The command line can access alternate data streams using redirection operators. Streams are specified on the command line as filename<\/i>:<\/b>stream name<\/i>.<\/p>\nCreating an Alternate Data Stream<\/h3>\n
As an example, a string is written into an ADS named hidden<\/tt>, which is associated with file test.txt<\/tt>:<\/p>\n The file appears to be empty, though as detailed below, the metadata is intact and associated with the file:<\/p>\n The metadata can be viewed by redirecting from it to more<\/tt>:<\/p>\n The name and content of the ADS can be anything (see 'Details' below for restrictions):<\/p>\n On Windows Vista and later, a list of alternate data streams can be obtained using DIR \/R<\/tt>:<\/p>\n On earlier operating systems, the SysInternals utility Streams<\/a> can be used:<\/p>\n Metadata can be added to directories the same way it's added to files:<\/p>\n To be more accurate, streams are specified as filename<\/i>:<\/b>stream name<\/i>:<\/b>stream type<\/i>. It appears that the only stream type accessible from the command line is $DATA, which is why it's optional. All of the stream types are listed in the WIN32_STREAM_ID structure documentation<\/a>. The default data stream is unnamed, so filename<\/i>::$DATA will contain the file's data:<\/p>\n Stream names are generally held to the same requirements as any filename. One interesting difference is that stream names can contain characters whose integer representations are in the range from 1 through 31. Refer to Naming Files, Paths, and Namespaces<\/a> (MSDN) for details.<\/p>\n Note that when using streams with files having a single letter name, the filename should be prefixed with a period and backslash. The reason for this is Windows drive names. For example, does \"echo hello > c:test<\/tt>\" refer to a stream named test<\/tt> on file c<\/tt>, or does it refer to a file test<\/tt> on drive c<\/tt>?<\/p>\n As of Windows Vista, it is no longer possible to execute directly from an alternate data stream. On Windows XP and earlier, the Start command was used, similar to start somefile.ext:hiddenExecutable<\/tt>.<\/p>\n Notepad can be used to create and edit alternate data streams. The File Open dialog doesn't recognize stream syntax, however, so the file must be created and opened using command line parameters. Notepad will insist on appending .txt<\/tt> to the stream name.<\/p>\n Microsoft provides a sample program<\/a> in C++, demonstrating how to open and write to an alternate data stream.<\/p>\n Since Windows XP SP2<\/a>, when a file is downloaded from the Internet and executed (assuming a zone-aware browser), this warning is displayed:<\/p>\n Windows displays this warning because the web browser tagged the executable with a alternate data stream named Zone.Identifier<\/tt>:<\/p>\n By redirecting this stream to more<\/tt>, we can see its contents:<\/p>\n The PowerShell blog<\/a> has more information on zone identifiers.<\/p>\n The W2K.Stream virus used alternate data streams<\/a>.<\/p>\n Introduction Alternate Data Streams (ADS) allow arbitrary metadata to be associated with files and directories on Windows NTFS. Alternate data streams are the Windows implementation of forks. The apparent size of the file will be unchanged, and most applications and … Continue reading \n
C:\\test>echo Hidden text > test.txt:hidden<\/pre>\n<\/blockquote>\n
\n
C:\\test>dir test.txt\r\n\r\n06\/24\/2010 01:33 PM 0 test.txt<\/pre>\n<\/blockquote>\n
Viewing an Alternate Data Stream<\/h3>\n
\n
C:\\test>more < test.txt:hidden\r\nHidden text<\/pre>\n<\/blockquote>\n
\n
C:\\test>echo Arbitrary string > test.txt:arbitraryName\r\n\r\nC:\\test>more < test.txt:arbitraryName\r\nArbitrary string<\/pre>\n<\/blockquote>\n
Listing Files With Alternate Data Streams<\/h3>\n
\n
C:\\test>dir test.txt \/R\r\n\r\n06\/24\/2010 01:33 PM 0 test.txt\r\n 38 test.txt:arbitraryName:$DATA\r\n 28 test.txt:hidden:$DATA<\/pre>\n<\/blockquote>\n
\n
C:\\test>c:\\tools\\SysInternals\\streams.exe test.txt\r\n\r\nStreams v1.56 - Enumerate alternate NTFS data streams\r\nCopyright (C) 1999-2007 Mark Russinovich\r\nSysinternals - www.sysinternals.com\r\n\r\nC:\\test\\test.txt:\r\n :arbitraryName:$DATA 38\r\n :hidden:$DATA 28<\/pre>\n<\/blockquote>\n
Alternate Data Streams on Directories<\/h3>\n
\n
C:\\test>mkdir test2\r\n\r\nC:\\test>echo ADS on a directory > test2:someText\r\n\r\nC:\\test>dir \/r\r\n\r\n06\/25\/2010 11:27 PM <DIR> .\r\n06\/25\/2010 11:27 PM <DIR> ..\r\n06\/25\/2010 11:27 PM <DIR> test2\r\n 42 test2:someText:$DATA\r\n\r\nC:\\test>more < test2:someText\r\nADS on a directory<\/pre>\n<\/blockquote>\n
Details<\/h2>\n
Stream Naming<\/h3>\n
\n
C:\\test>echo This is the file > file.txt\r\n\r\nC:\\test>echo This is the stream > file.txt:stream\r\n\r\nC:\\test>more < file.txt::$DATA\r\nThis is the file\r\n\r\nC:\\test>more < file.txt:stream:$DATA\r\nThis is the stream<\/pre>\n<\/blockquote>\n
Executing Streams<\/h3>\n
Editing with Notepad<\/h3>\n
Programmatic Access<\/h3>\n
Real-World Applications<\/h2>\n
Downloaded Executables<\/h3>\n
![\"\"](\"http:\/\/www.curlybrace.com\/words\/wp-content\/uploads\/2010\/06\/UAC_Example_s.png\" "\\"UAC_Example_s\\"")
<\/a><\/p><\/blockquote>\n\n
C:\\test>dir \/r setup.exe\r\n\r\n06\/25\/2010 12:10 PM 680,467 setup.exe\r\n 26 setup.exe:Zone.Identifier:$DATA<\/pre>\n<\/blockquote>\n
\n
C:\\test>more < setup.exe:Zone.Identifier\r\n[ZoneTransfer]\r\nZoneId=3<\/pre>\n<\/blockquote>\n
Viruses<\/h3>\n
Additional Resources<\/h2>\n
\n
A Programmer's Perspective on NTFS 2000 Part 1: Stream and Hard Link<\/del><\/a> (MSDN, article removed)\nA Programmer's Perspective on NTFS 2000 Part 2: Encryption, Sparseness, and Reparse Points<\/del><\/a> (MSDN, article removed)\nFile Streams<\/a> (MSDN)\nVisual browsing of alternative data-streams in Windows Explorer<\/a> (CodeProject)\nNTFS Alternate Data Streams<\/a> (Alex Ionescu)\n<\/ul>\n","protected":false},"excerpt":{"rendered":"