Update DFIRBatch.reb with Windows Notepad

[ogmini]

Add Third Party Application section for Windows Notepad

Description

Add Third Party Application section for Windows Notepad

Checklist:

Please replace every instance of [ ] with [X] OR click on the checkboxes after you submit your PR

• I have generated a unique GUID for my Batch file(s)
• I have tested and validated the new Batch file(s) against test data and achieved the desired output
• I have placed the Batch file(s) within the .\RECmd\BatchExamples directory
• I have set or updated the version of my Batch file(s)
• I have made an attempt to document the artifacts within the Batch file(s)
• I have consulted the Guide/Template to ensure my Map(s) follow the same format

Thank you for your submission and for contributing to the DFIR community!

[Copilot]

Pull Request Overview

Adds a new Third Party Application section for Windows Notepad artifacts and bumps the batch file version.

• Updated version and GUID in DFIRBatch.reb to 2.12
• Added registry artifact entries for Windows Notepad under “Third Party Application”
• Updated contributors list and version history in DFIRBatch.md

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
BatchExamples/DFIRBatch.reb	Bumped Version/Id and inserted Windows Notepad registry entries
BatchExamples/DFIRBatch.md	Added ogmini to contributors and added v2.12 to version history

Comments suppressed due to low confidence (4)

BatchExamples/DFIRBatch.reb:4

• The GUID contains a curly apostrophe (‘) instead of a hyphen, making it invalid. Replace with the standard '-' character.

Id: 6e68cc0b-c945-428b-a‘b91-c02d91c877b8

BatchExamples/DFIRBatch.reb:3059

• The closing quote is a curly quotation mark, which may break parsing. Use a standard ASCII double-quote (") instead.

        Comment: "MRU from .\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium\User.dat”

BatchExamples/DFIRBatch.reb:3066

• The closing quote is a curly quotation mark; replace it with a standard ASCII double-quote (") for consistency and correct parsing.

        Comment: "TypedPaths from .\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium\User.dat”

BatchExamples/DFIRBatch.reb:3073

• The closing quotation mark is curly and could cause parser errors—use the standard ASCII double-quote (") instead.

        Comment: "MountPoints2 from .\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium\User.dat”

[AndrewRathbun]

Have we tested if this works in RECmd? I don't think this is a valid HiveType but I'd have to check....

[AndrewRathbun]

@ogmini FYI ^^

[AndrewRathbun]

RECmd/RECmd/ReBatch.cs

Lines 36 to 56 in 0c5b479

	public enum HiveType_
	{
	[Description("Other")] Other = 0,
	[Description("NTUSER")] NtUser = 1,
	[Description("SAM")] Sam = 2,
	[Description("SECURITY")] Security = 3,
	[Description("SOFTWARE")] Software = 4,
	[Description("SYSTEM")] System = 5,
	[Description("USRCLASS")] UsrClass = 6,
	[Description("COMPONENTS")] Components = 7,
	[Description("DRIVERS")] Drivers = 8,
	[Description("AMCACHE")] Amcache = 9,
	[Description("SYSCACHE")] Syscache = 10,
	[Description("BCD")] Bcd = 11,
	[Description("BCD-Template")] BcdTemplate = 12,
	[Description("ELAM")] Elam = 13,
	[Description("userdiff")] userdiff = 14,
	[Description("BBI")] Bbi = 15,
	[Description("VSMIDK")] Vsmidk = 16,
	[Description("DEFAULT")] Default = 17
	}

It appears that Other is a valid HiveType. If we can confirm this works, then game on 👍

[AndrewRathbun]

@ogmini pinging in case you missed this

[ogmini]

@ogmini pinging in case you missed this

It was tested and reported as "Other" as you noticed. I think it might be best to hold off or close this pull request for now. I'm trying to finish figuring out the other HiveTypes and it would be useful to correctly parse them. This rabbit hole sort of blew up in my face with complexity.

[AndrewRathbun]

@ogmini pinging in case you missed this

It was tested and reported as "Other" as you noticed. I think it might be best to hold off or close this pull request for now. I'm trying to finish figuring out the other HiveTypes and it would be useful to correctly parse them. This rabbit hole sort of blew up in my face with complexity.

Hey no worries!- I will close for now and we can always reopen this, if needed. Thanks for your work as it is admired and appreciated. Let me know if you need any assistance on anything or want some validation on what you're seeing!

[reece394]

I thought I would help unblock you a little with the Other hive bit @ogmini. I had the same issue when working on the DEFAULT registry hive. Thankfully with the help of @AndrewRathbun we got that working properly. I have done the same with User.dat, UserClasses.dat and settings.dat with EricZimmerman/Registry#32 and #94. Below is a sample of it working with Paint UWP where we specify the HiveType of User, UserClasses or settings based on your needs. (Microsoft Being Lazy helps us). Thanks for your research as it made me think that if this is the same other keys might be the same too!

