Alternate Data Streams in Windows Vista

Windows NT 3.1 was released … oh, back in the early to mid ’90s.

Ever since then, I’ve been aware that it supported Alternate Data Streams, also known as ADS, or in some technical documents that didn’t make it to final review, Alternative Data Streams.

This was added, I think, to support Macintosh resource forks, and to extend them.

It’s been used for any number of things, from “Mark of the Web” (file:Zone.Identifier), to thumb-prints (using a very random looking string), to icons for favourites (file.url:favicon). Some viruses have even tried to use ADS to hide themselves (though, as I’ve noticed before, there has to be a non-ADS way of executing it that can be found with a regular virus scan).

I’ve noted before that it’s a little tricky to enumerate and handle alternate data streams in operating systems prior to Windows Server 2003, at least from the API, but I’ve been complaining since the days of NT 3.1 that there’s no support in the command line or the GUI for listing alternate data streams in files.

But the big secret in Vista, that I have yet to see anyone report on, is that Vista allows you to list streams from the command line:


All I can say is, after about 15 years, it’s ABOUT DAMN TIME!

Now, could you provide me with the following?

“dir /s /b /r | findstr /r “…:””, so that I can do a recursive search to find all the alternate data streams on my drive?

A command to delete the stream (“del null.txt:foo.txt” or “del null.txt:foo.txt:$DATA” both give back the error message “The filename, directory name, or volume label syntax is incorrect.” – even though the RemoveFile API can take those names and delete the stream)?

For the first option, you can always use my “sdir” – StreamDir – a tool that lists streams in a similar format. You can find it over at

Still, of course, there is no GUI, nor any GUI way to search for alternate data streams.

But this “dir /r”, this is a baby step forward.

What do those dollar signs on shares do?

Most Windows administrators have used “hidden shares” from time to time.

net use * \\computer\c$” gives you a share, if you have access, to the C: drive on the named computer.

Occasionally, someone will suggest that hidden shares are a great security measure, allowing you to create shares that are inaccessible to anyone who doesn’t know the mystic magic incantation. Okay, so C$ and D$ are obvious, but ABRACADABRA$, who’s going to know that exists?

For a while, it’s been demonstrated by a number of my favourite security tools – Jesper Johansson, Mark Russinovich (or rather, the tools these security tool gurus wrote) – that these hidden shares are really hidden by the client.

Yes, hidden by the client. That means that when your program enumerates the shares on a remote server, all the shares, including the hidden ones, come back in the list of shares, and the clients choose whether to display them all or hide the ones with a dollar sign at the end.

I am reminded of the Ravenous Bugblatter Beast of Traal.

Clearly, someone at Microsoft got as sick as I do of having to face people who say “ah, but only the really clever hackers will have access to those tools” (forgetting, conveniently, that I have access to the tools, so it’s really not that special).

In Windows Vista, you can now see all the hidden shares by running the single command “net view \\computer /all“:

Doubtless someone will say what a horrible stupid and generally bad-for-security thing this is that Microsoft has done, because it now means that everyone can see all your hidden shares.

Me? I think it’s about time that people stopped hiding stuff in ways that require the client to be well behaved in order for them to stay hidden. I plan to include “net view \\computer /all” in my toolkit for scaring the unwary and the unwise into taking real security measures rather than covering everything in their security blanket.

April is Autism Awareness Month

And yet… so many people are completely unaware of what autism is.

Maybe you’ve seen “Rain Man”, starring Dustin Hoffmann, the guy from Top Gun, and the girl from Hot Shots.

Yeah, it’s like that, for some autistics.

But in the time since autism was identified and described as a syndrome of its own, over fifty years ago, it’s been realised that there’s a wide range to the effects of autism, both in the collection of symptoms and the depth of their effects on different individuals.

The terms “low functioning” and “high functioning” are often used to give a rough degree of overall effects on an individual, but should not be used as a means of guessing what symptoms an autistic person will possess. A “high functioning” individual may be almost completely non-verbal, preferring to communicate using picture cards or typing; similarly, a low functioning individual may be able to make a reasonable facsimile of small-talk by using echolalia – the wholesale repetition of mostly appropriate sentences, without understanding the words that comprise the sentences themselves.

Study in autism has been marked by some spectacularly popular – yet completely false – assertions, such as those of Bruno Bettelheim, who claimed that the cause of autism was a mother who consciously or unconsciously did not want their child to live, and as a result, became cold and unattached. Modern investigations, including Functional MRIs, have indicated that the physical structure of brains in autistic children is different from that of neurotypical (“NT”) children.

