New Plugins Home (where Notepad++ will load from)



  • @donho have a look here.

    I feel we need to consider case where people use common PC. So user choice should be honored. If all the plugins go to %ALLUSERSPROFILE%, then it will be available to all. But some user may not want a particular plugin and may uninstall it which will impact other user on the same machine.



  • @SinghRajenM said:

    I feel we need to consider case where people use common PC. So user choice should be honored. If all the plugins go to %ALLUSERSPROFILE%, then it will be available to all. But some user may not want a particular plugin and may uninstall it which will impact other user on the same machine.

    I do understand the need. However, there’ll be some situation which make Plugins Admin behaviour inconsistent:
    If the same plugin foo.dll is in 2 different locations, %ALLUSERSPROFILE%\Notepad++\plugins\foo\foo.dll and %LOCALAPPDATA%\Notepad++\plugins\foo\foo.dll
    Notepad++ should load only one (let’s say the one in %LOCALAPPDATA%). If user removes this plugin by using Plugins Admin, after restart, the one in %ALLUSERSPROFILE% will be loaded by Notepad++ - user will be confused.

    So the best behaviour (to me) is loading plugins only from one location.

    @Meta-Chuh Sorry, I wasn’t clear. I just updated the content.



  • @donho ,

    If user removes this plugin by using Plugins Admin, after restart, the one in %ALLUSERSPROFILE% will be loaded by Notepad++ - user will be confused.

    What about removing the plugin from both places in this case?
    Or refusing to install it locally for the user if it is already installed for all users?



  • Alternative solution:

    1. Don’t allow installation in %LOCALAPPDATA%\Notepad++\plugins\ when plugin/dll already available in %ALLUSERSPROFILE%\Notepad++\plugins\ i.e. allow only one installation location.
    2. When duplicate plugins are detected (e.g. manually installed by user in %LOCALAPPDATA%\Notepad++\plugins\), load the one that is favorite (e.g. configuration option named UserProfile with value All or Current).

    Furthermore, it would be nice/helpfull when the PluginAdmin has a column indicating where each plugin is installed e.g. AllUsers or %UserName%.



  • @donho

    I do understand the need. However, there’ll be some situation which make Plugins Admin behaviour inconsistent:
    If the same plugin foo.dll is in 2 different locations, %ALLUSERSPROFILE%\Notepad++\plugins\foo\foo.dll and %LOCALAPPDATA%\Notepad++\plugins\foo\foo.dll
    Notepad++ should load only one (let’s say the one in %LOCALAPPDATA%). If user removes this plugin by using Plugins Admin, after restart, the one in %ALLUSERSPROFILE% will be loaded by Notepad++ - user will be confused.

    I feel this can be handled easily.

    1. Always, give preference to user location (preferably %appdata% over %localAppdata%), than the global location which can be %allusersprofile%.
    2. All default plugin can go to global location.
    3. New plugin installation should go to user location. Even update of an existing plugin should go to user location only. Because Npp will give preference to user location always as per #1.
    4. If user tries to remove a plugin then
    • if plugin present only in global scope (e.g. %allusersprofile%), then don’t actually remove a plugin, rather mark it in ignored list. This list should be maintained in user scope. It can be written either as config file somewhere in %appdata% or in HKCU. %appdata% is preferred as it can roam from PC to PC for domain users.
    • if plugin present in both user and global scope, then remove the plugin from user scope and mark it in ignore list as well so that loading from global scope will be avoided.


  • @donho

    What will be the location for nppPluginList.dll?



  • @donho

    When plugin authors want to update a plugin they have to change the related entry in the plugin list. Thus they need the ability to test if this entry works correctly.

    Since the nppPluginList.dll file can not be changed we need another approach. What are your ideas/plans concerning this point?



  • @SinghRajenM said:

    if plugin present only in global scope (e.g. %allusersprofile%), then don’t actually remove a plugin, rather mark it in ignored list.

    I like this idea of yours. It is an efficient way out of the problem where user A doesn’t want particular plugin and by removing it removes it for all other users as well.

    But the approach to install and prefer always the user version of a plugin is two-folded. It depends on the way you look at it.
    If you look from an administrator’s perspective you might want the users to access specific set of plugins (including specific versions) that are known to be safe and the possibility for a user to overwrite your secure version with his custom one is a nightmare. You can see @Fran-Favorini 's post here.



  • @dinkumoil

    What will be the location for nppPluginList.dll?

    There is no impact for plugins location or am I missing somethings?

    When plugin authors want to update a plugin they have to change the related entry in the plugin list. Thus they need the ability to test if this entry works correctly.
    Since the nppPluginList.dll file can not be changed we need another approach. What are your ideas/plans concerning this point?

    They should always use the tools with the current plugin list. It should be enough for testing, shouldn’t it ?



  • @pnedev

    If you look from an administrator’s perspective you might want the users to access specific set of plugins (including specific versions) that are known to be safe and the possibility for a user to overwrite your secure version with his custom one is a nightmare.

    Oh, I see. But even this also can be handled using config or registry whether to allow user to load/install/update plugin. This config can be written by providing an another checkbox on installer’s last page (just before finish), or can be pushed as group policy from domain users.

    Otherwise, standard user will never be able to use any new plugin because s/he can’t write to %allusersprofile%. This way we are just blocking normal user to use full-fledged plugin managers even administrator does not set any policy explicitly. However, this statement is not validated, but I feel it is true in most of the cases. Correct me, if I am wrong.



  • @donho

    The current discussion about how and where to install plugins has overlayed the questions in my comment. I wanted to have exact infos about these topics.

