Alternate NTFS Data Streams

Today I saw this strange NTFS magic: each file can have several data streams. In principle, you can have a file a.txt of size 0 bytes, but there can be any number of bytes hidden in a separate data stream for this file. This is strictly NTFS-related magic, and I see no noble reason for these streams. You can search for NTFS streams using the streams utility from Sysinternals. This will show you that basically each of these nasty thumbs.db files comes with an extra data stream.

OK, I have seen this magic work on Windows NT4: streams added to files, copied, and deleted (using the above utility). But now I try to do this at home on my Win XP system, and although I can detect existing streams, I can't display their contents, create new ones, or do much of anything when I use the filename:streamname syntax.

I get this error:

The filename, directory name, or volume label syntax is incorrect.

Example: output of the streams utility:

    c:\DOWNLOADS>streams.exe -s .
    Streams v1.56 - Enumerate alternate NTFS data streams
    Copyright (C) 1999-2007 Mark Russinovich
    Sysinternals - www.sysinternals.com

    c:\DOWNLOADS\1013.pdf:
       :Zone.Identifier:$DATA 46

    c:\DOWNLOADS>type 1013.pdf:Zone.Identifier
    The filename, directory name, or volume label syntax is incorrect.

Why can't I display the contents of an alternate data stream?

Looking at the Microsoft documentation on How to Use Alternate NTFS Data Streams, I see that this applies to my operating system, although they mention that these streams will not be supported in the future. Can anyone shed some light on this?

+16
filesystems stream ntfs alternate-data-stream
Nov 27 '09 at 16:47
6 answers

Off the top of my head: NTFS data streams were introduced in Windows NT 4.0 and have been around in all descendants (excluding the Win 95 descendants: 98, Me). In XP, Vista, and Win 7, they still exist. As long as Windows versions support NTFS, they will support file streams. They will support NTFS for a long time.

The error you indicated is described on the page that you link to in your question. The type command does not understand streams. Use:

 more < 1013.pdf:Zone.Identifier 



Work with streams

Microsoft has only a few commands that work with streams. In fact, only < and > work with streams, and therefore only commands that can work with these redirection operators can be used. I wrote a couple of blog posts about alternate data streams and how you can still manage streams with just these commands.

Streams will work only with programs that are designed to work with them, simply because they need to be processed specifically (compare connection points, also an NTFS feature, where the driver hides the details and programs do not need to do anything special: they just treat the connection point as a real file).

When you try to open a file stream using start filename:streamname, and the program says something like "illegal file name" or "file not found," and you are sure that the stream name is correct, then most likely the program does not support streams. I noticed that Notepad, Wordpad, and Word / Excel work correctly with streams, although Word and Excel consider the files to be dangerous. The following are some experiments.




NOTE: you seem to find alternate data streams odd. They are strange because they are so hidden, but many major file systems (HFS, NSS) have this, and the concept goes back to the early 80s. In fact, streams were originally added to NTFS to interact with other file systems.

+20
Nov 27 '09 at 16:55

By the way, you can open AltDataStream using notepad:

 notepad.exe 1013.pdf:Zone.Identifier 

In addition, you can specify the type AltDataStream (not only using Notepad, but also the "full stream name"):

 1013.pdf:Zone.Identifier:$DATA 
+7
Nov 30 '09 at 10:43

This is strictly NTFS related magic.

Not so - Mac OS has had these ever since that day, they are called forks in this world, and you must use ResEdit to get to them. The classic use of them is to combine media assets with an executable file.

+7
Sep 28 '10 at 15:31

One possible target for an alternate stream: metadata. You can add a large description for the document without affecting the contents of the source file.

+5
Nov 27 '09 at 17:28

The Win32 API handles alternate stream names perfectly.

CMD, on the other hand, does some funky file name analysis when it is possible to have * /? extension and barfs when ":" is present. What is copied and printed, but a simple redirection is performed.

+3
Jul 26 2018-12-12T00:

The error literally means that it is not recognized as an alternate data stream, and the link you create contains a specific character that is not allowed in the path name ( : ; other invalid characters include \\ , / , etc.).

Try:

start this_is_a.txt:ads.exe

+2
May 19 '11 at 19:12
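
Added example, not part of any post above: a small Python triage script that parses `streams.exe -s` output in the layout shown in the question and lists streams that are not on an expected list. The sample text is constructed from the question's output plus the stream name from the last answer; `EXPECTED_STREAMS` and all function names are assumptions made for this example.

```python
import re
from typing import NamedTuple

class StreamEntry(NamedTuple):
    path: str   # file that owns the stream
    name: str   # stream name, e.g. "Zone.Identifier"
    kind: str   # stream type, normally "$DATA"
    size: int   # stream length in bytes

# A stream line looks like "   :Zone.Identifier:$DATA 46" (layout from the question).
STREAM_LINE = re.compile(r"^\s+:(?P<name>[^:]+):(?P<kind>\$\w+)\s+(?P<size>\d+)\s*$")

# Assumption for this example: streams considered normal on this machine.
EXPECTED_STREAMS = {"zone.identifier"}

def parse_streams_output(text):
    """Turn `streams.exe -s` output into one record per alternate stream."""
    entries, current = [], None
    for line in text.splitlines():
        m = STREAM_LINE.match(line)
        if m and current:
            entries.append(StreamEntry(current, m["name"], m["kind"], int(m["size"])))
        elif line.rstrip().endswith(":") and not line[:1].isspace():
            current = line.rstrip()[:-1]   # "c:\DOWNLOADS\1013.pdf:" -> file path
    return entries

def unexpected(entries):
    """Streams worth a manual look: anything not on the expected list."""
    return [e for e in entries if e.name.lower() not in EXPECTED_STREAMS]

def read_stream(path, name):
    """Windows/NTFS only: the file API accepts path:streamname directly."""
    with open(f"{path}:{name}", "rb") as fh:
        return fh.read()

# Constructed sample: banner and first file from the question, second file invented.
SAMPLE = r"""Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\DOWNLOADS\1013.pdf:
   :Zone.Identifier:$DATA 46
c:\DOWNLOADS\this_is_a.txt:
   :ads.exe:$DATA 73728
"""

if __name__ == "__main__":
    for e in unexpected(parse_streams_output(SAMPLE)):
        print(f"review: {e.path}:{e.name} ({e.size} bytes)")
```

On an NTFS volume, `read_stream(r"c:\DOWNLOADS\1013.pdf", "Zone.Identifier")` returns the stream's bytes without going through CMD's file name parsing.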


