Tales from the Crypto

Alun Jones (Security MVP Reconnect) writes about security, cryptography, SSL, PKI, and pretty much anything else that bothers him enough.

April 26, 2007

Alternate Data Streams in Windows Vista

Windows NT 3.1 was released … oh, back in the early to mid ’90s.

Ever since then, I’ve been aware that it supported Alternate Data Streams, also known as ADS, or in some technical documents that didn’t make it to final review, Alternative Data Streams.

This was added, I think, to support Macintosh resource forks, and to extend them.

It’s been used for any number of things, from “Mark of the Web” (file:Zone.Identifier), to thumb-prints (using a very random looking string), to icons for favourites (file.url:favicon). Some viruses have even tried to use ADS to hide themselves (though, as I’ve noticed before, there has to be a non-ADS way of executing it that can be found with a regular virus scan).

I’ve noted before that it’s a little tricky to enumerate and handle alternate data streams in operating systems prior to Windows Server 2003, at least from the API, but I’ve been complaining since the days of NT 3.1 that there’s no support in the command line or the GUI for listing alternate data streams in files.

But the big secret in Vista, that I have yet to see anyone report on, is that Vista allows you to list streams from the command line:


All I can say is, after about 15 years, it’s ABOUT DAMN TIME!

Now, could you provide me with the following?

“dir /s /b /r | findstr /r “…:””, so that I can do a recursive search to find all the alternate data streams on my drive?

A command to delete the stream (“del null.txt:foo.txt” or “del null.txt:foo.txt:$DATA” both give back the error message “The filename, directory name, or volume label syntax is incorrect.” – even though the RemoveFile API can take those names and delete the stream)?

For the first option, you can always use my “sdir” – StreamDir – a tool that lists streams in a similar format. You can find it over at http://www.wftpd.com/downloads.htm

Still, of course, there is no GUI, nor any GUI way to search for alternate data streams.

But this “dir /r”, this is a baby step forward.
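
The recursive search asked for above can be approximated by post-processing the output of "dir /s /r": carry the most recent "Directory of" header forward to each stream line, so every stream is reported with its full location. This is an added example, not code from the original post or from sdir; the sample listing is constructed, the parser assumes the English-locale dir layout, and the KNOWN_BENIGN set is an illustrative assumption built from stream names the post mentions.

```python
import ntpath
import re

# Constructed sample of English-locale `dir /s /r` output (not a real capture).
SAMPLE = r"""
 Directory of C:\temp

04/26/2007  10:01 AM                 0 null.txt
                                    12 null.txt:foo.txt:$DATA
04/26/2007  10:02 AM               120 site.url
                                 1,150 site.url:favicon:$DATA
               2 File(s)            120 bytes

 Directory of C:\temp\downloads

04/26/2007  10:06 AM            52,224 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               1 File(s)         52,224 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# Stream lines carry no date: indent, size, then name:stream:$DATA.
STREAM_RE = re.compile(r"^\s+([\d,.]+)\s+([^:]+):([^:]+):\$DATA\s*$")
# Assumption: stream names the post cites as ordinary uses, for triage only.
KNOWN_BENIGN = {"zone.identifier", "favicon"}


def find_streams(dir_output):
    """Return (full_path, stream_name, size) for each named stream listed."""
    current_dir, found = None, []
    for line in dir_output.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)  # remember which folder we are in
            continue
        m = STREAM_RE.match(line)
        if m and current_dir is not None:
            size = int(re.sub(r"[,.]", "", m.group(1)))
            path = ntpath.join(current_dir, m.group(2))
            found.append((path, m.group(3), size))
    return found


def unexpected_streams(found):
    """Keep only streams whose names are not on the benign list."""
    return [s for s in found if s[1].lower() not in KNOWN_BENIGN]


if __name__ == "__main__":
    for path, stream, size in find_streams(SAMPLE):
        print(f"{path}:{stream}  ({size} bytes)")
```

On a real system the input would come from saving the output of "dir /s /r" to a file and passing its text to find_streams.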


  1.   Ken Hoover — April 30, 2007 @ 8:48 am

    About damn time indeed.  Amen!

  2.   user551 — July 27, 2007 @ 6:37 am

    dir /a /s /d | findstr $DATA

    works fine for me, not sure if it misses some of the alternate data streams but it works alright.

  3.   alunj — July 27, 2007 @ 4:26 pm

    I presume you mean “dir /a /s /r | findstr $DATA” – and while that will tell you the name of the file and stream, it doesn’t tell you the location of the file and stream.

  4.   Jim — September 26, 2007 @ 2:22 pm

    Have you tried a tool called LADS? That can be used to recursively search for Alternate Data Streams.

    Also the rm command in MSYS can be used to delete ADSs. It can be used in the command line by adding the MSYS bin folder to the end of your path environment variable.

  5.   Tim Slattery(MVP) — July 15, 2008 @ 12:41 pm

    Ah..I didn’t know about the new dir switch in Vista, thanks!

    You don’t mention that redirection characters on the command line (< , >) can handle ADSs. For example: type a.txt > b.txt:str1 copies the contents of a.txt into the str1 named stream of b.txt. See my page that discusses ADSs (in the Website slot).

    In XP ADSs are used to store the data shown on the “Summary” tab for many file types (ie: *.txt files which have no place else to put it). A poster in ms.p.vista.general this morning is claiming that that’s not true in Vista. I’m at work with an XP machine, so I can’t verify that. My Vista computer is at home, but I’m going to have to check that out when I get there.

  6.   alunj — July 15, 2008 @ 1:21 pm

    I think it depends on the type of file – for instance, JPGs and MP3s have their own format for storing detailed information inside of themselves – this is why it takes a long time the first time you add a Title, or an Artist to an MP3 – it has to re-write the file.
    Other files have no room for metadata, and so such details have to ride outside the file – and ADS is a good place to do that.

  7.   Andreas Kontarinis — July 29, 2008 @ 7:47 am

    “…and ADS is a good place to do that.”

    I strongly agree with that phrase… only I find it very strange that indeed Vista doesn’t support this behavior at all! I have tried to find an extension to enable at least tag (keyword) support for any files or – even better – folders, because that would be the most useful way of implementing that. But nothing exists…

    The reason is said to be that when you move the file to a non-NTFS volume the information is lost and the user doesn’t know it. So the file is modified to include the data! But, most of the time you DON’T want to change the file or give that personal information to others… like when you rate a file or categorize it according to your other files using tags.

    As for the reason given, maybe there could be an addition to the Explorer interface that when copying a file to an unsupported medium, there could be an option to convert the stream to an extra file or something… Windows is really filled with small little config files (like “desktop.ini”), this couldn’t be so terrible I think!

    Is there a way of contacting anyone responsible in Microsoft and changing their minds about it? This decision made a very useful feature in Vista a completely useless one… and the way to implement it using ADS was there from the beginning! It is the best way, with no extra files or databases and really bound to the file wanted!

    Sorry for the long comment, I understand that it has nothing to do with you but I am really frustrated by this behavior… :-/

  8.   alunj — July 29, 2008 @ 8:11 am

    So there’s an empty spot in the market here – someone needs to write a shell namespace extension that adds an extra tab for comments or other tags to be added to the user’s choice of files. With luck some programmer out there will read this and start coding.

  9.   anonymous — December 30, 2008 @ 3:41 am

    Yes if some dev reads this I request him to help some helpless users to get back the “Summary” tab for Vista.
