@podlipom51-podlipom51 said in File empty after opening it as Adminitrator:

I was unable to save file. Suggested to open as Administrator after accepting my file is empty. It is very important file for me what to do?

Where were you trying to save the file? To somewhere in c:\program files\ or c:\windows or similarly protected area? Or were you trying to save to a normal writeable directory on your machine’s local drive? Or a mounted network drive? Because it only suggests Administrator if it gets a “permission denied” error when you try to write the file.

after accepting my file is empty. It is very important file for me what to do?

Bummer. Unfortunately, if you already restarted Notepad++, and it didn’t have the Settings > Preferences > Backup set to take “session snapshots and periodic backups”, your unsaved changes were never written to disk anywhere. As soon as Notepad++ exited, those bits were removed from active memory, and were lost. Since the files were likely never written to disk, I doubt that an external file-recovery utility like Recuva would work for you, but you might try directing such at the `c:\users<username>\AppData\Roaming\Notepad++\backup

See our FAQ on backups for more details about how the Notepad++ backup settings work, how the AutoSave plugin can help improve things, and best-practice suggestions for avoiding data loss in the future.

Also, I think one of the frequent contributors is actively working on a solution to have Notepad++ be able to get UAC permission for a file-save without needing to restart the application – such a feature would definitely help in your case. Unfortunately, I’ve spent the last few minutes trying to find the Issue or PR where that was being discussed, and haven’t found it yet.

@PeterJones said in Digital certificate for open source projects:

be able to trace that signature to a Certificate Authority in the windows certificate manager store

IMO - not an option for N++.
Even the GitHub does not recognize the sign, so I doubt the MS will, moreover the needed x509 cert is a short-lived one (expires immediately?):

https://docs.sigstore.dev/about/faq/#i-signed-my-commit-with-gitsign-but-it-shows-up-as-unverified-in-my-github-repository-page-why

The Sigstore CA root is not a part of GitHub’s trust root. Gitsign’s ephemeral keys are only valid for a short time, so using standard x509 verification would consider the certificate invalid after expiration. Verification needs to include validation via the transparency log to verify that the certificate was valid at the time it was used.

@Bhaalthazar said in Security of Legacy Notepad++ Versions (CVE-2025-49144):

patching older vulnerable versions

It could be fun, now without the public CA cert available…

@Brian-Dickens

https://community.notepad-plus-plus.org/post/102220

As I said, without the N++ digital signature, stupid AVs go nuts.

The number of false positives from AVs is so high because in the past, many attackers probably have also used the free, open source NSIS for their purposes.

Here’s my reply:
https://github.com/notepad-plus-plus/notepad-plus-plus/issues/16638#issuecomment-2947240947

@Emmanuel-Meekers
AFAIK there is no technical means to limit the number of plugins a user is able to install. You can only remove the capability to install plugins at all.

You could do a survey which plugins your employees need. There can be different needs, e.g. technical staff likely needs other plugins than employees that ar more involved in administrative tasks. Then you can install these plugins on the employee’s machines.

After that you need to rename or delete <install-directory>\updater\GUP.exe to prevent users from installing any other plugins. As long as your employees don’t have admin access to Notepad++'s install directory, they are not able to revert these changes.

The disadvantage is that your users neither will be able to update Notepad++ itself nor the installed plugins. This is something your ICT department has to do.

@Alan-Kilborn So where should this be discussed then?

I would greatly appreciate if anyone did know of some little FOOS tool/script like I mentioned, more reliable than what I’ve hacked together, to help me secure my friends cyber security.

Can people here DM me suggestions?

If there was a discord this could be spun off into a thread.

I’m not sure if it matters to anyone but the suggestions and discussion so far have been really helpful and spot on solving the problem which I’m still using NPP for BTW (such as displaying instructions as we just discussed).

For some perspective, the person I’m trying to help recently lost 7kg in just over a week due to stress and worry from being targeted and harassed by some hacker/scammer that’s been messing with then, trying to take accounts etc for a while now.

I agree it’s not on strictly topic and I don’t expect to discuss this here, it’s just without at least giving a way to continue the discussion elsewhere, given the fact that it’s still directly addressing the goal I initially stated, and the potential consequences to people, it seems kinda callous to just stomp on it like we’re posting cat memes.

So how and where should this be continued, or is that irrelevant?

@Izzy-Gonzalez said in Notepadd++ General version update function:

Is there any way to allow a normal user to update the software without having to provide the user admin rights to the local PC?

Microsoft has defined C:\Program Files\ (and equivalent, though I’ll use that as the generic path going forward in this post) as requiring UAC (elevated privileges, or “Admin privileges”). If someone installs Notepad++ into C:\Program Files\Notepad++\, then it will require admin rights (unless you have disabled UAC on your PC).

If you cannot disable UAC requirements, you could try changing the permission of the C:\Program Files\Notepad++\ directory (and all subdirectories) – which will require UAC/Admin once to be able to change the permissions, but should successfully update thereafter. (That’s what I do on my work machine, since I frequently update Notepad++ or its plugins, and got tired of entering my password every time I did.)

If changing permissions of the installation directory is not something you’re interested in, you might consider installing Notepad++ to a location where you do have write access, instead of in the default C:\Program Files\Notepad++\ – maybe you could create a directory called C:\LocalApps\, and install Notepad++ as C:\LocalApps\Notepad++\ . As long as you installed it as your local, non-privileged user and have appropriate permissions in the C:\LocalApps\ hierarchy, you shouldn’t be pestered for Admin rights on future updates.

