Peter Hinchley

Learning in Public

✪ NTFS Alternate Data Streams

The data within a file on an NTFS partition is stored in an element called a stream. Each file has a mandatory "unnamed" stream, but alternate streams may also be created.

Let's create a simple text file:

echo Hello > hello.txt

A quick check - dir hello.txt - will confirm the file size is 8 bytes.

Now, let's attach a hidden alternate stream to hello.txt named secret containing the text password:

echo password > hello.txt:secret

If you open the file in Notepad, you will not see the content within the alternate stream. The following command will also just display Hello:

more < hello.txt

You will also get the same result if you explicitly reference the unnamed stream:

more < hello.txt::$DATA

However, if you explicitly request access to the alternate stream, you will see password:

more < hello.txt:secret

If you once again check the size of hello.txt, you will notice that the content we added to the alternate stream has not changed the file size. However, by using dir /R we can confirm the existence of the additional stream and its size:

26/11/2012   8 hello.txt
            11 hello.txt:secret:$DATA

Note: Only notepad.exe and console commands used with redirection operators (such as the examples shown above) allow you to work with alternate streams. For example, the following command will not work:

type hello.txt:secret

Alternate streams open up some interesting possibilities. For example, you could hide the presence of an executable by embedding it into an alternate stream:

type nasty.exe > empty.txt:nasty.exe

Prior to Windows 7, you could easily execute the hidden file:

start .\empty.txt:nasty.exe

However, as a security measure, from Windows 7 onwards this approach can no longer be used to execute code from an alternate stream. The limitation is easily circumvented using a symbolic link, though. For example, the following command (if executed under a privileged account) will provide an entry point to the executable:

mklink safe.txt empty.txt:nasty.exe

Now you can launch nasty.exe (stored within a hidden alternate stream) by running safe.txt.

A common use of streams is for storing web browser security zone data. For example, if you download a file named foo.exe from a web site in the internet zone, the file will include a stream named foo.exe:Zone.Identifier with the following data:

[ZoneTransfer]
ZoneId=3

When you try to execute foo.exe, Windows will use the Zone.Identifier stream to determine that the file was not downloaded from a trusted source. As such, you will be presented with a security warning dialog. As a popup dialog can be problematic when attempting the silent installation of a program, you could remove it by deleting the alternate stream:

type NUL > foo.exe:Zone.Identifier

You can also use the Sysinternals tool streams.exe to delete the stream:

streams.exe -d foo.exe

In addition to working with files, you can also attach an alternate data stream to a directory. To add a stream named description to c:\temp containing the text "temporary stuff", change into c:\temp, and then use the following command:

echo temporary stuff > :description

To access the content use:

more < :description
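To audit a directory tree for the streams discussed above (named streams on files and on directories, plus the ZoneId carried inside Zone.Identifier), here is an added PowerShell example that is not part of the original post. Get-AlternateStreams is an assumed helper name, C:\temp an assumed path, and it needs Windows PowerShell 3.0 or later on an NTFS volume:

```powershell
# Added example: list alternate data streams like "dir /R", and pull the
# ZoneId out of any Zone.Identifier stream, for a whole directory tree.
# $Root is an assumed path; point it at the directory you want to audit.
param([string]$Root = 'C:\temp')

# Assumed helper name. Returns one object per named stream found.
function Get-AlternateStreams {
    param([string]$Path)
    $results = @()
    # Include the directory itself: directories can carry streams too
    # (for example the ":description" stream created above).
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        # "-Stream *" enumerates every stream on the object; the unnamed
        # data stream is reported as ':$DATA', so filter it out.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            $entry = [pscustomobject]@{
                Path   = $item.FullName
                Stream = $s.Stream
                Bytes  = $s.Length
                ZoneId = $null
            }
            if ($s.Stream -eq 'Zone.Identifier') {
                # Read the [ZoneTransfer] text and pick out "ZoneId=<n>".
                $text = Get-Content -LiteralPath $item.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
                foreach ($line in $text) {
                    if ($line -match '^ZoneId=(\d+)') { $entry.ZoneId = [int]$Matches[1]; break }
                }
            }
            $results += $entry
        }
    }
    return $results
}

# Print a table: path, stream name, size in bytes, and ZoneId where present.
# To delete a stream from PowerShell, the equivalent of "type NUL > file:stream" is:
#   Remove-Item -LiteralPath <file> -Stream <name>
# and Unblock-File <file> removes just the Zone.Identifier stream.
Get-AlternateStreams -Path $Root | Format-Table -AutoSize
```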

Keep in mind that streams are a function of NTFS, and as soon as you copy a file to a FAT/FAT32 partition, the stream data will be lost.