Notepad

This module searches for stored data in various applications in the following locations as referenced in the table below;

Application
Location

Notepad++

C:\Users\<UserProfile>\APPDATA\Roaming\NotePad++\backup\

Notepad (Windows 11 / Server 2025)

C:\Users\<UserProfile>\AppData\Local\Packages\Microsoft.WindowsNotepad_*\LocalState\TabState\

Visual Studio Code

C:\Users\<UserProfile>\AppData\Roaming\Code\Backups

PowerShell_ISE

C:\Users\<UserProfile>\AppData\Local\Microsoft_Corporation\powershell_ise*\

Default behavior in Windows 11 and Windows Server 2025 is to store Notepad files on disk in binary files. This module will attempt to extract readable strings from these files.

For each system output is stored in $pwd\PME\PME\Notepad\

Supported Methods

  • MSSQL

  • SMB

  • SessionHunter

  • WMI

  • WinRM

Optional Parameters

Parameter
Value
Description

-ShowOutput

N/A

Displays each target output to the console

-SuccessOnly

N/A

Display only successful results

Usage

# Standard execution
PsMapExec [Method] -targets All -Module Notepad -ShowOutput

Last updated

Was this helpful?