Skip to content

Commit

Permalink
Windows 11 Notepad TabState parser.
Browse files Browse the repository at this point in the history
  • Loading branch information
DReneau authored Oct 24, 2024
1 parent b124213 commit c6625f5
Showing 1 changed file with 18 additions and 0 deletions.
18 changes: 18 additions & 0 deletions Modules/Apps/GitHub/Notepad_Parser.mkape
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
Description: A Module to parse (Windows 11+) Notepad TabState files.
Category: Windows
Author: DReneau
Version: 1.0
Id: b5a8a229-4897-4bda-a8f0-f2246362664f
BinaryUrl: https://github.com/AbdulRhmanAlfaifi/notepad_parser/releases/download/v0.1.0/notepad_parser.exe
ExportFormat: json
Processors:
- Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: "Get-ChildItem -Recurse '%sourceDirectory%' -Filter '*.bin' | Where-Object { $_.FullName -like '*Microsoft.WindowsNotepad_8wekyb3d8bbwe\\LocalState\\TabState*' } | ForEach-Object { $outputFile = Join-Path '%destinationDirectory%' ([System.IO.Path]::GetFileNameWithoutExtension($_.FullName) + '.json'); $tempFile = Join-Path '%destinationDirectory%' ([System.IO.Path]::GetFileNameWithoutExtension($_.FullName) + '_temp.json'); & '%kapeDirectory%\\Modules\\bin\\notepad_parser.exe' \"$($_.FullName)\" -f jsonl -o $tempFile; if (Test-Path $outputFile) { Remove-Item $outputFile }; Rename-Item $tempFile $outputFile }"
ExportFormat: json

# Documentation
# https://u0041.co/posts/articals/exploring-windows-artifacts-notepad-files/
# Windows 11 Notepad stores a cache of recently opened files. This cache contains valuable information, such as file paths, file contents, and other useful data.
# This parser written by AbdulRhman Alfaifi will parse the Windows 11 Notepad cache, specifically the TabState.
# The Notepad artifacts are stored here: "%LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad _8wekyb3d8bbwe\LocalState"

0 comments on commit c6625f5

Please sign in to comment.