Much discussion has been made in the last decade of “Asperger’s Syndrome” – named after Hans Asperger, the “other” discoverer of autism (most American references to autism cite Kanner as the discoverer of autism, although Kanner and Asperger made their discoveries at or about the same time). While Kanner described a more severe, low functioning form of autism, Asperger noticed a wide range of patients with similar symptoms, and as a result the syndrome named for him is used to describe those patients with autistic behaviours who are not so severe as to classify under Kanner’s classification.

There is a growing concern that the distinction between Asperger’s and Autism is entirely artificial, and this is born out mostly in the diagnostic criteria, wherein the main difference between the two diagnoses is a lower-than-average IQ (autism), or a higher-than-average IQ (Asperger’s). Since many of the tests used for IQ testing in children are actually quite difficult to perform given autism’s symptoms, it seems a little like grading deaf children by shouting questions at them, and giving “high IQ” marks to those that respond because they were able to lip-read.

So, we talk about the Autism Spectrum – and although that sounds like a linear range, it’s more of a multivariate.

Kids with Asperger’s Syndrome are capable of huge achievement if they’re given support and have access to assistive therapies – speech therapy, occupational therapy and physical therapy. Yes, physical therapy, because for some reason there seems to be a lack of motor strength, balance, and coordination in most kids on the autism spectrum, and physical therapy allows for the development of techniques that will help build strength, balance, and coordination. Occupational therapy allows for the child to learn skills that provide him an ability to integrate into regular school life. Speech therapy and related therapies allow the child to learn how to interact socially with his peers.

Note that I keep referring to the child as “he” – while autism is not a wholly male syndrome, it affects males in a ratio of about four to one; why this is, is hotly debated, but there are certainly female autistics, including perhaps the most famous autistic of all, Temple Grandin, author of “Emergence: Labeled Autistic”, among several other books.

What of the lower-functioning autistics, though? Aren’t they doomed to lives in institutions, closeted away from society, forever rocking and banging their heads locked in their own worlds?

Surprisingly, no. As I hinted at with my analogy to shouting IQ test questions at deaf kids, it’s gradually emerging that many of these kids who were thought to have low IQ are simply not able to interact with the world around them. Once they are given an avenue of communication, whether it’s facilitated communication (which is a tad controversial), or something as simple as learning to use a keyboard, many children previously considered lower functioning and lower IQ are turning out to be quite intelligent, and often well-informed about the world around them.

I think the next few decades could see some interesting advances in learning how to make the best of an autistic child – autism brings some amazing skills and an “out-of-the-box? Didn’t see the box in the first place!” kind of thinking that produces astonishing effects when given full rein.

Don’t catch exceptions

A long time ago, the developer of a competing product to my own WFTPD Pro decided that he was going to do something about GPFs in his software.

He released a new version, and declared that you would never see another GPF from his software.

How did he achieve this?

His entire main processing loop was wrapped in a massive “try { … } catch” clause, which basically ignored all GPFs, so that the program could carry on running.

At the time, I knew this was a bad idea, and resolved that I would respond to all my users who asked with a clear statement that it is better to take the GPF hit and know that something needs fixing, than to ignore the GPF, and thus ignore the error that caused it.

Today brings a nice reminder of why you should always take your GPFs with pride.

Determina posted an analysis of the latest bug in ANI processing on Windows (ANIs are animated cursors – like the hourglass, or the spinning hypno-wheel designed to make you ignore the fact that time is passing slowly).

The part that really spoke to my ideas about exception catching is as follows:

In addition to the missing /GS check, the vulnerable code in USER32.DLL is wrapped in an exception handler that can recover from access violations. If the exploit is unsuccessful, for example due to the Vista ASLR, the process will not terminate and the attacker can simply try again. This gives the attacker an easy way to bypass the ASLR protection and increase the reliability of the exploit.

In case the long technical words and acronyms caught you by surprise, that means simply that if you catch and ignore all exceptions, then the attacker can keep trying to attack your application until he gets in to your system – the application doesn’t stop and warn you that something might be wrong.

Remember, it’s the cardinal rule of programming in an unreliable world:

Don’t catch errors that you can’t fix, and don’t fix errors that you can’t catch.

[“Unreliable” includes “unsecure” as a subset.]

This is one of the reasons I dislike exception-based programming – the developer is ‘programmed’ to expect exceptions, and to treat them as a normal part of programming. Expected actions, to my mind, should be indicated by return values or returned arguments – that’s true even for error returns from functions. Exceptions should be reserved for truly exceptional circumstances – such as an attempt to execute data, or code outside of your ownership. And those exceptions should get handled by the operating system, not the application.

Obviously, if you’re programming against an API that uses exceptions as a means of communicating, you should catch those exceptions and handle them – but don’t forget to pass all other exceptions up to higher levels than you, so your program doesn’t become a paragon of reliability for your attackers.

In other words, find and fix true code errors, don’t mask and ignore them.