    @donho said:

    @dinkumoil said:

    What will be the location for nppPluginList.dll?

    There is no impact for plugins location or am I missing somethings?

    Maybe this is the wrong topic to ask this question. There was a discussion if the file maybe should be stored under %ProgramData% in order to make it available to all users. I wanted to know the current status of that discussion.

    They should always use the tools with the current plugin list. It should be enough for testing, shouldn’t it ?

    OK, question answered.



  • @dinkumoil said:

    Maybe this is the wrong topic to ask this question. There was a discussion if the file maybe should be stored under %ProgramData% in order to make it available to all users. I wanted to know the current status of that discussion.

    What’s your thought about it then?



  • @donho said:

    What’s your thought about it then?

    I think it would be better to store it under %ProgramData%. A plugin list only available for that user who installed Notepad++ makes no sense, especially as in the future the plugins itself seem to get stored under %ProgramData% as well.



  • @SinghRajenM said:

    However, this statement is not validated, but I feel it is true in most of the cases. Correct me, if I am wrong.

    I’m not quite familiar with that but your comment sounds perfectly reasonable to me.



  • The idea of plugins loading from both default / user folders is good (I said it and I say it again), but in order to avoid plugins management conflict and simplefy the implementation, I think it’s a nice-to-have but not a must-to-have feature. Therefore it won’t be implemented.



  • @dinkumoil said:

    I think it would be better to store it under %ProgramData%. A plugin list only available for that user who installed Notepad++ makes no sense, especially as in the future the plugins itself seem to get stored under %ProgramData% as well.

    @dinkumoil & @SinghRajenM :
    It’s a good idea to have one list for all users. However, the nppPluginList.dll is supposed to be updated independently. It means Notepad++ which is launched without Admin right cannot modify the data in %Programdata%. So plugin list cannot be in %Programdata% because it cannot be updated by users without admin right.
    Or you’ve got a solution for that?



  • Notepad++ loads plugins from: <NPP_INST_DIR>\plugins
    is strictly needed if you are in an environement where the enterprise sets the MS Windows AppLocker to allow only binaries from a certain position or every binary needing a signature and everything is pre-packaged.

    in such an environment, users cannot install plugins themselves but every plugin needed by a user needs to be pre-packaged with NPP itself and then distributed to all.

    any idea how this can be achieved with 7.6? i am one of the NPP users in this environment and also responsible for the instructions how to package it.



  • @donho

    If the file nppPluginList.dll gets stored under %ProgramData% I guess the exact path would be %ProgramData%\Notepad++\plugins\config\nppPluginList.dll.

    If plugins get installed under %ProgramData% the exact path would be %ProgramData%\Notepad++\plugins\<plugin-name>\<plugin-name>.dll.

    These would be two different locations. Thus it would be possible to change during installation of Notepad++ the NTFS access rights of the directory %ProgramData%\Notepad++\plugins\config to grant access to all users.

    The nppPluginList.dll doesn’t contain executable code and, I guess, it is loaded with the flags LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE, thus access rights for all users should not introduce any risk.

    BUT what’s about plugin installation? Storing plugins under %ProgramData%\Notepad++\plugins\<plugin-name> would also require elevated rights, a thing GUP.exe currently doesn’t do (maybe it is even not able to do).

    If we want plugins to be installed under %ProgramData% we need a GUP.exe that is able to trigger UAC when copying a files to a certain directory. Thus GUP.exe could be used to download and install nppPluginList.dll and plugins themself.

    Because GUP.exe isn’t able to provide user feedback during plugin installation I think it is necessary to extend this program anyway. The current version is too simple - too much KISSes ;-).


    Some thoughts from a higher point of view:

    As far as I know all these discussions about where and how to store plugins derive from the idea to publish a Windows Store App variant of Notepad++. Because Microsoft issued the policy that an UWP package has to be immutable it is not possible to change the content of an UWP app’s installation directory.

    BUT Microsoft has also issued the policy that files with executable code have to be stored under %ProgramFiles% because this location offers some sort of protection against malware attacks. Thus neither %LocalAppData% nor %ProgramData% is the right place for storing plugin DLL files.

    It seems like the author of the UWP package spec had not in mind that there could be UWP apps which provide a plugin interface, thus he brought us into a dilemma - it makes no difference where plugin DLL files get stored, as long as the location tries to fit the requirements of an UWP app the location is WRONG, because of the one or the other policy.

    How about declining the requests for a Notepad++ UWP app variant because of security concerns and because the whole concept of UWP apps is crap?

    There is a certificate protected SciLexer.dll and SHA-256 hashes of plugin ZIP files to prevent malware and man-in-the-middle attacks but DLL files get stored at unsecure locations - it’s a paradoxon.



  • See https://github.com/NightRi-se/notepad-plus-plus/issues/10 and workaround https://github.com/NightRi-se/notepad-plus-plus/issues/19 for UWP. Plugins seems to be a problem in that environment.



  • @dinkumoil
    Indeed, it’s just implemented in 61402a354f214fab8d6899ec19e57f657268c0c6 :
    https://github.com/notepad-plus-plus/notepad-plus-plus/commit/61402a354f214fab8d6899ec19e57f657268c0c6

    However, I really don’t think it’s a good idea to put plugin list in %PROGRAMDATA%. The reason is the following:
    The UAC elevation will be required for updating plugin list - and it’s the case for one part of use case (no idea about the percentage).
    Another use case (IMO it’s more common) is without UAC elevation to update plugins list - to make Notepad++ hard to use for just one usage case, that’s what I’m trying to avoid to.


Log in to reply