Other Files


Search File Contents for String

C:\xyz> cd c:\Users\user\Documents & findstr /SI /M "password" *.xml *.ini *.txt


Search File Contents for String

C:\xyz> findstr /si password *.xml *.ini *.txt *.config

stuff.txt:password: l-x9r11_2_GL!

Search File Contents for String

C:\xyz> findstr /spin "password" *.*

stuff.txt:1:password: l-x9r11_2_GL!

Search File Contents with PowerShell

PS C:\xyz> select-string -Path C:\Users\user\Documents\*.txt -Pattern password

stuff.txt:1:password: l-x9r11_2_GL!

Search for File Extensions

C:\xyz> dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*


Search for File Extensions

C:\xyz> where /R C:\ *.config


Search for File Extensions Using PowerShell

PS C:\xyz> Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore

    Directory: C:\inetpub\wwwroot

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         5/25/2021   9:59 AM            329 web.config


Sticky Notes Passwords

People often use the StickyNotes app on Windows workstations to save passwords and other information, not realizing it is a database file. This file is located at C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite and is always worth searching for and examining.

PS C:\xyz> ls

    Directory: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         5/25/2021  11:59 AM          20480 15cbbc93e90a4d56bf8d9a29305b8981.storage.session
-a----         5/25/2021  11:59 AM            982 Ecs.dat
-a----         5/25/2021  11:59 AM           4096 plum.sqlite
-a----         5/25/2021  11:59 AM          32768 plum.sqlite-shm
-a----         5/25/2021  12:00 PM         197792 plum.sqlite-wal

Viewing Sticky Notes Data Using PowerShell: PSSQLite module

PS C:\xyz> Set-ExecutionPolicy Bypass -Scope Process

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A

PS C:\xyz> cd .\PSSQLite\
PS C:\xyz> Import-Module .\PSSQLite.psd1
PS C:\xyz> $db = 'C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
PS C:\xyz> Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap

\id=de368df0-6939-4579-8d38-0fda521c9bc4 vCenter
\id=1a44a631-6fff-4961-a4df-27898e9e1e65 root:Vc3nt3R_adm1n!
\id=c450fc5f-dc51-4412-b4ac-321fd41c522a Thycotic demo tomorrow at 10am

Strings to View DB File Contents

neutron@kali[/kali]$  strings plum.sqlite-wal

"Text" varchar ,
"WindowPosition" varchar ,
"IsOpen" integer ,
"IsAlwaysOnTop" integer ,
"CreationNoteIdAnchor" varchar ,
"Theme" varchar ,
"IsFutureNote" integer ,
"RemoteId" varchar ,
"ChangeKey" varchar ,
"LastServerVersion" varchar ,
"RemoteSchemaVersion" integer ,
"IsRemoteDataInvalid" integer ,
"PendingInsightsScan" integer ,
"Type" varchar ,
"Id" varchar primary key not null ,
"ParentId" varchar ,
"CreatedAt" bigint ,
"DeletedAt" bigint ,
"UpdatedAt" bigint )'
U   af907b1b-1eef-4d29-b238-3ea74f7ffe5c
U   93b49900-6530-42e0-b35c-2663989ae4b3

< SNIP >

\id=011f29a4-e37f-451d-967e-c42b818473c2 vCenter
\id=34910533-ddcf-4ac4-b8ed-3d1f10be9e61 alright*
\id=ffaea2ff-b4fc-4a14-a431-998dc833208c root:Vc3nt3R_adm1n!ManagedPosition=Yellow93b49900-6530-42e0-b35c-2663989ae4b3af907b1b-1eef-4d29-b238-3ea74f7ffe5c


Other Files of Interest

%WINDIR%\repair\software, %WINDIR%\repair\security
C:\Program Files\Windows PowerShell\*