NTFS alternate data streams

Question

Today I have seen this weird magic NTFS system supports: each file can have multiple data streams. Basically one could have a file a.txt of 0b size but there can be any number of bytes hidden in a separate data stream for that file. This is strictly NTFS related magic and I don't see any noble reason for having these streams around. You can look for NTFS streams with the help of the streams utility from Sysinternals. This will show you that basically every one of those nasty thumbs.db files comes with an extra data stream.

Okay, now I have seen this magic work on a Windows NT4 system, streams added to files, copied over, deleted (with the help of the aforementioned utility), but I am now trying this at home on my Win XP system, but although I can detect the existing streams, I can't display their contents, can't create new ones, or very much anything when I use the filename:streamname syntax.

I get this error:

The filename, directory name, or volume label syntax is incorrect.

Example: Output from the streams utility:

c:\DOWNLOADS>streams.exe -s .

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\DOWNLOADS\1013.pdf:
   :Zone.Identifier:$DATA       46

c:\DOWNLOADS>type 1013.pdf:Zone.Identifier
The filename, directory name, or volume label syntax is incorrect.

Why can't I display the contents of the alternate data stream?

Looking at the Microsoft documentation on "How To Use NTFS Alternate Data Streams", I can see that this applies to my operating system, although they do mention that these streams will not be supported in the future. Anyone can shed any light on this?

It says that alternate streams may not be supported in _future file systems_ (i.e. those that come after NTFS), however it says that NTFS will be supported in future _OSes_ regardless. — Pavel Minaev, Nov 27 '09 at 17:15
I agree with that. So, as long as my fs is NTFS, I should be able to work with these streams. Do I need a special version of `copy` program to support copying data from and into alternate streams? — Peter Perháč, Nov 27 '09 at 23:32
I'm not sure what your question is - maybe you should edit the question title so we don't have to sift through the question body looking for what you're actually asking... — hippietrail, Oct 25 '12 at 13:26

Abel · Accepted Answer · 2012-05-29T22:07:30.797

From the top of my head: NTFS datastreams were introduced in Windows NT 4.0 and have been around in all descendants (excluding the win-95 descendants: 98, Me). In XP, Vista and Win 7 they're still around. As long as Windows versions support NTFS, they will support file streams. They will support NTFS for a long time to come.

The error you have is described on the page you show in your question. The type command doesn't understand streams. Use:

more < 1013.pdf:Zone.Identifier

Working with streams

Microsoft only has a handful commands that work with streams, in fact, only <, > work with streams, and thus only commands can be used that can work with these redirect operators. I wrote a couple of blog posts on alternate datastreams on how you can still manipulate streams with only these commands.

Streams will only work with programs that are designed to work with them, simply because they need to be treated specially (compare junction points, also a feature of NTFS, but the driver hides the details and programs do not need to do anything special: they just consider the junction point a real file).

When you try to open a file stream using start filename:streamname and a program says something like "illegal filename" or "file not found", and you are positive that the stream name is correct, then it's likely that the program does not support streams. I noticed that Notepad, Wordpad and Word/Excel work correctly with streams, though Word and Excel consider the files dangerous. Here are some experiments you may try.

NOTE: you seem to consider alternate data streams odd. They are odd because they are so hidden, but many major file system (HFS, NSS) have it and the concept dates back to the early 80s. In fact, originally the streams were added to NTFS for interoperability with other filesystems.

funny thing is I have seen it work with the type command. However the shell used to demonstrate this was NT4 shell, not the usual cmd.exe — Peter Perháč, Nov 27 '09 at 23:25
copy 1013.pdf:Zone.Identifier x.xxx should work too. but it doesn't on my machine. I just don't understand what's going on. — Peter Perháč, Nov 27 '09 at 23:30
@PeterPerháč: no, `copy` doesn't work. Yes, `type` does work, but only like so: `type somefile > otherfile:streamname`. The reverse (using type to read a stream) does _not_ work. For more ideas see: http://www.undermyhat.org/blog/2012/04/ultimate-guide-manipulating-alternate-data-streams/ — Abel, May 29 '12 at 22:09

score 11 · Answer 2 · answered Nov 30 '09 at 10:43

11

BTW, you can open AltDataStream with notepad:

notepad.exe 1013.pdf:Zone.Identifier

Also, you may specify type of AltDataStream (not only with Notepad, it is 'full stream name'):

1013.pdf:Zone.Identifier:$DATA

answered Nov 30 '09 at 10:43

Nishi

10,634
3
27
36

2

Same is true for Word, Excel and probably other MS programs, but you must start it from a command prompt. The type of data stream can indeed be specified, but must always be `$DATA`, other types are not supported. – Abel May 29 '12 at 22:10
Is it possible to use AltDataStreams like a hidden file folder? I.e. can you view the Zone.Identifiers associated with the stream? – Python Cheese Dec 08 '18 at 03:19

score 9 · Answer 3 · answered Sep 28 '10 at 15:31

9

This is strictly NTFS related magic

Not so - Mac OS has had these since back in the day, they are called forks in that world, and you would use ResEdit to get at them. The classic use of them is to bundle media assets along with an executable.

answered Sep 28 '10 at 15:31

Gaius

2,556
1
24
43

9

Indeed. Microsoft used alternate streams to store Mac forks in their NT Server _Services for Macintosh_ package. – bobbogo Jan 20 '11 at 13:14

score 7 · Answer 4 · answered Nov 27 '09 at 17:28

7

One possible purpose for alternate stream: meta-data. One can add, for a document, a large description without affecting the content of the original file.

answered Nov 27 '09 at 17:28

Victor Hurdugaci

28,177
5
87
103

score 4 · Answer 5 · answered Jul 26 '12 at 19:42

The Win32 API handles the naming of alternate streams just fine.

CMD, on the other hand, does some funky parsing of the file name when it's possible to have */? expansion and barfs when a ":" is present. That's why copy and type fail but simple redirection works.

score 4 · Answer 6 · answered May 19 '11 at 19:12

4

The error literally means that it is not being recognized as an alternate data stream and the reference you're making contains a certain character that is not allowed in a path name (the :; other characters not allowed include \\,/, etc).

Try:

start this_is_a.txt:ads.exe

answered May 19 '11 at 19:12

Joseph Hansen

12,665
8
50
68

7

Note: Windows 7 has silently removed the ability to execute from ADS and I'm still looking for a way to actually do that. – Joseph Hansen May 19 '11 at 19:51
2

You can execute from an alternate data stream, but not directly. Copy the datastream to a file and execute it will work. I don't (yet) know of another way. – Abel May 29 '12 at 22:15

NTFS alternate data streams

6 Answers6

Working with streams

Linked