Everhart, Glenn
From:	Bill Potvin, II [bpotvin@MERXSOFT.COM]
Sent:	Thursday, July 02, 1998 12:12 PM
To:	NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject:	Re: Alert: ASP vulnerability with Alternate Data Streams
<<
The only "pre-defined" stream available on any file is the
::$INFORMATION_SECURITY stream.
>>

*IF* you are talking about File Records in the Mft, then in my experience
this is incorrect. It appears that all *non-extension* records will always
have:

$STANDARD_INFORMATION
$FILE_NAME
$SECURITY_DESCRIPTOR (I assume this is the stream you named)

They may also always have a $DATA attribute, albeit empty. But, I'd have to
go scan again to be sure.

"Extension" Records appear to only contain the attributes that wouldn't fit
in the base record. If a base record has too may attributes to fit on the
record, then an $ATTRIBUTE_LIST will be created, whose data contains a list
of *all* the attributes on the file along with the record number containing
them. An extension record can be identified by the presence of a
"BaseRecordNumber" value in the record header, in addition to the fact that
it doesn't have $STANDARD_INFORMATION, $FILE_NAME or $SECURITY_DESCRIPTOR
attributes.

Of course, this is Ntfs Version 1, too. I've been too busy to get into
Version 2, but I know that there are some differences.

regards,
bill.