Issue of the Month: Fantastic Notes and Where to Find Them

Daniel Ansett - Senior Penetration Tester

24/06/2025

Notepad has been a fundamental tool since its debut in Windows 1.0 back in 1983. Over the years, it has served countless users for everything from jotting down quick notes to temporarily storing sensitive data such as passwords, phone numbers, and email addresses, due to its simplicity and ease of use.

Many users, including myself, often rely on Notepad for this kind of temporary storage. It’s common to quickly paste sensitive information into a blank tab for convenience. While we don’t always explicitly choose to save the file, we often just close Notepad once we're done, assuming the data is discarded and not retained.

A Subtle Shift in How Notepad Stores Data

With the release of Windows 11 and Windows Server 2025, Microsoft has enhanced Notepad with new features including improved find-and-replace functionality, tabbed interface support, and even integration with large language models (LLMs). However, one notable change introduces a potential security risk: Notepad now retains unsaved content even after closing the application or rebooting the system.

This persistence occurs because Notepad now stores unsaved data as temporary binary files within the current user’s AppData\Local directory (%LOCALAPPDATA%). These files are located under the following path:
C:\Users\<UserName>\AppData\Local\Packages\Microsoft.WindowsNotepad_<RandomValue>\LocalState\TabState

For attackers operating in a post-exploitation context, these binary backup files can be a goldmine of sensitive data. In my own assessments, I’ve frequently uncovered credentials, phone numbers, internal system logs, and other forms of confidential information stored within them.

Mitigation Options and Workarounds

This behaviour isn’t exclusive to the modern Notepad app either. Similar functionality exists in Notepad++, a popular alternative to Microsoft Notepad, which also stores unsaved session data as binary files in the user’s %APPDATA% directory under:
C:\Users\<UserName>\AppData\Roaming\Notepad++\backup\*

With Windows 10 reaching End of Life in October 2025, many organizations are migrating to Windows 11. This means broader adoption of the updated Universal Windows Platform (UWP)-based Notepad.

Adversaries can trivially extract plaintext from these binary files using tools like Sysinternals Strings.exe or PowerShell-based alternatives such as Invoke-PowerStrings.

Unfortunately, as of the time of writing, the most effective way to prevent this behaviour is to manually disable it in Notepad’s settings via the gear icon. This must be done on a per-user and per-device basis. There does not currently appear to be a Group Policy Object (GPO) or registry-based solution available, likely due to the limitations of UWP applications.

Otherwise, organizations could roll out scripts to perform regular cleanup of the following directories from each user profile on the system.

· C:\Users\<UserName>\AppData\Roaming\Notepad++\backup\*
· C:\Users\<UserName>\AppData\Local\Packages\Microsoft.WindowsNotepad_<RandomValue>\LocalState\TabState
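
One way to script the cleanup described above, as an added example that is not part of the original post. The parameter names ($ProfileRoot, $OlderThanHours) are hypothetical, profiles are assumed to live under C:\Users, and a wildcard stands in for the <RandomValue> part of the Notepad package folder.

```powershell
#Requires -Version 5.1
# Added example, not from the original post. Run elevated (for instance as a
# scheduled task) so the other users' profile folders are readable.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: profiles live under C:\Users, as in the paths the post quotes.
    [string]$ProfileRoot = 'C:\Users',
    # Hypothetical retention window; 0 removes every backup file found.
    [int]$OlderThanHours = 0
)

# Profile-relative paths from the post. The wildcard stands in for the
# <RandomValue> suffix of the Notepad package folder.
$relativeTargets = @(
    'AppData\Local\Packages\Microsoft.WindowsNotepad_*\LocalState\TabState',
    'AppData\Roaming\Notepad++\backup'
)
$cutoff = (Get-Date).AddHours(-$OlderThanHours)

$userProfiles = Get-ChildItem -Path $ProfileRoot -Directory -Force -ErrorAction SilentlyContinue
foreach ($userProfile in $userProfiles) {
    foreach ($relative in $relativeTargets) {
        $pattern = Join-Path -Path $userProfile.FullName -ChildPath $relative
        # Resolve-Path expands the wildcard; profiles without the app yield nothing.
        $dirs = Resolve-Path -Path $pattern -ErrorAction SilentlyContinue
        foreach ($dir in $dirs) {
            $files = Get-ChildItem -LiteralPath $dir.ProviderPath -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.LastWriteTime -le $cutoff }
            foreach ($file in $files) {
                if (-not $PSCmdlet.ShouldProcess($file.FullName, 'Remove unsaved-session backup')) { continue }
                try {
                    Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
                    Write-Verbose "Removed $($file.FullName)"
                } catch {
                    # For example, a file still held open by a running editor.
                    Write-Warning "Skipped $($file.FullName): $($_.Exception.Message)"
                }
            }
        }
    }
}
```

Run it with -WhatIf first to list what would be deleted. Removing these files discards any unsaved tabs a user still expected to find on next launch.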

Organizations should additionally provide end-user training on the risks associated with storing sensitive data in applications such as Notepad and Notepad++, advising users instead to store temporary sensitive data in company-approved applications.

Meet the author

Daniel is a Senior Penetration Tester with a focus on Windows infrastructure and Active Directory security. Outside of client engagements, he enjoys developing offensive security tools and sharing insights into testing methodologies on his personal blog. Follow Daniel on GitHub: https://github.com/The-Viper-One
