Low Risk | Windows | Legitimate | Commonly Abused
notepad.exe - TEXT EDITOR

notepad.exe - Windows Notepad Security Analysis

notepad.exe is the **Windows text editor**, a ubiquitous and trusted application. While typically benign, attackers use notepad.exe as a **process injection target** due to its trusted status and for **testing code execution** (spawning notepad to verify RCE). Notepad spawned from unusual parents is suspicious.

Risk Summary

LOW priority for SOC triage. notepad.exe is typically benign but is used as a test target for code execution and process injection. Monitor for notepad spawned from unexpected parents like web servers or services.

Overview

What is notepad.exe?

notepad.exe is the built-in Windows text editor.

Core Functions

Text Editing:

  • Simple text file editing
  • View text files

Security Significance

  • Injection Target: Common for testing
  • RCE Verification: Attackers spawn notepad to test
  • Trusted Process: Rarely blocked
  • Masquerade Target: Malware impersonation

Normal Behavior

Expected Process State

Property:    Expected Value
Path:        C:\Windows\System32\notepad.exe
Parent:      explorer.exe (user launch)
User:        Logged-in user
Network:     None

Normal Launch

explorer.exe → notepad.exe

Common Locations

C:\Windows\System32\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\notepad.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Path:        C:\Windows\System32\notepad.exe
Parent:      explorer.exe
Network:     None
User:        Logged-in user

SUSPICIOUS

Parent:      w3wp.exe (webshell!)
             svchost.exe
             services.exe
Path:        C:\Temp\notepad.exe
Network:     Any (abnormal)

Abuse Techniques

Attack Techniques

Technique #1: Code Execution Verification (T1106)

Attackers spawn notepad to verify RCE:

start notepad.exe

Technique #2: Process Injection Target (T1055)

Injecting code into notepad.exe:

  • Trusted process
  • Rarely monitored

Technique #3: Process Masquerading (T1036.005)

Malware named notepad.exe.

Remediation Steps

Protection and Remediation

Defense: Monitor Unusual Parents

Alert on notepad from web server processes.

If Compromise Suspected

  1. Check parent process
  2. Look for webshell indicators
  3. Review for process injection

Investigation Checklist

  • Check parent process
  • Verify path is System32
  • Check for network activity
  • Look for injection indicators
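
The parent, path and network checks from this checklist and the "Legitimate vs Suspicious" comparison, applied to process-creation records. This is an added example, not code from the original page; the record keys (image, parent_image, network_connections) are hypothetical normalized field names and the sample records are constructed.

```python
import ntpath

# Values taken from the page's "Common Locations" and "SUSPICIOUS" lists.
KNOWN_PATHS = {
    r"c:\windows\system32\notepad.exe",
    r"c:\windows\syswow64\notepad.exe",
    r"c:\windows\notepad.exe",
}
EXPECTED_PARENT = "explorer.exe"
SUSPICIOUS_PARENTS = {"w3wp.exe", "svchost.exe", "services.exe"}


def triage(event):
    """Return a list of findings for one process-creation record.

    `event` uses hypothetical normalized keys: image, parent_image,
    network_connections (count of connections attributed to the process).
    """
    image = event["image"].lower()
    if ntpath.basename(image) != "notepad.exe":
        return []  # not a notepad process; out of scope
    findings = []
    if image not in KNOWN_PATHS:
        findings.append("path outside known locations (possible masquerading)")
    parent = ntpath.basename(event["parent_image"].lower())
    if parent in SUSPICIOUS_PARENTS:
        findings.append(f"suspicious parent: {parent}")
    elif parent != EXPECTED_PARENT:
        # Not on the page's suspicious list; flagged for review only.
        findings.append(f"unexpected parent: {parent}")
    if event.get("network_connections", 0) > 0:
        findings.append("network activity from notepad.exe")
    return findings


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "network_connections": 0},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "network_connections": 0},
    {"image": r"C:\Temp\notepad.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe", "network_connections": 2},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "<-", ev["parent_image"], triage(ev) or "ok")
```

Injection indicators are not covered here; they need memory or API-call telemetry rather than process-creation records.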

MITRE ATT&CK Techniques

Last verified: January 18, 2026