FAQ: Windows NT's File System and alternate data streams

Copyright © 1998 Frank Heyne

If you want to put this page on your own web server, please refrain from doing so and use a link instead. The reason is simple: I don't want old copies with old versions of the FAQ lying around on the web. For those people who are not sure if they are viewing the page on a mirrored site: the address of the original page is http://rcswww.urz.tu-dresden.de/~fh/nt/ntfs-ads.phtml

This page is intended for people who administer Windows NT machines. People who try to hack Windows NT machines have no reason to read it, because there are only 2 possibilities: either they already know, or they are not as cool as they might think.

------------------------------------------------------------------------

What is NTFS?
It is the abbreviation of New Technology File System, Windows NT's preferred file system.

What is an alternate data stream (ADS)?
In NTFS, a file consists of different data streams. One stream holds the security information (access rights and such things), another one holds the "real data" you expect to be in a file. If the file actually is a link, there may be a stream with link information instead of the real data stream. And there may be alternate data streams, holding data the same way the standard data stream does.

What is wrong with alternate data streams?
I could say: nothing, they work as expected and as documented (yes, Microsoft did it). But stop, there is something wrong: they are totally hidden. You can have a file with 1 byte in the official main data stream and some hundred MB in one or more alternate data streams. What do you expect the dir command, File Manager or Explorer to show as file size? It is 1 byte!

That means a user can hide quite a lot of data in alternate data streams and nobody will know?
So it is.

But a user does need certain special privileges to use alternate data streams?
No. Even the Guest account can create such streams in every file it has write access to.

How does somebody create an ADS?
You can do it at the command prompt, for example: notepad visible.txt:hidden.txt. This will create a hidden stream hidden.txt in the file visible.txt. It doesn't matter whether the file exists or not.

How does somebody copy text data into an ADS?
type atextfile > visible.txt:hidden2.txt. This will create another hidden stream hidden2.txt in the file visible.txt.

How does somebody copy text data from an ADS into a "normal" file?
more < visible.txt:hidden2.txt > newfile.txt. This will create a file newfile.txt from the hidden stream hidden2.txt in the file visible.txt.

Can somebody add an ADS to a directory entry instead of a file?
Yes, it works the same way.

What possibilities does Microsoft provide to check if there are alternate data streams on my NTFS disks?
Do you expect them to care?

But if the sum of available and used storage on a hard disk is much less than its size, I want to know a way to check if there are alternate data streams on my NTFS disks!
You can move all files onto a FAT drive and back to the NTFS drive. This way all alternate data streams will be deleted, because FAT does not know how to save this kind of data.

OK, but this is not quite handy. And I might be interested in viewing the data before I delete it!
You can view your disks with a sector editor.

Is there no other, more convenient, way?
I have developed a command line tool called LADS (List Alternate Data Streams), which scans the entire drive or a given directory. It lists the size of all alternate data streams it finds. You can download the freeware version 1.0 of LADS (20KB).

Why is LADS so slow?
It must open every file in the directory tree you specified. That is why it will take quite some minutes to scan a 1 GB drive.

How does somebody copy binary data to or from an ADS?
This is possible only with special programs, like the registered version of LADS.
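As an added example that is not part of the original FAQ or of the LADS tool, the following PowerShell function does the same kind of scan on a current Windows system: it walks a directory tree and reports every named stream other than the main ::$DATA stream, showing the size Explorer displays beside the size hidden in the stream. It assumes PowerShell 3.0 or later (the -Stream parameter of Get-Item), and the Zone.Identifier exclusion and the C:\Users path in the sample run are my own choices.

```powershell
# Added example, not the FAQ's or LADS's own code. Requires PowerShell 3.0+
# on an NTFS volume, where Get-Item -Stream exposes alternate data streams.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams to ignore. Zone.Identifier is the benign "downloaded from
        # the Internet" marker and would otherwise swamp the report.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # Get-Item -Stream * returns every stream of a file or directory;
            # the unnamed main data stream is reported under the name ':$DATA'.
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
                ForEach-Object {
                    [PSCustomObject]@{
                        File       = $item.FullName
                        # Length is what dir and Explorer show for a file; a
                        # directory has no main stream, so report 0 for it.
                        ShownSize  = if ($item.PSIsContainer) { 0 } else { $item.Length }
                        Stream     = $_.Stream
                        StreamSize = $_.Length
                    }
                }
        }
}

# Sample run (path is an assumption): list each hidden stream, then the
# total number of bytes that the visible file sizes do not account for.
$found = Find-AlternateDataStream -Path 'C:\Users'
$found | Format-Table File, ShownSize, Stream, StreamSize -AutoSize
'{0} streams, {1} bytes hidden in alternate data streams' -f `
    $found.Count, ($found | Measure-Object StreamSize -Sum).Sum
```

Like LADS, this has to open every file, so a large volume takes a while; for a quick look at a single directory, dir /R at the command prompt (Windows Vista and later) also lists streams, but neither recurses nor sums their sizes.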
------------------------------------------------------------------------

Don't forget to visit my Windows NT Eventlog FAQ and my Windows NT main page.

Page was last updated on Tuesday March 17, 1998 at 11:09:51