@Paolo-Monni ,

I found this comment from Don which indicates that DigiCert donated a certificate in 2022. (And previously in v7.7 release notes in 2019.)

So yes, it’s a free certificate donated by the certificate authority. I don’t know of any cheap sources for mere mortals

Update: a quick web search found this reddit discussion which had discussions about a few options – it started 3 years ago, but there have been a few more-recent comments, and it at least gives a starting point for future research.

@Shravan-Joshi ,

When are you planning …

We at this Forum are the Community of Notepad++ users, not the developer. We are not planning to update anything.

This is apparently a rather new issue – it was just publicly reported to the author yesterday. But you can watch that official issue to see when something happens with it.

@saladah0330 - I uploaded Notepad++ v8.6.7 to https://www.virustotal.com/gui/home/upload and that web site says Zillya / Trojan.Rozena.Win32.219427

If you search the Notepad++ forums for Zillya you will find it’s a longstanding issue. As AV vendors do not document the details of their detection process we don’t know why that particular scanner complains about Notepad++.

Notepad++'s triggering for updates process is not related to this issue. The installer package that you download is exactly the same regardless on if a download was before or after is triggered for updates.

It’s a puzzle that Zillya did not complain about the file you downloaded. If you still have the installer.exe file see if Zillya still does not complain.

The size of your file should be one of:

4,701,256 bytes for npp.8.6.7.Installer.exe 4,854,296 bytes for npp.8.6.7.Installer.x64.exe

Check your web browser’s download history and get the exact URL that you downloaded the installer from. It should be either

https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.6.7/npp.8.6.7.Installer.x64.exe https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.6.7/npp.8.6.7.Installer.exe

The download page at https://notepad-plus-plus.org/downloads/v8.6.7/ has GPG signatures that can be used to see if the exe you have in hand matches what Notepad++'s developer intended you have…

@bitRAKE
Good catch! I already an issue in the mimeTools repo referencing that article.

Of course, if it is, as you say, not an issue with the official plugin but rather an issue with Notepad++ loading a malicious DLL of the same name, I guess there’s nothing Don Ho can do about the issue.

@andy778 ,

Could you put a little more effort into explaining what you’re talking about? As it is, I had to do research on my own to figure out whether you were just an incompetent spammer, or whether you were actually trying to have a Notepad++ related conversation…

I had never heard of the OpenSSF Scorecard before your post, though I did a bit of digging after.

It doesn’t seem to be just spam, since that tool is at least mentioned/described by the US Cybersecuirty & Infrastructure Security Agency (https://www.cisa.gov/resources-tools/services/openssf-scorecard)

I found that https://securityscorecards.dev/ describes how to run it, either from a GitHub action or from a command line, but the command line requires an environment I don’t have immediate access to, so I cannot see how the results might be presented.

Some possible discussion points, assuming you were willing to provide more information:

A score alone tells us nothing, especially if we know nothing about the service. Is it allowed by the license of that software to actually share the results (as more than a meaningless “aggregate score”)? (Given it’s for scoring FOSS projects, I would assume that the results were Free and Open as well.) If it is allowed, and you want to spark discussion, you need to share more of the results, so there’s actually something to talk about.

What kinds of scores do other comparable, volunteer-only, 0-budget OSS projects get?

All the environments for running the tool seem to be non-Windows-specific (Homebrew is Mac, AFAIK; Docker is for mixed environments, and “Nix” is presumably a derivative of “*nix”, which is the generic “Unix/Linux/similar” term [though I had never seen it without at least the splat]). But given that none of those is Windows-specific, is OpenSSF scorecard actually capable of meaningfully scoring a Win32 project? Or does OpenSSF subtract points for just using a non-open-source environment like Windows?

If you’re trying to convince the Developer that the OpenSSF needs to be run automatically as a GitHub Action, you won’t be able to do that here, as he doesn’t read random posts in the Community Forum. But if you can show the fellow users that it might be a useful tool, which brings up actionable points with something more than a meaningless number, we might encourage you to put in an official feature request to add an Action for this tool (as the Developer has shown, for example with the EU-FOSSA review a few years ago, that he is willing to entertain Open Source reviews and the inputs they provide).

These were paid ads… malware developers sometimes buy advertising on Google

@mkupper That also makes sense. Thank you for the clarification and possible reasons for this occurring! I really do appreciate it.

The issue has been reported to the developer. It is up to him when it gets fixed.

The developer has committed a fix, updating to curl 8.4.0. The new libcurl.dll should be included in the next version of Notepad++ (presumably to be named v8.5.9).

Good catch!

I think this page on the Developer Program Policy for impersonation might cover this.

Quoted from the page (with emphasis on the item I think those apps violate):

Impersonation

We don’t allow apps that mislead users by impersonating someone else (for example, another developer, company, entity) or another app. Don’t imply that your app is related to or authorized by someone that it isn’t. Be careful not to use app icons, descriptions, titles, or in-app elements that could mislead users about your app’s relationship to someone else or another app.
Examples of common violations

Developers that falsely imply a relationship to another company / developer / entity / organization.

The developer name listed for this app suggests an official relationship with Google, even though such a relationship doesn’t exist.

Apps whose icons and titles are falsely implying a relationship with another company / developer / entity / organization.

The app is using a national emblem and misleading users into believing it is affiliated with government.

The app is copying the logo of a business entity to falsely suggest it is an official app of the business.

App titles and icons that are so similar to those of existing products or services that users may be misled.

I for one am going to flag those apps because of the icon/title collisions.