Are you interested in Alternate Data Streams? It is a feature offered by the NTFS file system. In this post, MiniTool will introduce this feature to you and show you how to use/manage it.
What Are Alternate Data Streams
Alternate Data Streams (ADS) is a file attribute found only on the NTFS file system. It allows each file in the NTFS file system to have multiple data streams, which means that in addition to the primary data stream, a file can also have many non-primary data streams lodged in it.
- What is the primary data stream? It is also called the unnamed data stream, referring to the standard content of a file or directory, which is usually visible to users. The primary data stream file is the host file and you can see it in Windows Explorer.
- What is the non-primary data stream? A non-primary data stream is a data stream that has a name. These data streams are the so-called alternate data streams. They are invisible to users and you can't see them in Windows Explorer.
What Can You Do with NTFS Alternate Data Streams
Alternate Data Streams were originally designed to be compatible with Macintosh's HFS+ file system. Using this technology, you can write related data in a file resource (in the form of Alternate Data Streams). And the written data can be extracted using a very simple method. Then, you can read it or even execute it as an independent file.
Alternate Data Streams also have other features, for example:
- It can store data related to the file like keywords, summaries, sound files, images, etc.
- It can hide files. The Alternate Data Streams files can't be seen and the host file will not become bigger or have any changes.
- It can identify high risk files that shouldn’t be accessed.
- The Windows Attachment Manager uses ADS as a file scanner to check whether the downloaded file is safe.
- The SQL Database server uses ADS to maintain database integrity.
- Citrix’s virtual memory uses ADS to boost DLL loading speed.
- Anti-virus applications like Kaspersky use ADS to enhance the scanning technology.
However, because the Alternate Data Streams file is covert and executable, many hackers will use it to make viruses.
How to Use Alternate Data Streams
1. How to Create and Open an Alternate Data Streams File
There are 2 types of ADS files: one is the isolated ADS file and the other is the associated ADS file.
To create an isolated ADS file, the only way is to use the command "echo content > :ads filename". To open the isolated ADS file, use the command "notepad :ads filename". Please note that the content and ADS filename should be replaced accordingly.
In most cases, people will create associated ADS files. To create an associated ADS file, you can use echo command or type command. Please refer to the following guide:
Step 1: Open Command Prompt and run it as administrator. Go to the drive where you want to create the ADS file and use dir command to check what files are there. You can check the file type according to the file extension (dir means directory).
Step 2: Create an ADS file and open it.
- echo content > host filename:ads filename. As the following picture shows, the content "partitionwizard.com" is written into the ADS file "ads2.txt", which is associated with the host file "file.docx".
- type ads file > host file:ads file. There are two files in E drive: txt.txt and file.docx. Now I want to make the "txt.txt" file become an ADS file lodged in the host file "file.docx". I will use the type command.
1. If you want to create an ADS file in a subdirectory, you should first open the drive and then use "cd + directory name" to open the subdirectory.
2. The host file and ADS file can be various types, such as executable files, images, documents, folder, compressed file, etc. Please note that the host file can even be a drive (c:\, e:\, etc.).
3. To check whether the ADS file is created successfully, you can use the command "dir /r".
4. The ADS file opening method should be changed according to the ADS file types. For example, if the ADS file is a text file, you can open it with notepad; if the ADS file is an image file, you should open it with mspaint.
5. After opening the ADS file, you can then edit it, change it and save it.
In the Windows XP days, users could run an executable ADS file by using the "start" command. But Microsoft has plugged that security hole. Nowadays, to run the ADS file, you can use the following 2 commands:
- wmic process call create "ads file path". It will give you a process ID. Then, open the Task Manager, switch to the Details tab, and you can find the process according to the ID.
- mklink "file path" "ads file path". This command will create a symbolic link for the ADS file. Then, you can run the symbolic link file to run the ADS file. Open the Task Manager, switch to the Details tab, and you can see that the ADS file is running.
1. You can run the executable ADS successfully only if it is a complete program file that can run alone (for example, a setup program). Otherwise, it won't run, because important files (various .dll files) are missing.
2. When I use the first method, I have found a process named file.docx:setup.tmp. When I use the second method, I have found a process named xxads.tmp. This may be the difference between the two methods.
2. How to Detect and Remove ADS Files
To detect ADS files, you can use the dir /r command. But this command can only detect the ADS files under the current folder. If you want to detect ADS files under a subfolder, you should open it first (e.g. dir ddd) and then use the command (e.g. dir ddd /r) to display ADS files. Some people may also suggest you use the lads.exe tool to detect ADS files.
After finding ADS files, you can delete these NTFS Alternate Data Streams files through the following 3 ways:
- Delete the host file directly.
- Move the host file to a non-NTFS partition like FAT32, FAT, etc.
- Use Streams.exe offered by Microsoft to delete streams.
In this part, I will show you how to wipe Alternate Data Streams using streams.exe. Here is the guide:
- Make sure the Alternate Data Streams files have stopped running.
- Download Streams.exe tool from Microsoft and then unzip it.
- Open the streams folder and move streams app to the root directory of the partition where you want to delete the streams files.
- Run the command "streams -d + host file path". This command will delete all ADS files lodged in the host file.
1. The dir /r command won't display isolated ADS files.
2. To delete the isolated ADS file, you need to delete its upper directory. But the Streams.exe tool can help you delete the isolated ADS file more easily. In the above picture, I have created an isolated ADS file under E directory. You can see the command streams -d e:\ has deleted the isolated ADS file.
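Added example, not part of the original post: a PowerShell sweep that walks every subfolder in one pass, lists each named stream, and then removes a single stream while keeping the host file. The function name Find-AlternateStream and the ads-demo folder are constructed for illustration; it assumes Windows with the temporary folder on an NTFS volume.

```powershell
# Added example; Find-AlternateStream and the demo paths are constructed names.
function Find-AlternateStream {
    param([Parameter(Mandatory)][string]$Root)
    # -Force includes hidden and system items. Streams attached to directories
    # are reported on PowerShell 7.2+ only; older versions list file streams.
    # ':$DATA' is the unnamed primary stream, so it is filtered out.
    # Zone.Identifier is the marker Windows writes on downloaded files.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -Force -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length, @{
            Name       = 'Note'
            Expression = {
                if ($_.Stream -eq 'Zone.Identifier') { 'download marker' } else { 'review' }
            }
        }
}

# Constructed demo data in a temporary folder (must be on an NTFS volume).
$demo     = Join-Path $env:TEMP 'ads-demo'
$hostFile = Join-Path $demo 'sub\file.docx'
New-Item -ItemType Directory -Path (Join-Path $demo 'sub') -Force | Out-Null
Set-Content -LiteralPath $hostFile -Value 'visible content'
$before = (Get-Item -LiteralPath $hostFile).Length

Set-Content -LiteralPath $hostFile -Stream 'ads2.txt' -Value 'partitionwizard.com'
Set-Content -LiteralPath $hostFile -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
$after = (Get-Item -LiteralPath $hostFile).Length

# Length reports the primary stream only, which is why Explorer shows no growth.
"Host file size before/after adding streams: $before / $after"
Find-AlternateStream -Root $demo | Format-Table -AutoSize

# Delete one named stream and keep the host file, then sweep again.
Remove-Item -LiteralPath $hostFile -Stream 'ads2.txt'
Find-AlternateStream -Root $demo | Format-Table -AutoSize
```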
Convert a Partition to NTFS
As mentioned above, the Alternate Data Streams is only available to the NTFS file system. Therefore, if you want to use the Alternate Data Streams feature, you need to make sure the partition is NTFS file system.
If your partition currently uses the FAT32 file system, you can use MiniTool Partition Wizard to convert it to NTFS without data loss. If your partition uses another file system, please back up data and then format this partition to NTFS. Here is the guide:
Step 1: Launch MiniTool Partition Wizard and go to its main interface. Right-click on the FAT32 partition and choose Convert FAT to NTFS option.
Step 2: Click the Start button to execute the conversion operation.
Step 3: After the conversion completes, click the Close button.
If you want to format the partition to NTFS, please copy and paste data to a safe place and then you can format the partition using one of the following ways.
Way 1. Use MiniTool Partition Wizard
- Launch MiniTool Partition Wizard and go to its main interface.
- Right-click on the partition and choose Format.
- Choose NTFS file system and click OK button.
- Click Apply button.
Way 2. Use Windows File Explorer
- Open Windows File Explorer by clicking its icon on the Taskbar.
- Click This PC.
- Right-click on the drive in the right panel and choose Format.
- Make sure the NTFS file system is selected and then click OK button.
Way 3. Use Disk Management
- Press Windows key + R to open the Run box.
- In the Run box, type "diskmgmt.msc" and press Enter.
- In the Disk Management tool, right-click the partition and choose Format.
- Choose NTFS file system and click OK button.
Is this post useful to you? Do you have other ideas about Alternate Data Streams? Do you know other good uses for Alternate Data Streams? Please leave a comment below to share them. In addition, if you have difficulty using MiniTool Partition Wizard, please feel free to contact us via [email protected]. We will get back to you as soon as possible.