Navigation Menu

Skip to content


Folders and files

Last commit message
Last commit date

Latest commit



17 Commits

Repository files navigation

Open Safety

An improvement on the "map .js files to notepad" trick

Designed to assist with securing environments by ensuring such blocking events raise significant alarms. For background and more information, see this blog post



  • Deploy the executable to an appropriate location
  • Replace notepad.exe mappings in Group Policies with the new location

SMB/Home User


A typical intended deployment involves never manually using this application. The above installation process will configure it to run with suspect files as a parameter. Example:

open_safety.exe example.js

You may wish to query the version:

open_safety.exe --version


This application aims to provide two mechanisms to better handle script execution than the notepad trick. Specifically:

  • It provides the user a suitable message, presenting a much less confusing feedback than open a test file of source code
  • It attempts to alert any monitoring IT teams


When this application is executed it will follow the below process, for the script "example.js":

  • To prevent any misuse, it first ensures the called file has an appropriate file extension
  • It further checks the file does not sit under standard system directories
  • The file is renamed to "DANGEROUS example.js.txt" to neutralise the risk.
  • It creates the file "" in the same directory containing the EICAR test string. This should set off appropriate alarms for Defenders


This application currently uses only one external crate (base64). It's designed as much as possible with guard rails around misuse, and it never actually deletes content. CI has been setup with strict use of clippy and cargo fmt. There's a deliberate goal of becoming "stable" and not requiring ongoing addition of features to assist with this becoming trusted for use. To this end, I'm unlikely to accept PRs with substantive changes. Designed to build with rust stable with no unsafe. The binary in "releases" is built straight from this codebase, includes no telemetry or additional code. Currently only Windows x64 type binaries are pre-built for releases.


  • Installation Powershell to fetch executable from Github releases
  • Implement CI with Github actions
  • Blog post on why this is useful
  • Obtain a code signing cert

Release guide

cargo build --release
$codeCertificate = Get-ChildItem Cert:\CurrentUser\My
Set-AuthenticodeSignature -FilePath .\target\release\open_safety.exe  -Certificate $codeCertificate -TimeStampServer ""


An application to assist with securing script execution







No packages published