Notepad.exe P

Rosalie Checca

Aug 5, 2024, 12:36:08 AM
to beautodawed
I ran into this today (2022) on Windows 10. This link (What prevents copied/renamed/moved notepad.exe from running in some Windows editions?) turned out to be spot on with what was wrong in my case. Going into the en-us\ folder in C:\Windows\, creating a copy of notepad.exe.mui, and renaming it to match my new executable name, allowed that .exe to run.

By performing a search I found notepad.exe in c:\windows, c:\windows\system and c:\windows\system32, and in all three locations I have tried to replace it with the file taken from another Windows 7 PC, but I get the same error.


Notepad is perhaps the most commonly hardcoded program in Windows. Many setup programs use it to view the Readme file, and you can use your imagination to come up with other places where a program or batch file or printed instructions will hard-code the path to Notepad.


I have had this problem since upgrading from Textpad 5 to Textpad 6, which has an option to 'Replace Notepad'. I could not run notepad by double-clicking, or launching from a command prompt from any of its many locations.


had a "Debugger" REG_SZ value which pointed to the non-existent Textpad 5. So the Debugger value overrides the requested image file with an alternate image file of your choice. Nice, if a little dangerous, because any Windows image file can be silently overridden.


I have encountered a similar issue if my %PATH% environment variable is too long. Check your environment variables and see if there are any old uninstalled programs still sitting in your PATH variable and remove them.


So I was looking around in my windows folder and I noticed a strange notepad.exe with no image. It works as notepad properly but I would like to know if this is some sort of piece of malware that is being hidden.

I also put it in virus total and saw some other people were reporting problems with it. Someone who is more experienced with this stuff please get back to me.



Virus total link:


When you use Invoke-Command, the commands you enter (either in the script block or script you send) are sent to the wsmprovhost process on the remote machine. Effectively, this is a copy of PowerShell running on that system. When you run a GUI program, like Notepad, there is, in effect, nowhere for the GUI to be displayed. The local console can only display data that is sent (via SOAP) to the client. You can launch notepad if you run it from within a remote PS session (Enter-PSSession). Running notepad makes the notepad.exe process visible if you look at it via Get-Process. But that notepad process is incomplete, e.g. it lacks a value for properties like MainModule.


Is there any known legitimate reason that notepad.exe would make network connections to a domain controller? I observed this behavior. The first connection was to port 135 and the second was to one of the Microsoft RPC dynamic ports. In addition I also observed an SNMP request (port 161/UDP) to some random device where Sysmon reported the source process as C:\windows\system32\notepad.exe


When a shell dialog (file open/save, print, etc.) is opened, network traffic generated by accesses to SMB file shares or other network resources will be attributed to the process that is accessing those resources. That means both direct connections to the system that is hosting the resource, and connections to the domain if services need to be discovered, policies need to be looked up, or authentication tokens need to be requested. As such, seeing traffic to port 135 from Notepad in a domain is not that unusual. It'd be even more likely if you're replicating user profiles to a central location so that a user can roam to other workstations.


Seeing SNMP from that process is rather unusual. One explanation might be if a security or monitoring product you have installed sends back telemetry from modules that are injected into running processes. I know that SolarWinds uses SNMP for some of its telemetry collection, but I'm not sure on the exact implementation.


If you don't have more information to go on, such as packet captures of the traffic in question, I would recommend being cautious and following your incident response plan. At minimum I would get someone qualified to do some forensic capture and investigation of the affected host.


We noticed some curious processes on a remote server, specifically notepad.exe running as NT AUTHORITY\SYSTEM. Now anyone familiar with Meterpreter knows that notepad.exe is a favorite process to spin up as a host for the Meterpreter session. Given the SYSTEM-level access, it is likely that another hackthebox user has performed successful exploitation and is enjoying their new privileges. Just as a bit of a joke, I decided to try to receive some ill-gotten gains:


The notepad process is spawned with the PROCESS_ALL_ACCESS designation. In the Windows documentation on Process Security and Access Rights, we can see that this flag, when passed to CreateProcess, gives the new process object all possible access rights. This means that any process running on the system can use the new process to create new processes and threads, duplicate its handle, query information about the process such as tokens and access codes, set information about the process, read and write to its memory, perform an operation on its address space, and do basically whatever it likes with the new process.


Attempting to copy the program file notepad.exe from the \windows to the \tools directory using the command prompt. Trying to complete simple tasks using the command prompt, but still unable to grasp it. Have not found a set of instructions that clicks for me; very new to "computing".


I stupidly clicked the button, and it appeared to switch to a new version of notepad. At least, the offer to launch the new version disappeared.

I eventually ended up in a nightmare of installing the Microsoft Store notepad (which seemed to be "new version" that was being offered).

It installed but I think it trashed my old c:\windows\system32\notepad.exe installation.


After spending several wasted hours reading up on the errors and trying to debug it, uninstalling the notepad store app, checking all my disks (they are good), reinstalling some 2013 C++ redistributables, and otherwise wasting my time, I still get the error above. My code has been working for many months until this notepad headache started.


In visual studio, this is the full error. I no longer have a side-by-side installation of notepad, to the best of my knowledge. I could not find anything in the "application event log" (was I looking in the right place?). And I don't know how to use the sxstrace.exe tool. The problem showed up when I stupidly clicked the LAUNCH button offer of the new notepad. Something in that process screwed up the "side-by-side" installation, whatever that is.


I also made SURE that I had reinstalled the latest C++ redistributables (x86 and x64) and rebooted (again). But nothing helps. It still complains with the side-by-side error. I also ran the sxstrace tool, captured a binary log file, and converted it to a txt file. The txt file was 1KB and empty.


I went through the redistributable list (2010, 2013, 2019, etc.) to collect all the known version numbers that were available from Microsoft. Then I compared those versions with the ones that I installed. In my travels at the MS site, there was an issue with one of their releases where installing the x86 version would delete the x64 version. This may have been an issue on my machine when I was installing versions.


They fixed it in KB3138367 and provided a new installer that would ensure both x86 and x64 versions were installed. I installed that one, reinstalled the latest notepad app from the MS store, and the issue went away for a few hours. The link to that KB version is below.


The InitialAutoRunScript option will execute the specified Meterpreter script as soon as a session is established. The migrate script is located in /path/to/metasploit/msf3/scripts/meterpreter/migrate.rb. The -f option opens a new process (notepad.exe) and migrates your Meterpreter session to it.


Edit this script to force many parts of Cobalt Strike and the Metasploit Framework to migrate Meterpreter to something other than notepad.exe. Try an alternative, like rundll32.exe. As of this writing, lines 42-54 of this file contain the code you need to change.


Note: these modules are the same thing. As of this writing, the Metasploit Framework is still in a transition porting post modules that accept a PAYLOAD to windows/local exploit modules. I expect that post modules with equivalent local exploits will eventually go away.


Is StarDock the outfit that keeps updating File Explorer? I cannot access any file with a *.txt extension. File explorer can find hardly any file. In the command prompt window, I go to C:\Windows\System32, and do a dir notepad.exe, and dir can't find the file. I create a shortcut on the desktop to notepad, and the program is now accessible. All this trouble with no file with *.txt extension is accessible and notepad cannot be found started after the last File Explorer update.


Why does starDock have to mess with File Explorer? Just exactly how does one restart File Explorer without rebooting? Is StarDock a bit too precious (definitions 4. and 5., Random House Webster's Unabridged Dictionary)?


Go to one of your text files, right click it, select Properties and then check to see what app "Opens with" is set to. If it's not Notepad, click the Change button and then select Notepad in the resulting dialog.


Thanks and an 'E' for effort, but Notepad is now and always has been the preferred app for *.txt files. The problem may have been that File Explorer could not find notepad.exe even though it was where it has always been -- C:\windows\System32. Somebody from GitHub is patching File Explorer, and this time he, she, it or they busted it.



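The "Debugger" value described earlier in this thread lives under Image File Execution Options (IFEO). Windows consults that key before launching the named executable, so a stale entry (an uninstalled Textpad 5) makes notepad.exe silently fail, and a deliberately planted entry is a well-known persistence and hijack trick. The following is an added example, not code from the original post, that audits every Debugger value on the machine and flags those whose target no longer exists; the key paths are the standard ones and the cleanup line is commented out because the exact subkey depends on what the audit finds.

```powershell
# Added example: audit Image File Execution Options (IFEO) "Debugger" values.
# A Debugger string replaces the requested image with the path it names, so both
# broken leftovers (the "cannot run notepad" symptom) and attacker-planted
# redirections show up in the same place.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    # One object per IFEO subkey that carries a Debugger value: the hijacked image
    # name, the raw Debugger string, the executable parsed out of it, and whether
    # that executable can actually be found.
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($dbg)) { continue }

            # Debugger may look like '"C:\Program Files\X\y.exe" -arg' or just 'vsjitdebugger.exe'.
            # Take the first token (quoted or not) as the executable.
            if ($dbg -match '^\s*"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($dbg -split '\s+')[0] }
            $expanded = [Environment]::ExpandEnvironmentVariables($exe)

            # Qualified paths are checked on disk; bare names resolve through PATH,
            # which is how the built-in vsjitdebugger.exe entry normally works.
            if ($expanded -match '[\\/]') {
                $exists = Test-Path -LiteralPath $expanded
            } else {
                $exists = [bool](Get-Command -Name $expanded -ErrorAction SilentlyContinue)
            }

            [pscustomobject]@{
                Image      = $key.PSChildName   # e.g. notepad.exe
                Debugger   = $dbg
                Executable = $expanded
                OnDisk     = $exists
                Key        = $key.Name
            }
        }
    }
}

# OnDisk = False entries reproduce the "notepad will not start" problem;
# OnDisk = True entries you did not set yourself deserve a closer look.
Get-IfeoDebugger | Sort-Object OnDisk, Image | Format-Table -AutoSize

# Hypothetical cleanup for the case in the thread: remove only the Debugger value
# and leave any other IFEO settings for the image (e.g. MitigationOptions) alone.
# Remove-ItemProperty -Path "$($ifeoRoots[0])\notepad.exe" -Name Debugger
```

Run it from an elevated prompt so both the native and the WOW6432Node hives are readable. A Debugger value whose target exists is not automatically malicious (Visual Studio and some legitimate tools register themselves this way), but anything pointing at a user-writable location is worth treating as an incident rather than a misconfiguration.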


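Several posts above converge on the same question from the defender's side: is this notepad.exe the real one, who owns it, and why does it hold network sockets? The migration posts explain why a SYSTEM-owned notepad.exe with no window is a classic Meterpreter host, the Sysmon post shows network traffic attributed to notepad.exe, and the "strange notepad.exe with no image" post is about an unexpected binary on disk. The following is an added example, not code from any of the quoted posts, that triages every running notepad.exe against those points using only built-in cmdlets. The expected image path is an assumption that holds for the classic Win32 Notepad; the Store version of Notepad on newer Windows lives under WindowsApps and will be flagged by the path check, so read that flag as a hint, not a verdict.

```powershell
# Added example: triage running notepad.exe processes for the warning signs
# discussed in the thread (SYSTEM owner, odd parent, no window, open sockets,
# image loaded from somewhere other than System32). Run elevated, otherwise
# ExecutablePath and CommandLine are empty for other users' processes.

function Get-NotepadTriage {
    # Assumption: the legitimate Win32 Notepad is %SystemRoot%\System32\notepad.exe.
    $expectedPath = Join-Path -Path $env:SystemRoot -ChildPath 'System32\notepad.exe'

    foreach ($p in Get-CimInstance -ClassName Win32_Process -Filter "Name = 'notepad.exe'") {
        $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $gui    = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        $tcp    = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue
        $udp    = Get-NetUDPEndpoint   -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue

        $flags = @()

        # Meterpreter migrated into notepad.exe typically runs as the exploited
        # account; SYSTEM is the case called out in the thread.
        if ($owner.User -eq 'SYSTEM') { $flags += 'runs as SYSTEM' }

        # A user-launched Notepad normally has explorer.exe as its parent.
        if (-not $parent) {
            $flags += "parent $($p.ParentProcessId) already exited"
        } elseif ($parent.Name -ne 'explorer.exe') {
            $flags += "parent is $($parent.Name)"
        }

        # An injected host process has no main window to show anyone.
        if ($gui -and $gui.MainWindowHandle.ToInt64() -eq 0) { $flags += 'no main window' }

        # Sockets owned by notepad.exe: shell dialogs touching SMB/RPC can explain
        # some of this in a domain, SNMP or unknown hosts cannot.
        if ($tcp) {
            $remotes = $tcp | ForEach-Object { '{0}:{1} ({2})' -f $_.RemoteAddress, $_.RemotePort, $_.State }
            $flags += 'tcp: ' + ($remotes -join ', ')
        }
        if ($udp) { $flags += "udp endpoints: $(@($udp).Count)" }

        # Image loaded from outside System32 (or with no path at all).
        if (-not $p.ExecutablePath) {
            $flags += 'image path unavailable (run elevated?)'
        } elseif ($p.ExecutablePath -ne $expectedPath) {
            $flags += "image is $($p.ExecutablePath)"
        }

        if ($parent) { $parentDesc = "$($parent.Name) ($($parent.ProcessId))" } else { $parentDesc = "$($p.ParentProcessId)" }

        [pscustomobject]@{
            Pid         = $p.ProcessId
            Owner       = "$($owner.Domain)\$($owner.User)"
            Parent      = $parentDesc
            Image       = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Flags       = ($flags -join '; ')
        }
    }
}

# Anything with a non-empty Flags column is worth a second look; a SYSTEM-owned,
# windowless notepad.exe with an established TCP connection should go straight
# into the incident response process rather than be killed on the spot.
Get-NotepadTriage | Format-List
```

Killing the process destroys the evidence the posts above say you will want (packet captures, a memory image of the host process), so when the output looks like the Meterpreter case, capture first and terminate second.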