    -
        Description: Recent File List
        HiveType: NTUSER
        Category: User Activity
        KeyPath: Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
        Recursive: false
        Comment: "Displays recent files accessed by the user with MS Paint"

# https://forensafe.com/blogs/PaintMRU.html

    -
        Description: Recent File List
        HiveType: User
        Category: User Activity
        KeyPath: SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
        Recursive: false
        Comment: "Displays recent files accessed by the user with MS Paint Windows Store Version"

# https://forensafe.com/blogs/PaintMRU.html
# https://ogmini.github.io/2025/06/14/Microsoft-Paint-Application-Hive.html

[AndrewRathbun]

FYI, here's the updated Enum in RECmd:

RECmd/RECmd/ReBatch.cs

Lines 36 to 60 in 18704c6

	public enum HiveType_
	{
	[Description("Other")] Other = 0,
	[Description("NTUSER")] NtUser = 1,
	[Description("SAM")] Sam = 2,
	[Description("SECURITY")] Security = 3,
	[Description("SOFTWARE")] Software = 4,
	[Description("SYSTEM")] System = 5,
	[Description("USRCLASS")] UsrClass = 6,
	[Description("COMPONENTS")] Components = 7,
	[Description("DRIVERS")] Drivers = 8,
	[Description("AMCACHE")] Amcache = 9,
	[Description("SYSCACHE")] Syscache = 10,
	[Description("BCD")] Bcd = 11,
	[Description("BCD-Template")] BcdTemplate = 12,
	[Description("ELAM")] Elam = 13,
	[Description("userdiff")] userdiff = 14,
	[Description("BBI")] Bbi = 15,
	[Description("VSMIDK")] Vsmidk = 16,
	[Description("DEFAULT")] Default = 17,
	[Description("User")] User = 18,
	[Description("UserClasses")] UserClasses = 19,
	[Description("settings")] settings = 20,
	[Description("Registry")] Registry = 21
	}

If we want to re-open this, test, and merge, just say the word @ogmini or @reece394, otherwise, I'll just wait for another PR in the future. If there's anything that you'd like run down @ogmini, feel free to task it out here, if needed.

[reece394]

The only comment I would make is at the min that commit has Notepad specific comments and is in the third party section. What I would do instead is go through the batch file and for the keys that are the same copy and paste them to the line below and change the HiveType and comment to Windows Store/ UWP. That way they are generic and should capture every Windows Store/UWP app. My plan is to work on this over the next few days if my cases don’t steal me away

[ogmini]

No objections on my end. Won't have much time to poke at this due to summer and work.

This question probably should reside in the https://github.com/[EricZimmerman/RegistryPlugins](https://github.com/EricZimmerman/RegistryPlugins) repo. I'll ask it here first though. If I wanted the settings.dat to get parsed in a more usable fashion I would accomplish that with a RegistryPlugin? Something that would be generic to all the Windows Store/UWP apps. Or would this be more appropriate for the https://github.com/EricZimmerman/Registry repo?

[AndrewRathbun]

No objections on my end. Won't have much time to poke at this due to summer and work.

This question probably should reside in the https://github.com/[EricZimmerman/RegistryPlugins](https://github.com/EricZimmerman/RegistryPlugins) repo. I'll ask it here first though. If I wanted the settings.dat to get parsed in a more usable fashion I would accomplish that with a RegistryPlugin? Something that would be generic to all the Windows Store/UWP apps. Or would this be more appropriate for the https://github.com/EricZimmerman/Registry repo?

Yes, a plugin will make use of the ValueData2 and ValueData3 columns similar to the other plugin outputs in the batch file.

[ogmini]

No objections on my end. Won't have much time to poke at this due to summer and work.
This question probably should reside in the [https://github.com/EricZimmerman/RegistryPlugins](https://github.com/%5BEricZimmerman/RegistryPlugins%5D(https://github.com/EricZimmerman/RegistryPlugins)) repo. I'll ask it here first though. If I wanted the settings.dat to get parsed in a more usable fashion I would accomplish that with a RegistryPlugin? Something that would be generic to all the Windows Store/UWP apps. Or would this be more appropriate for the https://github.com/EricZimmerman/Registry repo?

Yes, a plugin will make use of the ValueData2 and ValueData3 columns similar to the other plugin outputs in the batch file.

The settings.dat mainly consists of VKCellRecords that have different Types than those specified currently in the Registry Repo. https://ogmini.github.io/2025/06/20/Registry-Hive-Data-Types-Part-3.html

https://github.com/EricZimmerman/Registry/blob/master/Registry/Cells/VkCellRecord.cs#L24-L75

Would making the change at this level be a bad idea?

[EricZimmerman]

If it's just a value store then probably no? Seems to be deviating away from a hive to just a key value pair using vk data structure.

Steal the vk code but let's not overcomplicate