Learning About Computers and the Internet

Alternate Data Streams (forks) in Windows NTFS Files
NTFS files and directories can contain separate, independent units of data called "streams" or "forks". These alternate data streams are hidden from most operations. Their properties and management are discussed.

A somewhat obscure feature of files stored on NTFS formatted media is the capability for a file to contain separate and independent collections of information. These units of data have been given the name "streams" since they are sequences of bytes. All files have one default unit of data or "stream", which is the part that we usually mean by "the" file. It is also the part that the Windows system associates with the file name. In addition, however, a file may contain other, alternate data streams. Alternate data streams (ADS) are not generally known outside of technical circles and are hidden from many of the usual ways that files are listed. They are not listed in Windows Explorer, their size isn't added to the listed file sizes, and they are not listed by a normal "dir" command. In many respects they are invisible. Yet an alternate stream can contain a variety of information. It may be information about the file (metadata), security settings, or even another file.

Managing alternate data streams

An alternate data stream is named with the notation:

    filename:streamname

where "filename" is the ordinary default stream that we think of as "the" file and is what appears in Windows Explorer. This is followed by a colon and the name given to a particular stream. Note that a file can have a number of streams. In some cases the stream name is a hexadecimal GUID or other arcane notation or it can be another file name. I am going to skip some of the arcane details and confine the discussion primarily to the case where the alternate data stream is another file since this will be the topic of primary interest to most PC users.

Finding alternate data streams

Since ADS are not listed in the usual places, how can we find them? The easiest way is to download one of the utilities that are available for listing ADS. I have tried two. Both "Streams" from Microsoft Sysinternals and "LADS" from Frank Heyne work fine. Given a file or folder to search, a list of any streams that are found will be displayed. Operations with ADS are generally carried out in the command prompt and each utility is simply a file that is used in the command line. Place the file anywhere convenient. However, a folder that is in the path environment usually makes things easier. A command using the program "Streams" might read:

    streams somefolder\*

This would list any streams in the specified folder. A switch is available to recurse subfolders. Note that a listing of ADS often includes notation showing the type of content. Thus a listing might read:

    somefile:somestream:$DATA

Here $DATA indicates the nature of the stream. The utilities mentioned here list only the names of ADS. They do not display the contents.

In Vista, a switch /R has been added to the directory command that allows the listing of alternate streams. To list streams, use the command:

    dir /R somefolder

Viewing or accessing alternate data streams

If you know the name of a stream, some Windows applications can view or even run a stream. If the stream consists of text, you can enter into the command line:

    more < [path]somefile:somestream

You will then get the text of the stream as output. For text streams, you can also use Notepad in the command line. Enter:

    notepad [path]somefile:somestream

Notepad will open and display the text. For an application like Notepad you must use the fully-qualified path for the stream.

A stream can also have binary content or even be an executable file. For example, the stream might be a picture. The accessory Paint can open an image stream thus:

    mspaint [path]somefile:somepicture.gif

Other graphics programs may not work, however.

Note that the same file that has a text stream could also have a binary stream (or several).

Executable streams

Even an executable file can be a stream on a text file. An innocent looking 1 KB text file can actually contain a hidden (and large) executable file. If an executable stream is present, it can be run by the command:

    start [path]somefile.txt:someprogram.exe

Note that the full path must be used. (This does not work in Vista.)

Creating alternate data streams

It is very easy to add an alternate data stream to an existing file. Again we make use of the command line. To create a new stream containing some text enter the command:

    echo {some text} > [path]somefile:addedtext.txt

The file "somefile" will then contain a stream with the text file "addedtext.txt" containing the text from the "echo" command.

Adding an entire file, including binary files, as a stream is done by the command:

    type [path]programfile.exe > [path]somefile:addedfile.exe

Alternate data streams can also be attached to a directory with similar commands.

Security considerations

Since an executable file can be hidden inside an otherwise harmless file, a malicious file could be hidden by this method. Fortunately, major anti-virus programs can recognize alternate streams. Also, a hidden file in a stream is removed when a containing file is copied to a non-NTFS medium like most thumb drives or emailed as an attachment. Further, a file in a stream will not survive the usual download methods. The utility "Streams" discussed above has a switch for deleting ADS.
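
As an added example (not part of the original article), the following Python sketch triages a saved "dir /R" listing for the case described above: a small file carrying a large or executable stream. The sample listing is constructed, and the executable-extension list, the benign-stream allowlist and the 4096-byte limit are assumptions of this example.

```python
import re

# Constructed sample of `dir /R` output (not captured from a real system).
SAMPLE = r"""
 Directory of C:\demo

03/01/2016  09:15 AM    <DIR>          .
03/01/2016  09:14 AM             1,024 notes.txt
                               482,304 notes.txt:someprogram.exe:$DATA
03/01/2016  09:10 AM            20,480 report.doc
                                    26 report.doc:Zone.Identifier:$DATA
03/01/2016  09:12 AM             3,000 readme.txt
                                    40 readme.txt:addedtext.txt:$DATA
               3 File(s)         24,504 bytes
"""

FILE_RE = re.compile(r"^\S+\s+\S+(?:\s+[AP]M)?\s+([\d,]+)\s+(.+?)\s*$")
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+):([^:]+):\$DATA\s*$")

# Assumptions of this example: executable extensions and benign stream names.
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".ps1")
BENIGN = {"Zone.Identifier"}  # download-origin marker written by Windows


def find_suspicious_streams(listing):
    """Return (file, stream, size, reasons) for streams worth a closer look."""
    host_sizes, findings = {}, []
    for line in listing.splitlines():
        m = FILE_RE.match(line)
        if m:  # ordinary file line: remember the default stream's size
            host_sizes[m.group(2)] = int(m.group(1).replace(",", ""))
            continue
        m = STREAM_RE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        host, stream = m.group(2), m.group(3)
        if stream in BENIGN and size <= 4096:
            continue  # small, well-known stream: ignore
        reasons = []
        if stream.lower().endswith(EXEC_EXT):
            reasons.append("executable extension")
        if size > host_sizes.get(host, 0):
            reasons.append("stream larger than host file")
        if reasons:
            findings.append((host, stream, size, reasons))
    return findings

print(find_suspicious_streams(SAMPLE))
```

Date and size formatting in "dir" output depends on the system locale; the patterns here assume the US English layout shown in the sample.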

Additional information

More information about alternate data streams can be found at these references:

©2002-2016 Victor Laurie