Alternate Data Streams

The NTFS file system has a little known feature called “Alternate Data Streams”. It can store any kind of data, which will not be visible in Windows Explorer.

Access via default PowerShell Commands is possible:

1
2
3
4
5
6
7
8

#List all streams for one file
Get-Item 'Filename.ext' -Stream *

#Get content of a stream
Get-Content 'Filename.ext' -Stream 'StreamName'

#Set content of a stream
Set-Content 'Filename.ext' -Stream 'MySecretStream' - Value 'MyStreamValue'

Use Cases

The most commonly known Alternate Data Stream is $DATA, which is simply the default data stream containing the actual file contents. Get-Content 'Filename.ext' is equivalent to Get-Content 'Filename.ext' -Stream '$DATA'

Windows and browsers use a stream called Zone.Identifier to display the “Do you want to run this file?” dialog for downloaded files.
The content of the stream looks like this:

1
2
3
4

[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://de.wikipedia.org/wiki/Flagge_Japans#/media/Datei:Flag_of_Japan.svg
HostUrl=https://upload.wikimedia.org/wikipedia/commons/thumb/9/9e/Flag_of_Japan.svg/2880px-Flag_of_Japan.svg.png

After scanning all files on my PC, I only found two other streams, com.dropbox.attributes and com.dropbox.attrs - obviously used by the dropbox client.

Alternate Data Streams could be useful in your own applications, to store some metadata. Keep in mind, that they will only work on NTFS volumes. All streams, except $DATA, will be lost when copied to FAT, EXT or HFS file systems.

Sources

• c’t Magazin, Jhg 2019, Nr. 20, S. 158ff, Art “Platzverwalter”
• Was steckt hinter der Sicherheitswarnung nach einem Download, Technet Blogs