In my previous post I have provided a list of ‘new’ protocols I noticed in the latest Windows 11 build.
One that immediately caught my attention was “ms-notepad://”. You can use it to launch Notepad via “ms-notepad://<filename>” links and it also accepts command line switches.
So…
One could launch:
ms-notepad://foobar.txt
and that would make Notepad attempt to open one of these:
- C:\Users\<user>\ms-notepad:\foobar.txt\
- C:\Users\<user>\ms-notepad:\foobar.txt.txt
or
ms-notepad://..\..\..\foobar.txt
to open:
- C:\foobar.txt
- C:\foobar.txt.txt
If you embed a link pointing to the above foobar.txt file in a HTML file and open in f.ex. Microsoft Edge, and then click the link, you will see Notepad trying to open the following files:
- C:\Users\<user>\ms-notepad:..%5C..%5C..%5Cfoobar.txt\
- C:\Users\<user>\ms-notepad:..%5C..%5C..%5Cfoobar.txt.txt
It looks like the protocol handler is not doing very well with this unexpected input.
Additionally, new Notepad.exe accepts a /TESTING:>argument> command line argument. I don’t fully understand how the program processes this argument, but I noticed it has to be provided in a Base64 form.
So:
file://..\..\..\test\foobar.txt
can be converted to a Base64 blob:
ZmlsZTovLy4uXC4uXC4uXHRlc3RcZm9vYmFyLnR4dCAgICA=
One can then launch Notepad with a TESTING argument from a command line or via a protocol handler:
notepad /TESTING:ZmlsZTovLy4uXC4uXC4uXHRlc3RcZm9vYmFyLnR4dCAgICA= ms-notepad:// /TESTING:ZmlsZTovLy4uXC4uXC4uXHRlc3RcZm9vYmFyLnR4dCAgICA=
In both cases the Notepad will try to open:
C:\test\foobar.txt
And while nothing substantial comes out of this quick ‘research’, I find it pretty interesting that so many new URL-like protocols are still being introduced in new Windows builds.