Streams displays which NTFS files have alternate streams content


Frank Heyne has written a small FAQ on Alternate Data Streams in NTFS. David LeBlanc published
Detecting Alternate Data Streams. Mark Russinovich at
www.sysinternals.com has released freeware utility Streams which displays NTFS files that have alternate streams
content. Useful to Windows NT admin. Crucial Security has released a similar
freeware tool, CrucialADS.


The NTFS file system provides applications the
ability to create alternate data streams of information. By default, all data is
stored in a file’s main unnamed data stream, but by using the syntax
“file:stream”, you are able to read and write to alternates. Not all
applications are written to access alternate streams, but you can demonstrate
streams very simply. First, change to a directory on a NTFS drive from within a
command prompt. Next, type “echo hello > test:stream”. You’ve just created a
stream named ‘stream’ that is associated with the file ‘test’. Note that when
you look at the size of test it is reported as 0, and the file looks empty when
opened in any text editor. To see your stream enter “more < test:stream” (the
type command doesn’t accept stream syntax so you have to use more). NT does not
come with any tools that let you see which NTFS files have streams associated
with them, so I’ve written one myself. Streams will examine the files you
specify and inform you of the name and sizes of any named streams it encounters
within those files. Streams makes use of an undocumented native function for
retrieving file stream information. Full source code is included.

You can download ads_cat from Packet
Storm.
ads_cat is a utility for writing to NTFS’s Alternate File Streams and
includes ads_extract, ads_cp, and ads_rm, utilities to read, copy, and remove
data from NTFS alternate file streams.

Streams technology was used to create a new type virus. See Malicious
code exploits unique Win2K function

David LeBlanc has written a tutorial on Detecting Alternate Data Streams

Carvdawg’s
Perl Page
has scripts Astream.pl and ads.pl. Astream.pl is a Perl script
that demonstrates how an NTFS alternate data stream (ADS) can be created
programmatically. Ads.pl is a script that detects ADSs. Ads.pl is based on Dave
Roth’s streams.pl script from his latest book, with some modifications added to
include checking the directory listing. Thanks goes to Frank Heyne for pointing
out how to check the directory listing for ADSs.

NTFS Tips:

Managing Shared Resources and Resource Security
Choosing
Between FAT and NTFS

Web
versus NTFS Permissions

NTFS
Security, Part 2: Implementing NTFS Special Permissions on Your Web Site

Getting the Most from IIS Security
NTFS Permissions
Cancel an NTFS conversion

NT equivalents of
NetWare Rights

Access
NTFS from DOS, Win95 or Win98 using NTFSDOS driver

NTFS Last Access TimeStamp

xcopy – keep attributes

How To Remove Files
with Reserved Names such as LPT1 or PRN

NTFS Metadata files
Disable NTs 8.3 aliases for
LFNs under NTFS

Streams
displays which NTFS files have alternate streams content

VolumeID changes NT and FAT volume
IDs

Create a NTFS
partition over 4GB during installation

Windows NT NTFS Directory
Compression

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top