FAQ: Windows NT's File System and alternate data streams

Copyright © 1998 Frank Heyne

If you want to put this page on your own web server, please refrain and use a link instead. The reason is simple: I don't want old copies with old versions of the FAQ lying around on the web. For those people who are not sure if they are viewing the page on a mirrored site: The address of the original page is http://rcswww.urz.tu-dresden.de/~fh/nt/ntfs-ads.phtml

This page is intended for people who administer Windows NT machines. People who try to hack Windows NT machines have no reason to read it, because there are only 2 possibilities: Either they already know or they are not as cool as they might think.

------------------------------------------------------------------------

What is NTFS?

It is the abbreviation of New Technology File System - Windows NT's preferred file system.

What is an alternate data stream (ADS)?

In NTFS, a file consists of different data streams. One stream holds the security information (access rights and such things), another one holds the "real data" you expect to be in a file. There may be another stream with link information instead of the real data stream, if the file actually is a link. And there may be alternate data streams, holding data the same way the standard data stream does.

What is wrong with alternate data streams?

I could say: Nothing, they work as expected and as documented (yes, Microsoft did it). But stop - there is something wrong: They are totally hidden. You can have a file with 1 byte in the official main data stream and some hundred MB in one or more alternate data streams. What do you expect the dir command, the file manager or Explorer to show as file size? It is 1 byte!

That means a user can hide quite a lot of data in alternate data streams and nobody will know?

So it is.

But a user does need certain special privileges to use alternate data streams?

No.
Even guest can create such streams in every file he has write access to.

How does somebody create an ADS?

You can do it on the command prompt, like

notepad visible.txt:hidden.txt

This will create a hidden stream hidden.txt in the file visible.txt. It doesn't matter if the file exists or not.

How does somebody copy data into an ADS?

type atextfile > visible.txt:hidden2.txt

This will create another hidden stream hidden2.txt in the file visible.txt.

How does somebody copy text data from an ADS into a "normal" file?

more < visible.txt:hidden2.txt > newfile.txt

This will create a file newfile.txt from the hidden stream hidden2.txt in the file visible.txt.

How does somebody copy binary data from an ADS into a "normal" file?

cat visible.txt:hidden.exe > hack.exe

This will create a file hack.exe from the hidden stream hidden.exe in the file visible.txt. (Cat is a tool from the Resource Kit.)

How does somebody delete an ADS?

Let us assume you know there is a file important.exe with an ADS attached to it. The file is very important and the ADS very dangerous. You need to keep the main stream and delete the ADS. Let us assume there is no FAT drive on your network, otherwise you could move the file to this drive and then move it back again. All you need to do is:

ren important.exe temp.exe
cat temp.exe > important.exe
del temp.exe

Can somebody add an ADS to a directory entry instead of a file?

Yes, it works the same way.

What possibilities does Microsoft provide to check if there are alternate data streams on my NTFS disks?

Do you expect they care?

But if the sum of available and used storage on a hard disk is much less than its size, I want to know a way to check if there are alternate data streams on my NTFS disks!

You can move all files onto a FAT drive and back to the NTFS drive. This way all alternate data streams will be deleted, because FAT does not know how to save this kind of data.

OK, but this is not quite handy.
And I might be interested in viewing the data before I delete it!

I have developed a command line tool called LADS (List Alternate Data Streams), which scans the entire drive or a given directory. It lists the names and sizes of all alternate data streams it finds. You can download the freeware version 1.10 of LADS (20KB). This software is provided "as is", without warranty of any kind! Use it at your own risk!

Why is LADS so slow?

It must open every file in the directory tree you specified. That is why it will take quite some minutes to scan a 1 GB drive.

Where the hell did you get all this info?

I found something in the Win32 SDK. The rest I had to figure out the hard way. And I do know I am not the only one, but probably the first one who published it.

Where on Microsoft's web server can I find info on ADS?

I had no success searching on their server during the last few days. Searching for "alternate data stream" returned 0 hits, though there is KB article Q105763 about it. They still have to learn a lot about publishing web pages which generate no more traffic than necessary. They put a very silly tag on their pages which states they are "valid until creation time". If you, for instance, press the "Back" button in your browser, it can't take the copy from its cache (because it is invalid now), but has to reload the page from the server instead. With this method they can tell "We had a million visits, though our poor servers can handle only some thousand." (And actually only some thousand people were visiting their site.)

------------------------------------------------------------------------

Don't forget to visit my Windows NT Eventlog FAQ and my Windows NT main page.

--------------------------------------------------

Page was last updated on Friday March 20, 1998 at 10:20:32
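The following script is an added worked example and is not part of the FAQ, nor is it the code of LADS. It does in PowerShell what the FAQ's cmd.exe recipes and LADS do on an NTFS volume: it builds a throw-away fixture (a file with 1 byte in the main stream and 64 KB in an alternate stream; the directory and stream names are constructed for the demo), shows that the reported file size is still 1 byte, walks a directory tree listing every stream other than the default ":$DATA" stream with its real size, copies the hidden data out for inspection, and finally removes the stream while keeping the main stream. It assumes Windows PowerShell 5.0 or later (the -Stream and -NoNewline parameters) and that $env:TEMP lies on an NTFS volume.

```powershell
# Added example, not part of the FAQ or of LADS. Assumes Windows PowerShell 5.0+
# (for -Stream and -NoNewline) and an NTFS volume behind $env:TEMP.
# All names below ($demoRoot, visible.txt, hidden.txt, recovered.txt) are
# constructed for this demo.

function Find-AlternateDataStream {
    # Walks a directory tree (files and directories, hidden ones included) and
    # reports every stream other than the default ':$DATA' stream, i.e. an ADS.
    # Like LADS, this opens every item in the tree, so it is slow on big drives.
    param([Parameter(Mandatory = $true)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # The size dir and Explorer report: the main stream only (directories: 0).
            $reported = if ($item.PSIsContainer) { 0 } else { $item.Length }
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path         = $item.FullName
                        Stream       = $_.Stream
                        StreamBytes  = $_.Length
                        ReportedSize = $reported
                    }
                }
        }
}

# ---- Demo in a throw-away directory (constructed fixture) ----
$demoRoot = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demoRoot | Out-Null
$visible = Join-Path $demoRoot 'visible.txt'

# 1 byte in the main stream, 64 KB in an ADS: the PowerShell form of the FAQ's
# "notepad visible.txt:hidden.txt" and "type atextfile > visible.txt:hidden2.txt".
Set-Content -LiteralPath $visible -Value 'x' -NoNewline
Set-Content -LiteralPath $visible -Stream 'hidden.txt' -Value ('A' * 65536) -NoNewline

# What dir and Explorer show versus what is really on disk.
'Reported size of visible.txt: {0} byte(s)' -f (Get-Item -LiteralPath $visible).Length
$findings = @(Find-AlternateDataStream -Path $demoRoot)
$findings | Format-Table -AutoSize
# One row expected: ...\visible.txt  hidden.txt  StreamBytes 65536  ReportedSize 1

# Look at the hidden data before deleting it (the FAQ's
# "more < visible.txt:hidden2.txt > newfile.txt").
$recovered = Join-Path $demoRoot 'recovered.txt'
Get-Content -LiteralPath $visible -Stream 'hidden.txt' -Raw |
    Set-Content -LiteralPath $recovered -NoNewline

# Drop the ADS but keep the main stream; this replaces the FAQ's ren / cat / del sequence.
Remove-Item -LiteralPath $visible -Stream 'hidden.txt'
'Streams left after cleanup: {0}' -f @(Find-AlternateDataStream -Path $demoRoot).Count

Remove-Item -LiteralPath $demoRoot -Recurse -Force
```

Two practical notes when running Find-AlternateDataStream over a real volume: files downloaded by a browser on current Windows versions carry a legitimate Zone.Identifier stream (the "mark of the web"), so a non-empty result is a list to review, not a list of hidden data; and from Windows Vista on, cmd.exe's dir /R also lists alternate streams next to each file, which is a quick check for a single directory.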