Notepad

This module searches for stored data in various applications in the following locations as referenced in the table below;

Application

Location

Notepad++

_{C:\Users\<UserProfile>\APPDATA\Roaming\NotePad++\backup\}

Notepad (Windows 11 / Server 2025)

_{C:\Users\<UserProfile>\AppData\Local\Packages\Microsoft.WindowsNotepad_*\LocalState\TabState\}

Visual Studio Code

_{C:\Users\<UserProfile>\AppData\Roaming\Code\Backups}

PowerShell_ISE

_{C:\Users\<UserProfile>\AppData\Local\Microsoft_Corporation\powershell_ise*\}

Default behavior in Windows 11 and Windows Server 2025 is to store Notepad files on disk in binary files. This module will attempt to extract readable strings from these files.

For each system output is stored in $pwd\PME\PME\Notepad\

Supported Methods

MSSQL
SMB
SessionHunter
WMI
WinRM

Optional Parameters

Parameter

Value

Description

-ShowOutput

N/A

Displays each target output to the console

-SuccessOnly

N/A

Display only successful results

Usage

# Standard execution
PsMapExec [Method] -targets All -Module Notepad -ShowOutput

Last updated 5 days ago

Was this helpful?