SkillAgentSearch skills...

StickyParser

StickyParser - Sticky Notes Forensic. A Windows Sticky Notes Praser (snt and plum.sqlite supported). Additional Feature: SQLite Recovery - Deleted content recovery from plum.sqlite or any generic sqlite.

GenerateConvertImprove

Install / Use

/learn @iamhunggy/StickyParser
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

StickyParser

A Windows Sticky Notes Parser (snt and plum.sqlite supported) - Recovery of sqlite/plum sqlite also supported.

For details on how Sticky Notes work, you could also refer to my write up here : https://dingtoffee.medium.com/windows-sticky-notes-forensics-80ee31ab67ef

Sticky Notes is a feature starting from Windows 7 that allows a user to create sticky notes on their desktop/laptop. 

Legacy Sticky Note Format 

  • Available Windows Version: Windows 7 to Windows 10 (before build 1607) 
  • Location: %APPDATA%\Roaming\StickyNotes\StickyNotes.snt The .snt file is an MS OLE/compound file binary format.  .snt file can be opened and viewed using the MiTEC Structured Storage Viewer or you could also use the parser I created to extract the content. 

Win10 Sticky Note Format 

  • Available Windows Version: Windows 10 (After build 1607) 
  • Location: %LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
  • Transaction Log and Events : %LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite-shm and %LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite-wal

Starting from Windows 10 Build 1607, Microsoft has changed the sticky note databse from OLE to sqlite3. In order to view the completed events, it is recommended to roll the transaction logs and events of sqlite-shm and sqlite-wal into sqlite3. You could use any sqlite browser or my script to parse the information out.

Features

For latest version of StickyNote,

  • Copy everything under the %LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState.
  • Run StickyPraser against the copied folder. Make sure the other files apart from the plum.sqlite are all in the same folder. Once run, WAL/SHMfiles will be merged into .sqlite file.
  • Execute StickyPasrser
  • Result csv will be created under the directory you specified.
  • All timestamps are recorded in UTC.

For legacy snt format of StickyNote,

  • Copy StickyNotes.snt under C:\Users\User\AppData\Roaming\StickyNotes\
  • Run StickyPraser against the StickyNotes.snt
  • Result csv will be created under the directory you specified.
  • All timestamps are recorded in UTC.

Additional Features:

  • Support recovery of deleted content of plum.sqlite.
  • Result will be created under the directory you specified.

Support Python Version 3.x only.

Prerequisite

Please install the relevant Python modules before running: pip install pandas olefile

Usage

usage: stickyparser.py [-h] [-s [snt file]] [-p [sqlite file]] [-d [File Directory]] [-r [sqlite file]]

StickyParser: Parses sticky note files in legacy snt formats or latest sqlite formats.It can also be used to recover
deleted content inside sqlite. For latest version of StickyNote, please copy everything under the
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbw\LocalState Folder. Run StickyPraser against
the copied folder. Make sure the other files apart from the plum.sqlite are all in the same folder. Once run, WAL/SHM
files will be merged into .sqlite file.

optional arguments:
  -h, --help           show this help message and exit
  -s [snt file]        Sticky note .snt file. Example: StickyParser.exe -s C:\Users\User\AppData\Roaming\Sticky
                       Notes\StickyNotes.snt. Choose either -s or -p only.
  -p [sqlite file]     Sticky note plum.sqlite file. Example: StickyParse -s <Path>\plum.sqlite. Choose either -s or
                       -p
  -d [File Directory]  Specify the directory where the output should write to. Example: StickyParser -p <path> -d
                       C:\Users\User\Desktop\
  -r [sqlite file]     To recover deleted content from sqlite.

Example Commands

  • Parse snt file
python stickyparser.py -s "C:\Users\User\AppData\Roaming\StickyNotes\StickyNotes.snt" -d C:\temp
  • Parse plum.sqlite file
python stickyparser.py -p %LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite -d C:\temp
  • Recovery of deleted content inside plum.sqlite (it may also support generic sqlite3 file)
python stickyparser.py -r %LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite -d C:\temp

Example Outputs

SNT Paser Output SNT Praser Output Plum Sqlite Paser Output Plum Sqlite Paser Output

References

  • https://github.com/aramosf/recoversqlite
  • https://gist.github.com/daddycocoaman/e1a4f31109e17188d5ce8fd0ca15b63e

Related Skills

feishu-drive

344.4k

|

things-mac

344.4k

Manage Things 3 via the `things` CLI on macOS (add/update projects+todos via URL scheme; read/search/list from the local Things database)

clawhub

344.4k

Use the ClawHub CLI to search, install, update, and publish agent skills from clawhub.com

postkit

PostgreSQL-native identity, configuration, metering, and job queues. SQL functions that work with any language or driver

iamhunggy

View profile

View on GitHub
GitHub Stars21
CategoryData
Updated19d ago
Forks1
iamhunggy/StickyParser

Languages

Python

Security Score

90/100

Audited on Mar 13, 2026

No findings