NTFS Alternate Data Streams (ADS)

A file in NTFS can be understood as a collection of streams. The file content that we all see and work with every day is stored in the default or unnamed stream. But there can be any number of other named streams in the file.

When you do a “dir” command from the command line or look at a directory in Windows Explorer, you’re seeing the size of the file’s default stream. These tools take no notice of named streams attached to the file. You could have a 50 byte text file with a one megabyte named stream attached, and the system would tell you that the file is 50 bytes long. You would never know that there was a named stream riding along.

The LADS tool can tell you which files have named streams and how long those streams are. It’s a bit difficult to tell what the contents of the streams are because the standard File Open and File Save dialog boxes won’t let you specify named streams. You can do it by invoking notepad (and maybe other apps) from the command line. I believe this works because the standard file open commands used by all programs will accept the colon format, even though the File Open/File Save dialog rejects it .

If a file named textfile.txt has a stream named str1, for example, this command will show it:

notepad textfile.txt:str1

Notepad will be able to save the file in response to the “Save” command. You will not be able to use notepad’s “File open” function to read the named string, because when you enter “textfile.txt:str1” it will tell you that you’ve entered an invalid file name!

Some console commands will take the colon syntax to specify a named stream, many will not.

Notes

1. The “copy” console command copies all streams.
2. Streams are unique to NTFS. Unix (and linux) file systems don’t have them, neither do the FAT file systems. Copying or moving a file containing named streams to one of these file systems will copy the default stream only; any named streams will be lost.
3. Although many console commands do not accept colon syntax, the shell itself does. You can use colon syntax in shell redirect directives:

          type <a.txt  >b.txt:str1
          

   This command will copy the contents of a.txt (its default stream) into a stream named “str1” in the file “b.txt”. Specifying

          copy a.txt b.txt:str1
   

   will result in an error message to the effect that “b.txt:str1” is not a legal file name.
4. Remember that a directory is only a file with a bit set in its directory entry that causes the OS to handle it in a special way. Directories can also have named streams attached to them!

Uses in Windows XP

1. Internet Explorer
   When you download a file from the Internet using Internet Explorer, the file is stored with an ADS named Zone.Identifier. The contents of this stream are:

   [ZoneTransfer]
   ZoneId=3
   

   This simply tags the file as being the result of an internet download (Zone 3 is the Internet).
2. Summary

   When you right-click most files in Windows Explorer and select “Properties”, one of the tabs in the dialog box is labeled “Summary”. For some types of files (Word and Excel files, for example) the data on this tab is stored in the file itself, the code that operates the tab knows how to invoke the Word and Excel DOM to read and write this data.

   But the Summary tab also exists for plain text files and other file types where there’s no room for the data within the files. For these files, the data is stored in Alternate Data Streams.

   Using the Summary tab on these files creates three streams. The names of two begin with a character whose hex representation is 05. This is unprintable and nearly unusable. Using the asterisk to represent this character, the names of the three streams are:

   *DocumentSummaryInformation
   *SummaryInformation
   {4c8cc155-6c1e-11d1-8e41-00c04fb9389d}
   

   The first two contain some kind of data, *SummaryInformation has more data (264 bytes in my test) than *DocumentSummaryInformation (132 bytes). The third file, with a GUID for a name, contains no data in my test.

   *DocumentSummaryInformation contains the “category” attribute. *SummaryInformation contains title, author, subject, comments, and keyword attributes. Each field is preceded by a 4-byte integer giving the length (including the terminating null byte) of the character field following it. The character strings are in ASCII. There’s lots of other binary data (both files begin with the hex bytes FE FF) in the file. I was able to read these streams only by invoking the AXE hex editor from the command line, and going to some lengths to specify the x05 character correctly.

   Anja Schaffhirt has done a considerable amount of work figuring out the format of the *DocumentSummaryInformation stream. Her report gives a great deal more detail on this stream then my brief description.

   The streams are created when you type data into the Summary tab fields and click “Apply” or “OK”. Note that if you delete the data in those fields and click “Apply” again, the streams still exist.

Feel free to contact me with questions or comments.

Tim Slattery
MS MVP (Shell/user)