Alternate Data Streams in Windows Vista – Tales from the Crypto

Windows NT 3.1 was released … oh, back in the early to mid ’90s.

Ever since then, I’ve been aware that it supported Alternate Data Streams, also known as ADS, or in some technical documents that didn’t make it to final review, Alternative Data Streams.

This was added, I think, to support Macintosh resource forks, and to extend them.

It’s been used for any number of things, from “Mark of the Web” (file:Zone.Identifier), to thumb-prints (using a very random looking string), to icons for favourites (file.url:favicon). Some viruses have even tried to use ADS to hide themselves (though, as I’ve noticed before, there has to be a non-ADS way of executing it that can be found with a regular virus scan).

I’ve noted before that it’s a little tricky to enumerate and handle alternate data streams in operating systems prior to Windows Server 2003, at least from the API, but I’ve been complaining since the days of NT 3.1 that there’s no support in the command line or the GUI for listing alternate data streams in files.

But the big secret in Vista, that I have yet to see anyone report on, is that Vista allows you to list streams from the command line:


All I can say is, after about 15 years, it’s ABOUT DAMN TIME!

Now, could you provide me with the following?

“dir /s /b /r | findstr /r “…:””, so that I can do a recursive search to find all the alternate data streams on my drive?

A command to delete the stream (“del null.txt:foo.txt” or “del null.txt:foo.txt:$DATA” both give back the error message “The filename, directory name, or volume label syntax is incorrect.” – even though the RemoveFile API can take those names and delete the stream)?

For the first option, you can always use my “sdir” – StreamDir – a tool that lists streams in a similar format. You can find it over at

Still, of course, there is no GUI, nor any GUI way to search for alternate data streams.

But this “dir /r”, this is a baby step forward.
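
The two things asked for above (a recursive listing of alternate data streams and a way to delete one), as an added example that is not part of the original post. It assumes PowerShell 3.0 or later on an NTFS volume; the function names and the scratch directory are hypothetical, and the sample file is constructed to mirror the post's null.txt:foo.txt.

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0 or later
# and an NTFS volume. Both function names are hypothetical helpers.

function Find-AlternateStream {
    # Recursively list every named stream on files under $Path.
    # Directories can carry streams too; this walks files only.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # ':$DATA' is the unnamed stream, i.e. the ordinary file content; skip it.
            Get-Item -LiteralPath $file -Stream * -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

function Remove-AlternateStream {
    # Delete one named stream and leave the file's main content untouched.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $File,
        [Parameter(Mandatory)] [string] $Stream
    )
    if ($PSCmdlet.ShouldProcess("${File}:$Stream", 'Remove stream')) {
        Remove-Item -LiteralPath $File -Stream $Stream
    }
}

# Constructed demo in a scratch directory (hypothetical path under %TEMP%).
$demo = Join-Path $env:TEMP 'ads-demo'
$null = New-Item -ItemType Directory -Path $demo -Force
$target = Join-Path $demo 'null.txt'
Set-Content -LiteralPath $target -Value ''
Set-Content -LiteralPath $target -Stream 'foo.txt' -Value 'hidden'

Find-AlternateStream -Path $demo | Format-Table -AutoSize    # lists null.txt / foo.txt
Remove-AlternateStream -File $target -Stream 'foo.txt'
Find-AlternateStream -Path $demo | Format-Table -AutoSize    # nothing left to list
```

Run Remove-AlternateStream with -WhatIf first to see which stream would be deleted without touching it.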
