# notepad-session-tools

POC PowerShell scripts which abuse the Microsoft Notepad session restore feature.
## Overview

A collection of PowerShell tools for analyzing and interacting with Windows Notepad's session restore functionality. These tools are designed for security research, digital forensics, and understanding Windows application persistence mechanisms.

## Disclaimer

These tools are intended for educational purposes, security research, and authorized penetration testing only. Users are responsible for ensuring compliance with applicable laws and regulations. Do not use these tools on systems you do not own or lack explicit permission to test.
## Contents

This repository contains two PowerShell scripts that work together to analyze and interact with Windows Notepad's session restore feature:

- `PSNoteEnum.ps1` - Enumerates and controls Notepad session restore settings and files
- `PSNoteExecute.ps1` - Extracts and executes obfuscated content from files using marker strings
### PSNoteEnum.ps1

A comprehensive tool for analyzing Windows Notepad's session restore functionality. This script can check restore settings, manage running processes, and extract session restore data.

Features:

- Check current Notepad session restore status
- Enable/disable session restore functionality
- Monitor running Notepad processes
- Extract session restore files (covert and overt methods)
### PSNoteExecute.ps1

A utility for extracting and executing obfuscated PowerShell commands hidden within files using delimiter strings. Supports multiple encoding methods, including UTF-16LE and UTF-8 Base64.

Features:

- Extract content between marker strings
- Execute extracted PowerShell commands
- Support for Unicode (UTF-16LE) Base64 decoding
- Support for regular (UTF-8) Base64 decoding
- Display extracted commands without execution
## Installation

1. Clone this repository:

```powershell
git clone https://github.com/yourusername/notepad-session-tools.git
cd notepad-session-tools
```

2. Ensure the PowerShell execution policy allows script execution:

```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
```
## Usage

### PSNoteEnum.ps1

Check Notepad restore status:

```powershell
.\PSNoteEnum.ps1 -CheckRestore
```

Enable session restore:

```powershell
.\PSNoteEnum.ps1 -EnableRestore
```

Disable session restore:

```powershell
.\PSNoteEnum.ps1 -DisableRestore
```

Check for running Notepad processes:

```powershell
.\PSNoteEnum.ps1 -CheckProcess
```

Covert enumeration (without disrupting Notepad):

```powershell
.\PSNoteEnum.ps1 -CovertEnum
```

Overt enumeration (closes and reopens Notepad):

```powershell
.\PSNoteEnum.ps1 -OvertEnum
```

Switches can be combined in a single invocation:

```powershell
# Check status and processes, then perform covert enumeration
.\PSNoteEnum.ps1 -CheckRestore -CheckProcess -CovertEnum
```
### PSNoteExecute.ps1

Extract and execute plain PowerShell commands:

```powershell
.\PSNoteExecute.ps1 -SetString "string" -TargetFile "C:\path\to\file.bin" -CmdExecution
```

Display the extracted command without execution:

```powershell
.\PSNoteExecute.ps1 -SetString "string" -TargetFile "C:\path\to\file.bin" -CmdDisplay
```

Unicode Base64 (UTF-16LE) encoded payload:

```powershell
.\PSNoteExecute.ps1 -SetString "string" -TargetFile "payload.bin" -UnicodeBase64
```

Regular Base64 (UTF-8) encoded payload:

```powershell
.\PSNoteExecute.ps1 -SetString "string" -TargetFile "payload.bin" -RegularBase64
```
## Parameters

### PSNoteEnum.ps1

Parameter | Type | Description |
---|---|---|
`-CheckRestore` | Switch | Check current Notepad session restore setting |
`-EnableRestore` | Switch | Enable Notepad session restore functionality |
`-DisableRestore` | Switch | Disable Notepad session restore functionality |
`-CheckProcess` | Switch | Check for running Notepad processes |
`-CovertEnum` | Switch | Extract session files without disrupting Notepad |
`-OvertEnum` | Switch | Extract session files by restarting Notepad |
### PSNoteExecute.ps1

Parameter | Type | Description |
---|---|---|
`-SetString` | String | Marker string used for content delimitation |
`-TargetFile` | String | Path to file containing obfuscated content |
`-CmdExecution` | Switch | Execute extracted PowerShell commands |
`-UnicodeBase64` | Switch | Decode UTF-16LE Base64 encoded content |
`-RegularBase64` | Switch | Decode UTF-8 Base64 encoded content |
`-CmdDisplay` | Switch | Display extracted commands without execution |
## File Locations

The tools interact with files in the following locations:

Registry path:

```
HKCU:\Software\Microsoft\Notepad\RestoreWindows
```

Session files path:

```
C:\Users\*\AppData\Local\Packages\Microsoft.WindowsNotepad_*\LocalState\TabState\*.bin
```
## Example Workflow

1. Initial assessment:

```powershell
# Check current configuration
.\PSNoteEnum.ps1 -CheckRestore -CheckProcess
# Enable session restore if needed
.\PSNoteEnum.ps1 -EnableRestore
```

2. Data collection:

```powershell
# Perform covert enumeration
.\PSNoteEnum.ps1 -CovertEnum
```

3. Analysis and execution:

```powershell
# Display hidden content
.\PSNoteExecute.ps1 -SetString "HIDDEN" -TargetFile "session.bin" -CmdDisplay
# Execute if safe to do so
.\PSNoteExecute.ps1 -SetString "HIDDEN" -TargetFile "session.bin" -CmdExecution
```
## Technical Details

### Session Restore Mechanism

Windows Notepad uses session restore functionality to preserve open tabs and content across application restarts. This feature stores session data in binary files located in the user's LocalState directory.

### Obfuscation Techniques

The execution script supports multiple obfuscation techniques:

- Plain text: direct PowerShell commands between markers
- Unicode Base64: UTF-16LE encoded Base64 strings
- Regular Base64: UTF-8 encoded Base64 strings
## Detection and Mitigation

- Monitor changes to `HKCU:\Software\Microsoft\Notepad\RestoreWindows`
- Watch for unusual Notepad process behavior
- Scan TabState directories for suspicious content
- Implement application whitelisting where appropriate
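An added detection script (not part of this repository) that implements the checks above from the defender's side: it records the RestoreWindows setting, scans the TabState files for a known delimiter stored as either UTF-8 or UTF-16LE, decodes the span between the first two markers (plain and as Base64) and reports loader-style tokens instead of executing anything. The `Find-Bytes` helper, the `HIDDEN` default marker and the assumption that RestoreWindows is a value under the `HKCU:\Software\Microsoft\Notepad` key are mine.

```powershell
# Added detection example, not part of the repository. Assumptions: the delimiter
# to hunt for is known (default 'HIDDEN'), and RestoreWindows is a value under the
# HKCU:\Software\Microsoft\Notepad key named in the README.
param(
    [string]$Marker   = 'HIDDEN',
    [string]$TabState = "$env:LOCALAPPDATA\Packages\Microsoft.WindowsNotepad_*\LocalState\TabState"
)
# 1. Record the session-restore setting; an unexpected flip is itself a signal.
$restore = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Notepad' -Name RestoreWindows -ErrorAction SilentlyContinue
$value = if ($restore) { $restore.RestoreWindows } else { '<not set>' }
Write-Host "RestoreWindows = $value"
# Tokens typical of PowerShell loaders; a hit is a lead for triage, not proof.
$indicators = 'Invoke-Expression', 'IEX', 'FromBase64String', 'DownloadString', '-EncodedCommand', 'Invoke-WebRequest'
# The marker may be stored as UTF-8 or UTF-16LE, so search for both byte forms.
$needles = @{ 'UTF-8' = [Text.Encoding]::UTF8.GetBytes($Marker); 'UTF-16LE' = [Text.Encoding]::Unicode.GetBytes($Marker) }
function Find-Bytes([byte[]]$Haystack, [byte[]]$Needle) {
    # Helper (mine): every offset at which $Needle occurs in $Haystack.
    $hits = @()
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $match = $true
        for ($j = 0; $j -lt $Needle.Length; $j++) {
            if ($Haystack[$i + $j] -ne $Needle[$j]) { $match = $false; break }
        }
        if ($match) { $hits += $i }
    }
    return ,$hits
}
# 2. Scan every TabState file, decode the span between the first two markers (plain
#    and as Base64), and report what was found without running any of it.
Get-ChildItem -Path $TabState -Filter '*.bin' -ErrorAction SilentlyContinue | ForEach-Object {
    $bytes = [IO.File]::ReadAllBytes($_.FullName)
    foreach ($enc in $needles.Keys) {
        $needle = $needles[$enc]
        $hits = Find-Bytes $bytes $needle
        if ($hits.Count -lt 2) { continue }
        $start = $hits[0] + $needle.Length
        $len = $hits[1] - $start; if ($len -le 0) { continue }   # overlapping markers
        $codec = if ($enc -eq 'UTF-8') { [Text.Encoding]::UTF8 } else { [Text.Encoding]::Unicode }
        $text = $codec.GetString($bytes, $start, $len)
        $decoded = ''
        try {
            $raw = [Convert]::FromBase64String($text.Trim())
            $decoded = [Text.Encoding]::Unicode.GetString($raw) + "`n" + [Text.Encoding]::UTF8.GetString($raw)
        } catch { }   # span was not Base64; the plain text is still inspected
        $flags = $indicators | Where-Object { $text -match [regex]::Escape($_) -or $decoded -match [regex]::Escape($_) }
        [pscustomobject]@{ File = $_.FullName; Encoding = $enc; Offset = $hits[0]; SpanBytes = $len; Indicators = ($flags -join ', ') }
    }
}
```

Any file that yields a row has a delimited span and warrants manual review of the TabState file; an empty Indicators column only means none of the listed tokens appeared, not that the span is benign.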
## Research Guidelines

- Always test in isolated environments
- Document all findings responsibly
- Consider the impact on system stability
- Follow responsible disclosure practices
## Requirements

- OS: Windows 10/11 (with modern Notepad)
- PowerShell: version 5.1 or higher
- Privileges: user-level access (some functions may require elevated privileges)
## Contributing

Contributions are welcome! Please ensure all contributions:

- Include appropriate documentation
- Follow responsible disclosure principles
- Are tested in isolated environments
- Include security considerations
## License

This project is licensed under the MIT License - see the LICENSE file for details.
## Changelog

- Initial release
- Basic enumeration functionality
- Command execution capabilities
- Support for multiple encoding methods
---

**Remember:** Use these tools responsibly and only on systems you own or have explicit permission to test.