ogmini - Exploration of DFIR
Having fun while learning about and pivoting into the world of DFIR.
About Blog Posts by Tags Research CTF/Challenge GitHub RSS
Windows Notepad - Forced Save on Detecting Manipulation?
by ogmini
Came across an interesting behavior while doing some testing. Initially, I wasn’t able to replicate it. Early on in I would sometimes see the creation of a guid.bin.tmp file in the TabState folder. At the time I had brushed it off as it would “resolve” by deleting itself and nothing seemed to break. I theorized that it might be related to file locks and Windows Notepad trying to protect the integrity of the TabState files.
Windows Notepad will now force you to decide between saving your open tabs when you close Windows Notepad if a .tmp file was ever created during the current session. I’m pretty sure this behavior didn’t exist in previous version. Just to clarify, the forced saving I believe is new as I had noticed the creation of .tmp files in the past but not the prompt to save. I would need to regression test to verify. Some sort of security? The .tmp files are the same format as the normal TabState files but they contain the changes made during the “lock” and are ultimately rolled back into the normal bin file at the next chance.
Replication
If you want to replicate this behavior you can follow the steps below. Note this isn’t exactly consistent as there is some very short timing required.
- Open Windows Notepad and have a Tab with some Markdown text in it and it should be in the unsaved state.
- Open the TabState file in 010 Editor.
- Type a letter into the Windows Notepad Tab.
- Quickly go back to 010 Editor and click on a cell. You will know if you did this right if 010 Editor doesn’t prompt you to update the contents.
- You should now see a guid.bin.tmp file.
- Making another change in the Windows Notepad Tab will cause the deletion of the guid.bin.tmp file.
