

And with that, we are back to the good ol’ Notepad version we all love 😉

The Windows 11 changes are very interesting from the DFIR perspective. Many old programs we took for granted (for decades!) are now exhibiting new behaviors that need additional research effort. This is actually quite exciting, because we all want to close cases in a conclusive way, and knowing how to interpret the superset of all forensic artifacts is of paramount importance…

advpack.dll and IEAdvpack.dll logging capability

There is a very old hack out there that enables logging for the advpack.dll and IEAdvpack.dll DLLs. Many of their functions include logging calls, so enabling it may help pick up some old-school forensic logs. Of course, its value today is super low, but it’s an interesting feature nevertheless, and in a way similar to the WinHTTP logging I covered in the past.

To enable this feature we simply add this Registry entry:

HKLM\SOFTWARE\Microsoft\Advanced INF Setup
AdvpackLogFile=c:\test\log.txt

To test it, we can run these two commands:

rundll32.exe advpack.dll,RegisterOCX calc.exe
rundll32.exe IEAdvpack.dll,RegisterOCX calc.exe

The results will look as follows: