
View and Access NTFS Alternate Data Streams

The NT File System (NTFS) has always supported adding Alternate Data Streams (ADS) to each file and folder. ADS are not shown in Windows Explorer, so it is difficult to know whether a file has more than one data stream associated with it. Indeed, it is quite feasible to have a 10GB ADS attached to a one byte text file: Windows Explorer will show that the text file is occupying 1KB of your disk, and you are left wondering what is using the additional 10GB.

The 10GB hidden file stream example is highly unlikely, but some of the PC press is concerned that anti-social people will start hiding ad-ware and/or viruses in alternate data streams.

From version 2.1, AISBackup will optionally display and allow access to ADS directly from the Select Files for Backup form and the Select Files for Restore form. ADS may be accessed via right click options or dragged and dropped directly onto Windows Explorer to create normal 'Visible' copies of the ADS.

There is a lot of information available on the web about ADS, click here for a Google Search.

Here are a few of our notes on ADS:

  • ADS exist only on NTFS drives; FAT and FAT32 drives do not support them. It follows that ADS are not supported under Windows 95, 98 or ME.

  • ADS are not a secret, they have just not been very well documented or implemented in Windows.

  • Microsoft use ADS to add 'Zone' information to downloads. This is the reason why executing a file that has been downloaded causes a Microsoft security warning.

  • Microsoft also use ADS for adding Summary Information to files: Right click a file, choose Properties, then click the Summary tab, enter a few details. The file now has two ADS, one called |SummaryInformation and the other is given a name based on a Global Unique Identifier, e.g. {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}.

  • Virus checkers may not check ADS. Restoring or copying a virus infected ADS to a normal 'visible' file should, however, result in the virus being detected.

    One web-based article claims that of 17 anti-virus programs checked none of them check ADS for viruses.

  • Even if an ADS is a virus, there has to be a mechanism present on the PC to execute it, and this program in itself will probably be identified as a virus threat.

  • All ADS may be removed from a file by copying it to a FAT drive. Individual ADS may be removed from a file by using AISBackup right click options.
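
The streams described in the notes above can also be inventoried without AISBackup. The following is an added example, not part of AISBackup or the original page: it uses the `-Stream` parameter that PowerShell 3.0 and later provide on NTFS volumes, and the function name `Find-AlternateDataStream`, the demo folder and the stream name `extra` are assumptions made for illustration.

```powershell
# Added example: inventory alternate data streams (ADS) on files under a folder.
# Find-AlternateDataStream is a hypothetical helper name, not a built-in command.
# Covers files only; folder streams are not enumerated here.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Stream Windows adds to downloads to hold the 'Zone' information.
        [string[]]$ExpectedStream = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                # ':$DATA' is the unnamed main stream, the only one Explorer shows.
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File           = $file.FullName
                        Stream         = $_.Stream
                        StreamBytes    = $_.Length
                        MainBytes      = $file.Length
                        Expected       = $ExpectedStream -contains $_.Stream
                        # The "small file, large hidden stream" case from the text.
                        LargerThanHost = $_.Length -gt $file.Length
                    }
                }
        }
}

# Constructed demo data (assumes %TEMP% is on an NTFS volume).
$demo   = Join-Path $env:TEMP 'ads-demo'
$sample = Join-Path $demo 'note.txt'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath $sample -Value 'x'                          # tiny visible file
Set-Content -LiteralPath $sample -Stream 'extra' -Value ('A' * 4096) # hidden stream

# Report every named stream, unexpected ones first.
Find-AlternateDataStream -Path $demo | Sort-Object Expected | Format-Table -AutoSize

# Inspect one stream, then remove only that stream; the visible file is untouched.
Get-Content -LiteralPath $sample -Stream 'extra' | Select-Object -First 1
Remove-Item -LiteralPath $sample -Stream 'extra'
```

Rows where `Expected` is false or `LargerThanHost` is true are the ones worth reviewing first.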

The latest version of AISBackup may be downloaded from here.

A packaged test backup containing an ADS may be downloaded here. The password for this backup is lower case:

ads